Index of /publicDatasets/CTU-Malware-Capture-Botnet-155-1

[ICO]NameLast modifiedSizeDescription

[PARENTDIR]Parent Directory  -  
[   ]domains-sink2016-03-28 18:45 22K 
[TXT]domains-histogram.md2016-03-28 18:49 943  
[   ]2016-03-26_win3-capture.pcap2016-04-20 10:42 11M 
[   ]2016-03-26_win3-capture.rrd2016-04-20 10:47 8.0M 
[   ]2016-03-26_win3-capture.dnstop2016-04-20 10:47 17K 
[   ]2016-03-26_win3-capture.passivedns2016-04-20 10:47 127K 
[   ]2016-03-26_win3-capture.capinfos2016-04-20 10:47 759  
[   ]2016-03-26_win3-capture.json2016-04-20 10:53 4.0M 
[TXT]2016-03-26_win3-capture.html2016-04-20 10:53 4.9M 
[   ]1001z.exe.zip2016-04-20 11:13 270K 
[TXT]README.md2016-04-20 11:15 2.6K 
[   ]2016-03-26_win3-capture.weblogng2016-06-15 18:21 487K 
[   ]2016-03-26_win3-capture.weblogng.short2016-06-16 12:08 487K 
[   ]2016-03-26_win3-capture.biargus2016-08-18 09:34 1.8M 
[   ]2016-03-26_win3-capture.binetflow2016-08-18 09:34 1.7M 
[   ]2016-03-26_win3-capture.tcpdstat2016-09-03 16:53 1.7K 
[   ]2016-03-26_win3-capture.netflow52016-11-04 18:48 334K 
[TXT]fast-flux-dga-first-analysis.txt2017-01-13 22:18 36K 
[TXT]README.html2017-01-13 22:18 3.1K 
[DIR]bro/2017-08-31 09:45 -  

Description

Timeline

Sat Mar 26 00:21:10 CET 2016

started win3

Sat Mar 26 00:23:57 CET 2016

Infected

Mon Mar 28 23:00:00 CEST 2016 approx

The machine stop sending TCP and http packets. Not sure why.

Tue Mar 29 23:10:00 CEST 2016 approx

The computer stop connecting

Mon Apr 4 23:16:56 CEST 2016

Restarted to see if it starts working again

It did! Something was broken withe malware?

Wed Apr 20 10:43:27 CEST 2016

Stopped the vm

Analysis

Domain: itemsuofitquestumequequi.com

Domain Name: ITEMSUOFITQUESTUMEQUEQUI.COM
Registrar: TODAYNIC.COM, INC.
Sponsoring Registrar IANA ID: 697
Whois Server: whois.todaynic.com
Name Server: NS1.NEONGIT.AT
Name Server: NS2.NEONGIT.AT
Registry Domain ID: 77428276_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.todaynic.com
Registrar URL: http://www.now.cn/
Registrar: Todaynic.com, Inc.


itemsuofitquestumequequi.com. 137 IN    A   37.115.124.26
descr:          Kyivstar GSM
descr:          Ukrainian mobile phone operator
country:        UA
itemsuofitquestumequequi.com. 137 IN    A   212.92.224.191
descr:          WildPark Co
country:        UA
address:        Nikolaev, Ukraine
itemsuofitquestumequequi.com. 137 IN    A   178.150.24.221
descr:          Kiev , Minskiy
country:        UA
itemsuofitquestumequequi.com. 137 IN    A   178.151.235.213
descr:          Kiev , Vinogradar
country:        UA
itemsuofitquestumequequi.com. 137 IN    A   188.247.99.172
netname:        GTS-NET
descr:          DataGroup-Dnepr
country:        UA
address:        61002 Kharkov, Ukraine
itemsuofitquestumequequi.com. 137 IN    A   178.151.110.15
netname:        TRIOLAN
descr:          Kiev , Harkovsky
country:        UA
address:        Ukraine
itemsuofitquestumequequi.com. 137 IN    A   77.122.19.164
itemsuofitquestumequequi.com. 137 IN    A   95.134.166.81
itemsuofitquestumequequi.com. 137 IN    A   178.93.115.201
itemsuofitquestumequequi.com. 137 IN    A   80.245.94.25