![[ICO]](/icons/blank.gif){kind=icon}
![[PARENTDIR]](/icons/back.gif){kind=icon}
![[DIR]](/icons/folder.gif){kind=icon}
![[ ]](/icons/unknown.gif){kind=icon}
![[TXT]](/icons/text.gif){kind=icon}
![[ ]](/icons/compressed.gif){kind=icon}
| Name | Last modified | Size | Description |
|---|---|---|---|---|
| Parent Directory | - | ||
| bro/ | 2017-08-31 09:45 | - | |
| 2016-09-02_win3.capinfos | 2016-09-02 14:17 | 1.1K | |
| README.md | 2016-09-02 14:21 | 1.5K | |
| 2016-09-02_win3.tcpdstat | 2016-09-03 16:45 | 2.1K | |
| README.html | 2017-01-15 16:28 | 2.1K | |
| 2016-09-02_win3.dnstop | 2016-09-02 14:16 | 25K | |
| e12a2c2b633ac12cec3e0d32950dcd5011d2aba4a9b95506c0fd3913446d7c22_miuref.exe.zip | 2016-09-02 14:15 | 87K | |
| fast-flux-dga-first-analysis.txt | 2017-01-15 16:20 | 381K | |
| 2016-09-02_win3.passivedns | 2016-09-02 14:16 | 436K | |
| 2016-09-02_win3.weblogng | 2016-09-02 14:17 | 6.5M | |
| 2016-09-02_win3.rrd | 2016-08-11 23:59 | 8.0M | |
| 2016-09-02_win3.mitm.weblog | 2016-12-06 08:05 | 8.3M | |
| 2016-09-02_win3.biargus | 2016-09-02 14:18 | 42M | |
| 2016-09-02_win3.binetflow | 2016-09-02 14:18 | 43M | |
| 2016-09-02_win3.html | 2016-09-02 14:23 | 114M | |
| 2016-09-02_win3.json | 2016-09-02 14:23 | 178M | |
| mitm.out | 2016-08-11 17:56 | 190M | |
| 2016-09-02_win3.pcap | 2016-08-11 23:59 | 247M | |
Password of zip file: infected
RobotHash
- Infected host: 192.168.1.113
- Default GW: 192.168.1.2started win3
infected
power off
The malware connects to servers using the port 443/TCP, but the traffic is not TLS or SSL. We know it because the mitm proxy was complaining that the handshake was broken and when we checked, the traffic does not have the structure of SSL or TLS.