Index of /publicDatasets/CTU-Malware-Capture-Botnet-184-1

	Name	Last modified	Size	Description
	Parent Directory		-
	fast-flux-dga-first-analysis.txt	2017-01-24 10:17	62K
	bro/	2017-08-31 09:45	-
	README.md	2016-09-04 20:54	1.5K
	README.html	2017-01-24 10:17	2.1K
	2016-07-29_winn3.weblogng	2017-01-24 10:17	60K
	2016-07-29_winn3.tcpdstat	2017-01-24 10:17	2.1K
	2016-07-29_winn3.rrd	2016-07-30 14:16	8.0M
	2016-07-29_winn3.pcap	2016-07-30 14:16	55M
	2016-07-29_winn3.passivedns	2017-01-24 10:17	26K
	2016-07-29_winn3.json	2016-09-04 20:42	137M
	2016-07-29_winn3.html	2016-09-04 20:42	63M
	2016-07-29_winn3.dnstop	2017-01-24 10:17	10K
	2016-07-29_winn3.capinfos	2017-01-24 10:17	1.1K
	2016-07-29_winn3.binetflow	2017-01-24 10:17	1.3M
	2016-07-29_winn3.biargus	2017-01-24 10:17	2.4M
	34db7f97e0856941ed9c35716700d2a6.exe.zip	2016-09-04 20:40	147K

Description

• Probable Name: Cerber Ransomware
• MD5: 34db7f97e0856941ed9c35716700d2a6
  
• SHA1: f75166ac6fe6a4e191dff9196de726b0ac84b26c
  
• SHA256: d8116ef5a1ac50c41688c9d756389697e2866a763c779cf5e6939a205ba49c88
  
• Password of zip file: infected
• Duration: 23:54:50

• Executed in a normal windows computer with Adobe software. Beware that some connections are normal and not generated by he malware.

• VirusTotal
• HybridAnalysis

• RobotHash

Files

• .capinfos
  • Capinfos file
• .dnstop
  • DNS top file
• .mitm
  • Mitm proxy interception file of http and https
• .passivedns
  • Passive DNS file
• .pcap
  • Original pcap file
• .rrd
  • RRD file for graphs
• .weblogng
  • WEB log of http traffic
• .exe.zip
  • Original malware file
• bro
  • Folder with all the bro output files
• .biargus
  • Argus binary file with all the flows
• .binetflow
  • Argus text file with bidirectional flows. Report time 3600 secs.

IP Addresses

- Infected host: 192.168.1.102
- Default GW: 192.168.1.1

Timeline

Fri Jul 29 14:21:24 CEST 2016

started win normal 3

Fri Jul 29 14:23:09 CEST 2016

infected

Connected to 31.184.235.246

Sat Jul 30 14:16:14 CEST 2016

power off