Mon Feb 17 09:21:28 CET 2014

started win13

Mon Feb 17 09:23:11 CET 2014

Infected with 89828eec51d6fe22768c9364dcbb49b9

Urlquery said that:

The url found in this capture was from

ET TROJAN W32/Sality Executable Pack Digital Signature ASCII Marker

Wed Feb 19 17:00:00 CET 2014

Near 17.00hs, I accidentally shut down win13.

Wed Feb 19 20:42:28 CET 2014

started win13 again, already infected...

Mon Apr 7 10:17:23 CEST 2014

Huge powerdown on Sun 06, at 10am... powering up now.


It was cracking Cisco routers' web pages!

Sality Botnet, as detected by

It uses P2P and "super peers"

Tue Apr 8 12:57:25 CEST 2014

Today I saw that from 11.30hs to 12.20hs approx., I was sending spam.

Thu May 29 17:43:53 CEST 2014

reset the pcap in win13 because of a full disk.

Fri May 30 10:38:37 CEST 2014

Since cacti is not storing, I have to restart the vm without disinfecting.

Fri May 30 10:39:04 CEST 2014

poweroff win13

Fri May 30 10:40:08 CEST 2014

started win13 already INFECTED

Fri Jun 6 09:14:13 CEST 2014

Jin ran out of space. I stopped it without disinfecting. The pcap is safe.

Fri Jun 13 11:14:46 CEST 2014

started win13 infected

Sat Jun 14 15:01:07 CEST 2014

I got inside the vm because it was not doing anything. I found out that it was not automatically logged in. I logged in. Now it started to work... weird.

Mon Jun 30 09:49:12 CEST 2014

poweroff because of change of ip in jin. Still infected.