Index of /publicDatasets/CTU-Malware-Capture-Botnet-185-1

| Name | Last modified | Size |
| --- | --- | --- |
| bro/ | 2017-08-31 09:45 | - |
| 2016-09-09_win1.capinfos | 2016-09-09 11:00 | 1.1K |
| 2016-09-09_win1.tcpdstat | 2016-09-09 11:00 | 1.9K |
| README.md | 2016-09-20 22:13 | 2.5K |
| README.html | 2017-01-13 14:10 | 3.1K |
| 2016-09-09_win1.dnstop | 2016-09-09 11:00 | 6.2K |
| 2016-09-09_win1.passivedns | 2016-09-09 11:00 | 9.3K |
| fast-flux-dga-first-analysis.txt | 2017-01-13 14:10 | 12K |
| 2016-09-09_win1.weblog | 2016-09-09 11:02 | 20K |
| 2016-09-09_win1.mitm.weblog | 2016-12-05 22:14 | 22K |
| 2016-09-09_win1.weblogng | 2016-09-09 11:00 | 425K |
| mitm.out | 2016-09-09 10:15 | 949K |
| 2016-09-09_win1.binetflow | 2016-09-09 11:01 | 2.9M |
| 2016-09-09_win1.biargus | 2016-09-09 11:01 | 3.0M |
| 2016-09-09_win1.pcap | 2016-09-09 10:58 | 5.7M |
| eb57bcc950cdbfe87743a6335a19aeced27cd9b800da01cd5cf899c7881d6af6.exe.zip | 2016-09-09 11:00 | 7.5M |
| 2016-09-09_win1.rrd | 2016-09-09 10:59 | 8.0M |

Description

Files

IP Addresses

- Infected host: 192.168.1.112
- Default GW: 192.168.1.2

Timeline

Fri Sep 9 10:12:47 CEST 2016

started win2

Fri Sep 9 10:13:50 CEST 2016

infected

Clicked on the Finish button

I think it had some issues with the mitmproxy, maybe some of the connections were not SSL?

Some of the packets were like this:

1970/01/01 01:02:05.190926,1.811655,tcp,192.168.1.112,49201, ->,76.72.165.63,80,FSRPA_FSPA,0,0,15,1267,575,s[185]=HTTP/1.1 005..VERSION: 4.0..PLATFORM: 10..IPADDRESS: 192.168.1.112....HTTP/1.1 051..VER: 7.1.0.0..OBJ: 1..FUNC: 1..NAME: WIN1..ACC: dgardonio@mail.com..SRV: 76.72.165.63..PRODUCT: 0....,d[224]=HTTP/1.1 005..VERSION: 4.0..PLATFORM: 9..IPADDRESS: 76.72.165.63....HTTP/1.1 052..SERVER_NUM: 0..PROXY_IP: 76.72.165.119..PORT: 443..NEXTTIME: 12....HTTP/1.1 003..ERRORLOCATION: TacsCustomProtocol.ReceiveAndProcessData:1....,,s[185]=HTTP/1.1 005..VERSION: 4.0..PLATFORM: 10..IPADDRESS: 192.168.1.112....HTTP/1.1 051..VER: 7.1.0.0..OBJ: 1..FUNC: 1..NAME: WIN1..ACC: dgardonio@mail.com..SRV: 76.72.165.63..PRODUCT: 0....,d[224]=HTTP/1.1 005..VERSION: 4.0..PLATFORM: 9..IPADDRESS: 76.72.165.63....HTTP/1.1 052..SERVER_NUM: 0..PROXY_IP: 76.72.165.119..PORT: 443..NEXTTIME: 12....HTTP/1.1 003..ERRORLOCATION: TacsCustomProtocol.ReceiveAndProcessDa

Fri Sep 9 10:58:29 CEST 2016

power off