Index of /publicDatasets/CTU-Malware-Capture-Botnet-66-1

Name                                        Last modified     Size
Parent Directory                            -                 -
66-1.1000p.pcap                             2018-09-15 13:36  139K
2014-04-07_capture-win13.biargus            2014-05-16 17:00  241M
2014-04-07_capture-win13.binetflow          2018-08-05 22:45  153M
2014-04-07_capture-win13.capinfos           2016-03-30 19:44  769
2014-04-07_capture-win13.dnstop             2016-03-30 19:38  21K
2014-04-07_capture-win13.html               2017-01-07 08:54  215M
2014-04-07_capture-win13.json               2017-01-07 08:54  324M
2014-04-07_capture-win13.passivedns         2016-03-30 19:38  62K
2014-04-07_capture-win13.pcap               2016-03-30 19:42  395M
2014-04-07_capture-win13.rrd                2014-04-07 11:06  8.0M
2014-04-07_capture-win13.short.binetflow    2016-09-29 11:33  41M
2014-04-07_capture-win13.tcpdstat           2016-12-16 15:34  3.6K
2014-04-07_capture-win13.uniargus           2016-12-16 15:35  333M
2014-04-07_capture-win13.uninetflow         2016-12-16 15:36  221M
2014-04-07_capture-win13.weblogng           2016-06-15 18:50  9.2M
89828eec51d6fe22768c9364dcbb49b9.exe.zip    2015-12-16 10:26  566K
README.html                                 2017-01-15 13:07  1.6K
README.md                                   2016-09-29 10:33  1.2K
bro/                                        2017-08-31 09:45  -
fast-flux-dga-first-analysis.txt            2017-01-15 13:07  93K
list.of.web.passwd.txt                      2018-08-14 01:20  113K
short-version/                              2018-04-25 17:19  -

Description

Timeline

Wed Feb 19 20:42:28 CET 2014

Started win13, already infected with 89828eec51d6fe22768c9364dcbb49b9 (the sample is in 89828eec51d6fe22768c9364dcbb49b9.exe.zip above).

P2P botnet

Urlquery report: http://urlquery.net/report.php?id=9404817

The URL http://www.greenbeach.de/logo.gif?24636=447138 found in this capture was flagged there by the Emerging Threats signature "ET TROJAN W32/Sality Executable Pack Digital Signature ASCII Marker". The signature name refers to an ASCII marker in the packed executable, so it is the content served as logo.gif, not the URL string itself, that matched.

~Mon Apr 6 8:46:00 CEST 2014

Huge power-down on Sun 06 at 10am; powering up now.

Analysis

It was cracking the web login pages of Cisco routers (cf. list.of.web.passwd.txt above).

Sality botnet, as detected by VirusTotal: https://www.virustotal.com/en/file/6fb2f335669405e9c3b7582b524dac22ebff7e5fe1258f25914d7e0e750ca62e/analysis/1400250260/

It uses P2P and "super peers".
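As an added triage example (written for this page, not tooling shipped with the capture), the following Python reads a .binetflow export and surfaces the two flow-level symptoms of the router web-login cracking noted above: one source opening many short TCP sessions to a single HTTP port (one password guess per session), and one source reaching HTTP ports on many distinct hosts. It assumes the CTU-13 Argus column layout (StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label); the HTTP port set, the thresholds and every sample row are constructed assumptions, and nothing in it is taken from 2014-04-07_capture-win13.binetflow.

```python
"""Flow-level triage for the web-interface cracking behaviour noted above.

Added example for this page, not tooling shipped with the capture. It
assumes (1) the .binetflow file has the CTU-13 Argus header
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,
TotPkts,TotBytes,SrcBytes,Label, and (2) that one password guess against a
router's web login costs one short TCP session, so a credential list shows
up as many flows from one source to one HTTP port. The rows below are
constructed; nothing here is taken from 2014-04-07_capture-win13.binetflow.
"""
from __future__ import annotations

import csv
from collections import defaultdict
from io import StringIO

HTTP_PORTS = {"80", "8080"}  # assumption: router web UIs listen here

# Constructed traffic summary: (SrcAddr, DstAddr, Proto, Dport, flow count).
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges
# standing in for router management interfaces and other hosts.
_CONSTRUCTED = [
    ("10.0.2.103", "203.0.113.10", "tcp", "80", 12),   # repeated logins, one router
    ("10.0.2.103", "203.0.113.11", "tcp", "80", 2),
    ("10.0.2.103", "203.0.113.12", "tcp", "80", 1),
    ("10.0.2.103", "203.0.113.13", "tcp", "80", 1),
    ("10.0.2.103", "203.0.113.14", "tcp", "80", 1),
    ("10.0.2.103", "203.0.113.15", "tcp", "80", 1),
    ("10.0.2.103", "198.51.100.7", "udp", "9674", 3),  # peer chatter, not HTTP
    ("10.0.2.50", "198.51.100.20", "tcp", "443", 4),   # benign client, one server
]

HEADER = ("StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,"
          "sTos,dTos,TotPkts,TotBytes,SrcBytes,Label")


def build_sample_binetflow() -> str:
    """Expand _CONSTRUCTED into binetflow-shaped CSV text (constructed data)."""
    lines = [HEADER]
    sport, offset = 49152, 0
    for src, dst, proto, dport, n in _CONSTRUCTED:
        for _ in range(n):
            start = f"2014/04/07 09:{offset // 60:02d}:{offset % 60:02d}.000000"
            lines.append(f"{start},0.5,{proto},{src},{sport},->,{dst},{dport},"
                         f"CON,0,0,8,1200,600,flow=Constructed")
            sport += 1
            offset += 7
    return "\n".join(lines) + "\n"


def parse_binetflow(text: str) -> list[dict[str, str]]:
    """One dict per flow, keyed by the header names; values stay as strings."""
    return list(csv.DictReader(StringIO(text)))


def http_flows(flows):
    """Only TCP flows whose destination port is in HTTP_PORTS."""
    return [f for f in flows if f["Proto"] == "tcp" and f["Dport"] in HTTP_PORTS]


def repeated_http_logins(flows, min_flows: int = 10) -> dict[tuple[str, str], int]:
    """(src, dst) pairs with at least min_flows separate TCP sessions to an HTTP
    port. With one guess per session, this is what working through a password
    list against a single router web form looks like in flow data."""
    counts: dict[tuple[str, str], int] = defaultdict(int)
    for f in http_flows(flows):
        counts[(f["SrcAddr"], f["DstAddr"])] += 1
    return {pair: n for pair, n in counts.items() if n >= min_flows}


def http_target_spray(flows, min_targets: int = 5) -> dict[str, list[str]]:
    """Sources that opened HTTP sessions to at least min_targets distinct hosts:
    a client hunting for reachable web interfaces rather than browsing."""
    targets: dict[str, set[str]] = defaultdict(set)
    for f in http_flows(flows):
        targets[f["SrcAddr"]].add(f["DstAddr"])
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


def triage(text: str) -> dict[str, object]:
    """Parse binetflow text and return both indicators plus the flow count."""
    flows = parse_binetflow(text)
    return {
        "flows": len(flows),
        "repeated_logins": repeated_http_logins(flows),
        "spray": http_target_spray(flows),
    }


if __name__ == "__main__":
    # For the real file: triage(open("2014-04-07_capture-win13.binetflow").read())
    for key, value in triage(build_sample_binetflow()).items():
        print(key, value)
```

On the real export, run triage() over the full file and then pivot on the flagged (src, dst) pairs in the pcap to confirm the HTTP login attempts; the thresholds are only starting points and should be tuned against the background hosts in the same capture.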