CapTipper Report

PCAP File	Analysis Time	CapTipper Version	Traffic Time
/opt/Malware-Project/BigDataset/Scenarios/CTU-Malware-Capture-Botnet-202-1//2016-11-17_win20.pcap	11/17/16 19:23:43	0.2 b10	06/03/87 13:10:29

Conversations

ocsp.verisign.com (23.37.43.27:80)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D

application/ocsp-response

MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D

200 OK

BINARY

1.7 KB

06/03/87 13:10:29

MIIG3QoBAKCCBtYwggbSBgkrBgEFBQcwAQEEggbDMIIGvzCBnqIWBBRsBrJUwyM0GKS6Y81LFqrw ACAq9BgPMjAxNjExMDYwOTM5MzNaMHMwcTBJMAkGBSsOAwIaBQAEFLnpsocChQP47KX7QuE+D0nH JCbiBBR/02Wnwt3su/AwCfNDOfoCrzMxMwIQUgDlqiVW/BqG7ZbJ1Eszx4AAGA8yMDE2MTEwNjA5 MzkzM1qgERgPMjAxNjExMTMwOTM5MzNaMA0GCSqGSIb3DQEBBQUAA4IBAQDmNd6fZToIsvxQx0sA AU1nKg79A9UC6B87KJXgdSPlu/pql/yE3jws5hbSkMtVZuhrdFwDws92UxoVF+uYAzaAC39NDqJV sUg7rYYtremXWvtMNSCcnaPKc+44HsKvnwRkpdfStgjgAmb086/E+z45c4Ha5VzPSVRaJ8qypMIy 9KmDZhFZr8j9yRfAoan4GTOv2MJOe6yZFx6k4Rpz4aZDvqX1IKjLdg8pzNQP/iy80MmkrhJIbSga r3pBqKGPNQi+sa2EjzRhq/WzkllG9GH/i64PlCQKBNvDM7rWEsfXtJtSeIg8lNkVEtI2Uehso2O8 GSG2y38HX45xn0vV90MRoIIFBjCCBQIwggT+MIID5qADAgECAhAgkTfpJMdU3zTjH7IawnUDMA0G CSqGSIb3DQEBBQUAMIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAd BgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA2IFZlcmlTaWdu LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWduIENsYXNz IDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHNTAeFw0xNTExMjQw MDAwMDBaFw0xNjEyMTQyMzU5NTlaMIGOMQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMg Q29ycG9yYXRpb24xHzAdBgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxPzA9BgNVBAMTNlN5 bWFudGVjIENsYXNzIDMgUENBIC0gRzUgT0NTUCBSZXNwb25kZXIgQ2VydGlmaWNhdGUgNDCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPAvrIpD424MplJSZC1H+wttQgDXD23mMFHY/15m +ZVB8rkLYXa2OfaswNM/UYEEKPdqKPvTJIkRUIWcP1t2FxES1Dn2IP3O83XF9pDgdhnxLTxs1I37 C167WuRDu2azVheyvSQ35tXlBIf7HtABFvftRwVEHsi4mQZAVHuj2r+vnHyhl5htc1b8iqd75nEU zpcyAtd5wfypBra36Bm5jerZ+yLldZdk53ANJS7q6StVsEmFMIeQMJV4+C1gqZRZadqkBv02nGx3 PKfZowdOzGtcuwyG1cFdc4u+oE/IuJogMKvWtqZUSLxjQvxR8VqJqBh9EeuPcO0xpsb9fz4yILEC AwEAAaOCARgwggEUMAwGA1UdEwEB/wQCMAAwbAYDVR0gBGUwYzBhBgtghkgBhvhFAQcXAzBSMCYG CCsGAQUFBwIBFhpodHRwOi8vd3d3LnN5bWF1dGguY29tL2NwczAoBggrBgEFBQcCAjAcGhpodHRw Oi8vd3d3LnN5bWF1dGguY29tL3JwYTATBgNVHSUEDDAKBggrBgEFBQcDCTAOBgNVHQ8BAf8EBAMC B4AwDwYJKwYBBQUHMAEFBAIFADAgBgNVHREEGTAXpBUwEzERMA8GA1UEAxMIVEdWLUMtNjAwHQYD VR0OBBYEFGwGslTDIzQYpLpjzUsWqvAAICr0MB8GA1UdIwQYMBaAFH/TZafC3ey78DAJ80M5+gKv MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCb+InmcUwcj6qbsFIGxLWJDO3RdaElTevS9Fk2BY+DcP4S 2sGBkc+NL+p2oovgJuse3lfz5W3ZefxBfkzLWppfAzotuqjWGJ0RUIkd7/pQ3hoC18CZjvcZen/F GwljxoTFiZ0asiQ+O8031YEyH9zezCpN7nrME/GYTyQhAUfpdjUPSSfWBqx4QEtpBY8jZHdWSzKy 1e80oh4Gg4PydWtZRg3DtnJkGHxu+w2TPWFct08MHIwVR9YeFRkOaCqXU4IVmoH1aG5hvIISO/Om L0UIeqjdcREZge1F9nt7eeLWU3FC3hMSriFSx4cso7MCAhJ82PQ33XgLev2x3GkchPz7

Download
SHA256	1ad8adf02beb8bc490566b48cf15385b37b4868442c5da6a086d723d589f750b
Referer
Magic	Inconclusive. Probably binary (BINARY)
Request	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1 Cache-Control: max-age = 486600 Connection: Keep-Alive Accept: / If-Modified-Since: Sun, 12 May 2013 06:56:34 GMT User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com
Response Header	HTTP/1.1 200 OK Server: nginx/1.4.7 Content-Type: application/ocsp-response Content-Length: 1761 content-transfer-encoding: binary Cache-Control: max-age=415182, public, no-transform, must-revalidate Last-Modified: Sun, 6 Nov 2016 09:39:33 GMT Expires: Sun, 13 Nov 2016 09:39:33 GMT Date: Tue, 08 Nov 2016 14:23:24 GMT Connection: keep-alive
HEX Peek (128 B)	0000 30 82 06 DD 0A 01 00 A0 82 06 D6 30 82 06 D2 06 0..........0.... 0010 09 2B 06 01 05 05 07 30 01 01 04 82 06 C3 30 82 .+.....0......0. 0020 06 BF 30 81 9E A2 16 04 14 6C 06 B2 54 C3 23 34 ..0......l..T.#4 0030 18 A4 BA 63 CD 4B 16 AA F0 00 20 2A F4 18 0F 32 ...c.K.... *...2 0040 30 31 36 31 31 30 36 30 39 33 39 33 33 5A 30 73 0161106093933Z0s 0050 30 71 30 49 30 09 06 05 2B 0E 03 02 1A 05 00 04 0q0I0...+....... 0060 14 B9 E9 B2 87 02 85 03 F8 EC A5 FB 42 E1 3E 0F ............B.>. 0070 49 C7 24 26 E2 04 14 7F D3 65 A7 C2 DD EC BB F0 I.$&.....e......

/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEF302%2FCXSncz5DqqWgn8tVw%3D

application/ocsp-response

MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEF302%2FCXSncz5DqqWgn8tVw%3D

200 OK

BINARY

1.7 KB

06/06/87 01:08:55

MIIGuQoBAKCCBrIwggauBgkrBgEFBQcwAQEEggafMIIGmzCBnqIWBBQaXftbK6dB+XwxvnJDX0ga NUa3kBgPMjAxNjExMDgwMzA3MDFaMHMwcTBJMAkGBSsOAwIaBQAEFNKpkwbkzxMD2t3ORsKc3C4w B3lWBBTPmanqeyb0S8mOj9fwBSbv49KnnQIQXfTb8JdKdzPkOqpaCfy1XIAAGA8yMDE2MTEwODAz MDcwMVqgERgPMjAxNjExMTUwMzA3MDFaMA0GCSqGSIb3DQEBBQUAA4IBAQAjvrXfCrpTJsJVW+i0 EBviXvGSp7zIPuvAiIEOzg/Dq341L1oZCLrPdiJT5rn5NDc3fYqQ2tkGFGWTb8UJQnOkuCp7CRK7 La3DowzZIopkgZ5F+w2D5n+0q2S50HCRmnYFRqpJzVIU6E33xMW9N6JjfcNGov04haUd4XhGQ2An OuHmImAJKYM3BB51b81V/ZZBiJKYujkfx9eWIysIsS2Gv2apRUQZhKnmQvdU1ka0VMLS9La7HufV SF5/3U/xq2zWSfatlC955tlvEj9LoJAKca+B3u4oO9xULlW/gWIIRHJj4KWBg/jjRsPWfYxZp9ib b2XO30cVgdBZ1WQfI47LoIIE4jCCBN4wggTaMIIDwqADAgECAhAYM+4FLY+9g47Oika8kujPMA0G CSqGSIb3DQEBBQUAMIG0MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAd BgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOzA5BgNVBAsTMlRlcm1zIG9mIHVzZSBhdCBo dHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhIChjKTEwMS4wLAYDVQQDEyVWZXJpU2lnbiBDbGFz cyAzIENvZGUgU2lnbmluZyAyMDEwIENBMB4XDTE2MDkyODAwMDAwMFoXDTE2MTIyNzIzNTk1OVow gYMxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNp Z24gVHJ1c3QgTmV0d29yazE6MDgGA1UEAxMxVmVyaVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcg MjAxMCBPQ1NQIFJlc3BvbmRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMezMENU U83Bw+GMRDfZPa9zL9GufPOpUPmamG1T/tXBl4Ms6iwpgz9DuLNyOLlI0MrPXfqAGbhStSaUk86i I5O1fQlbRzhDwXxQDFoCCNhb3amR+hayo55Z7m2EnzUJxpgj2nt5cF5kO4fZXuw9Y359UDWrELzX Hz0wywTXVZwXGCIhap4xFCjhUaIapW7yu6/jTzMCLTrAUuo7GxBBAvn6Dp/YDIf57tkfgwyMfZbF 2JSV661KTofsMUWLlZu6SaESIad5tTp1qEp3x/dTtwYBHpmLOMJz6dlQ/KJkErmPsKb9na4gqOl0 0HXfDxK9stRYqGNNo6SqTjofImEry+ECAwEAAaOCARUwggERMAkGA1UdEwQCMAAwgawGA1UdIASB pDCBoTCBngYLYIZIAYb4RQEHFwMwgY4wKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWdu LmNvbS9DUFMwYgYIKwYBBQUHAgIwVjAVFg5WZXJpU2lnbiwgSW5jLjADAgEBGj1WZXJpU2lnbidz IENQUyBpbmNvcnAuIGJ5IHJlZmVyZW5jZSBsaWFiLiBsdGQuIChjKTk3IFZlcmlTaWduMBMGA1Ud JQQMMAoGCCsGAQUFBwMJMAsGA1UdDwQEAwIHgDAPBgkrBgEFBQcwAQUEAgUAMCIGA1UdEQQbMBmk FzAVMRMwEQYDVQQDEwpUR1YtRC0yMTcwMA0GCSqGSIb3DQEBBQUAA4IBAQBoBFMFGutp/td2oI7K bH9wLCdKT86WF7YqhW1HRmCV1L4ogflNVXyodm4OgbAFDyqfXocyFRGAX6EkB9pqz0RG2L0fQUnk NxWVMVl71c1koS5MynxaCmDjgdX7th1o0+WB1Uc5zqjpKpqYk5ZGP/ZCDX965XERTBmDLDXSCmi/ QG+y/v/hxSFHNqHDPmdAe7vt1Ln1tzky+pKgZX6+7/OL7JSXC2URWZAVmTGfSGcxPbUqTYbn1eEh F2ZmqgvcOTcctoXWM+J8JrSyDLvk4fZjKt3o7QL/sxKqhpcn1/MenYV45mSCCUsbuL4pEXdlGZUK 76QEfCBCYrlcDzRuU19L

Download
SHA256	c05a8df8067fe695c5b1fed3bd053e4887d1df464d551d5c07c61cec418b811c
Referer
Magic	Inconclusive. Probably binary (BINARY)
Request	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEF302%2FCXSncz5DqqWgn8tVw%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com
Response Header	HTTP/1.1 200 OK Server: nginx/1.4.7 Content-Type: application/ocsp-response Content-Length: 1725 content-transfer-encoding: binary Cache-Control: max-age=564348, public, no-transform, must-revalidate Last-Modified: Tue, 8 Nov 2016 03:07:01 GMT Expires: Tue, 15 Nov 2016 03:07:01 GMT Date: Tue, 08 Nov 2016 14:23:24 GMT Connection: keep-alive
HEX Peek (128 B)	0000 30 82 06 B9 0A 01 00 A0 82 06 B2 30 82 06 AE 06 0..........0.... 0010 09 2B 06 01 05 05 07 30 01 01 04 82 06 9F 30 82 .+.....0......0. 0020 06 9B 30 81 9E A2 16 04 14 1A 5D FB 5B 2B A7 41 ..0.......].[+.A 0030 F9 7C 31 BE 72 43 5F 48 1A 35 46 B7 90 18 0F 32 .\|1.rC_H.5F....2 0040 30 31 36 31 31 30 38 30 33 30 37 30 31 5A 30 73 0161108030701Z0s 0050 30 71 30 49 30 09 06 05 2B 0E 03 02 1A 05 00 04 0q0I0...+....... 0060 14 D2 A9 93 06 E4 CF 13 03 DA DD CE 46 C2 9C DC ............F... 0070 2E 30 07 79 56 04 14 CF 99 A9 EA 7B 26 F4 4B C9 .0.yV......{&.K.

IP	192.168.1.130
MAC	08:00:27:11:4e:fa
USER-AGENT	Microsoft-CryptoAPI/6.1

Analysis Info

Flow View

Client Details

Conversations