Index of /publicDatasets/CTU-Malware-Capture-Botnet-112-3

Name                                         Last modified      Size
919a8a6d873bb2a7263d8309249726fd.exe.zip     2015-12-16 10:26   149K
2015-04-22_capture-win11.html                2015-04-22 12:00   30M
2015-04-22_capture-win11.json                2015-04-22 12:00   49M
2015-04-22_capture-win11.pcap                2015-04-22 09:24   74M
2015-04-22_capture-win11.rrd                 2015-04-22 09:29   8.0M
2015-04-22_capture-win11.weblogng            2016-06-15 18:48   1.1M
README.html                                  2015-04-22 11:58   3.9K
README.md                                    2015-04-22 11:58   3.4K

Timeline

Thu Apr 9 14:00:49 CEST 2015

Yesterday it froze.

Thu Apr 9 14:01:33 CEST 2015

win11 started already infected with 919a8a6d873bb2a7263d8309249726fd. The server froze. The previous capture is 112-1.

Fri Apr 10 08:40:04 CEST 2015

Today at 6am the malware stopped connecting. I don't know what happened. The Windows machine is still working. I will reboot it.

Fri Apr 10 08:41:00 CEST 2015

Win11 rebooted. The same pcap file.

Traffic Analysis

Response body of http://91.185.215.161/sp.php to the bot's request GET /sp.php?proxy=194.247.12.49%3A36975&secret=BER5w4evtjszw4MBRW (REQUEST_TIME 1428585399, i.e. Thu Apr 9 2015 13:16:39 GMT): a PHP-serialized array that echoes the server's $_SERVER variables and the GET parameters back to the client (REMOTE_ADDR is the client as seen by the server).

a:3:{ s:13:"secret_string" s:18:"BER5w4evtjszw4MBRW" s:6:"server" a:21:{ s:9:"HTTP_HOST" s:14:"91.185.215.161" s:11:"HTTP_ACCEPT" s:3:"*/*" s:4:"PATH" s:29:"/sbin:/usr/sbin:/bin:/usr/bin" s:16:"SERVER_SIGNATURE" s:75:"<address>Apache/2.2.15 (CentOS) Server at 91.185.215.161 Port 80</address>
" s:15:"SERVER_SOFTWARE" s:22:"Apache/2.2.15 (CentOS)" s:11:"SERVER_NAME" s:14:"91.185.215.161" s:11:"SERVER_ADDR" s:14:"91.185.215.161" s:11:"SERVER_PORT" s:2:"80" s:11:"REMOTE_ADDR" s:12:"147.32.83.56" s:13:"DOCUMENT_ROOT" s:13:"/var/www/html" s:12:"SERVER_ADMIN" s:14:"root@localhost" s:15:"SCRIPT_FILENAME" s:20:"/var/www/html/sp.php" s:11:"REMOTE_PORT" s:5:"49064" s:17:"GATEWAY_INTERFACE" s:7:"CGI/1.1" s:15:"SERVER_PROTOCOL" s:8:"HTTP/1.1" s:14:"REQUEST_METHOD" s:3:"GET" s:12:"QUERY_STRING" s:53:"proxy=194.247.12.49%3A36975&secret=BER5w4evtjszw4MBRW" s:11:"REQUEST_URI" s:61:"/sp.php?proxy=194.247.12.49%3A36975&secret=BER5w4evtjszw4MBRW" s:11:"SCRIPT_NAME" s:7:"/sp.php" s:8:"PHP_SELF" s:7:"/sp.php" s:12:"REQUEST_TIME" i:1428585399 } s:3:"get" a:2:{ s:5:"proxy" s:19:"194.247.12.49:36975" s:6:"secret" s:18:"BER5w4evtjszw4MBRW" } }
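The sp.php reply above is PHP serialize() output, and its declared byte lengths are what make the extraction-damaged fields recoverable (SERVER_SIGNATURE is declared as 75 bytes, which only `<address>...</address>\n` satisfies). The decoder below is an added example for this README, not part of the CTU dataset or of any Stratosphere tool. It embeds the reply in PHP's wire form, with the restored tags and spaces marked as an assumption backed by those length fields, and pulls out the secret, the proxy endpoint the bot reported, and the client address and request time the server recorded.

```python
"""Decode the PHP-serialized reply of sp.php shown in Traffic Analysis.

Added example for this README; not part of the CTU dataset or of
Stratosphere's tooling.  PHP's serialize() writes arrays as
a:<count>:{<key><value>...}, strings as s:<len>:"<bytes>" and integers
as i:<n>.  <len> is a byte count, so a string body is taken by length
rather than by scanning for the closing quote (a quote inside the
payload would otherwise end the string early).  The ';' separators PHP
emits are treated as optional, so the semicolon-less rendering on the
page decodes the same as the raw wire form.
"""
import re
from datetime import datetime, timezone

# The sp.php response body from the capture, in PHP's wire form.
# Assumption: the <address> tags and the spaces inside REMOTE_ADDR,
# GATEWAY_INTERFACE and REQUEST_URI lost in rendering are restored here;
# the declared lengths (75, 12, 17, 11) only hold for these values.
SP_RESPONSE = (
    b'a:3:{s:13:"secret_string";s:18:"BER5w4evtjszw4MBRW";s:6:"server";a:21:{'
    b's:9:"HTTP_HOST";s:14:"91.185.215.161";s:11:"HTTP_ACCEPT";s:3:"*/*";'
    b's:4:"PATH";s:29:"/sbin:/usr/sbin:/bin:/usr/bin";'
    b's:16:"SERVER_SIGNATURE";s:75:"<address>Apache/2.2.15 (CentOS) Server at '
    b'91.185.215.161 Port 80</address>\n";'
    b's:15:"SERVER_SOFTWARE";s:22:"Apache/2.2.15 (CentOS)";'
    b's:11:"SERVER_NAME";s:14:"91.185.215.161";s:11:"SERVER_ADDR";s:14:"91.185.215.161";'
    b's:11:"SERVER_PORT";s:2:"80";s:11:"REMOTE_ADDR";s:12:"147.32.83.56";'
    b's:13:"DOCUMENT_ROOT";s:13:"/var/www/html";s:12:"SERVER_ADMIN";s:14:"root@localhost";'
    b's:15:"SCRIPT_FILENAME";s:20:"/var/www/html/sp.php";s:11:"REMOTE_PORT";s:5:"49064";'
    b's:17:"GATEWAY_INTERFACE";s:7:"CGI/1.1";s:15:"SERVER_PROTOCOL";s:8:"HTTP/1.1";'
    b's:14:"REQUEST_METHOD";s:3:"GET";'
    b's:12:"QUERY_STRING";s:53:"proxy=194.247.12.49%3A36975&secret=BER5w4evtjszw4MBRW";'
    b's:11:"REQUEST_URI";s:61:"/sp.php?proxy=194.247.12.49%3A36975&secret=BER5w4evtjszw4MBRW";'
    b's:11:"SCRIPT_NAME";s:7:"/sp.php";s:8:"PHP_SELF";s:7:"/sp.php";'
    b's:12:"REQUEST_TIME";i:1428585399;}'
    b's:3:"get";a:2:{s:5:"proxy";s:19:"194.247.12.49:36975";s:6:"secret";s:18:"BER5w4evtjszw4MBRW";}}'
)

_SEP = re.compile(rb"[;\s]*")        # optional separators between elements
_STR = re.compile(rb's:(\d+):"')
_INT = re.compile(rb"i:(-?\d+)")
_ARR = re.compile(rb"a:(\d+):\{")


def _parse(buf: bytes, pos: int):
    """Parse one value starting at buf[pos]; return (value, position after it)."""
    pos = _SEP.match(buf, pos).end()
    tag = buf[pos:pos + 1]
    if tag == b"s":
        m = _STR.match(buf, pos)
        if not m:
            raise ValueError(f"malformed string header at offset {pos}")
        n, start = int(m.group(1)), m.end()
        body = buf[start:start + n]          # slice by declared byte length
        if len(body) != n or buf[start + n:start + n + 1] != b'"':
            raise ValueError(f"string at offset {pos} does not span {n} bytes")
        return body.decode("utf-8", "replace"), start + n + 1
    if tag == b"i":
        m = _INT.match(buf, pos)
        if not m:
            raise ValueError(f"malformed integer at offset {pos}")
        return int(m.group(1)), m.end()
    if tag == b"a":
        m = _ARR.match(buf, pos)
        if not m:
            raise ValueError(f"malformed array header at offset {pos}")
        count, pos = int(m.group(1)), m.end()
        items = {}
        for _ in range(count):               # exactly <count> key/value pairs
            key, pos = _parse(buf, pos)
            val, pos = _parse(buf, pos)
            items[key] = val
        pos = _SEP.match(buf, pos).end()
        if buf[pos:pos + 1] != b"}":
            raise ValueError(f"array declared {count} items but continues at offset {pos}")
        return items, pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def php_unserialize(buf: bytes):
    """Decode one complete serialized value and reject trailing data."""
    value, end = _parse(buf, 0)
    if _SEP.match(buf, end).end() != len(buf):
        raise ValueError(f"trailing data after offset {end}")
    return value


def summarize(reply: dict) -> dict:
    """The fields an analyst wants from the sp.php reply: the secret the bot
    presented (and whether the server echoed it unchanged), the proxy endpoint
    it reported, the client address/port and request time the server saw."""
    srv = reply["server"]
    when = datetime.fromtimestamp(srv["REQUEST_TIME"], tz=timezone.utc)
    return {
        "secret": reply["secret_string"],
        "secret_echoed": reply["get"]["secret"] == reply["secret_string"],
        "proxy": reply["get"]["proxy"],
        "client": f'{srv["REMOTE_ADDR"]}:{srv["REMOTE_PORT"]}',
        "request_time": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "server": f'{srv["SERVER_ADDR"]}:{srv["SERVER_PORT"]} {srv["SERVER_SOFTWARE"]}',
    }


if __name__ == "__main__":
    for k, v in summarize(php_unserialize(SP_RESPONSE)).items():
        print(f"{k:>14}: {v}")
```

Slicing strings by their declared length is the part that matters when this is done at scale: a scanner that looks for the next `"` would mis-parse any value containing a quote, and a decoder that trusts the `a:<count>` header without checking the closing `}` will silently accept padded or truncated replies.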

Mon Apr 20 11:08:47 CEST 2015

Some days ago the domain papausafr.com stopped answering, a little after Mon, 13 Apr 2015 14:04:11 GMT in real time (04:07:42.825257 in pcap time). So I will reboot it to see if it gets a new domain.

Mon Apr 20 11:24:45 CEST 2015

Rebooted win11. Same pcap file.

It seems that it worked! It is asking for a new domain, solocoufandle.com, and sending some GETs:

22:22:15.343895 tcp 10.0.2.109 49158 -> 37.187.245.14 80 SRPA_SPA 528 431935
  s[120]=GET /viber.php HTTP/1.1..User-Agent: pb..Host: solocoufandle.com..Cache-Control: no-cache....GET /md.php?command=getip H
  d[120]=HTTP/1.1 200 OK..Server: nginx/1.0.15..Date: Mon, 20 Apr 2015 09:37:45 GMT..Content-Type: text/html..Transfer-Encoding: 
  s[300]=GET /viber.php HTTP/1.1..User-Agent: pb..Host: solocoufandle.com..Cache-Control: no-cache....GET /md.php?command=getip HTTP/1.1..User-Agent: pb..Host: solocoufandle.com..Cache-Control: no-cache....GET /md.php?command=ghl&id=1494363983 HTTP/1.1..User-Agent: pb..Host: solocoufandle.com..Cache-Control: 
  d[300]=HTTP/1.1 200 OK..Server: nginx/1.0.15..Date: Mon, 20 Apr 2015 09:37:45 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.4.37....1f..http://solocoufandle.com/md.php..0....HTTP/1.1 200 OK..Server: nginx/1.0.15..Date: Mon, 20 Apr 2015 09:37:45 GMT..C

Wed Apr 22 09:26:50 CEST 2015

poweroff