Index of /publicDatasets/CTU-Malware-Capture-Botnet-169-2

[ICO]NameLast modifiedSizeDescription

[PARENTDIR]Parent Directory  -  
[   ]2016-09-02_win3.biargus2016-09-02 14:18 42M 
[   ]2016-09-02_win3.binetflow2016-09-02 14:18 43M 
[   ]2016-09-02_win3.capinfos2016-09-02 14:17 1.1K 
[   ]2016-09-02_win3.dnstop2016-09-02 14:16 25K 
[TXT]2016-09-02_win3.html2016-09-02 14:23 114M 
[   ]2016-09-02_win3.json2016-09-02 14:23 178M 
[   ]2016-09-02_win3.mitm.weblog2016-12-06 08:05 8.3M 
[   ]2016-09-02_win3.passivedns2016-09-02 14:16 436K 
[   ]2016-09-02_win3.pcap2016-08-11 23:59 247M 
[   ]2016-09-02_win3.rrd2016-08-11 23:59 8.0M 
[   ]2016-09-02_win3.tcpdstat2016-09-03 16:45 2.1K 
[   ]2016-09-02_win3.uniargus2016-12-06 08:05 56M 
[   ]2016-09-02_win3.uninetflow2016-12-06 08:05 32M 
[   ]2016-09-02_win3.weblogng2016-09-02 14:17 6.5M 
[TXT]README.html2017-01-15 16:28 2.1K 
[TXT]README.md2016-09-02 14:21 1.5K 
[DIR]bro/2017-08-31 09:45 -  
[   ]e12a2c2b633ac12cec3e0d32950dcd5011d2aba4a9b95506c0fd3913446d7c22_miuref.exe.zip2016-09-02 14:15 87K 
[TXT]fast-flux-dga-first-analysis.txt2017-01-15 16:20 381K 
[   ]mitm.out2016-08-11 17:56 190M 

Description

Files

IP Addresses

- Infected host: 192.168.1.113
- Default GW: 192.168.1.2

Timeline

Thu Aug 4 14:22:34 CEST 2016

started win3

Thu Aug 4 14:24:53 CEST 2016

infected

???? see capinfos

power off

Analysis

The malware connects to servers using the port 443/TCP, but the traffic is not TLS or SSL. We know it because the mitm proxy was complaining that the handshake was broken and when we checked, the traffic does not have the structure of SSL or TLS.