Description
- Probable Name: Miuref
- MD5: 8dc809e0f25220e1d6b578eee2e80c33
- SHA1: 44a1c528c97771a3281422abbf4389bba171017d
- SHA256: e12a2c2b633ac12cec3e0d32950dcd5011d2aba4a9b95506c0fd3913446d7c22
- Password of zip file: infected
This capture was done by intercepting all the packets going to ports 80, 8080, 8000, 443 and 8443 and redirecting them to a mitmproxy.
- VirusTotal
- HybridAnalysis
Files
- .capinfos
- .dnstop
- .mitm
  - Mitm proxy interception file of http and https
- .passivedns
- .pcap
- .rrd
- .weblogng
- .exe.zip
- bro
  - Folder with all the bro output files
- .biargus
  - Argus binary file with all the flows
- .binetflow
  - Argus text file with bidirectional flows. Report time 3600 secs.
IP Addresses
- Infected host: 192.168.1.113
- Default GW: 192.168.1.2
Timeline
- Wed Aug 3 20:27:56 CEST 2016: started win3
- Wed Aug 3 20:29:45 CEST 2016: infected
- Thu Aug 4 2016: power off
Analysis
The malware connects to servers on port 443/TCP, but the traffic is not TLS or SSL. We know this because the mitm proxy complained that the handshake was broken, and when we inspected the packets the payload does not have the record structure of SSL or TLS.
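The observation above (port 443 carrying something that is not TLS) can be turned into a simple check over the .pcap file. The script below is an added example, not part of this dataset or its tooling: it parses a pcap with only the standard library, takes the first data segment each client sends to destination port 443, and flags flows whose first bytes do not form a TLS handshake record carrying a ClientHello. The server addresses and payload bytes in `build_sample_pcap` are constructed test data (only the infected host address comes from this page), and the TLS test is a framing heuristic, not a full parser.

```python
import struct
from ipaddress import IPv4Address

TLS_HANDSHAKE = 0x16  # TLS record content type for handshake messages
CLIENT_HELLO = 0x01   # handshake message type


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Heuristic: does the first client segment start with a TLS ClientHello record?"""
    if len(payload) < 6:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    # Record version is 3.x for SSL 3.0 through TLS 1.3 (TLS 1.3 still uses 3.1 or 3.3 here)
    return (content_type == TLS_HANDSHAKE and major == 3 and minor <= 4
            and rec_len > 0 and payload[5] == CLIENT_HELLO)


def iter_tcp_payloads(pcap: bytes):
    """Yield (src, sport, dst, dport, payload) for every IPv4/TCP frame in a classic pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"          # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    offset = 24            # skip the global header
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # Ethernet, IPv4 only
            continue
        ip = frame[14:]
        if ip[9] != 6:                                       # protocol field: TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        ip = ip[:total_len]
        src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, tcp[data_off:]


def find_non_tls_on_443(pcap: bytes) -> dict:
    """Map (client, server) to the hex of the first bytes sent, for 443 flows that are not TLS."""
    judged = set()
    suspicious = {}
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        if dport != 443 or not payload:
            continue
        flow = (src, sport, dst)
        if flow in judged:
            continue       # only the first data segment of a flow decides
        judged.add(flow)
        if not looks_like_tls_client_hello(payload):
            suspicious[(src, dst)] = payload[:8].hex()
    return suspicious


def _frame(src, sport, dst, dport, payload):
    """Build one Ethernet/IPv4/TCP frame (constructed test data; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_sample_pcap() -> bytes:
    """Constructed pcap: one real-looking ClientHello to 443 and one bogus flow to 443."""
    client = "192.168.1.113"                        # infected host from this capture
    hello = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x11" * 32
    bogus = bytes(range(1, 17))                     # constructed non-TLS bytes
    frames = [
        _frame(client, 49152, "198.51.100.7", 443, hello),   # placeholder server address
        _frame(client, 49153, "203.0.113.9", 443, bogus),    # placeholder server address
        _frame(client, 49153, "203.0.113.9", 443, hello),    # later segment, must be ignored
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1470255000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for (src, dst), head in find_non_tls_on_443(build_sample_pcap()).items():
        print(f"non-TLS on 443: {src} -> {dst}, first bytes {head}")
```

To run it over the capture itself, replace `build_sample_pcap()` with the bytes of the .pcap file; only the first data segment of each client flow is judged, so a server that answers with garbage after a valid ClientHello is not reported by this check.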