########################################################
Malware Capture Facility
CVUT University, Prague, Czech Republic

These files were generated as part of a research project at the CVUT University, Prague, Czech Republic. The goal is to store long-lived real botnet traffic and to generate labeled netflow files.

For any question, feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
Vojtech Uhlir: vojtech.uhlir@agents.fel.cvut.cz

Disclaimer: You are free to use these files as long as you reference this project and the authors.
########################################################

CLF
===
The CLF (Common Log Format) file contains the web logs of the pcap file as extracted by the justniffer tool. The command used was:

justniffer -p "port 80 or port 8080 or port 3128" -f file.pcap > file.clf

Weblogs
=======
The weblogs are files similar to the CLF file but with a different format. They were generated with this command:

justniffer -f $1 -p "port 80 or port 8080 or port 3128" -l "%request.timestamp2(%s) %dest.port %response.code %response.size %source.port %request.size http://%request.header.host%request.url %connection.time %dest.ip %source.ip %response.header.content-type %request.header.referer \"%request.header.user-agent\"" |awk '{if ($11 ~ /\;/) print $1" "$2" "$3" "$4" "$5" "$6" "$7" "($8*1000)" "$9" "$10" "substr($11,1,match($11,/\;/)-1)" "$13" "$14" "substr($0,index($0,$15)); else print $1" "$2" "$3" "$4" "$5" "$6" "$7" "($8*1000)" "$9" "substr($0,index($0,$10))}'|awk '{printf "%.3f %s %s %s %s %s %s %.0f %s %s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, substr($0,index($0,$10))}' > $FILE.weblog

Netflows
========
The netflows are generated using the 2013-08-12_argus.conf file, the 2013-08-12_ra.conf file and the 2013-08-12_ralabel.conf file. We are using bidirectional argus records.
The commands used are:

1- argus -F argus.conf -r file.pcap -w file.argus
2- ralabel -f ralabel.conf -r file.argus -w file.argus.labeled
3- mv file.argus.labeled file.argus (this is to add labels to the argus file)
4- ra -F ra.conf -Z b -nr file.argus > file.argus.netflow.labeled

If you need the netflows without the labels, just regenerate them without the ralabel command.

Pcap
====
The pcap capture files were produced by VirtualBox, because the VMs were NATed. This means that all the captures start on 19707/1/1 because of a bug in VirtualBox. Consequently, the pcap captures cannot be merged.

Labels
======
Labels were assigned using the ralabel program from the argus suite. The assignment rules are not published, but can be requested by mail.

Generic info
------------
Binary used: 195d06e60386cfe86f30a2b2ff551b9a.exe
Md5: 195d06e60386cfe86f30a2b2ff551b9a
Probable Name: ?
Virustotal link: https://www.virustotal.com/en/file/bce77e549e38f3de9f5dd4dc4ec70116d3aed837c20d10d845828c8abc2c440c/analysis/
Infected Machines:
Windows Name: Win8, IP: 10.0.2.22 (Label: Botnet-V1)

Timeline
========
Wed Oct 30 11:57:40 CET 2013 started win8
Wed Oct 30 12:26:17 CET 2013 infected win8
Wed Nov 6 10:28:27 CET 2013 win8 powered off

Traffic Analysis
================
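As an added example (not part of the original README or of the facility's own tooling): a Python parser for the weblog line layout produced by the justniffer/awk pipeline in the Weblogs section, plus a per-host request count for one source IP, which is the first thing an analyst wants from the infected machine's web traffic. The sample lines, host names and 198.51.100.x addresses are constructed for the example; only the 10.0.2.22 address comes from this README.

```python
import re
from collections import Counter

# One weblog line as emitted by the justniffer | awk | awk pipeline of the
# Weblogs section: nine space-separated fields, then dest.ip, source.ip,
# content-type (charset stripped), referer and the user-agent in double quotes.
WEBLOG_RE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?) (?P<dport>\d+) (?P<code>\S+) (?P<rsize>\S+) '
    r'(?P<sport>\d+) (?P<qsize>\S+) (?P<url>\S+) (?P<conn_ms>\d+) '
    r'(?P<dip>\S+) (?P<sip>\S+) (?P<ctype>\S+) (?P<referer>\S+) "(?P<ua>.*)"$'
)
INT_FIELDS = ("dport", "sport", "conn_ms")

def parse_weblog_line(line):
    """Fields of one weblog line as a dict, or None if the line is malformed.
    Sizes and code stay strings so a '-' placeholder in those positions parses."""
    m = WEBLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    return rec

def url_host(url):
    """Host part of the http://host/path URL built by the justniffer -l format."""
    rest = url[len("http://"):] if url.startswith("http://") else url
    return rest.split("/", 1)[0]

def hosts_contacted_by(lines, source_ip):
    """Requests per destination host for one source IP (e.g. the infected VM),
    skipping lines that do not parse instead of aborting on the whole file."""
    counts = Counter()
    for line in lines:
        rec = parse_weblog_line(line)
        if rec is not None and rec["sip"] == source_ip:
            counts[url_host(rec["url"])] += 1
    return counts

# Constructed sample lines in the weblog layout (not real capture data).
SAMPLE_WEBLOG = """\
1383131260.123 80 200 1532 49152 412 http://cdn.example.test/update.bin 57 198.51.100.7 10.0.2.22 application/octet-stream - "Mozilla/4.0 (compatible; MSIE 6.0)"
1383131261.004 80 302 0 49153 388 http://cdn.example.test/ 12 198.51.100.7 10.0.2.22 text/html http://cdn.example.test/update.bin "Mozilla/4.0 (compatible; MSIE 6.0)"
1383131262.500 8080 200 9876 49154 540 http://proxy.example.test/index.html 203 198.51.100.8 10.0.2.15 text/html - "Mozilla/5.0 (Windows NT 6.2) Chrome/30.0"
this line is not a weblog record
"""

if __name__ == "__main__":
    print(hosts_contacted_by(SAMPLE_WEBLOG.splitlines(), "10.0.2.22"))
```

To run it on a real file from the dataset, pass `open("file.weblog")` as `lines` and the infected machine's IP from the Generic info section as `source_ip`.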