Description

• Probable Name: Vawtrak
• MD5: 9597fc80f793bbeceed69be9b1344fdb
  
• SHA1: b05fe3053fe4e98055a060793c0fd6fd7f7b5f59
  
• SHA256: a32468ee49dad05def0fabc79b44b053490d8ff663ee95007d61bb47a7024bc7
  
• Password of zip file: infected

• Duration : 24 days 03:52:22.

• VirusTotal
• HybridAnalysis

• RobotHash

Files

• .capinfos
  • Capinfos file
• .dnstop
  • DNS top file
• .mitm
  • Mitm proxy interception file of http and https
• .passivedns
  • Passive DNS file
• .pcap
  • Original pcap file
• .rrd
  • RRD file for graphs
• .weblogng
  • WEB log of http traffic
• .exe.zip
  • Original malware file
• bro
  • Folder with all the bro output files
• .biargus
  • Argus binary file with all the flows
• .binetflow
  • Argus text file with bidirectional flows. Report time 3600 secs.

IP Addresses

- Infected host: 192.168.1.117
- Default GW: 192.168.1.2

Timeline

Fri Sep 2 13:46:18 CEST 2016

started win7

Fri Sep 2 13:48:04 CEST 2016

executed the malware
nothing happended

Fri Sep 2 13:50:28 CEST 2016

executed the malware
nothing happended

Fri Sep 2 13:53:31 CEST 2016

start IE
The malware started alone!!!

The bot connected to a 443 port, but the domain is sinkholed sinkhole-01.sinkhole.tech

Mon Sep 26 17:37:37 CEST 2016

power off