| Name | Last modified | Size | Description |
|---|---|---|---|
| Parent Directory | - | | |
| 2013-11-25_capture-win10-2.biargus | 2015-03-20 21:18 | 1.6G | |
| 2013-11-25_capture-win10-2.biargus.labeled | 2014-08-04 17:59 | 704M | |
| 2013-11-25_capture-win10-2.binetflow | 2015-09-16 17:18 | 1.7G | |
| 2013-11-25_capture-win10-2.capinfos | 2016-03-16 15:02 | 762 | |
| 2013-11-25_capture-win10-2.dnstop | 2016-03-16 14:35 | 10K | |
| 2013-11-25_capture-win10-2.histogram | 2014-08-04 21:38 | 897 | |
| 2013-11-25_capture-win10-2.passivedns | 2016-03-16 14:36 | 532K | |
| 2013-11-25_capture-win10-2.pcap | 2013-12-04 06:19 | 8.2G | |
| 2013-11-25_capture-win10-2.pcap.capinfos | 2014-08-04 17:00 | 762 | |
| 2013-11-25_capture-win10-2.png | 2014-08-04 17:08 | 504K | |
| 2013-11-25_capture-win10-2.rrd | 2014-08-04 17:06 | 8.0M | |
| 2013-11-25_capture-win10-2.tcpdstat | 2017-01-15 13:16 | 2.1K | |
| README.html | 2017-01-15 13:21 | 3.0K | |
| README.md | 2016-03-16 15:03 | 2.1K | |
| bro/ | 2017-08-31 09:45 | - | |
| c740789d5b226668f8a37626883fd0b7.exe.zip | 2015-12-16 10:26 | 366K | |
| fast-flux-dga-first-analysis.txt | 2017-01-15 13:21 | 116K | |
| histogram.of.dns.queries.in.the.dga.txt | 2015-04-01 11:11 | 22K | |
Duration: 56 days in total. This capture is 8 days.
RobotHash
win10 is powered on again. The computer is started already infected. Pcap file: 2013-11-25_capture-win10-2.pcap
The Linux host was frozen, so the capture was stopped.
The DGA in this malware is somewhat hidden. Instead of using the default DNS servers configured on the computer, the malware uses its own DNS servers. Moreover, the DNS requests are sent over TCP, which is highly suspicious. Examples of the DNS requests are:
Examples of the DNS servers used are:
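The two deviations described above (DNS carried over TCP, and DNS sent to resolvers the host was never configured with) can be picked out of flow records directly. The following is an added example, not part of this dataset's README or tooling; the flow lines, addresses and the configured-resolver set are constructed, and the column layout is a simplified, assumed CSV rather than the exact binetflow format.

```python
# Added example: flag port-53 flows that deviate from the host's normal DNS behaviour,
# i.e. DNS over TCP and/or DNS sent to a resolver that is not configured on the host.
# Flow lines are constructed in a simple CSV layout (assumed, not the real binetflow
# header): StartTime,Proto,SrcAddr,Sport,DstAddr,Dport,TotBytes. All addresses are made up.
import csv
from io import StringIO

# Assumed: the resolver(s) actually configured on the monitored Windows host.
CONFIGURED_RESOLVERS = {"192.168.1.1"}

# Constructed sample: one normal UDP lookup, two TCP lookups to unknown resolvers,
# one UDP lookup to an unknown resolver, and one unrelated HTTP flow.
SAMPLE_FLOWS = """StartTime,Proto,SrcAddr,Sport,DstAddr,Dport,TotBytes
2013/11/25 10:00:01,udp,192.168.1.50,52311,192.168.1.1,53,142
2013/11/25 10:00:02,tcp,192.168.1.50,49152,203.0.113.7,53,310
2013/11/25 10:00:03,tcp,192.168.1.50,49153,198.51.100.9,53,305
2013/11/25 10:00:04,udp,192.168.1.50,52312,203.0.113.7,53,140
2013/11/25 10:00:05,tcp,192.168.1.50,49154,93.184.216.34,80,4231
"""


def classify_dns_flows(csv_text, resolvers=CONFIGURED_RESOLVERS):
    """Return (DstAddr, reasons) for every port-53 flow that looks abnormal.

    reasons is a tuple drawn from 'tcp' (DNS over TCP) and 'unknown-resolver'
    (destination is not one of the configured resolvers). Normal flows are skipped.
    """
    findings = []
    for row in csv.DictReader(StringIO(csv_text)):
        if row["Dport"] != "53":
            continue  # not DNS, ignore
        reasons = []
        if row["Proto"].lower() == "tcp":
            reasons.append("tcp")
        if row["DstAddr"] not in resolvers:
            reasons.append("unknown-resolver")
        if reasons:
            findings.append((row["DstAddr"], tuple(reasons)))
    return findings


def unknown_resolvers(findings):
    """Distinct addresses that served DNS but are not configured on the host."""
    return sorted({dst for dst, reasons in findings if "unknown-resolver" in reasons})


if __name__ == "__main__":
    hits = classify_dns_flows(SAMPLE_FLOWS)
    for dst, reasons in hits:
        print(f"{dst}: {', '.join(reasons)}")
    print("resolvers not configured on the host:", unknown_resolvers(hits))
```

The list of unconfigured resolvers is the starting point for the kind of resolver inventory the README refers to; in a real capture it would be compared against the host's actual DNS settings rather than the assumed set above.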