Description

• Probable Name: Miuref
• MD5: 8dc809e0f25220e1d6b578eee2e80c33
  
• SHA1: 44a1c528c97771a3281422abbf4389bba171017d
  
• SHA256: e12a2c2b633ac12cec3e0d32950dcd5011d2aba4a9b95506c0fd3913446d7c22
  
• Password of zip file: infected
• This capture was not intercepted by the mitmproxy

• Duration: 8.13 days

• VirusTotal
• HybridAnalysis

• RobotHash

Files

• .capinfos
  • Capinfos file
• .dnstop
  • DNS top file
• .mitm
  • Mitm proxy interception file of http and https
• .passivedns
  • Passive DNS file
• .pcap
  • Original pcap file
• .rrd
  • RRD file for graphs
• .weblogng
  • WEB log of http traffic
• .exe.zip
  • Original malware file
• bro
  • Folder with all the bro output files
• .biargus
  • Argus binary file with all the flows
• .binetflow
  • Argus text file with bidirectional flows. Report time 3600 secs.
• .uniargus
  • Argus binary file. Unidirectional flows, 5s of report time.
• .uninetflow
  • Argus text file with unidirectional flows. Report time 5 secs. TAB as column separator.

IP Addresses

- Infected host: 192.168.1.114
- Default GW: 192.168.1.2

Timeline

Wed Aug 3 20:41:06 CEST 2016

started win4

Wed Aug 3 20:43:42 CEST 2016

infected

Thu Aug 11 12:59:00 CEST 2016

power off

Analysis

The malware connects to servers using the port 443/TCP, but the traffic is not TLS or SSL.