Index of /publicDatasets/CTU-Malware-Capture-Botnet-4

[ICO]NameLast modifiedSizeDescription

[PARENTDIR]Parent Directory  -  
[   ]2013-08-20_capture-win2.biargus2013-10-03 10:53 2.5G 
[   ]2013-08-20_capture-win2.clf2013-11-18 13:13 9.7M 
[   ]2013-08-20_capture-win2.histogram2013-10-03 10:59 255  
[   ]2013-08-20_capture-win2.netflow2013-10-03 10:56 1.6G 
[   ]2013-08-20_capture-win2.pcap2013-08-15 10:56 2.5G 
[   ]2013-08-20_capture-win2.weblog2013-10-03 10:56 11M 
[   ]2013-08-20_capture-win2.weblogng2013-11-28 16:59 12M 
[   ]2013-08-20_capture-win2.weblogng.labeled2013-11-28 17:11 14M 
[   ]2013-08-20_capture-win5.biargus2013-10-03 10:59 9.4M 
[   ]2013-08-20_capture-win5.clf2013-11-18 13:14 573K 
[   ]2013-08-20_capture-win5.histogram2013-10-03 10:59 227  
[   ]2013-08-20_capture-win5.netflow2013-10-03 10:59 6.4M 
[   ]2013-08-20_capture-win5.pcap2013-08-06 12:28 26M 
[   ]2013-08-20_capture-win5.weblog2013-10-03 10:59 630K 
[TXT]README.html2018-09-10 21:30 9.1K 
[TXT]README.md2018-09-10 21:30 8.3K 
[   ]SecureMessage.exe.zip2015-12-16 10:28 102K 
[   ]ralabel-flowfilter.conf2013-10-03 10:51 1.1K 
[   ]ralabel.conf2013-10-03 10:59 6.0K 
[   ]weblabel-rules.conf2013-11-28 17:11 1.1K 

Description

Files

IP Addresses

- Infected hosts: 
    - Windows Name: Win2, IP: 10.0.2.16 (Label: Botnet-V1)  - 2013-08-20_capture-win2
    - Windows Name: Win5, IP: 10.0.2.19 (Label: Botnet-V2)  - 2013-08-20_capture-win5
- Default GW: 192.168.1.X

Timeline

Mon Jul 15 00:42:06 CEST 2013

started win5

capture.pcap

I infected Win2 with the exe file. It started to download more execes and connecting to a lot of hosts.

This file is the mail spam send by the botnet called FzPfH6.exe

Mon Jul 15 01:14:18 CEST 2013

I infected

Traffic Analysis

This malware was sinkholed! X-Sinkhole: malware-sinkhole

It is working, but some CC are not under the real botmaster anymore.

It seems to be a variant of PushDO botnet

Some of the POST data of the suspected CC are: Host: dormfantasies.com fOCI2BUae1cgreMI/KQgRg7vi9wjn3RWGagpXf2rcUd+H58fy+OhW/hDskBU6P5d96omLd7+anB2sbcApsf0q/CVUDZtMcq+m57gnyHiHyNPdlgYZYI6Gt8HkMwQb9Y5OH9EtbIyQ/ieETOlSnli1mS53pfi7PQxzPzH8fCo645TjX8xcvUQS4yVPRaJw7Az yhtrjUdyqASsAukrHQFj4R/afJKEdVZen2Qr3Fye1mg5DX1WSgdKvhFV7uKGsM3AAx98UZbFd9SrN+PbP/HBHvi3ZUzlxRKOmPAz78XMKbnsYlOBZ9wjmoLhhzZubKbDm2/SXRl9t+LWMjqFozXa4tLaX1IXQ23A3md+2yVNcWpSNm3A3u7HVpQJ0TJuiGQf BprmNG9vty9nSJfPIx32/dVWeh9Nu1Uc8/zniPigWedLk8+2iB1WFNb74nfcQCB8TraGbReEuIiYpVvLkSolClszHvH99hx5lS5wiHY3sNLNM1KDrRG0ZIoMwK2tnFZ3wrR722IYaNIM0o9yPBrH

nDlYdStj51n7rKPOAh7lrZQWHFfxNJzbj+/Xw653gCuPrRXSt+NRTYLzqL4kh6/34rmYot084X+ASeK3HJO3R2kRc0ZsnIwQD2hLw9PtDh+s8g8UkNuLQEa5axZ3aBEAQUpaTN6X1pupgGABrqTrUlLe1JBphvypUMOlvBNcLreYnJR62V5XHJTPNogNKI+q92osGsw9E3iI4nFmY12yQ6Z8SQvNeSiHr2qrbII20aW9KIfUFdutTzyxzDXYKJz4MXpc57Y3UacpbPYu3PLMdj7d95JZbu5iC72/FqWZ9+pFcx016aZFYZWcAabU2xRhI5C9Nnz+VF0NA+shaoqON95cQgnLO4lZvS2Fz9C7e7bd3kHvbJAcSZbutRM5yo23vUq4T86AD3n171e7qom2oD6hNA1J99yM8Y6aLuaH5y8NeIdzi2DHwOx85rO4zZgxxAvPmj2wx+AvOC4Jdr3Vr1HyjJkBXpiVERdhH2zYEEBL+W/FykdIVzOQUyT7aPYjDtQGodmWcFtuRy0MA4baVxQwHI/i7BwTWg==

abGDpo2sqCUZou7ZBOSENEa8hCv7juvqEe7btlAle4XQukP0THuD0Z2klotylhTw8jIHzyX0Iu4zHBvnggIR9CuYnKdCX2GoE4BKs1dpj/snPWZ3gxBmQnAjQt0UIiduVmmErrZzSAuVRpoqjsxvADNgMU1zQl06AQ0mMuTvpfo57K1oz58yXVRUMIexLYDO7BQp1IFMDL6ftc6sCptKBfXmZ3kaCa2CbYOiCOEClIrOL8G/8CBHOA33i798IWkAggzYF1Pz8IkZtJtOOz9vff7p3trvCFe3i38sWlv1kTwGuTFXlcCgkg0KAvAhxXnu21JRC/zcOY1cXxVm3qvZMKAhjYr1W3IFRammhoK4nN4tpmua941SW21nvrMx+bUiYWVZtHlnsL4OaNNx0fyF9q6q6Ey7vylc3FiiKEpWQzAuJhbYu43ynF4+DImT926VWJN+6ghUQk/cm/hsmMulNMt9T9FLQojAeDjVW7V4jlJpZkln1alNTijUSlSYR9ePBP+OIMw3bdl+ViI6Q4/cjg==

e5mhY/einyHjYahdZqOXdkCAS6+tHoPxGyYweHdkfHsgADj3DrsbB/gE38BZ4plMQXsLdB8+VYDCwOwEBpMKatORnfGyi4688BngnzRtCcP9oGB1+H1Fzq9rBy3BQzEsfc5poqLuUPh7WICK7id1wQTLVzwiXCsu2wgmYBURRmRRz2hZ91VC1+swGnC+ljYQaCbEK8YdDJKrbF/mb+zbZ6bSsD9x7SOSQy88ZO3gJylMf37BhjJLbYbkf/GEpysLfW7tydgk7yZ+Bq7GZsq/tVcZf/TlayP36kwGNvqYC3XId1yDoCMKoz/D7q2BNuLp1MFpIbWMpeseZtD0bdz2rqf6242FOyyOg1WcGyi3lOpUA/rB14LMy5eh7dV53bQRJ78vX1FZPUSTb4gbfdLjf1BCeH/risJB+rcJXFteEg857SPjT2zqknv/LEdimkzumpyOsATKFg0aaMPaxi4fX/FCAyId0y/BcPYRungUk5IQUGWI7REeN5anvadCSOKt7gysy6ox96d9EngqsmlpQnc5z8Y9

Host: chocolatecovers.com f1eGXmBlYCO+knQBs1kYV5OXYRPI3z21lPps+oHMkdAVd5Xy8RJsulK76A84KeYdKQBngdyL5vzNubptpuqFu8wJl/DocZ7jT7CIp28UVLoy7ih0WN3TGSMUN5uA8PoTFe2+A62ziob/GuDT+HYOQIjh3ltyyeBdAvX1DAT5s/ZMk5C9Zs7gXqG6hK/5jRJZfLXCkX8rFq2jWkOMTlQAiDRfXGx32DsngBzyPCmLfF/I0jBxSc6ywTgvSHqXrV4uTsxRhvoOg2Tm0t2V/kElE2ZH6c+IRMKTgy8O8SwlqoYOMP+7JOswki/faVL3XK3xvshbwwyinuHN6NjZkoTnp8/9u/+3h8VGqj6+3oUkWn3HYTd4n+EtQ5zCRQ6EnAfq/LYUi2W6bAh6fRNP7F7vR3m1eJRxO6EoIqaEuREjS9a4OMmxcoCdSjP+pgb2z75PsTAPYG/TeNm3Q5LAwweojb86ZkP5JD0Q6jCMmuvlkQpQiGTIwzVWoELaSLklKDMG

dSoxdAqjrSQjvvZRbTYwNM1guHS6VxVH3hUqiUvTlkHlWV75VHmQjNL1CsbFkvaP8hdh/WQGQBqaquAon21mBlV56ncd/HZrv6d2Rmx6HupipEoFXriqV9xBFjua4qircJCzo/JNxIjH+3lbcNilyT/kXJjAOIaLCP7Ijx4brrFNfgNl8r5oMOiCqSitdnpZ bgjWu1TtSpznuv5aoVMlHw5m+otr1YsxVuuziOltqCasf1dU4zcDtLtsHv9lt3KNU2RoK1ClhcdjD/EOxtgtLElBeciIuvOsQ7WPVrIFqKPx/BOxOtwwm5dYS8Qci+zv6L3A6si/HmQgD716EW4CnfVIb/3TvVoVcy4iiNfhhY6PYHyR5un5xPpcw0Yl9jh0 nXEpUBVSIdkea3POFZ8sMYUIP4z0zMNqcKZrBYaM/KUzRFfzZy9Y2c6iRLONxjurscJOkENdsaIcHlXoxtELLQn4A+XTPIWo3Zi0WbspJF4kXF7NuTPl9ykOi/UXcQUVccCky++Te9I4+oGmkCl5pozaOKbyuFhku+lmoDbrP2Ru17rfbfQ+jhqmmA5NkSLQBw==

Host: hifuken.com Y116ljsnqCVbLb3P0nNd+iRBU3NBcgfTn2yAWIzZHTIrLc9YffYF/oX2FC1bI2qaCPN+K63Lq7dI4QSgt4w2ucbfIaiuEDWksaBEC9Z4yLK/SnF1VDSRxYVyfKtJMRFdmTEYFgnfbS7IeePvwS0vUQkpFaqRyo1N91J0B+aJhzhdB7xpFe7ArhNElpn6y9Mk5zUAabcVVMQ9fd4rZefUzsbp4XZoWPJg/Qnn0BMQEAug5a0x5sBRl3TWxHSS+mWwl3hMRO2Zo7CQ8JhknQXTzcS9c92P5aH/BJGqzaHLePoUMAT1b1R/i/J6NZvPufyd/1Z3pWVYDTkMr5H1bPG4vJ30myLdV+sgasGRsEwIuDUROz/C2Sv7RPDHd3bjT7ztMfQUz+5z23X2lEOGr3a8ynvPjxd6RjXhNQntTKdmjRRigjH/ncCUjlq/ryeanApy8t9dcqRJ/VWOAY8P0TG9zWvb6xyeqafOyWGNx5EDFD3q494HZj4ueu1ll3wluxK7O73h+tFY3dg=

PjwNT3iJWvWjtGwO+76FMWsLvKPAwRVkLNwEhzieNPYIrgoCfoiGp3QsjxlLRPr/OtokVXt0zxy/hVjRbSbza1veW6hcs6ymiP6vXV5TbVHUAX0YabXbYNR89aN8HDvqC0J0Cd7XU0+XkiUUnz/ghj8bGYb1OOEzEoKBqS0TljNF33W1HRQgJD7QS/4el08/tHRAjwJJInN5VH691Z+IugnIY3wrTiVBg7RUJ76Zx/ECkFEMKPjOtZPjNuAn+f8C5StrUIOpYwsP7X9nlmFd3AkPpV3BgW8Vv0s9eitOUHbdTB0L5luHQiElk/3Nmbgz3AAb2BGRoNGhIoW69WQr+JrZL1fFSgnDFjMHVsVP8s06pZfpariTU9mXUXIwvt0URptKB/5cQ7foRG6Qo9z7jfb9kvpWxY+VTrTs9AeY/RNAjTLJq9QBkvZL1AcZsJDOfI7CRHczHVsOfuaDFe0+kJm0i+B1vCtSGKu+W8AgkEVv83NoiB8ECnjflphWry1LTWWjdsQ=

Host: niray.com.cn

+83bVQ/CWvXUAHYSrsjTzhirP6qlF3vCs2KTyE/uzpF9Of0FICg2Dn7y47WcTn15WEj8mu/iqXLBzuWpukGOzJSMmgmGsRjcn3DlVg+QRqSjkvZ3FDRsh1hkMTCqZliN+nt/rrfTWTpQ+7tfgmFOOCcHiu2KLRTy+A98sphbxZhmOV8K0W0A/5hx+tWvwWcFAAT+k8t1d4S0YSllQK+HeBN3TPDlrcBGQP1oFrZtBXvvCcZ+oGBwq2k+Rs5KUPgGjznj2f83R2W3XZSJFRJ2lnlwkZ/rily3g9q5poCuhIWDnZovEn+lPEVGbNTInZ7WCARQ8Ug3aNNFzgI+GgQ5HE9MZx1X9N6XNwwwQ5xppm7Ye9NtOJn0zWCw6fdLH6DyblbObXp3M7mUHE87a9JiegwQi9Okq5yztqLjTeyTur4hTW7hxlpzUwonkM8ezQE9GyCEcUb4cdOoCl8jr3c60ZOyGuotRpM3xiMWzw==

(date here)

power off

Disclaimer

These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project in the CVUT University, Prague, Czech Republic. The goal is to store long-lived real botnet traffic and to generate labeled netflows files. Any question feel free to contact us: Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz

You are free to use these files as long as you reference this project and the authors as follows: Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org