Index of /publicDatasets/CTU-Malware-Capture-Botnet-155-1

Name	Last modified	Size

Parent Directory		-
fast-flux-dga-first-analysis.txt	2017-01-13 22:18	36K
domains-sink	2016-03-28 18:45	22K
domains-histogram.md	2016-03-28 18:49	943
bro/	2017-08-31 09:45	-
README.md	2016-04-20 11:15	2.6K
README.html	2017-01-13 22:18	3.1K
2016-03-26_win3-capture.weblogng.short	2016-06-16 12:08	487K
2016-03-26_win3-capture.weblogng	2016-06-15 18:21	487K
2016-03-26_win3-capture.tcpdstat	2016-09-03 16:53	1.7K
2016-03-26_win3-capture.rrd	2016-04-20 10:47	8.0M
2016-03-26_win3-capture.pcap	2016-04-20 10:42	11M
2016-03-26_win3-capture.passivedns	2016-04-20 10:47	127K
2016-03-26_win3-capture.netflow5	2016-11-04 18:48	334K
2016-03-26_win3-capture.json	2016-04-20 10:53	4.0M
2016-03-26_win3-capture.html	2016-04-20 10:53	4.9M
2016-03-26_win3-capture.dnstop	2016-04-20 10:47	17K
2016-03-26_win3-capture.capinfos	2016-04-20 10:47	759
2016-03-26_win3-capture.binetflow	2016-08-18 09:34	1.7M
2016-03-26_win3-capture.biargus	2016-08-18 09:34	1.8M
1001z.exe.zip	2016-04-20 11:13	270K

Description

Probable name: CRDF/Malware/Trojan Generic
MD5: f4fa08dd11cfa16bb42f2e2fc92d9b99
SHA1: a80f45d1156fe6610e35d1f3c96f16b0f0bb28f2
SHA256: 8a17fcf6eec6f6ddcac7d459ce9b517610b091a242ddcbc88dee0fc68db2e125
Sample provided by Pavel Valach: valach.pavel@gmail.com
Zip password: infected
VirusTotal
HybridAnalysis
RobotHash

Timeline

Sat Mar 26 00:21:10 CET 2016

started win3

Sat Mar 26 00:23:57 CET 2016

Infected

Mon Mar 28 23:00:00 CEST 2016 approx

The machine stop sending TCP and http packets. Not sure why.

Tue Mar 29 23:10:00 CEST 2016 approx

The computer stop connecting

Mon Apr 4 23:16:56 CEST 2016

Restarted to see if it starts working again

It did! Something was broken withe malware?

Wed Apr 20 10:43:27 CEST 2016

Stopped the vm

Analysis

Domain: itemsuofitquestumequequi.com

Domain Name: ITEMSUOFITQUESTUMEQUEQUI.COM
Registrar: TODAYNIC.COM, INC.
Sponsoring Registrar IANA ID: 697
Whois Server: whois.todaynic.com
Name Server: NS1.NEONGIT.AT
Name Server: NS2.NEONGIT.AT
Registry Domain ID: 77428276_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.todaynic.com
Registrar URL: http://www.now.cn/
Registrar: Todaynic.com, Inc.


itemsuofitquestumequequi.com. 137 IN    A   37.115.124.26
descr:          Kyivstar GSM
descr:          Ukrainian mobile phone operator
country:        UA
itemsuofitquestumequequi.com. 137 IN    A   212.92.224.191
descr:          WildPark Co
country:        UA
address:        Nikolaev, Ukraine
itemsuofitquestumequequi.com. 137 IN    A   178.150.24.221
descr:          Kiev , Minskiy
country:        UA
itemsuofitquestumequequi.com. 137 IN    A   178.151.235.213
descr:          Kiev , Vinogradar
country:        UA
itemsuofitquestumequequi.com. 137 IN    A   188.247.99.172
netname:        GTS-NET
descr:          DataGroup-Dnepr
country:        UA
address:        61002 Kharkov, Ukraine
itemsuofitquestumequequi.com. 137 IN    A   178.151.110.15
netname:        TRIOLAN
descr:          Kiev , Harkovsky
country:        UA
address:        Ukraine
itemsuofitquestumequequi.com. 137 IN    A   77.122.19.164
itemsuofitquestumequequi.com. 137 IN    A   95.134.166.81
itemsuofitquestumequequi.com. 137 IN    A   178.93.115.201
itemsuofitquestumequequi.com. 137 IN    A   80.245.94.25