{ "flow": { "hosts": { "name": "Client", "children": [ { "name": "www.arcai.com", "children": [ { "name": "www.arcai.com" } ] }, { "name": "www.msftncsi.com" } ] }, "size": 90 }, "info": { "pcap_file": "/opt/Malware-Project/BigDataset/Scenarios/CTU-Malware-Capture-Botnet-211-2//2017-03-02_win2.pcap", "analysis_time": "02/03/17 19:08:26", "captipper_version": "0.2 b10", "traffic_time": "09/23/76 05:29:46" }, "client": { "IP": "192.168.1.112", "MAC": "08:00:27:e1:e3:8a", "USER-AGENT": "AIPS" }, "conversations": [ { "name": "www.arcai.com", "ip": "23.239.9.165:80", "uris": [ { "id": 0, "server_ip": "23.239.9.165:80", "uri": "/netCut/Update3.php?query=bmFtZT1BSVBTOnZlcnNpb249MjE0OmlkPQ==", "short_uri": "/netCut/Up...E0OmlkPQ==", "req_head": "GET /netCut/Update3.php?query=bmFtZT1BSVBTOnZlcnNpb249MjE0OmlkPQ== HTTP/1.1\nUser-Agent: AIPS\nHost: www.arcai.com\nCache-Control: no-cache", "res_body": "VG04PQ0KDQoNCg0K\r\n", "res_base64": "VkcwNFBRMEtEUW9OQ2cwSw0K", "respeek": "VG04PQ0KDQoNCg0K\r\n", "magic_name": "Inconclusive. Probably text", "magic_ext": "TEXT", "res_head": "HTTP/1.1 200 OK\nServer: nginx/1.10.1\nDate: Mon, 26 Dec 2016 15:13:14 GMT\nContent-Type: text/html\nTransfer-Encoding: chunked\nConnection: keep-alive\nX-Powered-By: PHP/5.5.9-1ubuntu4", "res_num": "200 OK", "res_type": "text/html", "host": "www.arcai.com", "referer": "", "filename": "Update3.php", "method": "GET", "epochtime": "09/23/76 05:29:46", "res_len": "18.0 B", "md5": "5ca0a9616d6c0b1324ce4284275feb11", "sha256": "eafe0417ef10e07a75c35daf5e866fea4f56c2726105126f90f9e12509f59cd9" }, { "id": 2, "server_ip": "23.239.9.165:80", "uri": "/netCut/Internet.php?query=ShareNetCut", "short_uri": "/netCut/In...hareNetCut", "req_head": "GET /netCut/Internet.php?query=ShareNetCut HTTP/1.1\nAccept: */*\nAccept-Encoding: gzip, deflate\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\nHost: www.arcai.com\nConnection: Keep-Alive", "res_body": "", "res_base64": "", "respeek": "", "magic_name": "", "magic_ext": "", "res_head": "HTTP/1.1 302 Moved Temporarily\nServer: nginx/1.10.1\nDate: Mon, 26 Dec 2016 15:14:09 GMT\nContent-Type: text/html\nTransfer-Encoding: chunked\nConnection: keep-alive\nX-Powered-By: PHP/5.5.9-1ubuntu4\nSet-Cookie: ShareNetCut=http%3A%2F%2Fwww.arcai.com%2FnetCut%2Fsharenetcut.html%0A1482765249%0A; expires=Tue, 27-Dec-2016 15:14:09 GMT; Max-Age=86400\nLocation: http://www.arcai.com/netCut/sharenetcut.html?query=ShareNetCut", "res_num": "302 Moved Temporarily", "res_type": "text/html", "host": "www.arcai.com", "referer": "", "filename": "Internet.php", "method": "GET", "epochtime": "06/15/78 19:04:11", "res_len": "0.0 B", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" }, { "id": 3, "server_ip": "23.239.9.165:80", "uri": "/netCut/sharenetcut.html?query=ShareNetCut", "short_uri": "/netCut/sh...hareNetCut", "req_head": "GET /netCut/sharenetcut.html?query=ShareNetCut HTTP/1.1\nAccept: */*\nAccept-Encoding: gzip, deflate\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\nHost: www.arcai.com\nConnection: Keep-Alive\nCookie: ShareNetCut=http%3A%2F%2Fwww.arcai.com%2FnetCut%2Fsharenetcut.html%0A1482765249%0A", "res_body": "\r\r
\r\r \r \r \r \r \r \r \r \r?Jm$P\u0006\u0019P\u0003H\u0000Hڱ$פ HQ:\f\u0012WZ:ein\u0000kK\u0000\u0007@\u0005\bJ}\u0000ϳ@$T\u0004\u0002\u0006iЬa\u0001-\u0006\f+L@\u0005\u000b\u0010+\u0012+\u0018K\u0000\u001c\u0013\u001eG?\u0006(ۊV\u0005Y T/\u0006GB,\u0002\r \u0010U۴>\u000fX۳!0\u0000\u0011\u0000M{\u0000D\u0011G\u001b\ra\u0003˼\u001c\u001c\u0004t \u0006\u0006-`aQ@@m2\u00175\u0006b@\u0007L`H&yɅ\u001aGV $\u0002? \t\u0001B0vߪ:f8x\r1\u0001T`\u0006gx~\u0018Dn