Name | Last modified | Size | Description
---|---|---|---
Parent Directory | - | |
2016-09-09_win1.biargus | 2016-09-09 11:01 | 3.0M |
2016-09-09_win1.binetflow | 2016-09-09 11:01 | 2.9M |
2016-09-09_win1.capinfos | 2016-09-09 11:00 | 1.1K |
2016-09-09_win1.dnstop | 2016-09-09 11:00 | 6.2K |
2016-09-09_win1.mitm.weblog | 2016-12-05 22:14 | 22K |
2016-09-09_win1.passivedns | 2016-09-09 11:00 | 9.3K |
2016-09-09_win1.pcap | 2016-09-09 10:58 | 5.7M |
2016-09-09_win1.rrd | 2016-09-09 10:59 | 8.0M |
2016-09-09_win1.tcpdstat | 2016-09-09 11:00 | 1.9K |
2016-09-09_win1.weblog | 2016-09-09 11:02 | 20K |
2016-09-09_win1.weblogng | 2016-09-09 11:00 | 425K |
README.html | 2017-01-13 14:10 | 3.1K |
README.md | 2016-09-20 22:13 | 2.5K |
bro/ | 2017-08-31 09:45 | - |
eb57bcc950cdbfe87743a6335a19aeced27cd9b800da01cd5cf899c7881d6af6.exe.zip | 2016-09-09 11:00 | 7.5M |
fast-flux-dga-first-analysis.txt | 2017-01-13 14:10 | 12K |
mitm.out | 2016-09-09 10:15 | 949K |
Capture generated with a transparent mitmproxy.

RobotHash

- Infected host: 192.168.1.112
- Default GW: 192.168.1.2
Started win2.
Infected.
Clicked on the Finish button.
I think it had some issues with the mitmproxy, maybe some of the connections were not SSL?
Some of the packets were like this:

```
1970/01/01 01:02:05.190926,1.811655,tcp,192.168.1.112,49201, ->,76.72.165.63,80,FSRPA_FSPA,0,0,15,1267,575,s[185]=HTTP/1.1 005..VERSION: 4.0..PLATFORM: 10..IPADDRESS: 192.168.1.112....HTTP/1.1 051..VER: 7.1.0.0..OBJ: 1..FUNC: 1..NAME: WIN1..ACC: dgardonio@mail.com..SRV: 76.72.165.63..PRODUCT: 0....,d[224]=HTTP/1.1 005..VERSION: 4.0..PLATFORM: 9..IPADDRESS: 76.72.165.63....HTTP/1.1 052..SERVER_NUM: 0..PROXY_IP: 76.72.165.119..PORT: 443..NEXTTIME: 12....HTTP/1.1 003..ERRORLOCATION: TacsCustomProtocol.ReceiveAndProcessData:1....,,s[185]=HTTP/1.1 005..VERSION: 4.0..PLATFORM: 10..IPADDRESS: 192.168.1.112....HTTP/1.1 051..VER: 7.1.0.0..OBJ: 1..FUNC: 1..NAME: WIN1..ACC: dgardonio@mail.com..SRV: 76.72.165.63..PRODUCT: 0....,d[224]=HTTP/1.1 005..VERSION: 4.0..PLATFORM: 9..IPADDRESS: 76.72.165.63....HTTP/1.1 052..SERVER_NUM: 0..PROXY_IP: 76.72.165.119..PORT: 443..NEXTTIME: 12....HTTP/1.1 003..ERRORLOCATION: TacsCustomProtocol.ReceiveAndProcessDa
```

Power off.