Index of /publicDatasets/CTU-Malware-Capture-Botnet-25-5

	Name	Last modified	Size	Description
	Parent Directory		-
	bro/	2017-08-31 09:45	-
	2014-03-12_capture-win3.capinfos	2015-08-29 17:16	766
	README.md	2016-03-16 14:57	1.0K
	README.html	2016-03-16 14:57	1.4K
	weblogs.filter	2013-12-09 12:06	1.9K
	ra.conf.publish	2013-11-06 15:43	2.0K
	ra.conf.analysis	2013-11-06 15:44	2.0K
	ralabel.conf	2013-11-06 15:43	6.0K
	argus_bi.conf	2013-11-06 15:43	20K
	2014-03-12_capture-win3.dnstop	2015-08-29 17:13	21K
	2014-03-12_capture-win3.passivedns	2015-08-29 17:13	47K
	ralabel-flowfilter.conf	2014-04-15 17:46	51K
	e1090d7126dd88d0d1d39b68ea3aae11.exe.zip	2015-12-16 10:26	273K
	2014-03-12_capture-win3.weblogng	2016-06-15 18:47	1.7M
	2014-03-12_capture-win3.rrd	2014-03-12 08:41	8.0M
	2014-03-12_capture-win3.html	2015-06-01 15:12	16M
	2014-03-12_capture-win3.json	2015-06-01 15:12	21M
	2014-03-12_capture-win3.biargus	2015-09-25 17:13	250M
	2014-03-12_capture-win3.binetflow	2015-09-25 17:14	263M
	2014-03-12_capture-win3.pcap	2014-03-12 08:40	282M

Description

• Probable Name: Zbot at first, then others probably.
• Binary used: yL0T.exe
• MD5: e1090d7126dd88d0d1d39b68ea3aae11
• SHA1: e0513664515eacc65e9530afe665619f2bce3802
  
• SHA256: 3fc6bef5eac0656be77f8e96f2b7e08cadb418c11430e8c3d53b33788a93c86a
  
• VirusTotal
• HybridAnalysis
• RobotHash

• Infected Machines:
  • Windows Name: Win3, IP: 10.0.2.103
• Duration: 29.9 days

Analysis of DNS connections and Labels

• 10.0.2.103-4.4.4.4-53-udp (From-Botnet-UDP-DNS-DGA-16)
  • 1312 flows
• 10.0.2.103-8.8.8.8-53-udp (From-Botnet-UDP-DNS-DGA-17)
  • 3000 flows (Original amount of flows: 792097)

Timeline

Mon, 10 Feb 2014 09:36:05 GMT (approx)

Win3 infected

Wed, 12 Mar 2014 07:50:42 GMT (approx)

stopped win3