Index of /publicDatasets/CTU-Malware-Capture-Botnet-120-1

[ICO]NameLast modifiedSizeDescription

[PARENTDIR]Parent Directory  -  
[   ]2015-04-22_capture-win4.biargus2015-06-04 15:28 547K 
[   ]2015-04-22_capture-win4.binetflow2015-09-17 17:16 470K 
[   ]2015-04-22_capture-win4.capinfos2015-07-23 20:02 763  
[   ]2015-04-22_capture-win4.dnstop2016-01-14 21:37 7.3K 
[TXT]2015-04-22_capture-win4.html2015-06-01 20:07 1.4M 
[   ]2015-04-22_capture-win4.json2015-06-01 20:07 1.9M 
[   ]2015-04-22_capture-win4.large.binetflow2015-06-20 15:15 85K 
[   ]2015-04-22_capture-win4.passivedns2016-01-14 21:37 12K 
[   ]2015-04-22_capture-win4.pcap2015-04-22 09:24 9.4M 
[   ]2015-04-22_capture-win4.rrd2015-04-22 09:29 8.0M 
[   ]2015-04-22_capture-win4.tcpdstat2016-12-05 22:30 1.9K 
[   ]2015-04-22_capture-win4.uniargus2016-12-05 22:30 10M 
[   ]2015-04-22_capture-win4.uninetflow2016-12-05 22:30 4.2M 
[   ]2015-04-22_capture-win4.weblogng2016-06-15 18:04 47K 
[TXT]README.html2017-01-15 13:04 7.1K 
[TXT]README.md2016-08-27 21:55 4.7K 
[DIR]bro/2017-08-31 09:45 -  
[   ]d1e1acd259b5548c2f09906dc3efa7df.exe.zip2015-12-16 10:26 11K 
[TXT]fast-flux-dga-first-analysis.txt2017-01-15 13:04 23K 

Timeline

Fri Apr 10 17:50:55 CEST 2015

started win4

Fri Apr 10 17:55:30 CEST 2015

With the njRat with MD5 d30b4088f7a5a2c762792dbbae90f197 (file njrat0.7d.zip), I created a client to connect to our server.

It was perfecty connected!

Fri Apr 10 17:59:13 CEST 2015

Get passwords

Fri Apr 10 18:05:19 CEST 2015

I stopped the client in the honeynet and I started it again

Fri Apr 10 18:07:22 CEST 2015

manager

Fri Apr 10 18:10:12 CEST 2015

keylogger activated

Fri Apr 10 18:14:21 CEST 2015

something was not working in the client in the honeypot, so I restarted the client

Fri Apr 10 18:16:03 CEST 2015

the client is up again

Fri Apr 10 18:20:55 CEST 2015

tried to use some features... it is difficult because is very slow.

Fri Apr 10 18:43:46 CEST 2015

power off the client and the honeypot.

Fri Apr 10 18:50:29 CEST 2015

up again the client in the honeypot

Fri Apr 10 18:56:21 CEST 2015

keylogger access, various actions

Fri Apr 10 18:59:14 CEST 2015

ask for all the passwords

Fri Apr 10 19:07:08 CEST 2015

Now I leave the server (windows) connected to the client in the honeypot without doing nothing.

Mon Apr 13 13:28:14 CEST 2015 (20:37:32.331696 in pcap)

I'm going to send some orders from the C&C to the bot, to see how the periodicity changes. I'm going to ask for get passwords

Mon Apr 13 13:27:01 CEST 2015

keylogger

Mon Apr 13 13:29:20 CEST 2015

manager

Mon Apr 13 13:29:40 CEST 2015

manager

Mon Apr 13 13:29:56 CEST 2015

remote desktop

Mon Apr 13 13:30:34 CEST 2015

Since nothing is working, I'm going to reboot the server program in the bot remotely

Mon Apr 13 13:32:25 CEST 2015

keylogger

Mon Apr 13 13:36:05 CEST 2015

remote desktop still not working.

Mon Apr 13 13:37:45 CEST 2015

I rebooted the bot from the windows itself.

Mon Apr 13 13:43:43 CEST 2015

I stopped the C&C server, because it was getting false connections. It showed like 20 bots.

Mon Apr 13 13:56:10 CEST 2015 (21:05:49.323559 in pcap)

I started the C&C server again. No orders.

Mon Apr 13 14:09:54 CEST 2015

ask for keylogger

Mon Apr 13 14:11:37 CEST 2015

ask for keylogger. Every time I ask for something, the server is sending stuff

Mon Apr 13 14:13:13 CEST 2015

Now it showed the windows in the server... Now sure why!

Mon Apr 13 14:13:42 CEST 2015

Asked for the remote desktop It seems it didn't work.

Mon Apr 13 14:17:06 CEST 2015

manager Did not worked.

Mon Apr 13 14:17:28 CEST 2015

network connections in the manager Did not worked.

Mon Apr 13 14:19:35 CEST 2015

microphone Did not worked.

Mon Apr 13 14:20:06 CEST 2015

Mon Apr 13 14:20:42 CEST 2015 I changed the positions of the windows in the bot, to see if it is reflected in the thumbnail in the C&C server. It did not.

So it seems that the bot and the server are communicating, but something is broken.

Mon Apr 13 14:21:55 CEST 2015

I stopped the C&C server. Now the bot started to ask again for the C&C server (time 21:31:29.237683 in pcap)

Mon Apr 13 14:23:41 CEST 2015

I started the C&C server again The thumbnail is ok, so the communication is working.

Mon Apr 13 14:24:24 CEST 2015

keylogger Worked.

it seems that if i ask for stuff just after the bot is connected, everything is working fine.

Mon Apr 13 14:24:41 CEST 2015

remote desktop, it worked.

Mon Apr 13 14:25:00 CEST 2015

manager

Mon Apr 13 14:25:08 CEST 2015

tcp connections. It worked.

Mon Apr 13 14:25:28 CEST 2015

get passwords. It worked.

i will stop here doing actions

Mon Apr 13 14:37:10 CEST 2015

I waited for a long time. Ask for keylogger Seems not to be working! or is taking a lot of time.

At some point it was shown. But very late.

Mon Apr 13 15:30:19 CEST 2015

ask for keylogger

Mon Apr 13 15:31:33 CEST 2015

The data from the keylogger come back!

Mon Apr 13 15:31:54 CEST 2015

Get passwords.

Mon Apr 13 15:32:47 CEST 2015

The passwords come back in the network. But they didn't appeared in the C&C interface quickly. They appeared later.

Mon Apr 13 15:48:29 CEST 2015

remote desktop

Mon Apr 13 16:04:21 CEST 2015

Not sure when it poped up. Could be now. It took long, but maybe it was some issue with the display in the linux remote desktop.

Sat Apr 17 CEST 2015

During this day I play a little with the commands and then I stopped the server2.exe process.

Sat Apr 18 11:26:55 CEST 2015

Today I reinfected it again

Wed Apr 22 09:25:10 CEST 2015

poweroff