Index of /publicDatasets/CTU-Malware-Capture-Botnet-187-1

	Name	Last modified	Size	Description
	Parent Directory		-
	bro/	2017-08-31 09:45	-
	2016-09-19_win1.weblogng	2016-09-19 15:53	232
	2016-09-19_win1.capinfos	2016-09-19 15:53	1.1K
	README.md	2016-09-19 16:30	1.4K
	2016-09-19_win1.tcpdstat	2016-09-19 15:53	2.0K
	README.html	2017-01-13 14:10	2.0K
	2016-09-19_win1.passivedns	2016-09-19 15:53	3.5K
	2016-09-19_win1.dnstop	2016-09-19 15:53	6.1K
	fast-flux-dga-first-analysis.txt	2017-01-13 14:10	10K
	2016-09-19_win1.mitm.weblog	2016-12-05 22:14	15K
	mitm.out	2016-09-06 18:50	673K
	daf0b1d58c8b8fd7d08bc237c5cdb31d.exe.zip	2016-09-19 15:55	760K
	2016-09-19_win1.rrd	2016-09-19 15:38	8.0M
	2016-09-19_win1.biargus	2016-09-19 16:18	18M
	2016-09-19_win1.binetflow	2016-09-19 16:18	20M
	2016-09-19_win1.pcap	2016-09-19 15:26	58M

Description

• Probable Name: Trojan LuminosityLink
• MD5: daf0b1d58c8b8fd7d08bc237c5cdb31d
• SHA1: 9d2daf868b8638fb8b35102d6a3f716561838bfb
• SHA256: 9a3427871fa6383e3395a6f366d0575e8a2a7baa794ac16c1f35769a9b27e506
  
• Password of zip file: infected

• Duration: 12 days 22:26:38

• VirusTotal
• HybridAnalysis

• RobotHash

Files

• .capinfos
  • Capinfos file
• .dnstop
  • DNS top file
• .mitm
  • Mitm proxy interception file of http and https
• .passivedns
  • Passive DNS file
• .pcap
  • Original pcap file
• .rrd
  • RRD file for graphs
• .weblogng
  • WEB log of http traffic
• .exe.zip
  • Original malware file
• bro
  • Folder with all the bro output files
• .biargus
  • Argus binary file with all the flows
• .binetflow
  • Argus text file with bidirectional flows. Report time 3600 secs.

IP Addresses

- Infected host: 192.168.1.110
- Default GW: 192.168.1.2

Timeline

Tue Sep 6 16:59:20 CEST 2016

started win1

Check if we used IE to google

Tue Sep 6 17:19:39 CEST 2016

infected

Mon Sep 19 15:25:58 CEST 2016

power off