Index of /publicDatasets/CTU-Malware-Capture-Botnet-117-1

Name                                        Last modified      Size
Parent Directory                                               -
2015-04-11_capture-win3.biargus             2015-04-11 14:34   1.9M
2015-04-11_capture-win3.binetflow           2015-09-17 16:00   1.4M
2015-04-11_capture-win3.capinfos            2016-12-05 22:30   1.1K
2015-04-11_capture-win3.dnstop              2016-12-05 22:30   8.1K
2015-04-11_capture-win3.html                2016-08-27 22:00   5.2M
2015-04-11_capture-win3.json                2016-08-27 22:00   9.1M
2015-04-11_capture-win3.passivedns          2016-12-05 22:30   13K
2015-04-11_capture-win3.pcap                2017-04-27 10:58   46M
2015-04-11_capture-win3.rrd                 2015-04-11 14:25   8.0M
2015-04-11_capture-win3.tcpdstat            2016-12-05 22:30   2.0K
2015-04-11_capture-win3.weblogng            2016-06-15 19:07   62K
43671d11ed11b2764a660c5bfbb83067.exe.zip    2015-12-16 10:26   181K
README.html                                 2017-04-27 10:58   2.1K
README.md                                   2015-06-12 15:03   1.6K
bro/                                        2017-04-27 10:58   -
fast-flux-dga-first-analysis.txt            2017-01-15 13:04   196

Timeline

Fri Apr 10 11:40:29 CEST 2015

Started win3.

Fri Apr 10 11:42:32 CEST 2015

Started installing .NET 4.5 from Microsoft.

Fri Apr 10 11:50:55 CEST 2015

win3 restarted to use the new .NET 4.5.

Fri Apr 10 12:00:57 CEST 2015

Infected

The domain zunigle.ddns.net is being requested but no IP is coming back. I will redirect it to a honeypot to see what happens.

Fri Apr 10 15:15:09 CEST 2015

I installed a honeypot on another machine and changed the etc/hosts file of win3 to point to the honeypot. However, it used a custom port, so I used ncat to open the port and receive data...

It sent!!!! lv|'|'|SGFja2VkXzFDMTAwNjFD|'|'|WIN3|'|'|Administrator|'|'|2015-04-10|'|'|USA|'|'|Win 7 Ultimate SP0 x86|'|'|No|'|'|0.5.0E|'|'|--|'|'||'|'|[endof]

The message SGFja2VkXzFDMTAwNjFD in base64 is Hacked_1C10061C (without the slash).
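As an added example (not one of the dataset's own files and not the author's code), a small Python parser for the check-in line captured above: it splits the line on the "|'|'|" delimiter, strips the "[endof]" terminator and decodes the base64 victim identifier, returning None for input that does not match the format. The field labels are my own assumption, inferred from the values seen in the capture (hostname WIN3, user Administrator, ...); the page does not name the fields.

```python
import base64
from typing import Dict, List, Optional

# Check-in line copied from the timeline above (captured on port 1177); any
# length prefix the wire format may carry is not shown there, so none is handled.
SAMPLE_BEACON = (
    "lv|'|'|SGFja2VkXzFDMTAwNjFD|'|'|WIN3|'|'|Administrator|'|'|2015-04-10"
    "|'|'|USA|'|'|Win 7 Ultimate SP0 x86|'|'|No|'|'|0.5.0E|'|'|--|'|'||'|'|[endof]"
)

DELIM = "|'|'|"
TERMINATOR = "[endof]"

# Positional labels are an assumption inferred from the captured values
# (WIN3 is the hostname, Administrator the user, ...), not taken from the page.
FIELD_NAMES = ["command", "victim_id_b64", "hostname", "username",
               "install_date", "country", "os", "webcam", "version",
               "active_window", "extra"]


def split_beacon(raw: str) -> Optional[List[str]]:
    """Return the delimited fields of one check-in, or None if it is not one."""
    if DELIM not in raw or not raw.endswith(TERMINATOR):
        return None
    fields = raw[: -len(TERMINATOR)].split(DELIM)
    # The line ends with a delimiter right before [endof]; drop that empty tail.
    if fields and fields[-1] == "":
        fields.pop()
    return fields


def decode_victim_id(field: str) -> Optional[str]:
    """Decode the base64 victim identifier; None if it is not valid base64."""
    try:
        padded = field + "=" * (-len(field) % 4)  # restore any stripped padding
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_beacon(raw: str) -> Optional[Dict[str, str]]:
    """Map the fields of one check-in to labels and add the decoded victim id."""
    fields = split_beacon(raw)
    if fields is None:
        return None
    record = dict(zip(FIELD_NAMES, fields))
    decoded = decode_victim_id(record.get("victim_id_b64", ""))
    if decoded is not None:
        record["victim_id"] = decoded
    return record
```

Running parse_beacon(SAMPLE_BEACON) yields victim_id "Hacked_1C10061C", hostname "WIN3" and version "0.5.0E"; the same splitting logic can be run over a TCP stream reassembled from the pcap in this directory.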

Fri Apr 10 16:26:38 CEST 2015

I stopped the ncat program. The connection to port 1177 was broken and now it is trying to connect again.

Fri Apr 10 16:28:18 CEST 2015

I tried to install a real njRAT on Linux. The port is open and the program is working. But I think it is an incorrect version because it is not working.

Fri Apr 10 17:06:14 CEST 2015

I stopped the RAT in the honeypot, but the redirection is working.

Fri Apr 10 17:36:55 CEST 2015

Stopped the socat and jrat.

Fri Apr 10 17:39:22 CEST 2015

Started socat and jrat again. The versions of the client RAT and server RAT are not the same.

Sat Apr 11 14:15:18 CEST 2015

Stopped the VM win3.