Index of /publicDatasets/CTU-Malware-Capture-Botnet-188-2

	Name	Last modified	Size	Description
	Parent Directory		-
	2016-09-22_win3.pcap	2016-09-22 19:59	171M
	2016-09-22_win3.rdd	2016-09-22 19:59	8.0M
	2016-09-22_win3.dnstop	2016-09-22 20:18	13K
	2016-09-22_win3.passivedns	2016-09-22 20:18	33K
	2016-09-22_win3.capinfos	2016-09-22 20:19	1.1K
	2016-09-22_win3.weblogng	2016-09-22 20:19	13K
	2016-09-22_win3.tcpdstat	2016-09-22 20:19	2.1K
	48616dd47e12e369feef53a57830158a.exe.zip	2016-09-22 20:21	7.5M
	2016-09-22_win3.json	2016-09-22 20:26	2.5M
	2016-09-22_win3.html	2016-09-22 20:26	1.5M
	2016-09-22_win3.biargus	2016-09-22 20:39	23M
	2016-09-22_win3.binetflow	2016-09-22 20:39	25M
	fast-flux-dga-first-analysis.txt	2017-01-15 16:19	49K
	README.html	2017-01-15 16:28	2.2K
	README.md	2017-03-10 13:50	1.5K
	bro/	2017-08-31 09:45	-

Description

• Probable Name: Trojan.Rasftuby?
• MD5: 48616dd47e12e369feef53a57830158a
  
• SHA1: e411689b8c9192b421b9864087f8b7bf91491465
  
• SHA256: eb57bcc950cdbfe87743a6335a19aeced27cd9b800da01cd5cf899c7881d6af6
  
• Password of zip file: infected

• Duration: 13 days 08:28:34

• VirusTotal
• HybridAnalysis

• RobotHash

Files

• .capinfos
  • Capinfos file
• .dnstop
  • DNS top file
• .mitm
  • Mitm proxy interception file of http and https
• .passivedns
  • Passive DNS file
• .pcap
  • Original pcap file
• .rrd
  • RRD file for graphs
• .weblogng
  • WEB log of http traffic
• .exe.zip
  • Original malware file
• bro
  • Folder with all the bro output files
• .biargus
  • Argus binary file with all the flows
• .binetflow
  • Argus text file with bidirectional flows. Report time 3600 secs.

IP Addresses

- Infected host: 192.168.1.113
- Default GW: 192.168.1.2

Timeline

Fri Sep 9 11:30:46 CEST 2016

started win3

Fri Sep 9 11:31:28 CEST 2016

infected

This time the Flash sign is correct and giving options

Fri Sep 9 11:32:44 CEST 2016

Click on "Allow adobe to install updates"

Fri Sep 9 11:34:54 CEST 2016

Click on Finished

Thu Sep 22 19:58:45 CEST 2016

power off