Index of /publicDatasets/CTU-Malware-Capture-Botnet-61-1

	Name	Last modified	Size	Description
	Parent Directory		-
	ralabel.conf	2014-05-16 17:09	6.1K
	ralabel-flowfilter.conf.generic	2014-05-16 17:09	55K
	ra.conf.analysis	2014-05-16 16:39	2.0K
	fast-flux-dga-first-analysis.txt	2017-01-15 13:13	175K
	bro/	2017-01-15 13:11	-
	README.md	2016-03-30 19:38	2.2K
	README.html	2017-01-15 13:13	3.0K
	89828eec51d6fe22768c9364dcbb49b9.exe.zip	2015-12-16 10:26	566K
	2014-05-30_capture-win13.weblogng	2016-06-15 17:53	7.8M
	2014-05-30_capture-win13.tcpdstat	2017-01-15 13:11	3.6K
	2014-05-30_capture-win13.rrd	2014-05-30 10:39	8.0M
	2014-05-30_capture-win13.pcap	2014-05-30 10:39	455M
	2014-05-30_capture-win13.passivedns	2017-01-15 13:07	128K
	2014-05-30_capture-win13.dnstop	2017-01-15 13:07	24K
	2014-05-30_capture-win13.capinfos	2017-01-15 13:11	0
	2014-05-30_capture-win13.binetflow	2017-01-15 13:12	167M
	2014-05-30_capture-win13.biargus	2017-01-15 13:11	246M

Description

• Probable name: Sality
• MD5: 89828eec51d6fe22768c9364dcbb49b9
  
• SHA1: 562c87ba14fc74f230cd8f94b9821752d210a539
  

• SHA256: 6fb2f335669405e9c3b7582b524dac22ebff7e5fe1258f25914d7e0e750ca62e

• VirusTotal
• HybridAnalysis

• RobotHash

Timeline

Mon Feb 17 09:21:28 CET 2014

started win13

Mon Feb 17 09:23:11 CET 2014

Infected with 89828eec51d6fe22768c9364dcbb49b9

Urlquery said that: http://urlquery.net/report.php?id=9404817

The url http://www.greenbeach.de/logo.gif?24636=447138 found in this capture was from

ET TROJAN W32/Sality Executable Pack Digital Signature ASCII Marker

Wed Feb 19 17:00:00 CET 2014

Near 17.00hs, I accidentaly shutted down win13.

Wed Feb 19 20:42:28 CET 2014

started win13 again, already infected...

Mon Apr 7 10:17:23 CEST 2014

Huge powerdown on Sun 06, at 10am... powering up now.

Analysys

It was cracking Cisco routers web pages!

Sality Botnet, as detected by https://www.virustotal.com/en/file/6fb2f335669405e9c3b7582b524dac22ebff7e5fe1258f25914d7e0e750ca62e/analysis/1400250260/

It uses P2P and "super peers"

Tue Apr 8 12:57:25 CEST 2014

Today I saw that at 11.30hs to 12.20hs approx i was sending spam.

Thu May 29 17:43:53 CEST 2014

reset the pcap in win13 because a full disk.

Fri May 30 10:38:37 CEST 2014

Since cacti is not storing, I have to restart the vm without desinfecting.

Fri May 30 10:39:04 CEST 2014

poweroff win13

Fri May 30 10:40:08 CEST 2014

started win13 already INFECTED

Fri Jun 6 09:14:13 CEST 2014

Jin run out of space. I stopped it without desinfecting. The pcap is safe.

Fri Jun 13 11:14:46 CEST 2014

started win13 infected

Sat Jun 14 15:01:07 CEST 2014

I get inside the vm because it was not doing nothing. I found out that it was not automatically logged. I logged in. Now it started to work... weird.

Mon Jun 30 09:49:12 CEST 2014

poweroff because of change of ip in jin. Still infected.