Index of /publicDatasets/CTU-Malware-Capture-Botnet-114-2

| Name | Last modified | Size |
|---|---|---|
| Parent Directory | | - |
| win2-CC-active.png | 2015-04-14 14:01 | 16K |
| 2015-04-22_capture-win2.biargus | 2015-04-14 14:16 | 5.7M |
| 2015-04-22_capture-win2.binetflow | 2015-04-14 14:16 | 2.3M |
| 2015-04-22_capture-win2.rrd | 2015-04-22 09:29 | 8.0M |
| README.md | 2015-04-22 10:46 | 1.8K |
| 2015-04-22_capture-win2.json | 2015-04-22 10:47 | 2.1M |
| 2015-04-22_capture-win2.html | 2015-04-22 10:47 | 1.4M |
| 8baa9b809b591a11af423824f4d9726a.exe.zip | 2015-12-16 10:26 | 62K |
| 2015-04-22_capture-win2.weblogng | 2016-06-15 19:07 | 14K |
| 2015-04-22_capture-win2.dnstop | 2016-12-06 08:08 | 2.3K |
| 2015-04-22_capture-win2.passivedns | 2016-12-06 08:08 | 1.8K |
| 2015-04-22_capture-win2.capinfos | 2016-12-06 08:08 | 1.1K |
| 2015-04-22_capture-win2.tcpdstat | 2016-12-06 08:08 | 1.8K |
| fast-flux-dga-first-analysis.txt | 2017-01-15 16:34 | 196 |
| 2015-04-22_capture-win2.pcap | 2017-04-27 10:55 | 8.7M |
| bro/ | 2017-04-27 10:56 | - |
| README.html | 2017-04-27 10:56 | 2.1K |

Timeline

Fri Apr 10 09:54:27 CEST 2015

started win2

Fri Apr 10 09:50:07 CEST 2015

infected with 8baa9b809b591a11af423824f4d9726a.exe

Probably Emotet

So far the SYN requests went to the following endpoints (written as IP.port, all on TCP port 8080):

- 119.59.124.163.8080
- 192.163.239.60.8080
- 188.126.72.179.8080
- 200.159.128.132.8080
- 195.219.57.34.8080
- 64.207.134.54.8080
- 103.245.153.70.8080
- 178.23.244.51.8080
- 103.228.200.37.8080

There are more...

On Apr 14th 2015 at 11:22am the C&C server 202.44.54.4, port 8080/TCP, started working: a POST connection carrying encrypted data.

```http
POST /83736aa6/806782973.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)
Host: 202.44.54.4:8080
Content-Length: 197
Connection: Keep-Alive
Cache-Control: no-cache
```

The first answer was a 502 from the nginx front end:

```http
HTTP/1.1 502 Bad Gateway
Server: nginx
Date: Tue, 14 Apr 2015 09:23:17 GMT
Content-Type: text/html
Content-Length: 568
Connection: keep-alive
```

And then the real communication:

```http
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Apr 2015 09:36:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
```

A lot of information was sent in this first exchange.

A failed update from http://77.55.74.118/Xj3i4z6wPYy/8a1.exe; the server answered:

```html
<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.4.3</center>
</body>
</html>
```

And then small periodic requests, roughly every 15 minutes (note that the path is now a directory, no longer the .php):

- 03:41:43.796181 POST /83736aa6/806782973/
- 03:56:58.403597 POST /83736aa6/806782973/ (15 mins)
- 04:12:02.137821 POST /83736aa6/806782973/ (16 mins)
- 04:27:06.930518 POST /83736aa6/806782973/ (15 mins)
- 04:42:11.307701 POST /83736aa6/806782973/ (15 mins)
- 04:57:14.292672 POST /83736aa6/806782973/ (15 mins)
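The steady 15-minute cadence above is the kind of timer-driven beaconing a detection can key on. The following is an added example, not part of the CTU dataset or its README: it parses constructed request records built from the timestamps quoted above, computes the inter-arrival intervals for one URI and flags the train as periodic when the jitter is small. The record format `HH:MM:SS.ffffff METHOD URI` is an assumption for this example (the dataset's own pcap, bro/ and .binetflow files need their own parsers), and `split_tcpdump_endpoint` is a small hypothetical helper for the `IP.port` notation used in the SYN list.

```python
# Added example (not from the CTU dataset README): beacon-interval check over
# constructed request records shaped like the periodic POSTs noted above.
# The "HH:MM:SS.ffffff METHOD URI" line format is an assumption for this example.
from statistics import mean, pstdev

# Constructed sample input, built from the timestamps quoted in the README.
SAMPLE_LINES = [
    "03:41:43.796181 POST /83736aa6/806782973/",
    "03:56:58.403597 POST /83736aa6/806782973/",
    "04:12:02.137821 POST /83736aa6/806782973/",
    "04:27:06.930518 POST /83736aa6/806782973/",
    "04:42:11.307701 POST /83736aa6/806782973/",
    "04:57:14.292672 POST /83736aa6/806782973/",
]


def split_tcpdump_endpoint(endpoint):
    """Split tcpdump-style 'a.b.c.d.port' into ('a.b.c.d', port) (hypothetical helper)."""
    host, _, port = endpoint.rpartition(".")
    if host.count(".") != 3 or not port.isdigit():
        raise ValueError("not an IPv4.port endpoint: %r" % endpoint)
    return host, int(port)


def parse_line(line):
    """Return (seconds since midnight, method, uri) for one constructed record."""
    stamp, method, uri = line.split()
    hh, mm, ss = stamp.split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss), method, uri


def request_intervals(lines, uri, method="POST"):
    """Inter-arrival times in seconds between successive requests for `uri`."""
    times = [t for t, m, u in map(parse_line, lines) if m == method and u == uri]
    deltas = []
    for earlier, later in zip(times, times[1:]):
        delta = later - earlier
        if delta < 0:  # timestamps wrapped past midnight
            delta += 86400
        deltas.append(delta)
    return deltas


def beacon_summary(deltas, min_samples=4, max_cv=0.1):
    """Flag a request train as periodic when its interval jitter is small.

    cv is the coefficient of variation (stdev / mean): human browsing has a cv
    well above max_cv, a timer-driven implant well below it.  The thresholds
    are assumptions chosen for this example, not values from the dataset.
    """
    if len(deltas) < min_samples:
        return {"periodic": False, "reason": "too few samples"}
    avg = mean(deltas)
    cv = pstdev(deltas) / avg
    return {"periodic": cv <= max_cv, "mean_s": avg, "cv": cv}


if __name__ == "__main__":
    d = request_intervals(SAMPLE_LINES, "/83736aa6/806782973/")
    print(beacon_summary(d))  # mean close to 906 s, cv well under 0.01
    print(split_tcpdump_endpoint("119.59.124.163.8080"))
```

On the six quoted timestamps the mean interval is about 906 seconds with a coefficient of variation under 0.01, so the train is flagged as periodic; a real Emotet-style implant may add random jitter to the timer, which is why the check uses a tolerance rather than an exact period.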

Wed Apr 22 09:24:25 CEST 2015

stopped