Name | Last modified | Size | Description | |
---|---|---|---|---|
Parent Directory | - | |||
README.html | 2023-01-21 12:03 | 5.7K | ||
README.md | 2023-01-21 12:03 | 4.9K | ||
botnet-capture-20110815-fast-flux-2.html | 2015-05-14 13:00 | 22M | ||
botnet-capture-20110815-fast-flux-2.json | 2015-05-14 13:00 | 38M | ||
botnet-capture-20110815-fast-flux-2.pcap | 2011-08-16 09:37 | 109M | ||
bro/ | 2017-04-17 12:56 | - | ||
capture20110815-3.binetflow.2format | 2017-05-08 20:41 | 452M | ||
capture20110815-3.pcap.netflow.labeled | 2011-12-06 17:27 | 123M | ||
capture20110815-3.truncated.pcap.bz2 | 2015-07-21 10:43 | 843M | ||
detailed-bidirectional-flow-labels/ | 2015-05-14 11:55 | - | ||
e4f816462c4fc84bb250e2b1d295bf23_85f9a5247afbe51e64794193f1dd72eb_unpacked.exe.zip | 2015-12-16 10:28 | 290K | ||
ralabel-flowfilter.conf.generic | 2014-07-18 10:29 | 79K | ||
Probable Name: Virut
MD5: 85f9a5247afbe51e64794193f1dd72eb
SHA1: 532f81d162ddb3b3563bbb942f7eb3220f0f604d
SHA256: e8c63b3753504ff27cb93555c62beaaded5f3e485017d950f0aa0831a9c45ac8
Duration: 16 hours, 23 minutes and 0 seconds
Binary used: e4f816462c4fc84bb250e2b1d295bf23_85f9a5247afbe51e64794193f1dd72eb_unpacked.exe
Zip password: infected
RobotHash
capture20110815-3.pcap
It is a pcap capture with all the traffic (background, normal and botnet)
This pcap file was not made public because it contains too much private information about the users of the network.
This file was captures on the main router of the University network.
botnet-capture-20110815-fast-flux-2.pcap
Capture with only the botnet traffic. It is made public.
This file was captured on the interface of the virtual machine being infected.
capture20110815-3.pcap.netflow.labeled
This file has the netflows generated by a unidirectional argus. The labels were assigned as this:
- First put Background to all the flows.
- Put LEGITIMATE to the flows that match some filters.
- Put Botnet to the flows that come to or from the infected IP addresses
bro
detailed-bidirectional-flow-labels
*.html
*.json
*truncated.pcap.bz2
- Infected hosts
- 147.32.84.165: Windows XP English version Name: SARUMAN. Label: Botnet. Amount of bidirectional flows: 40003
- Normal hosts:
- 147.32.84.170 (amount of bidirectional flows: 26846, Label: Normal-V42-Stribrek)
- 147.32.84.134 (amount of bidirectional flows: 948, Label: Normal-V42-Jist)
- 147.32.84.164 (amount of bidirectional flows: 3539, Label: Normal-V42-Grill)
- 147.32.87.36 (amount of bidirectional flows: 422, Label: CVUT-WebServer. This normal host is not so reliable since is a webserver)
- 147.32.80.9 (amount of bidirectional flows: 6, Label: CVUT-DNS-Server. This normal host is not so reliable since is a dns server)
- 147.32.87.11 (amount of bidirectional flows: 18, Label: MatLab-Server. This normal host is not so reliable since is a matlab server)
Please note that the labels of the flows generated by the malware start with “From-Botnet”. The labels “To-Botnet” are flows sent to the botnet by unknown computers, so they should not be considered malicious perse. Also for the normal computers, the counts are for the labels “From-Normal”. The labels “To-Normal” are flows sent to the botnet by unknown computers, so they should not be considered malicious perse.
We started it so we can leave it all night long. We started the overall capture.
We are going to infect the VM with a fast-flux malware. Bandwith will be at 100kBps.
We started the bot
We stopped the VM and both captures.
There is a special connection in this capture, comming from IP 209.173.182.133 to IP 147.32.84.165 port 3389/TCP. This is not a connection generated by the botnet, but a Remote Desktop Protocol scan that by chance found our VirtualBox remote desktop port in the bot. The scan was unsuccessful to login.
These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project in the CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflows files.
Any question feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
You are free to use these files as long as you reference this project and the authors as follows:
Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org