CapTipper Report

CapTipper

Analysis Info

PCAP File	Analysis Time	CapTipper Version	Traffic Time
/opt/Malware-Project/BigDataset/Scenarios/CTU-Malware-Capture-Botnet-272-1//2017-06-24_win11.pcap	08/17/17 11:34:19	0.3 b13	03/15/77 03:44:55

Flow View

Client Details

IP	192.168.1.121
MAC	08:00:27:5d:86:c6
USER-AGENT	Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)

Conversations

82.165.142.107:443 (82.165.142.107:443)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

text/html

0.html

502 Bad Gateway

HTML

362.0 B

03/15/77 03:44:55

Download
SHA256	14efcf41a110314eb41f8a66ba1b5833759d5650dde77a5ea20d1036d35071af
Referer
Magic	HyperText Markup Language (HTML)
Request	GET / HTTP/1.1 Cookie: 3041=iFWIBMVzxgy6++5lbHI7hZY1ROQ8CljIPFlAOIuZzqvtGYDoTeUyeKtoWElILmCPlo2ll5huvBsjT4zAJWIrWKSdAEz5YBRrmfnu6G1PXUFCQuwWjsVR2tcXAV+B5qz7kJjtqUMDmkNLawAV7+yhvqHi9r7Z0llOvqpTKNJWPn+9ln7+/1+qu7zGIsV7vEmiFK5PGLNSVUDewPnn0qsGpq4eEr487ZMyCE+kDe3n8HupzfWCYpFICAq0cAH0cIB+hQxrFuHZ320E8R9JCh0JuyfGhUB74QXbQe2m6JuVMiohLKHkPdDwmgGtXTHynvANLAQXMP0o2Cs1H9mfiFqyYWv6tKfJ5K/TqwGfU3uftOZpckR/DYVuZLhiHDUcD1YLudedifQQF7AAnkzpVUnWinJcNHTQA3bJFAhiz8mI08nfMHigiP5ZCVphpretKEpsw7oxL77GEwHafuXaM+htdh5fIgvJ2Mq+POgBaT6dsXJj4bb5DStv2iGj6RWmlWqkgBkdXQ== User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322) Host: 82.165.142.107:443 Connection: Keep-Alive Cache-Control: no-cache
Response Header	HTTP/1.1 502 Bad Gateway Server: mitmproxy 2.0.1 Content-Length: 362 Content-Type: text/html Connection: close
Response Peek (128 B)	<html> <head> <title>502 Bad Gateway</title> </head> <body> <h1>...

103.4.18.170:443 (103.4.18.170:443)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

text/html

1.html

400 Bad Request

HTML

362.0 B

04/18/78 05:24:33

Download
SHA256	315b5579f75a8f732a18222b87bc50a81b03ce28aee9d7518ecb9288f38a9fdd
Referer
Magic	HyperText Markup Language (HTML)
Request	GET / HTTP/1.1 Cookie: CC1B=fkzPpVmn34j44+cuYGexgtQXjbS4I8gIjkfc6o+X68a2yk8hjSSVh//2mYj7YxIklkPxw+aHjvVCnRBlID/7tgnSOSlNQckvBoMC2GswhjkpdiM+mPO7s6Jq58ePZe7ikJjtqUMDmkNLawAV7+yhvqHi9r7Z0llOvqpTKNJWPn+9ln7+/1+qu7zGIsV7vEmiFK5PGLNSVUDewPnn0qsGpq4eEr487ZMyCE+kDe3n8HupzfWCYpFICAq0cAH0cIB+hQxrFuHZ320E8R9JCh0JuyfGhUB74QXbQe2m6JuVMiohLKHkPdDwmgGtXTHynvANLAQXMP0o2Cs1H9mfiFqyYWv6tKfJ5K/TqwGfU3uftOZpckR/DYVuZLhiHDUcD1YLudedifQQF7AAnkzpVUnWinJcNHTQA3bJFAhiz8mI08nfMHigiP5ZCVphpretKEpsw7oxL77GEwHafuXaM+htdh5fIgvJ2Mq+POgBaT6dsXJj4bb5DStv2iGj6RWmlWqkgBkdXQ== User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322) Host: 103.4.18.170:443 Connection: Keep-Alive Cache-Control: no-cache
Response Header	HTTP/1.1 400 Bad Request Date: Thu, 08 Jun 2017 19:03:29 GMT Server: Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips Content-Length: 362 Connection: close Content-Type: text/html; charset=iso-8859-1
Response Peek (128 B)	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1...

46.163.78.94:443 (46.163.78.94:443)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

text/html

2.html

502 Bad Gateway

HTML

358.0 B

05/29/79 16:50:08

Download
SHA256	38ad3045d17b80939af39b849f42f235f16a5cf7a00082dc514b1d82ee400bb1
Referer
Magic	HyperText Markup Language (HTML)
Request	GET / HTTP/1.1 Cookie: 554C=YEGzq7DvGEk3GSm9CLK3gcPB2LFXmLc1UrqbhAoNGtpwuzPWjP58kepeIrYYP1Gyz7Upks6T18gZi+tG25Q2gMyYCmwRhRd0rILY8lHPdAx8SR1VBtMROZEDKccUxL6HkJjtqUMDmkNLawAV7+yhvqHi9r7Z0llOvqpTKNJWPn+9ln7+/1+qu7zGIsV7vEmiFK5PGLNSVUDewPnn0qsGpq4eEr487ZMyCE+kDe3n8HupzfWCYpFICAq0cAH0cIB+hQxrFuHZ320E8R9JCh0JuyfGhUB74QXbQe2m6JuVMiohLKHkPdDwmgGtXTHynvANLAQXMP0o2Cs1H9mfiFqyYWv6tKfJ5K/TqwGfU3uftOZpckR/DYVuZLhiHDUcD1YLudedifQQF7AAnkzpVUnWinJcNHTQA3bJFAhiz8mI08nfMHigiP5ZCVphpretKEpsw7oxL77GEwHafuXaM+htdh5fIgvJ2Mq+POgBaT6dsXJj4bb5DStv2iGj6RWmlWqkgBkdXQ== User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322) Host: 46.163.78.94:443 Connection: Keep-Alive Cache-Control: no-cache
Response Header	HTTP/1.1 502 Bad Gateway Server: mitmproxy 2.0.1 Content-Length: 358 Content-Type: text/html Connection: close
Response Peek (128 B)	<html> <head> <title>502 Bad Gateway</title> </head> <body> <h1>...

81.88.24.211:443 (81.88.24.211:443)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

text/html

3.html

502 Bad Gateway

HTML

358.0 B

07/01/80 15:53:04

Download
SHA256	a6c8905a5d2211435c5f230c52b3056ae02a671aedb6ebc65546a438cbe8d020
Referer
Magic	HyperText Markup Language (HTML)
Request	GET / HTTP/1.1 Cookie: DBF2=cZU38hAraH1HWTWHJAKp8cNDgcw+7xiKcsTVenAWfwmoOAqWSC/EsNe+lriHzyHG8EPynpVOUe0XoiJROsqfh4WoedkDzp+5aOpYtc0MfCoA5W6vHy77AKy85KMF2LwquEhQSUjD7LzUT6h+M3wlDScUBdeA0EXDheuid4EK+u2YidO0mHbZIFK9eG30kBmnP9wp9bnhFtjOYmdiIiI7X7eLa5JS6q0Ut7CDELcVPjF5wZby/P/T3ed9Iv8t60knYIXtNIo91mHDHO+TSXI4s8Dn3en3N8ag0+TT0Gv/c1r20ixK6sFmDQH92vqagqUc8rY0GJmtdgTVVsRKCrV69THthf0D3nWVR5UU9JSihk3eocjzGrTm5FqBoCLyKpGrq0cN0W3qIL2sV9CQ6rOquJP6e5m8J5xQhiWOiPgkv2HaWCr4Y2Z0jZdlw/X0Ru+FH//lQK6T5IqcZyA2OaFS+OgDFzPNr6/cwjD3U1qBYK0ipsmz User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322) Host: 81.88.24.211:443 Connection: Keep-Alive Cache-Control: no-cache
Response Header	HTTP/1.1 502 Bad Gateway Server: mitmproxy 2.0.1 Content-Length: 358 Content-Type: text/html Connection: close
Response Peek (128 B)	<html> <head> <title>502 Bad Gateway</title> </head> <body> <h1>...

45.79.186.178:8080 (45.79.186.178:8080)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

4.html

0.0 B

08/04/81 14:37:28

87.106.77.193:8080 (87.106.77.193:8080)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

text/html

5.html

404 Not Found

HTML

564.0 B

08/06/83 11:02:29

Download
SHA256	0b52c5338af355699530a47683420e48c7344e779d3e815ff9943cbfdc153cf2
Referer
Magic	HyperText Markup Language (HTML)
Request	GET / HTTP/1.1 Cookie: 5998=QyUj7vqezm8M0AiLzvsU6yxMsf/iilMnl7p80vLwDUowWclM9ca+6TZf7m0Bl1SWZ/CxU2lhvPhlrxca132CQnNd/kK9oVRMdx5v9Mbnc5/uYg9JDmxtObPFOfg3mITDuEhQSUjD7LzUT6h+M3wlDScUBdeA0EXDheuid4EK+u2YidO0mHbZIFK9eG30kBmnP9wp9bnhFtjOYmdiIiI7X7eLa5JS6q0Ut7CDELcVPjF5wZby/P/T3ed9Iv8t60knYIXtNIo91mHDHO+TSXI4s8Dn3en3N8ag0+TT0Gv/c1r20ixK6sFmDQH92vqagqUc8rY0GJmtdgTVVsRKCrV69THthf0D3nWVR5UU9JSihk3eocjzGrTm5FqBoCLyKpGrq0cN0W3qIL2sV9CQ6rOquJP6e5m8J5xQhiWOiPgkv2HaWCr4Y2Z0jZdlw/X0Ru+FH//lQK6T5IqcZyA2OaFS+OgDFzPNr6/cwjD3U1qBYK0ipsmz User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322) Host: 87.106.77.193:8080 Connection: Keep-Alive Cache-Control: no-cache
Response Header	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 08 Jun 2017 19:06:16 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive
Response Peek (128 B)	<html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>...

62.75.145.252:8080 (62.75.145.252:8080)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

text/html

6.html

502 Bad Gateway

HTML

361.0 B

09/11/84 12:47:14

Download
SHA256	1e6794c766602557015064115c0dec844d15acf521da5d5fe89b13481b8f99a1
Referer
Magic	HyperText Markup Language (HTML)
Request	GET / HTTP/1.1 Cookie: E14C=HiTVAHfw9lEorozgtuwmtEY6uupIH9fwB9hTiOTbkplZoCPv6dYQBgzeXpoH+z17YatTi/ltBIytz1JgRu2HtQYAKQlqWJax+jJnzF4xuVxbeMzTW35pVVRB2m6LUwu/uEhQSUjD7LzUT6h+M3wlDScUBdeA0EXDheuid4EK+u2YidO0mHbZIFK9eG30kBmnP9wp9bnhFtjOYmdiIiI7X7eLa5JS6q0Ut7CDELcVPjF5wZby/P/T3ed9Iv8t60knYIXtNIo91mHDHO+TSXI4s8Dn3en3N8ag0+TT0Gv/c1r20ixK6sFmDQH92vqagqUc8rY0GJmtdgTVVsRKCrV69THthf0D3nWVR5UU9JSihk3eocjzGrTm5FqBoCLyKpGrq0cN0W3qIL2sV9CQ6rOquJP6e5m8J5xQhiWOiPgkv2HaWCr4Y2Z0jZdlw/X0Ru+FH//lQK6T5IqcZyA2OaFS+OgDFzPNr6/cwjD3U1qBYK0ipsmz User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322) Host: 62.75.145.252:8080 Connection: Keep-Alive Cache-Control: no-cache
Response Header	HTTP/1.1 502 Bad Gateway Server: mitmproxy 2.0.1 Content-Length: 361 Content-Type: text/html Connection: close
Response Peek (128 B)	<html> <head> <title>502 Bad Gateway</title> </head> <body> <h1>...

178.79.172.45:8080 (178.79.172.45:8080)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

7.html

0.0 B

10/15/85 11:37:32

192.155.83.86:8080 (192.155.83.86:8080)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

8.html

0.0 B

10/11/87 18:25:07

95.110.231.207:8080 (95.110.231.207:8080)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

text/html

9.html

502 Bad Gateway

HTML

363.0 B

10/07/89 01:13:45

Download
SHA256	f7bc62d8a837324099113a4083065df97b5e225367d6446570a1a401b9000ff7
Referer
Magic	HyperText Markup Language (HTML)
Request	GET / HTTP/1.1 Cookie: 5231=ZPS1OkE+btIjl2DfMcxHFOz8Fz5DJLgO5z3MeAAFMZcfriwkYzOFx+UDBB2EYumOrgYvpkDvufvAy8OyuMwFRiTi4n8xFwNiq/QnE4l7r/Cz0NSgkBsaS4ZVTRVa44E3uEhQSUjD7LzUT6h+M3wlDScUBdeA0EXDheuid4EK+u2YidO0mHbZIFK9eG30kBmnP9wp9bnhFtjOYmdiIiI7X7eLa5JS6q0Ut7CDELcVPjF5wZby/P/T3ed9Iv8t60knYIXtNIo91mHDHO+TSXI4s8Dn3en3N8ag0+TT0Gv/c1r20ixK6sFmDQH92vqagqUc8rY0GJmtdgTVVsRKCrV69THthf0D3nWVR5UU9JSihk3eocjzGrTm5FqBoCLyKpGrq0cN0W3qIL2sV9CQ6rOquJP6e5m8J5xQhiWOiPgkv2HaWCr4Y2Z0jZdlw/X0Ru+FH//lQK6T5IqcZyA2OaFS+OgDFzPNr6/cwjD3U1qBYK0ipsmz User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322) Host: 95.110.231.207:8080 Connection: Keep-Alive Cache-Control: no-cache
Response Header	HTTP/1.1 502 Bad Gateway Server: mitmproxy 2.0.1 Content-Length: 363 Content-Type: text/html Connection: close
Response Peek (128 B)	<html> <head> <title>502 Bad Gateway</title> </head> <body> <h1>...

66.175.215.16:8080 (66.175.215.16:8080)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

text/html

10.html

502 Bad Gateway

HTML

361.0 B

11/10/90 08:18:15

Download
SHA256	fa5a16d0f8ba0ee6563b9e28d8fba393a6a573e68f0f383dd68a54c1f68ff3af
Referer
Magic	HyperText Markup Language (HTML)
Request	GET / HTTP/1.1 Cookie: D8F5=A+LL7UktLz/Ca18M7sEfHiqmpcXFeOqyl7CnZcUP1hnRUCBuqG1SdelXtYqORsQlQXIMDt1EogmSDtb0xAjkN9KIvpOZ2k87/cMOujhi5Zy1bmJNbhEMpxZRud+K1UQyuEhQSUjD7LzUT6h+M3wlDScUBdeA0EXDheuid4EK+u2YidO0mHbZIFK9eG30kBmnP9wp9bnhFtjOYmdiIiI7X7eLa5JS6q0Ut7CDELcVPjF5wZby/P/T3ed9Iv8t60knYIXtNIo91mHDHO+TSXI4s8Dn3en3N8ag0+TT0Gv/c1r20ixK6sFmDQH92vqagqUc8rY0GJmtdgTVVsRKCrV69THthf0D3nWVR5UU9JSihk3eocjzGrTm5FqBoCLyKpGrq0cN0W3qIL2sV9CQ6rOquJP6e5m8J5xQhiWOiPgkv2HaWCr4Y2Z0jZdlw/X0Ru+FH//lQK6T5IqcZyA2OaFS+OgDFzPNr6/cwjD3U1qBYK0ipsmz User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322) Host: 66.175.215.16:8080 Connection: Keep-Alive Cache-Control: no-cache
Response Header	HTTP/1.1 502 Bad Gateway Server: mitmproxy 2.0.1 Content-Length: 361 Content-Type: text/html Connection: close
Response Peek (128 B)	<html> <head> <title>502 Bad Gateway</title> </head> <body> <h1>...

62.210.36.193:8080 (62.210.36.193:8080)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

text/html

11.html

502 Bad Gateway

HTML

361.0 B

12/15/91 05:22:30

Download
SHA256	da05a2d6a5bb56b487c896b7791c63ad5e08c8e67aebe7b9ea2407569e3b1fac
Referer
Magic	HyperText Markup Language (HTML)
Request	GET / HTTP/1.1 Cookie: 5FEC=I+V4u+u9o/7PJYVt/G2gZrvZjCdjngItC5sm0qmMuF2I3aaX0T8zy1lpNxs0Z0dOAdprEEBH2DSENoOHt2OTFSQP/jPkLcl0J5T5nnugdFxoOttMebIfa2dCjhRmrziRuEhQSUjD7LzUT6h+M3wlDScUBdeA0EXDheuid4EK+u2YidO0mHbZIFK9eG30kBmnP9wp9bnhFtjOYmdiIiI7X7eLa5JS6q0Ut7CDELcVPjF5wZby/P/T3ed9Iv8t60knYIXtNIo91mHDHO+TSXI4s8Dn3en3N8ag0+TT0Gv/c1r20ixK6sFmDQH92vqagqUc8rY0GJmtdgTVVsRKCrV69THthf0D3nWVR5UU9JSihk3eocjzGrTm5FqBoCLyKpGrq0cN0W3qIL2sV9CQ6rOquJP6e5m8J5xQhiWOiPgkv2HaWCr4Y2Z0jZdlw/X0Ru+FH//lQK6T5IqcZyA2OaFS+OgDFzPNr6/cwjD3U1qBYK0ipsmz User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322) Host: 62.210.36.193:8080 Connection: Keep-Alive Cache-Control: no-cache
Response Header	HTTP/1.1 502 Bad Gateway Server: mitmproxy 2.0.1 Content-Length: 361 Content-Type: text/html Connection: close
Response Peek (128 B)	<html> <head> <title>502 Bad Gateway</title> </head> <body> <h1>...

119.59.124.163:8080 (119.59.124.163:8080)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

text/html

12.html

502 Bad Gateway

HTML

363.0 B

01/17/93 06:51:39

Download
SHA256	f3bf42393d5d1ad4f18d501d400b3efef846c001a8f574eeb9ae79b9c6e981c2
Referer
Magic	HyperText Markup Language (HTML)
Request	GET / HTTP/1.1 Cookie: E69B=heNcpSlJtbZp7pySKQnDJuw/zu0lTfmyS8gbzFg4gjfyp0Oq8r09fDEKIdF97s5bwFCkDb98OxxXHZN8Js6sEZ6kzwieo5GWsgAbPJywDZnZAZqw8YToYOIm3k1pJhd2uEhQSUjD7LzUT6h+M3wlDScUBdeA0EXDheuid4EK+u2YidO0mHbZIFK9eG30kBmnP9wp9bnhFtjOYmdiIiI7X7eLa5JS6q0Ut7CDELcVPjF5wZby/P/T3ed9Iv8t60knYIXtNIo91mHDHO+TSXI4s8Dn3en3N8ag0+TT0Gv/c1r20ixK6sFmDQH92vqagqUc8rY0GJmtdgTVVsRKCrV69THthf0D3nWVR5UU9JSihk3eocjzGrTm5FqBoCLyKpGrq0cN0W3qIL2sV9CQ6rOquJP6e5m8J5xQhiWOiPgkv2HaWCr4Y2Z0jZdlw/X0Ru+FH//lQK6T5IqcZyA2OaFS+OgDFzPNr6/cwjD3U1qBYK0ipsmz User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322) Host: 119.59.124.163:8080 Connection: Keep-Alive Cache-Control: no-cache
Response Header	HTTP/1.1 502 Bad Gateway Server: mitmproxy 2.0.1 Content-Length: 363 Content-Type: text/html Connection: close
Response Peek (128 B)	<html> <head> <title>502 Bad Gateway</title> </head> <body> <h1>...

172.93.54.93:8080 (172.93.54.93:8080)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

13.html

0.0 B

02/22/94 13:24:19