Index of /publicDatasets/CTU-Malware-Capture-Botnet-137-1

Name                               Last modified       Size
Parent Directory                   -                   -
BAB0/                              2015-10-04 13:36    -
2015-10-04.win.biargus             2015-10-04 15:12    219K
2015-10-04.win.binetflow           2015-10-04 15:12    234K
2015-10-04.win.pcap                2015-10-04 16:03    54M
2015-10-04.win.rrd                 2015-10-04 16:03    8.0M
2015-10-04.win.dnstop              2015-10-04 16:07    13K
2015-10-04.win.passivedns          2015-10-04 16:07    21K
2015-10-04.win.capinfos            2015-10-04 16:07    742
2015-10-04.win.weblog              2015-10-04 16:07    2.0M
2015-10-04.win.json                2015-10-04 16:26    122M
2015-10-04.win.html                2015-10-04 16:26    57M
README.md                          2015-10-04 17:11    2.4K
babo.exe.zip                       2015-12-16 10:26    117K
2015-10-04.win.tcpdstat            2016-12-05 22:29    2.0K
2015-10-04.weblogng                2017-01-14 17:09    2.3M
fast-flux-dga-first-analysis.txt   2017-01-14 17:09    38K
README.html                        2017-01-14 17:09    3.1K
bro/                               2017-08-31 09:45    -

Description

In this capture, be careful about what you consider malicious traffic from the malware. All the traffic BEFORE the infection with the exe file is not generated by the downloaded malicious exe file. The traffic going to the following hosts is not malicious:

The malicious traffic starts at tcpdump time 02:07:14.952174, with a connection to the domain crysys.hu.

Timeline

Sun Oct 4 13:44:53 CEST 2015

started winnormal

Sun Oct 4 13:46:26 CEST 2015

Started the Chrome browser. It did a lot of communication to port 443, both TCP and UDP, of the IPs 173.194.122.15 and 173.194.122.24, but this traffic is normal.

Sun Oct 4 13:51:28 CEST 2015

Access to the web site where the infected web page is hosted: https://mcfp.felk.cvut.cz/publicDatasets/BAB0/

Sun Oct 4 13:52:15 CEST 2015

Clicked on the bab0 image.

Sun Oct 4 13:52:59 CEST 2015

It asked to save a binary file on disk. I agreed to store it and then executed it. The binary's MD5 is d92344249e2b9d340a8127b480d32574.

Upon execution, it connected to the crysys.hu forum, which is the company's C&C server.

Sun Oct 4 16:03:39 CEST 2015

Powered off.