Name | Last modified | Size | Description
---|---|---|---
3d3d%3F%3F%3F%3F.xls.exe.zip | 2015-12-16 10:28 | 660K |
README.html | 2023-01-21 12:02 | 9.4K |
README.md | 2023-01-21 12:02 | 8.4K |
WARNING-WRONG-NETFLOW-capture20110818-2.pcap.netflow.labeled | 2014-07-16 09:48 | 37M |
botnet-capture-20110819-bot.html | 2016-05-10 10:46 | 15M |
botnet-capture-20110819-bot.json | 2016-05-10 10:46 | 28M |
botnet-capture-20110819-bot.pcap | 2011-08-19 11:46 | 281M |
bro/ | 2017-04-17 12:53 | - |
capture20110819.binetflow.2format | 2017-05-08 20:40 | 77M |
capture20110819.truncated.pcap.bz2 | 2015-07-21 09:23 | 219M |
detailed-bidirectional-flow-labels/ | 2015-05-14 11:55 | - |
ralabel-flowfilter.conf.generic | 2015-02-02 09:49 | 220K |
Probable Name: NSIS.ay
MD5: eaf85db9898d3c9101fd5fcfa4ac80e4
SHA1: 46c2e00ce75e8d9339bcb3698337206caef11c6d
SHA256: c3deff8018315ddca3adcab04c83bf701cd5c0534c97dba150b09d90918af58f
Password of zip file: infected
Duration: 1 hour, 43 minutes and 0 seconds
Binary used: 3d3d%3F%3F%3F%3F.xls.exe
RobotHash
capture20110819.pcap
It is a pcap capture with all the traffic (background, normal and botnet).
This pcap file was not made public because it contains too much private information about the users of the network.
This file was captured on the main router of the University network.
Capture with only the botnet traffic. It is made public.
This file was captured on the interface of the virtual machine being infected.
capture20110819.pcap.netflow.labeled
This file has the netflows generated by a unidirectional Argus. The labels were assigned as follows:
- First, put Background on all the flows.
- Put LEGITIMATE on the flows that match some filters.
- Put Botnet on the flows that come to or from the infected IP addresses.
bro
detailed-bidirectional-flow-labels
*.html
*.json
*truncated.pcap.bz2
- Infected hosts:
  - 147.32.84.165: Windows XP English version. Name: SARUMAN. Label: Botnet. Amount of bidirectional flows: 807
  - 147.32.84.191: Windows XP English version. Name: SARUMAN1. Label: Botnet. Amount of bidirectional flows: 766
  - 147.32.84.192: Windows XP English version. Name: SARUMAN2. Label: Botnet. Amount of bidirectional flows: 570
- Normal hosts:
  - 147.32.84.170 (amount of bidirectional flows: 4359, Label: Normal-V42-Stribrek)
  - 147.32.84.134 (amount of bidirectional flows: 2145, Label: Normal-V42-Jist)
  - 147.32.84.164 (amount of bidirectional flows: 1075, Label: Normal-V42-Grill)
  - 147.32.87.36 (amount of bidirectional flows: 32, Label: CVUT-WebServer. This normal host is not so reliable since it is a web server)
  - 147.32.80.9 (amount of bidirectional flows: 3, Label: CVUT-DNS-Server. This normal host is not so reliable since it is a DNS server)
  - 147.32.87.11 (amount of bidirectional flows: 1, Label: MatLab-Server. This normal host is not so reliable since it is a MatLab server)
Please note that the labels of the flows generated by the malware start with "From-Botnet". The "To-Botnet" labels are flows sent to the botnet by unknown computers, so they should not be considered malicious per se. Likewise, for the normal computers the counts are for the "From-Normal" labels. The "To-Normal" labels are flows sent to those normal hosts by unknown computers, so they should not be considered malicious per se.
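The labeling steps described above (Background first, then the legitimate-host filter, then Botnet for any flow touching an infected IP, with the From-/To- direction prefix) can be reproduced in a few lines. This is an added example, not the lab's own Argus/ralabel tooling: the CSV column layout is constructed, and because the page does not reproduce the LEGITIMATE filters, the listed normal hosts stand in for them.

```python
import csv
import io

# Host lists taken from this README (infected and normal hosts).
INFECTED = {"147.32.84.165", "147.32.84.191", "147.32.84.192"}
# Assumption: the README's LEGITIMATE filters are not on the page, so the
# named normal hosts are used as the filter here.
NORMAL = {
    "147.32.84.170": "V42-Stribrek",
    "147.32.84.134": "V42-Jist",
    "147.32.84.164": "V42-Grill",
}

def label_flow(src, dst):
    """Apply the three steps in order; a later step overrides an earlier one,
    so a flow between an infected host and a normal host is Botnet."""
    label = "Background"                       # step 1: default for every flow
    if src in NORMAL:                          # step 2: legitimate-host filter
        label = "From-Normal-" + NORMAL[src]
    elif dst in NORMAL:
        label = "To-Normal-" + NORMAL[dst]
    if src in INFECTED:                        # step 3: infected IPs win
        label = "From-Botnet"
    elif dst in INFECTED:
        label = "To-Botnet"
    return label

def label_flows(text):
    """Read unidirectional flow records (constructed CSV layout with SrcAddr
    and DstAddr columns) and return (src, dst, label) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["SrcAddr"], r["DstAddr"], label_flow(r["SrcAddr"], r["DstAddr"]))
            for r in rows]

def count_labels(text):
    """Per-label flow counts, the figure the README reports per host."""
    counts = {}
    for _, _, label in label_flows(text):
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample flows; the first two mirror the P2P and C&C connections
# quoted later in this README, the rest use documentation address ranges.
SAMPLE = """StartTime,Proto,SrcAddr,Sport,DstAddr,Dport
2011/08/19 10:44:25,udp,58.153.244.139,7600,147.32.84.165,7600
2011/08/19 14:41:31,tcp,147.32.84.165,1037,91.212.135.158,5678
2011/08/19 14:42:00,tcp,147.32.84.170,51000,203.0.113.5,53
2011/08/19 14:42:05,udp,198.51.100.7,40000,147.32.84.134,53
2011/08/19 14:42:10,tcp,10.0.0.5,1234,10.0.0.6,80
"""
```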
We started the overall capture.
Bandwidth is 100kbps and burst is 1000kb.
We started the bot capture. This malware usually scans UDP ports.
We started the vm saruman.
We infected the vm.
We started saruman1 vm
We infected saruman1 vm
We started saruman2 vm
We infected saruman2 vm.
We changed the bandwidth limit to 5000kbps and burst to 1000kb, but we are not sure it worked. We see no change in the amount of flows. Perhaps we should wait some minutes.
We stopped the vms.
We stopped both captures.
The bot uses a P2P protocol.
There is an interesting use of P2P, for example: 2011-08-19 10:44:25.688258 IP 58.153.244.139.7600 > 147.32.84.165.7600: UDP, length 1056
Part of the content of the connection 147.32.84.165.1037 > 91.212.135.158.5678 is:
```
14:41:31.010119 IP 147.32.84.165.1037 > 91.212.135.158.5678: Flags [S], seq 3086438333, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.2@...0^. T.[.........O.....p...............
14:41:31.068836 IP 91.212.135.158.5678 > 147.32.84.165.1037: Flags [S.], seq 188364771, ack 3086438334, win 65535, options [mss 1460,sackOK,eol], length 0
E..0t.@.1. .[.... T......:7...O.p...S...........
14:41:31.069146 IP 147.32.84.165.1037 > 91.212.135.158.5678: Flags [.], ack 1, win 64240, length 0
E..(.3@...0e. T.[.........O..:7.P.............
14:41:31.069431 IP 147.32.84.165.1037 > 91.212.135.158.5678: Flags [P.], seq 1:8, ack 1, win 64240, length 7
E../.4@...0]. T.[.........O..:7.P.......HALLO
14:41:31.227776 IP 91.212.135.158.5678 > 147.32.84.165.1037: Flags [.], ack 8, win 65535, length 0
E..(v=@.1..[[.... T......:7...O.P.............
14:41:31.228146 IP 147.32.84.165.1037 > 91.212.135.158.5678: Flags [P.], seq 8:128, ack 1, win 64240, length 120
E....5@.../.. T.[.........O..:7.P.......Hash: 66b8864b660eae1bfb9750b1b3e9b449
ID: svchosta
Session:
Domain: NA
RBL: 0
Sent: 0
Failed: 0
Catchall: 0
14:41:31.287662 IP 91.212.135.158.5678 > 147.32.84.165.1037: Flags [.], seq 8:1468, ack 128, win 65535, length 1460
E...v.@.1...[.... T......:7...P=P...W{..Session: bf3028de44a0da8f4f58c3663514c082
IP: 147.32.84.165
Keep-Alive: 1
RBL: bl.spamcop.net
Max-To: 6
Max-Threads: 60
ProxyLock: 0
BlockCatchalls: 0
Clear Buffers
Macro: 26
DIGIT
0
1
2
3
4
5
6
7
8
9
Macro: 385
FMNAME
james
john
robert
michael
william
david
richard
charles
joseph
thomas
```
(This is probably the list of users, or maybe passwords, used to crack accounts and send spam.)
These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project in the CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflows files.
For any questions, feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
You are free to use these files as long as you reference this project and the authors as follows:
Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org