Index of /publicDatasets/CTU-Malware-Capture-Botnet-192-4

	Name	Last modified	Size	Description
	Parent Directory		-
	2016-12-26_win17.biargus	2016-12-26 15:59	2.8M
	2016-12-26_win17.binetflow	2016-12-26 15:59	1.6M
	2016-12-26_win17.capinfos	2016-12-26 15:59	1.1K
	2016-12-26_win17.dnstop	2016-12-26 15:59	2.7K
	2016-12-26_win17.html	2016-12-26 16:03	353K
	2016-12-26_win17.json	2016-12-26 16:03	2.5K
	2016-12-26_win17.mitm.weblog	2016-12-26 15:59	287
	2016-12-26_win17.passivedns	2016-12-26 15:59	1.4K
	2016-12-26_win17.pcap	2016-12-26 15:53	36M
	2016-12-26_win17.rrd	2016-12-26 15:54	8.0M
	2016-12-26_win17.tcpdstat	2016-12-26 15:59	1.9K
	2016-12-26_win17.weblogng	2016-12-26 15:59	33K
	1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe.zip	2016-12-26 16:02	393K
	CTU-Malware-Capture-Botnet-192-4/	2022-01-30 12:06	-
	README.html	2016-12-26 16:02	3.2K
	README.md	2016-12-26 16:02	2.5K
	bro/	2016-12-26 15:59	-
	mitm.out	2016-12-21 23:51	0

Description

• Probable Name: RemoteAdmin.Ammyy
• MD5: 11bc606269a161555431bacf37f7c1e4
• SHA1: 63c52b0ac68ab7464e2cd777442a5807db9b5383
• SHA256: 1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed
• Password of zip file: infected

• Duration: 4 days 16:02:42

• VirusTotal
• HybridAnalysis

• RobotHash

Files

• .capinfos
  • Capinfos file
• .dnstop
  • DNS top file
• mitm.out
  • Mitm proxy interception file of http and https
• .mitm.weblog
  • This is the HTTP and HTTPS web log that includes Labels. This is the preferred file for web analysis.
  • This file includes a header with the columns names. There are two new columns defined by us:
    • Column id: This number is unique for all the weblogs generated inside the same TCP connection. When a TCP connection is opened and several GET/POST, etc., requests are made inside it, all of them are assigned the same Id in this file.
    • Column timestamp_end: This is the timestamp when the weblog ended. If you use this with the id column you can compute the total duration of the TCP connection that generated all the weblogs. Similar to the duration of a hypothetical CONNECT request if this would have been done using a proxy.
• .passivedns
  • Passive DNS file
• .pcap
  • Original pcap file
• .rrd
  • RRD file for graphs
• .weblogng
  • WEB log of http traffic only. Generated with justsniffer
• .exe.zip
  • Original malware file
• bro
  • Folder with all the bro output files
• .biargus
  • Argus binary file. Bidirectional flows, 3600s of report time.
• .binetflow
  • Argus text file with bidirectional flows. Report time 3600 secs.
• .uniargus
  • Argus binary file. Unidirectional flows, 5s of report time.
• .uninetflow
  • Argus text file with unidirectional flows. Report time 5 secs. TAB as column separator.

IP Addresses

- Infected host: 192.168.1.127
- Default GW: 192.168.1.2

Timeline

Wed Dec 21 23:51:37 CET 2016

started win17

Wed Dec 21 23:53:16 CET 2016

infected

The program is a type of remote desktop, so it connects to its server on port 443. But since it is a remote administration tool, the content in port 443 is not SSL/TLS, is custom.

Mon Dec 26 15:53:57 CET 2016

power off