Index of /publicDatasets/CTU-Malware-Capture-Botnet-183-1

	Name	Last modified	Size	Description
	Parent Directory		-
	4adfc91f1cc5545b6903a300d11dd3b0.exe.zip	2016-09-04 20:37	178K
	2016-07-29_win.biargus	2016-09-04 20:20	67K
	2016-07-29_win.binetflow	2016-09-04 20:20	68K
	2016-07-29_win.capinfos	2016-09-04 20:19	1.1K
	2016-07-29_win.dnstop	2016-09-04 20:19	11K
	2016-07-29_win.html	2016-09-04 20:19	1.5M
	2016-07-29_win.json	2016-09-04 20:19	3.0M
	2016-07-29_win.passivedns	2016-09-04 20:19	16K
	2016-07-29_win.pcap	2016-07-29 14:10	1.1M
	2016-07-29_win.rrd	2016-07-29 14:11	8.0M
	2016-07-29_win.tcpdstat	2016-09-04 20:19	1.9K
	2016-07-29_win.weblogng	2016-09-04 20:19	3.0K
	README.html	2017-01-13 14:10	2.0K
	README.md	2016-09-04 20:24	1.4K
	bro/	2017-08-31 09:45	-
	fast-flux-dga-first-analysis.txt	2017-01-13 14:10	23K

Description

• Probable Name: Locky Ransomware
• MD5: 4adfc91f1cc5545b6903a300d11dd3b0
  
• SHA1: eda7667e1081397ba43ccc5d6ba6d76434e05403
  
• SHA256: 35a9ffbbe20f8d4ed483916e15052df53714b7d5fb57fa0326cd0b138c4b73a6
  
• Password of zip file: infected
• Duration: 00:10:44

• It is possible that mitm proxy was configured in the windows machine

• VirusTotal
• HybridAnalysis

• RobotHash

Files

• .capinfos
  • Capinfos file
• .dnstop
  • DNS top file
• .mitm
  • Mitm proxy interception file of http and https
• .passivedns
  • Passive DNS file
• .pcap
  • Original pcap file
• .rrd
  • RRD file for graphs
• .weblogng
  • WEB log of http traffic
• .exe.zip
  • Original malware file
• bro
  • Folder with all the bro output files
• .biargus
  • Argus binary file with all the flows
• .binetflow
  • Argus text file with bidirectional flows. Report time 3600 secs.

IP Addresses

- Infected host: 192.168.1.102
- Default GW: 192.168.1.1

Timeline

Fri Jul 29 13:59:45 CEST 2016

Started win normal 3

Fri Jul 29 14:00:56 CEST 2016

infected

Fri Jul 29 14:11:20 CEST 2016

poweroff