Index of /publicDatasets/CTU-Malware-Capture-Botnet-61-2

Name                                          Last modified      Size
2014-06-06_capture-win13.biargus              2017-01-15 16:39   26M
2014-06-06_capture-win13.binetflow            2017-01-15 16:39   18M
2014-06-06_capture-win13.capinfos             2017-01-15 16:39   0
2014-06-06_capture-win13.dnstop               2017-01-15 16:38   9.0K
2014-06-06_capture-win13.passivedns           2017-01-15 16:38   12K
2014-06-06_capture-win13.pcap                 2014-06-06 08:43   40M
2014-06-06_capture-win13.rrd                  2014-06-06 09:23   8.0M
2014-06-06_capture-win13.tcpdstat             2017-01-15 16:39   2.5K
2014-06-06_capture-win13.weblogng             2016-06-15 17:53   712K
89828eec51d6fe22768c9364dcbb49b9.exe.zip      2015-12-16 10:26   566K
CTU-Malware-Capture-Botnet-61-2/              2022-01-30 12:34   -
README.html                                   2017-01-15 16:39   3.0K
README.md                                     2016-03-30 19:38   2.2K
bro/                                          2017-01-15 16:39   -
fast-flux-dga-first-analysis.txt              2017-01-15 16:39   26K
ra.conf.analysis                              2014-05-16 16:39   2.0K
ralabel-flowfilter.conf.generic               2014-05-16 17:09   55K
ralabel.conf                                  2014-05-16 17:09   6.1K

Description

Timeline

Mon Feb 17 09:21:28 CET 2014

started win13

Mon Feb 17 09:23:11 CET 2014

Infected with 89828eec51d6fe22768c9364dcbb49b9

Urlquery said that: http://urlquery.net/report.php?id=9404817

The URL http://www.greenbeach.de/logo.gif?24636=447138 found in this capture was from:

ET TROJAN W32/Sality Executable Pack Digital Signature ASCII Marker

Wed Feb 19 17:00:00 CET 2014

Near 17.00hs, I accidentally shut down win13.

Wed Feb 19 20:42:28 CET 2014

started win13 again, already infected...

Mon Apr 7 10:17:23 CEST 2014

Huge power-down on Sun 06 at 10am... powering up now.

Analysis

It was cracking Cisco routers' web pages!

Sality Botnet, as detected by https://www.virustotal.com/en/file/6fb2f335669405e9c3b7582b524dac22ebff7e5fe1258f25914d7e0e750ca62e/analysis/1400250260/

It uses P2P and "super peers"

Tue Apr 8 12:57:25 CEST 2014

Today I saw that from 11.30hs to 12.20hs approx. I was sending spam.

Thu May 29 17:43:53 CEST 2014

reset the pcap in win13 because of a full disk.

Fri May 30 10:38:37 CEST 2014

Since cacti is not storing, I have to restart the VM without disinfecting.

Fri May 30 10:39:04 CEST 2014

poweroff win13

Fri May 30 10:40:08 CEST 2014

started win13 already INFECTED

Fri Jun 6 09:14:13 CEST 2014

Jin ran out of space. I stopped it without disinfecting. The pcap is safe.

Fri Jun 13 11:14:46 CEST 2014

started win13 infected

Sat Jun 14 15:01:07 CEST 2014

I got inside the VM because it was not doing anything. I found out that it was not automatically logged in. I logged in. Now it started to work... weird.

Mon Jun 30 09:49:12 CEST 2014

poweroff because of a change of IP in Jin. Still infected.
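As an added example (not part of this capture's README and not Stratosphere project tooling), the following Python summarises the per-port behaviour of one host from a .binetflow file; it is the kind of check that would confirm the SMTP spam burst and the HTTP fan-out noted in the timeline and analysis above. It assumes the CTU-13 binetflow column layout (StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label); check the first line of 2014-06-06_capture-win13.binetflow before running it on the real file. The infected-host address 10.0.2.111, the label strings and all flow records below are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (NOT from the real capture) in the assumed CTU-13
# binetflow layout. Addresses are documentation ranges; 10.0.2.111 is a made-up
# infected host, 10.0.2.9 a made-up clean host.
SAMPLE_BINETFLOW = """\
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2014/04/08 11:31:02.118,0.512,tcp,10.0.2.111,49152,->,203.0.113.10,25,S_RA,0,0,4,240,120,flow=From-Botnet
2014/04/08 11:31:05.400,1.203,tcp,10.0.2.111,49153,->,203.0.113.11,25,SR_A,0,0,12,1820,940,flow=From-Botnet
2014/04/08 11:33:40.010,0.300,tcp,10.0.2.111,49154,->,203.0.113.12,25,S_RA,0,0,4,240,120,flow=From-Botnet
2014/04/08 11:34:12.777,0.900,tcp,10.0.2.111,49155,->,203.0.113.13,25,SR_A,0,0,10,1500,800,flow=From-Botnet
2014/04/08 12:05:30.000,2.100,tcp,10.0.2.111,49156,->,198.51.100.7,80,SR_A,0,0,20,4100,1200,flow=From-Botnet
2014/04/08 12:05:31.250,1.800,tcp,10.0.2.111,49157,->,198.51.100.8,80,SR_A,0,0,18,3900,1100,flow=From-Botnet
2014/04/08 12:05:31.900,0.001,udp,10.0.2.111,53211,<->,10.0.2.2,53,CON,0,0,2,180,60,flow=Background
2014/04/08 12:40:00.000,0.050,tcp,10.0.2.9,51000,->,192.0.2.5,443,SR_A,0,0,8,2000,900,flow=Background
"""


def parse_port(value):
    """Argus writes some ports in hex (e.g. ICMP type/code as 0x0303); normalise to int, -1 if blank."""
    value = value.strip()
    if not value:
        return -1
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def parse_binetflow(text):
    """Parse binetflow CSV text into a list of dicts with typed start time and destination port."""
    flows = []
    for rec in csv.DictReader(io.StringIO(text)):
        flows.append({
            "start": datetime.strptime(rec["StartTime"], "%Y/%m/%d %H:%M:%S.%f"),
            "proto": rec["Proto"],
            "src": rec["SrcAddr"],
            "dst": rec["DstAddr"],
            "dport": parse_port(rec["Dport"]),
            "label": rec.get("Label", ""),
        })
    return flows


def dport_profile(flows, src):
    """Count TCP flows per destination port originated by `src` (a quick view of what the host is doing)."""
    return Counter(f["dport"] for f in flows if f["src"] == src and f["proto"] == "tcp")


def smtp_bursts(flows, src, window_minutes=10, min_distinct_dst=3):
    """Find time windows in which `src` opened SMTP (tcp/25) connections to many distinct hosts.

    A single host talking to several MTAs within minutes is the usual shape of a spam run;
    the threshold is a heuristic, tune it to the dataset. Returns [(window start, distinct dsts)].
    """
    buckets = defaultdict(set)
    for f in flows:
        if f["src"] == src and f["proto"] == "tcp" and f["dport"] == 25:
            minute = f["start"].replace(second=0, microsecond=0)
            bucket = minute.replace(minute=minute.minute - minute.minute % window_minutes)
            buckets[bucket].add(f["dst"])
    return sorted(
        (b.strftime("%Y/%m/%d %H:%M"), len(d)) for b, d in buckets.items() if len(d) >= min_distinct_dst
    )


def http_fanout(flows, src, ports=(80, 8080)):
    """Number of distinct web servers `src` connected to; a large value is consistent with
    the router web-page cracking noted in the analysis."""
    return len({f["dst"] for f in flows if f["src"] == src and f["proto"] == "tcp" and f["dport"] in ports})


if __name__ == "__main__":
    flows = parse_binetflow(SAMPLE_BINETFLOW)
    host = "10.0.2.111"
    print("tcp destination ports:", dict(dport_profile(flows, host)))
    print("SMTP bursts (window start, distinct MTAs):", smtp_bursts(flows, host))
    print("distinct web servers contacted:", http_fanout(flows, host))
```

To run it over the real capture, replace SAMPLE_BINETFLOW with the contents of 2014-06-06_capture-win13.binetflow (for example `parse_binetflow(open(path).read())`) and set `host` to the address of win13 as it appears in the SrcAddr column; the column names must match the file's header line.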