Index of /publicDatasets/CTU-Malware-Capture-Botnet-132-1

[ICO]NameLast modifiedSizeDescription
[PARENTDIR]Parent Directory  -  
[ ]2015-09-09_win3.pcap2015-09-10 14:19 2.7M 
[ ]2015-09-09_win3.rrd2015-09-10 14:27 8.0M 
[ ]2015-09-09_win3.dnstop2015-09-11 11:55 2.6K 
[ ]2015-09-09_win3.passivedns2015-09-11 11:55 2.0K 
[ ]2015-09-09_win3.capinfos2015-09-11 11:55 754  
[ ]2015-09-09_win3.json2015-09-11 11:55 255K 
[TXT]2015-09-09_win3.html2015-09-11 11:55 477K 
[ ]2015-09-09_win3.biargus2015-09-11 12:02 1.9M 
[ ]2015-09-09_win3.binetflow2015-09-11 12:02 1.1M 
[ ]Details.zip2015-09-11 21:55 84K 
[TXT]README.md2015-09-11 22:08 2.0K 
[ ]inner.exe.zip2015-12-16 10:26 90K 
[ ]2015-09-09_win3.weblogng2016-06-15 17:55 123K 
[ ]2015-09-09_win3.tcpdstat2016-12-05 22:29 1.7K 
[TXT]fast-flux-dga-first-analysis.txt2017-01-14 17:09 6.8K 
[TXT]README.html2017-01-14 17:09 2.4K 
[DIR]bro/2017-08-31 09:45 -  

Timeline

Tue Sep 8 09:11:43 CEST 2015

Win3 started

Tue Sep 8 09:13:08 CEST 2015

Open IE

Tue Sep 8 09:15:42 CEST 2015 Access the infected URL

It dowloaded the file Details.zip MD5: f589827c4cf94662544066b80bfda6ab

I click to open the zip file

Tue Sep 8 09:16:16 CEST 2015

Double click the exe file. It seems to fail, because it ask to select a program to open the file. But it actually worked!

231.748|80|302|754|487|49158|565|0|GET|http://singin.loginto.me/050915/dsfihkfisgbdfsdfbsdkfs.php?id=Rand+1106&token1=bW9yaWFiKzk0Ng%3D%3D&token2=cmF2aXZAaHlicmlkc2VjLmNvbQ%3D%3D&C=Click|161|192.161.48.59|10.0.2.103|"text/html; charset=UTF-8"|"-"|"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)" 232.108|80|200|86441|86137|49158|461|0|GET|http://singin.loginto.me/050915/Details.zip|0|192.161.48.59|10.0.2.103|"application/zip" "-"|"Mozilla/4.0|(compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"

Thu Sep 10 14:18:59 CEST 2015

power off win3