Index of /publicDatasets/CTU-Malware-Capture-Botnet-142-1

Name                                                                           Last modified      Size

Parent Directory                                                                                  -
fast-flux-dga-first-analysis.txt                                               2017-01-14 17:05   83K
bro/                                                                           2017-08-31 09:45   -
README.md                                                                      2015-10-23 10:13   1.4K
README.html                                                                    2017-01-14 17:05   1.9K
4881c7d89c2b5e934d4741a653fbdaf87cc5e7571b68c723504069d519d8a737.exe.zip       2015-12-16 10:26   264K
2015-10-23_win7.weblogng                                                       2016-06-15 18:49   1.0K
2015-10-23_win7.tcpdstat                                                       2016-10-11 20:10   1.8K
2015-10-23_win7.rrd                                                            2015-10-23 10:01   8.0M
2015-10-23_win7.pcap                                                           2015-09-26 05:46   236M
2015-10-23_win7.passivedns                                                     2015-10-23 10:14   5.5K
2015-10-23_win7.netflow5                                                       2016-11-04 19:00   5.7M
2015-10-23_win7.json                                                           2015-10-23 10:26   147K
2015-10-23_win7.html                                                           2015-10-23 10:26   422K
2015-10-23_win7.dnstop                                                         2015-10-23 10:14   14K
2015-10-23_win7.capinfos                                                       2015-10-23 10:17   755
2015-10-23_win7.binetflow                                                      2016-12-05 22:28   4.3M
2015-10-23_win7.biargus                                                        2016-12-05 22:28   7.7M

Description

Timeline

Fri Sep 25 18:41:02 CEST 2015

started win7

Fri Sep 25 18:45:47 CEST 2015

removed the guest additions and rebooted

Fri Sep 25 18:49:15 CEST 2015

Infected

Successfully resolved eboduftazce-ru.com, but the port seems filtered.

DGA traffic

Sat Sep 26 5:40:00 CEST 2015 (approx)

The trojan stopped sending packets. Weird, because so far it was working.

Sat Sep 26 11:50:25 CEST 2015

The VM was rebooted to see if there was any change.

Since the machine didn't generate any packets, we noticed that it had lost its network access.

The machine has an IP address and a route.

Sat Sep 26 11:55:31 CEST 2015

I tried to ping www.google.com. Didn't work.

Sat Sep 26 11:56:12 CEST 2015

I tried to ping 8.8.8.8. Didn't work.