CapTipper Report

CapTipper

Analysis Info

PCAP File	Analysis Time	CapTipper Version	Traffic Time
/opt/Malware-Project/BigDataset/Scenarios/CTU-Malware-Capture-Botnet-330-1//2018-02-02_win6.pcap	02/02/18 21:19:19	0.3 b13	08/23/13 07:39:17

Flow View

Client Details

IP	192.168.1.116
MAC	08:00:27:5e:a3:27
USER-AGENT	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Conversations

dlg-configs.buzzrin.de (104.40.156.71:80)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

text/html

0.html

200 OK

0.0 B

08/23/13 07:39:17

/config-from-production

text/plain

config-from-production

200 OK

TEXT

3.9 KB

08/24/13 01:18:01

eyJjZXJ0aWZpY2F0ZSI6ImN5YmVyc2VydmljZXMiLCJwcm9kdWN0U2V0dXAiOiJkb3dubG9hZGd1 aWRlL3RlbXAvZTRiOGYzOTctMTAzZi00ZGMyLWI0NjItYTViZjIwNDcxODkwL0RvTm90aGluZy5l eGUiLCJ3aW5kb3dIZWlnaHQiOjM4OSwid2luZG93V2lkdGgiOjUwNiwicHJvZHVjdCI6eyJ2ZXJz aW9uIjoiMS4wIiwiZGlzcGxheU5hbWUiOiJTb2Z0LVdhcmVOZXQiLCJpbnN0YWxsQ29kZUpzIjoi IiwiaW5zdGFsbFRlc3QiOiJ0cnVlIiwiZmlsZXMiOlt7InVybCI6IltjZG5VcmxdL3B1YmxpYy1z b3VyY2UvZG93bmxvYWRndWlkZS9zb2Z0LXdhcmVuZXQvMS4wL2RlZmF1bHQvY2FtcGFpZ25zL3By b2R1Y3Qrd2Vic2l0ZS9leGUvRG9Ob3RoaW5nLmV4ZSIsImxvY2FsRmlsZSI6IkRvTm90aGluZy5l eGUiLCJjbWRQYXJhbWV0ZXJzSnMiOiIiLCJmaWxlVHlwZSI6eyJuYW1lIjoiUHJvZHVjdCIsImFz c2VtYmx5UXVhbGlmaWVkTmFtZSI6IkZyZWVtaXVtLkRvbWFpbi5DYW1wYWlnbi5Qcm9kdWN0LCBG cmVlbWl1bS5Eb21haW4ifSwiZXRhZyI6bnVsbCwiaGFzaCI6bnVsbCwiaXNFeHRlcm5hbEZpbGUi OmZhbHNlLCJyZWdpb24iOiJkZWZhdWx0IiwidmVyc2lvbiI6IjEuMCIsImlkIjoiZG9ub3RoaW5n LzEuMC9kZWZhdWx0IiwibmFtZSI6IkRvTm90aGluZyIsImlzRW5jb2RlZCI6ZmFsc2V9XSwidWlG aWxlIjoiW2NkblVybF0vcHVibGljLXNvdXJjZS9kb3dubG9hZGd1aWRlL3NvZnQtd2FyZW5ldC8x LjAvZGVmYXVsdC9jYW1wYWlnbnMvcHJvZHVjdCt3ZWJzaXRlL3VpL3NvZnQtd2FyZW5ldC1mbG93 LTUtdGV4dC1lbi11cy56aXAiLCJsb2dvIjoiW2NkblVybF0vcHVibGljLXNvdXJjZS9kb3dubG9h ZGd1aWRlL3NvZnQtd2FyZW5ldC8xLjAvZGVmYXVsdC9jYW1wYWlnbnMvcHJvZHVjdCt3ZWJzaXRl L3VpL0RvTm90aGluZy5wbmciLCJpbnN0YWxsYXRpb25QYXRoIjoiIiwiaW5mb1RleHQiOiI8cD5X ZSB3aWxsIG5vdCBzYXZlIGVpdGhlciB5b3VyIElQIGFkZHJlc3Mgb3Igb3RoZXIgdXNlciBkYXRh LiBXZSB3aWxsIG9ubHkgZXZhbHVhdGUgYW5vbnltaXNlZCBzdGF0aXN0aWNzIGZvciB0aGUgb3B0 aW1pemF0aW9uIG9mIHRoZSB1c2FiaWxpdHkgYW5kIG91ciBwcm9kdWN0LiBCeSB1c2luZyB0aGUg ZG93bmxvYWRlciB5b3UgYWdyZWUgdG8gdGhlIHVzYWdlIG9mIHN1Y2ggZGF0YSBhY2NvcmRpbmcg dG8gb3VyIHN0cmljdCBwcml2YWN5IHBvbGljeSBndWlkZWxpbmVzLiBQbGVhc2UgcmVhZCBvdXIg ZGV0YWlsZWQgbGljZW5jZSBhZ3JlZW1lbnQgKEVVTEEpIGFzIHdlbGwuPC9wPjxwPkluIG9yZGVy IHRvIGZpbmFuY2Ugb3VyIHNlcnZpY2Ugd2UgcGVybWl0IHNvZnR3YXJlIHByb2R1Y2VycyB0byBh ZHZlcnRpc2UgdGhlaXIgcHJvZHVjdHMgaW4gdGhlIGRvd25sb2FkZXIuIEJlZm9yZSB0aGUgaW50 ZWdyYXRpb24gZXZlcnkgcHJvZHVjdCBvZiBvdXIgYWR2ZXJ0aXNpbmcgcGFydG5lcnMgaGFzIHRv IHBhc3MgYSBzZWN1cml0eSBjb250cm9sLiBXaXRob3V0IGEgcG9zaXRpdmUgY29uZmlybWF0aW9u IGJ5IGFsbCByZW5vd25lZCBzZWN1cml0eSBzb2Z0d2FyZSBwcm9kdWNlcnMgYSBwcm9tb3Rpb25h bCBvZmZlciB3aWxsIG5vdCBhcHBlYXIgaW4gdGhlIGRvd25sb2FkZXIuIEFsbCBwcm9kdWN0cyBh cmUgZnJlZSBvciBjYW4gYmUgdGVzdGVkIGZvciBmcmVlIGZvciBhIGNlcnRhaW4gcGVyaW9kIG9m IHRpbWUgb3Igd2l0aCBhIGxpbWl0ZWQgcmFuZ2Ugb2YgZnVuY3Rpb25zIHJlc3BlY3RpdmVseS4g WW91IGRvIG5vdCBlbnRlciBhIGNvbW1pdG1lbnQsIGJ1dCB5b3UgY2FuIHRyeSBuZXcgYW5kIGV4 Y2l0aW5nIHNvZnR3YXJlIHByb2R1Y3RzLjwvcD4iLCJpbnN0YWxsUHJvZHVjdEZpcnN0IjpmYWxz ZSwic3RhcnRQcm9kdWN0U2V0dXBPbkxhc3RTY3JlZW4iOmZhbHNlLCJzaG93VmVyc2lvbiI6ZmFs c2UsImlkIjoic29mdC13YXJlbmV0LzEuMC9kZWZhdWx0IiwibmFtZSI6IlNvZnQtV2FyZU5ldCIs ImlzRW5jb2RlZCI6ZmFsc2V9LCJmbG93UGFnZXMiOnsiYmFzZSI6IltjZG5VcmxdL3B1YmxpYy1z b3VyY2UvZG93bmxvYWRndWlkZS9zb2Z0LXdhcmVuZXQvMS4wL2RlZmF1bHQvY2FtcGFpZ25zL3By b2R1Y3Qrd2Vic2l0ZS91aS9iYXNlLnppcCIsImluZm8iOiIiLCJpbnN0YWxsIjoiIiwibGFzdCI6 IltjZG5VcmxdL3B1YmxpYy1zb3VyY2UvZG93bmxvYWRndWlkZS9zb2Z0LXdhcmVuZXQvMS4wL2Rl ZmF1bHQvY2FtcGFpZ25zL3Byb2R1Y3Qrd2Vic2l0ZS91aS9sYXN0LnppcCIsIm9wdGlvbnMiOiIi LCJwcm9ncmVzcyI6IltjZG5VcmxdL3B1YmxpYy1zb3VyY2UvZG93bmxvYWRndWlkZS9zb2Z0LXdh cmVuZXQvMS4wL2RlZmF1bHQvY2FtcGFpZ25zL3Byb2R1Y3Qrd2Vic2l0ZS91aS9wcm9ncmVzcy56 aXAiLCJwcm9kdWN0UG9zaXRpb24iOnsia2V5Ijoic2luZ2xldGV4dHNjcmVlbiIsInZhbHVlIjoi U2luZ2xlIFRleHQifSwid2luZG93SGVpZ2h0IjozODksIndpbmRvd1dpZHRoIjo1MDYsInByZXZp ZXdJbWFnZVVybCI6IiIsIm9mZmVyUG9zaXRpb25zIjpbeyJrZXkiOiJxdWlja3RleHRpbnN0YWxs IiwidmFsdWUiOiJRdWljayBJbnN0YWxsIFRleHQiLCJwcmV2aWV3SW1hZ2VVcmwiOiIiLCJ0eXBl IjoiZGVmYXVsdCIsImlzRW5jb2RlZCI6ZmFsc2V9LHsia2V5Ijoic2luZ2xldGV4dGF2aXJhIiwi dmFsdWUiOiJTaW5nbGUgVGV4dCAoQXZpcmEpIiwicHJldmlld0ltYWdlVXJsIjoiIiwidHlwZSI6 ImRlZmF1bHQiLCJpc0VuY29kZWQiOmZhbHNlfSx7ImtleSI6InNpbmdsZXRleHRhdmlyYSIsInZh bHVlIjoiU2luZ2xlIFRleHQgKEF2aXJhKSIsInByZXZpZXdJbWFnZVVybCI6IiIsInR5cGUiOiJk ZWZhdWx0IiwiaXNFbmNvZGVkIjpmYWxzZX0seyJrZXkiOiJzaW5nbGV0ZXh0YXZpcmEiLCJ2YWx1 ZSI6IlNpbmdsZSBUZXh0IChBdmlyYSkiLCJwcmV2aWV3SW1hZ2VVcmwiOiIiLCJ0eXBlIjoiZGVm YXVsdCIsImlzRW5jb2RlZCI6ZmFsc2V9LHsia2V5Ijoic2luZ2xldGV4dGF2aXJhIiwidmFsdWUi OiJTaW5nbGUgVGV4dCAoQXZpcmEpIiwicHJldmlld0ltYWdlVXJsIjoiIiwidHlwZSI6ImRlZmF1 bHQiLCJpc0VuY29kZWQiOmZhbHNlfSx7ImtleSI6InNpbmdsZXRleHRhdmlyYSIsInZhbHVlIjoi U2luZ2xlIFRleHQgKEF2aXJhKSIsInByZXZpZXdJbWFnZVVybCI6IiIsInR5cGUiOiJkZWZhdWx0 IiwiaXNFbmNvZGVkIjpmYWxzZX1dLCJ1c2VNaWNyb3NvZnRTdHlsZSI6dHJ1ZSwicmVnaW9uIjoi ZW4tdXMiLCJ2ZXJzaW9uIjoiMS4wIiwiaWQiOiJmbG93LTUrdGV4dCthdmlyYS8xLjAvZW4tdXMi LCJuYW1lIjoiRmxvdy01IFRleHQgQXZpcmEiLCJwYXJhbWV0ZXJzIjpbXSwiaXNFbmNvZGVkIjpm YWxzZX0sImJhbm5lciI6eyJodG1sQ29kZSI6IjxhIGhyZWY9XCJodHRwOi8vYnVuZGxpbmctbmV0 d29yay5jb20vdHJhY2tpbmcvZW1waXJlMVwiIHRhcmdldD1cIl9ibGFua1wiPjxpbWcgc3JjPVwi aHR0cDovL3NvZnR3YXJlLWNhbXBhaWduLXJlc291cmNlcy5zMy5hbWF6b25hd3MuY29tL1N1Y2Nl c3NCYW5uZXIvNDhfZW5fZW1fZ2lmXzcyOHg5MC5naWZcIiB3aWR0aD1cIjcyOFwiIGhlaWdodD1c IjkwXCI+PC9hPiIsImlkIjoiZW1waXJlLzEuMC9kZWZhdWx0IiwibmFtZSI6IkVtcGlyZSIsInJl Z2lvbiI6ImRlZmF1bHQiLCJ2ZXJzaW9uIjoiMS4wIiwiaXNFbmNvZGVkIjpmYWxzZX0sIm5lZWRG b3JUcmFjayI6ImZhbHNlIiwiY2FtcGFpZ25SZWdpb24iOiJkZWZhdWx0IiwidGhhbmtZb3VQYWdl IjoiaHR0cDovL3Bpcm9nYS5zcGFjZS9wYWdlcy9TV0RFL1NXVFlQLmh0bWwiLCJjYW5jZWxQYWdl IjoiaHR0cDovL3Bpcm9nYS5zcGFjZS9wYWdlcy9TV0RFL1NXSU5ULmh0bWwiLCJzaG93VmVyc2lv biI6ZmFsc2UsIm9mZmVyc0xpc3QiOltdLCJpY29ucyI6W10sImRpc3BsYXlOYW1lIjoiU29mdC1X YXJlTmV0IDEuMCIsImlzRW5jb2RlZCI6ZmFsc2V9

Download
SHA256	e41dba19bb57b8227dfaa5e8c23201cddbd4b38d4990311c995a57e14834f1e6
Referer
Magic	Inconclusive. Probably text (TEXT)
Request	POST /config-from-production HTTP/1.1 Cache-Control: no-cache Content-Type: application/json User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: dlg-configs.buzzrin.de Content-Length: 205 Connection: Close {"os":"WinNT","osver":"6.1.7600 () SP: 0.0","lang":"en-US","uid":"acc7fe12-3135-466d-a131-c5ba9b41ee06","prod":"soft-warenet/1.0/campaigns/product+website/","expiresOn":"2115-01-17T06:57:42.3291736+00:00"}
Response Header	HTTP/1.1 200 OK Content-Type: text/plain Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Date: Thu, 01 Feb 2018 18:49:43 GMT Connection: close Content-Length: 3963
Response Peek (128 B)	{"certificate":"cyberservices","productSetup":"downloadguide/temp/e4b8f397-103f-4dc2-b462-a5bf20471890/DoNothing.exe","windowHei...

dlg-messages.buzzrin.de (104.45.146.238:80)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

/1/dg/3

text/html

200 OK

0.0 B

09/09/13 08:57:12

Download
SHA256	dc937b59892604f5a86ac96936cd7ff09e25f18ae6b758e8014a24c7fa039e91
Referer
Magic	()
Request	POST /1/dg/3 HTTP/1.1 Cache-Control: no-cache Content-Type: application/json User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: dlg-messages.buzzrin.de Content-Length: 377 Connection: Close {"BuildId":"b0dd8abc-306c-48b2-8572-cf79f61c03f7","Client":"freemium","DlgVersion":"3.1.0.168","Culture":"en-US","LocalTime":"2018-02-01T18:49:43-08:00","SessionId":"80dd61c5-ef79-4fd7-a5b5-464a4ef5ec9b","MessageName":"ApplicationStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product+website","Offer":"","TrackBackUrl":"","SubId":null}
Response Header	HTTP/1.1 200 OK Content-Type: text/html Server: Microsoft-IIS/8.0 X-Powered-By: ASP.NET Date: Thu, 01 Feb 2018 18:49:42 GMT Connection: close Content-Length: 0

/1/dg/3/error

error

0.0 B

09/09/13 09:07:27

Download
SHA256	3b3fd22b814d7fda008d04f0d55b48e5736faf12f9072df4401d7f16a8895bd6
Referer
Magic	()
Request	POST /1/dg/3/error HTTP/1.1 Cache-Control: no-cache Content-Type: application/json User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: dlg-messages.buzzrin.de Content-Length: 578 Connection: Close {"ApplicationName":"DownloadGuide2","ApplicationVersion":"3.1.0.168","Client":"freemium","Culture":"en-US","Region":"default","ExceptionDateBinary":"2018-02-01T18:49:43-08:00","ExceptionName":"","Message":"Product uiFile property is not defined or invalid","MethodName":"","OsName":"WinNT","OsPlatform":"x32","OsVersion":"6.1.7600 () SP: 0.0","StackTrace":"","BuildId":"b0dd8abc-306c-48b2-8572-cf79f61c03f7","SessionId":"80dd61c5-ef79-4fd7-a5b5-464a4ef5ec9b","Product":"soft-warenet","ProductVersion":"1.0","Campaign":"product+website","Offer":"","TrackBackUrl":"","SubId":null}
Response Header
Response Peek (128 B)	{"ApplicationName":"DownloadGuide2","ApplicationVersion":"3.1.0.168","Client":"freemium","Culture":"en-US","Region":"default...