Description

• Probable Name: Andromeda or CRDF.Gen.Variant-Generic.805592636
• MD5: be8797e324da219fedf06732347c4993
• SHA1: d2656d85d7a7f11b26413a5bd878e7ee19c64639
  
• SHA256: 5174c24353944f27e4a97f6265a5c44da2a6a1f224343791937a179e4bf68d61
  
• Password of zip file: infected

• Duration: 3.8 days

• VirusTotal
• HybridAnalysis

• RobotHash

Files

• 2016-07-30_capture-win1.capinfos
  • Capinfos file
• 2016-07-30_capture-win1.dnstop
  • DNS top file
• 2016-07-30_capture-win1.mitm
  • Mitm proxy interception file of http and https
• 2016-07-30_capture-win1.passivedns
  • Passive DNS file
• 2016-07-30_capture-win1.pcap
  • Original pcap file
• 2016-07-30_capture-win1.rrd
  • RRD file for graphs
• 2016-07-30_capture-win1.weblogng
  • WEB log of http traffic
• be8797e324da219fedf06732347c4993.exe.zip
  • Original malware file
• bro
  • Folder with all the bro output files
• .biargus
  • Argus binary file with all the flows
• .binetflow
  • Argus text file with bidirectional flows. Report time 3600 secs.
• .uniargus
  • Argus binary file. Unidirectional flows, 5s of report time.
• .uninetflow
  • Argus text file with unidirectional flows. Report time 5 secs. TAB as column separator.

IP Addresses

- Infected host: 192.168.1.110
- Default GW: 192.168.1.2

Timeline

Sat Jul 30 14:51:09 CEST 2016

started win1

Sat Jul 30 14:54:12 CEST 2016

infected

Wed Aug 3 11:54:39 CEST 2016

power off