Description

• Probable Name: Andromeda or CRDF.Gen.Variant-Generic.805592636
• MD5: be8797e324da219fedf06732347c4993
• SHA1: d2656d85d7a7f11b26413a5bd878e7ee19c64639
  
• SHA256: 5174c24353944f27e4a97f6265a5c44da2a6a1f224343791937a179e4bf68d61
  
• Password of zip file: infected

• Duration: ~9 days

• VirusTotal
• HybridAnalysis

• RobotHash

Files

• 2016-07-30_capture-win1.capinfos
  • Capinfos file
• 2016-07-30_capture-win1.dnstop
  • DNS top file
• 2016-07-30_capture-win1.mitm
  • Mitm proxy interception file of http and https
• 2016-07-30_capture-win1.passivedns
  • Passive DNS file
• 2016-07-30_capture-win1.pcap
  • Original pcap file
• 2016-07-30_capture-win1.rrd
  • RRD file for graphs
• 2016-07-30_capture-win1.weblogng
  • WEB log of http traffic
• be8797e324da219fedf06732347c4993.exe.zip
  • Original malware file
• bro
  • Folder with all the bro output files
• .biargus
  • Argus binary file with all the flows
• .binetflow
  • Argus text file with bidirectional flows. Report time 3600 secs.

IP Addresses

- Infected host: 192.168.1.110
- Default GW: 192.168.1.2

Timeline

Wed Aug 3 11:59:06 CEST 2016

started win1 already infected with be8797e324da219fedf06732347c4993.exe

Fri Aug 12 13:00:00 CEST 2016 approx

power off