| Name | Last modified | Size | Description |
|---|---|---|---|
| win2-CC-active.png | 2015-04-14 14:01 | 16K | |
| fast-flux-dga-first-analysis.txt | 2017-01-15 16:34 | 196 | |
| bro/ | 2017-04-27 10:56 | - | |
| README.md | 2015-04-22 10:46 | 1.8K | |
| README.html | 2017-04-27 10:56 | 2.1K | |
| 2015-04-22_capture-win2.weblogng | 2016-06-15 19:07 | 14K | |
| 2015-04-22_capture-win2.tcpdstat | 2016-12-06 08:08 | 1.8K | |
| 2015-04-22_capture-win2.rrd | 2015-04-22 09:29 | 8.0M | |
| 2015-04-22_capture-win2.pcap | 2017-04-27 10:55 | 8.7M | |
| 2015-04-22_capture-win2.passivedns | 2016-12-06 08:08 | 1.8K | |
| 2015-04-22_capture-win2.json | 2015-04-22 10:47 | 2.1M | |
| 2015-04-22_capture-win2.html | 2015-04-22 10:47 | 1.4M | |
| 2015-04-22_capture-win2.dnstop | 2016-12-06 08:08 | 2.3K | |
| 2015-04-22_capture-win2.capinfos | 2016-12-06 08:08 | 1.1K | |
| 2015-04-22_capture-win2.binetflow | 2015-04-14 14:16 | 2.3M | |
| 2015-04-22_capture-win2.biargus | 2015-04-14 14:16 | 5.7M | |
| 8baa9b809b591a11af423824f4d9726a.exe.zip | 2015-12-16 10:26 | 62K | |
started win2
infected with 8baa9b809b591a11af423824f4d9726a.exe
Probably Emotet
So far the SYN requests were for:

- 119.59.124.163.8080
- 192.163.239.60.8080
- 188.126.72.179.8080
- 200.159.128.132.8080
- 195.219.57.34.8080
- 64.207.134.54.8080
- 103.245.153.70.8080
- 178.23.244.51.8080
- 103.228.200.37.8080

There are more...
On 2015, Apr 14th at 11:22am the C&C server 202.44.54.4, port 8080/TCP, started working: a POST connection carrying encrypted data.
```
POST /83736aa6/806782973.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)
Host: 202.44.54.4:8080
Content-Length: 197
Connection: Keep-Alive
Cache-Control: no-cache
```

At first the answer was a 502:

```
HTTP/1.1 502 Bad Gateway
Server: nginx
Date: Tue, 14 Apr 2015 09:23:17 GMT
Content-Type: text/html
Content-Length: 568
Connection: keep-alive
```

And then the real communication:

```
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Apr 2015 09:36:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
```
A lot of information sent at first.
A failed update download from http://77.55.74.118/Xj3i4z6wPYy/8a1.exe (the server answered 400 Bad Request):

```html
<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.4.3</center>
</body>
</html>
```
And then small periodic requests (note that the path no longer ends in .php):

```
03:41:43.796181 POST /83736aa6/806782973/
03:56:58.403597 POST /83736aa6/806782973/   (15 mins)
04:12:02.137821 POST /83736aa6/806782973/   (16 mins)
04:27:06.930518 POST /83736aa6/806782973/   (15 mins)
04:42:11.307701 POST /83736aa6/806782973/   (15 mins)
04:57:14.292672 POST /83736aa6/806782973/   (15 mins)
```
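The near-constant 15 minute gap between those POSTs is the kind of beaconing a detection rule can pick up. The following is an added example, not part of this capture's README or its tooling: it parses the request timeline above, groups POSTs by path, and flags a path whose inter-request gaps stay within a small jitter of their median. The leading `.php` request's timestamp and both thresholds are assumptions constructed for the example.

```python
"""Beacon-interval check over the request timeline listed above (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Timeline as written in the README. The first line is constructed: the README
# gives no timestamp for the .php POST, it is here only to show that a single
# request to a different path is not flagged.
REQUEST_LOG = """\
03:20:00.000000 POST /83736aa6/806782973.php
03:41:43.796181 POST /83736aa6/806782973/
03:56:58.403597 POST /83736aa6/806782973/
04:12:02.137821 POST /83736aa6/806782973/
04:27:06.930518 POST /83736aa6/806782973/
04:42:11.307701 POST /83736aa6/806782973/
04:57:14.292672 POST /83736aa6/806782973/
"""


def parse_requests(text):
    """Yield (timestamp, method, path) from 'HH:MM:SS.ffffff METHOD PATH' lines.

    Only time-of-day is present, so gaps across midnight would need a date."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield datetime.strptime(parts[0], "%H:%M:%S.%f"), parts[1], parts[2]


def beacon_stats(text):
    """Per POST path: (request count, median gap in seconds, max jitter in seconds)."""
    times = defaultdict(list)
    for ts, method, path in parse_requests(text):
        if method == "POST":
            times[path].append(ts)
    stats = {}
    for path, tss in times.items():
        tss.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(tss, tss[1:])]
        if not gaps:
            stats[path] = (len(tss), None, None)
            continue
        med = median(gaps)
        stats[path] = (len(tss), med, max(abs(g - med) for g in gaps))
    return stats


def flag_beacons(text, min_requests=4, max_jitter_ratio=0.15):
    """Paths polled at a near-constant interval; thresholds are assumed values."""
    return {path: round(med)
            for path, (n, med, jitter) in beacon_stats(text).items()
            if n >= min_requests and med and jitter <= max_jitter_ratio * med}
```

On the README's timeline the periodic path is reported with a median period of about 904 seconds, while the one-off `.php` request is left alone.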
stopped