CapTipper Report

CapTipper

Analysis Info

PCAP File	Analysis Time	CapTipper Version	Traffic Time
/opt/Malware-Project/BigDataset/Scenarios/CTU-Malware-Capture-Botnet-337-1//2018-02-23_win11.pcap	02/23/18 20:22:35	0.3 b13	07/11/79 15:54:18

Flow View

Client Details

IP	192.168.1.121
MAC	08:00:27:5d:86:c6
USER-AGENT	Microsoft-CryptoAPI/6.1

Conversations

crt.comodoca.com (104.16.93.188:80)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

/COMODORSAAddTrustCA.crt

application/x-x509-ca-cert

COMODORSAAddTrustCA.crt

200 OK

BINARY

1.4 KB

07/11/79 15:54:18

Download
SHA256	4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da
Referer
Magic	Inconclusive. Probably binary (BINARY)
Request	GET /COMODORSAAddTrustCA.crt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: crt.comodoca.com
Response Header	HTTP/1.1 200 OK Date: Tue, 13 Feb 2018 16:39:26 GMT Content-Type: application/x-x509-ca-cert Content-Length: 1400 Connection: keep-alive Set-Cookie: __cfduid=def745e8b4f5e8a98912ca5fe572ce89f1518539966; expires=Wed, 13-Feb-19 16:39:26 GMT; path=/; domain=.crt.comodoca.com; HttpOnly Last-Modified: Tue, 30 May 2000 10:48:38 GMT ETag: "39339c86-578" X-CCACDN-Mirror-ID: rmdccacrl3 Cache-Control: public, max-age=3600 CF-Cache-Status: HIT Expires: Tue, 13 Feb 2018 17:39:26 GMT Accept-Ranges: bytes Server: cloudflare CF-RAY: 3ec93943e7c30aa2-PRG
HEX Peek (128 B)	0000 30 82 05 74 30 82 04 5C A0 03 02 01 02 02 10 27 0..t0..\.......' 0010 66 EE 56 EB 49 F3 8E AB D7 70 A2 FC 84 DE 22 30 f.V.I....p...."0 0020 0D 06 09 2A 86 48 86 F7 0D 01 01 0C 05 00 30 6F ...*.H........0o 0030 31 0B 30 09 06 03 55 04 06 13 02 53 45 31 14 30 1.0...U....SE1.0 0040 12 06 03 55 04 0A 13 0B 41 64 64 54 72 75 73 74 ...U....AddTrust 0050 20 41 42 31 26 30 24 06 03 55 04 0B 13 1D 41 64 AB1&0$..U....Ad 0060 64 54 72 75 73 74 20 45 78 74 65 72 6E 61 6C 20 dTrust External 0070 54 54 50 20 4E 65 74 77 6F 72 6B 31 22 30 20 06 TTP Network1"0 .

ocsp.usertrust.com (178.255.83.1:80)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D

application/ocsp-response

MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D

200 OK

BINARY

471.0 B

07/20/79 15:13:53

Download
SHA256	2b27b2dd62db5b06bcdf8ecedeab57fb595b54ae7ec58e7be99923c30b442886
Referer
Magic	Inconclusive. Probably binary (BINARY)
Request	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.usertrust.com
Response Header	HTTP/1.1 200 OK Date: Tue, 13 Feb 2018 16:39:26 GMT Server: Apache Last-Modified: Mon, 12 Feb 2018 11:30:53 GMT Expires: Mon, 19 Feb 2018 11:30:53 GMT ETag: A32733318C0757E7E15BCFE416EE0611FBC2B84D Cache-Control: max-age=499286,public,no-transform,must-revalidate X-OCSP-Reponder-ID: rmdccaocsp16 Content-Length: 471 Connection: close Content-Type: application/ocsp-response
HEX Peek (128 B)	0000 30 82 01 D3 0A 01 00 A0 82 01 CC 30 82 01 C8 06 0..........0.... 0010 09 2B 06 01 05 05 07 30 01 01 04 82 01 B9 30 82 .+.....0......0. 0020 01 B5 30 81 9E A2 16 04 14 AD BD 98 7A 34 B4 26 ..0.........z4.& 0030 F7 FA C4 26 54 EF 03 BD E0 24 CB 54 1A 18 0F 32 ...&T....$.T...2 0040 30 31 38 30 32 31 32 31 31 33 30 35 33 5A 30 73 0180212113053Z0s 0050 30 71 30 49 30 09 06 05 2B 0E 03 02 1A 05 00 04 0q0I0...+....... 0060 14 7C B1 66 54 9C AB DB 44 EE 62 26 16 AD F4 65 .\|.fT...D.b&...e 0070 7B F7 7A D5 94 04 14 AD BD 98 7A 34 B4 26 F7 FA {.z.......z4.&..

ocsp.comodoca.com (178.255.83.1:80)

URI

RESPONSE TYPE

FILENAME

RESPONSE CODE

MAGIC

SIZE

TIME

/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS%2FpT9HLfNNK8%3D

application/ocsp-response

MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS%2FpT9HLfNNK8%3D

200 OK

BINARY

727.0 B

07/26/79 10:18:12

Download
SHA256	eef22e8d94f3632276ba60a42ee6be9edbde089d278d881088cccfe0f1282a52
Referer
Magic	Inconclusive. Probably binary (BINARY)
Request	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS%2FpT9HLfNNK8%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.comodoca.com
Response Header	HTTP/1.1 200 OK Date: Tue, 13 Feb 2018 16:39:27 GMT Server: Apache Last-Modified: Mon, 12 Feb 2018 11:30:53 GMT Expires: Mon, 19 Feb 2018 11:30:53 GMT ETag: 0AF89B42FA1F582863132B3B88056ED7681B3DFB Cache-Control: max-age=499285,public,no-transform,must-revalidate X-OCSP-Reponder-ID: rmdccaocsp16 Content-Length: 727 Connection: close Content-Type: application/ocsp-response
HEX Peek (128 B)	0000 30 82 02 D3 0A 01 00 A0 82 02 CC 30 82 02 C8 06 0..........0.... 0010 09 2B 06 01 05 05 07 30 01 01 04 82 02 B9 30 82 .+.....0......0. 0020 02 B5 30 81 9E A2 16 04 14 BB AF 7E 02 3D FA A6 ..0........~.=.. 0030 F1 3C 84 8E AD EE 38 98 EC D9 32 32 D4 18 0F 32 .<....8...22...2 0040 30 31 38 30 32 31 32 31 31 33 30 35 33 5A 30 73 0180212113053Z0s 0050 30 71 30 49 30 09 06 05 2B 0E 03 02 1A 05 00 04 0q0I0...+....... 0060 14 5E 02 1B 68 6C 5C D3 BE 16 91 99 57 89 DF C4 .^..hl\.....W... 0070 14 72 16 3D 03 04 14 BB AF 7E 02 3D FA A6 F1 3C .r.=.....~.=...<

/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg%2F4pN%2Buv5pmq4z%2FnmS71JzhICEQDLpMOcaG63Ewf2u1tuHhYM

application/ocsp-response

MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg%2F4pN%2Buv5pmq4z%2FnmS71JzhICEQDLpMOcaG63Ewf2u1tuHhYM

200 OK

BINARY

472.0 B

07/28/79 00:26:38

Download
SHA256	b60b1309139413b68820b0f90706a3c0539a04e82b30390d531eef86a50102bf
Referer
Magic	Inconclusive. Probably binary (BINARY)
Request	GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg%2F4pN%2Buv5pmq4z%2FnmS71JzhICEQDLpMOcaG63Ewf2u1tuHhYM HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.comodoca.com
Response Header	HTTP/1.1 200 OK Date: Tue, 13 Feb 2018 16:39:27 GMT Server: Apache Last-Modified: Sat, 10 Feb 2018 12:08:35 GMT Expires: Sat, 17 Feb 2018 12:08:35 GMT ETag: 4287F0BAA043E8AE259FD6BC52732BF636E65552 Cache-Control: max-age=328747,public,no-transform,must-revalidate X-OCSP-Reponder-ID: rmdccaocsp16 Content-Length: 472 Connection: close Content-Type: application/ocsp-response
HEX Peek (128 B)	0000 30 82 01 D4 0A 01 00 A0 82 01 CD 30 82 01 C9 06 0..........0.... 0010 09 2B 06 01 05 05 07 30 01 01 04 82 01 BA 30 82 .+.....0......0. 0020 01 B6 30 81 9F A2 16 04 14 29 91 60 FF 8A 4D FA ..0......).`..M. 0030 EB F9 A6 6A B8 CF F9 E6 4B BD 49 CE 12 18 0F 32 ...j....K.I....2 0040 30 31 38 30 32 31 30 31 32 30 38 33 35 5A 30 74 0180210120835Z0t 0050 30 72 30 4A 30 09 06 05 2B 0E 03 02 1A 05 00 04 0r0J0...+....... 0060 14 92 77 15 DD 1B 8E 3B CA 69 11 34 F5 55 89 42 ..w....;.i.4.U.B 0070 EF DE B9 01 CD 04 14 29 91 60 FF 8A 4D FA EB F9 .......).`..M...