Index of /publicDatasets/CTU-Malware-Capture-Botnet-186-1

Name	Last modified	Size

Parent Directory		-
99b84137b5b8b3c522414e332526785e506ed2dbe557eafc40a7bcf47b623d88.exe.zip	2016-09-14 14:23	726K
2016-09-14_win18.biargus	2016-09-14 14:30	1.6M
2016-09-14_win18.binetflow	2016-09-14 14:30	1.6M
2016-09-14_win18.capinfos	2016-09-14 14:26	1.1K
2016-09-14_win18.dnstop	2016-09-14 14:26	22K
2016-09-14_win18.html	2016-09-14 14:25	8.3M
2016-09-14_win18.json	2016-09-14 14:25	15M
2016-09-14_win18.mitm.weblog	2016-12-05 22:14	892K
2016-09-14_win18.passivedns	2016-09-14 14:26	56K
2016-09-14_win18.pcap	2016-09-14 14:21	46M
2016-09-14_win18.rrd	2016-09-14 14:21	8.0M
2016-09-14_win18.tcpdstat	2016-09-14 14:26	2.0K
2016-09-14_win18.weblogng	2016-09-14 14:26	208K
README.html	2017-01-13 14:10	4.2K
README.md	2016-09-14 14:30	2.7K
bro/	2017-08-31 09:45	-
fast-flux-dga-first-analysis.txt	2017-01-13 14:10	91K
mitm.out	2016-09-14 14:14	45M

Description

Probable Name: A normal computer that is infected later with the malware
MD5: 54d07ec77e3daaf32b2ba400f34dd370
SHA1: 3a99641ba00047e1be23dfae4fcf6242b8b8eb10
SHA256: 99b84137b5b8b3c522414e332526785e506ed2dbe557eafc40a7bcf47b623d88
Password of zip file: infected
Duration: 02:11:56
VirusTotal
HybridAnalysis
RobotHash

Files

.capinfos
- Capinfos file
.dnstop
- DNS top file
.mitm
- Mitm proxy interception file of http and https
.passivedns
- Passive DNS file
.pcap
- Original pcap file
.rrd
- RRD file for graphs
.weblogng
- WEB log of http traffic
.exe.zip
- Original malware file
bro
- Folder with all the bro output files
.biargus
- Argus binary file with all the flows
.binetflow
- Argus text file with bidirectional flows. Report time 3600 secs.

IP Addresses

- Infected host: 192.168.1.128
- Default GW: 192.168.1.2

Timeline

Wed Sep 14 12:09:17 CEST 2016

started win18

Wed Sep 14 12:11:54 CEST 2016

started ie

Wed Sep 14 12:12:06 CEST 2016

www.google.com

Wed Sep 14 12:12:22 CEST 2016

search "my normal behavior"

Wed Sep 14 12:12:42 CEST 2016

www.healthychildren.org

Wed Sep 14 12:13:12 CEST 2016

search videos about behavior in bing

Wed Sep 14 12:13:26 CEST 2016

access a youtube video

Wed Sep 14 12:15:16 CEST 2016

Click a link in healthychildren.org

Wed Sep 14 12:15:54 CEST 2016

click on www.officialmbmusic.com from bing

Wed Sep 14 12:19:27 CEST 2016

clicks on healthchildre

Wed Sep 14 12:20:13 CEST 2016

click on a video on officialmusic

Wed Sep 14 12:21:50 CEST 2016

search on bing "twitter behavior"

Wed Sep 14 12:22:06 CEST 2016

click on link to a twitter account

Wed Sep 14 12:23:18 CEST 2016

more clicks on healthchildren

Wed Sep 14 12:40:27 CEST 2016

go for lunch

Wed Sep 14 13:48:27 CEST 2016

click more on web pages normally Specially in wikipedia, some twitters accounts

Infection

Wed Sep 14 13:55:18 CEST 2016

infected

Wed Sep 14 14:00:57 CEST 2016

Normal activities in the web page some requests to facebook

Wed Sep 14 14:05:25 CEST 2016

Normal from twitter open a site in france

Wed Sep 14 14:07:44 CEST 2016

normal click from twitter to vimeo

Wed Sep 14 14:10:12 CEST 2016

From now on, no more normal clicks and interactions. Just what is already opened.

Wed Sep 14 14:21:11 CEST 2016

power off