Stratosphere Malware Capture 208-1

Http Referer Graph

Graph of http domains and their referers taken from the bro http log. An arrow means that the first domain was refered by the second domain.

Description

• Probable Name: OpenCandy
• MD5: 5fe59fc57869508e1c84812dbd36ce3b
• SHA1: 74e32c0a7078b749dd72fbf78acbf57a4aed8889
• SHA256: e1557810adb59597366d167efcd85a09d0ae2827f49ef6b8e6a459e56d6e1292
• Password of zip file: infected

• Duration: 26 days 18:26:23

• VirusTotal
• HybridAnalysis

• RobotHash

Files

• .capinfos
  • Capinfos file
• .dnstop
  • DNS top file
• .mitm
  • Mitm proxy interception file of http and https
• .passivedns
  • Passive DNS file
• .pcap
  • Original pcap file
• .rrd
  • RRD file for graphs
• .weblogng
  • WEB log of http traffic
• .exe.zip
  • Original malware file
• bro
  • Folder with all the bro output files
• .biargus
  • Argus binary file. Bidirectional flows, 3600s of report time.
• .binetflow
  • Argus text file with bidirectional flows. Report time 3600 secs.
• .uniargus
  • Argus binary file. Unidirectional flows, 5s of report time.
• .uninetflow
  • Argus text file with unidirectional flows. Report time 5 secs. TAB as column separator.

IP Addresses

- Infected host: 192.168.1.128
- Default GW: 192.168.1.2

Timeline

Tue Nov 8 15:31:07 CET 2016

started win18

Tue Nov 8 15:34:17 CET 2016

infected

162.247.242.19: VT: https://www.virustotal.com/en/ip-address/162.247.242.19/information/ PS: Two domains. Not good reputation bam.nr-data.net Periodic: Long:

Mon Dec 5 09:57:30 CET 2016

power off