Index of /publicDatasets/CTU-Malware-Capture-Botnet-171-1

Name                                       Last modified      Size

Parent Directory                                              -
775b7139d05281094ab6434378770483.exe.zip   2016-04-05 19:39   724K
2016-05-04_capture-win7.biargus            2016-08-05 12:48   99M
2016-05-04_capture-win7.binetflow          2016-08-05 12:48   65M
2016-05-04_capture-win7.capinfos           2016-08-05 12:44   762
2016-05-04_capture-win7.dnstop             2016-08-05 12:42   2.5K
2016-05-04_capture-win7.html               2016-08-05 12:48   730K
2016-05-04_capture-win7.json               2016-08-05 12:48   814K
2016-05-04_capture-win7.passivedns         2016-08-05 12:42   11K
2016-05-04_capture-win7.pcap               2016-07-12 07:31   133M
2016-05-04_capture-win7.rrd                2016-07-12 07:31   8.0M
2016-05-04_capture-win7.tcpdstat           2016-09-03 16:45   1.8K
2016-05-04_capture-win7.weblogng           2016-08-05 12:44   604
README.html                                2017-01-13 14:20   2.4K
README.md                                  2016-05-01 12:19   1.7K
bro/                                       2017-08-31 09:45   -
do3aqb.gifv.zip                            2016-08-05 12:42   277K
fast-flux-dga-first-analysis.txt           2017-01-13 14:20   6.4K

Description

Timeline

Tue Apr 5 00:01:51 CEST 2016

started win7

Tue Apr 5 00:03:41 CEST 2016

infected

After 13 hours, it successfully connected to the C&C server.

Tue Apr 5 19:36:50 CEST 2016

I started the calculator program by hand, to see if the C&C reflects this new process.

Analysis

13:59:39.079194 IP 10.0.2.107.50424 > 77.81.104.169.14221: Flags [P.], seq 15:293, ack 1, win 64240, length 278 CONNECT=P4CK3T=FUCKBOY-9686316$^56^$11:50:22$^[taskmgr] Windows Task Manager^$WIN7$^Microsoft Windows 7 Ultimate 32-bit Desktop^$1.5$^04-05-2016^$N/A$^425d804aa328d98d348f6474b46b914630d5fdfe4b686b3d93ce1a54ef43c3a1^$FUCKBOY$^N^$8_=_8

13:59:39.847525 IP 77.81.104.169.14221 > 10.0.2.107.50424: Flags [P.], seq 1:157, ack 293, win 65535, length 156 C=P4CK3T=1TR4MPanq=()=4TR4MPSTOP=()=6TR4MPN=()=9TR4MP20408|13101|10472|48206|78356|78674|49580|64029|=()=10TR4MPhttp://files.catbox.moe/do3aqb.gifv=()=8_=8SEARCHLOGS=P4CK3T=paypal8=_8

We downloaded this file from outside the VM: do3aqb.gifv

Sun May 1 12:15:24 CEST 2016

I restarted after several weeks to see if the malware activates again. It came alive again! So we will wait...