Index of /publicDatasets/CTU-Malware-Capture-Botnet-78-1

Name                                         Last modified     Size  Description

Parent Directory                                               -
5b1e1e909a6efca6cabc0fad8a0458a6.exe.zip     2015-12-16 10:26  89K
2014-05-30_capture-win8.biargus              2015-04-14 14:28  502M
2014-05-30_capture-win8.biargus.labeled      2015-04-14 17:01  521M
2014-05-30_capture-win8.binetflow            2015-09-17 16:02  530M
2014-05-30_capture-win8.binetflow.labeled    2015-04-14 17:03  64M
2014-05-30_capture-win8.capinfos             2016-06-23 09:40  0
2014-05-30_capture-win8.dnstop               2016-06-23 09:35  2.5K
2014-05-30_capture-win8.html                 2015-09-17 17:40  260M
2014-05-30_capture-win8.json                 2015-09-17 17:40  183M
2014-05-30_capture-win8.passivedns           2016-06-23 09:35  3.6K
2014-05-30_capture-win8.pcap                 2014-05-30 10:30  6.0G
2014-05-30_capture-win8.pcap.fixed           2016-06-27 13:03  5.7G
2014-05-30_capture-win8.png                  2015-04-14 17:38  127K
2014-05-30_capture-win8.rrd                  2014-05-30 10:29  8.0M
2014-05-30_capture-win8.tcpdstat             2017-01-15 13:06  1.9K
2014-05-30_capture-win8.uniargus             2017-01-15 13:07  224M
2014-05-30_capture-win8.uninetflow           2017-01-15 13:07  81M
2014-05-30_capture-win8.weblogng             2016-06-15 18:21  120M
README.html                                  2017-01-15 13:07  3.3K
README.md                                    2015-04-14 17:21  2.7K
bro/                                         2017-08-31 09:45  -
fast-flux-dga-first-analysis.txt             2017-01-15 13:07  6.8K
ralabel-flowfilter.conf.generic              2015-04-14 16:56  78K
ralabel.conf                                 2014-09-15 13:48  6.2K
zeus-CC-going-down.png                       2015-04-14 17:38  715K

Analysis of Zeus version 2.1.0.1 (http://cybercrime-tracker.net/zbox.php)

Timeline

Tue May 13 10:02:46 CEST 2014

win8 started

Tue May 13 10:05:47 CEST 2014

win 8 infected with 5b1e1e909a6efca6cabc0fad8a0458a6

Thu May 29 17:06:42 CEST 2014

restart of pcap because space ran out

Fri May 30 10:30:38 CEST 2014

poweroff win8. It is generating flows in the rrd, so it is ok.

Fri Jun 6 09:14:13 CEST 2014

The server ran out of space. I stopped it without disinfecting. The pcap is safe.

C&C Channel

The command and control server is 81.88.48.95, port 80/tcp. These Netflows are labeled "From-Botnet-TCP-HTTP-Zeus.CC.NonEncrypted-1" in the binetflow file.

At first the C&C is up and running, with HTTP requests like:

GET /Zz/config.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: eyeofgod1.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue 13 May 2014 08:19:07 GMT
Server: Apache
Last-Modified: Tue 06 May 2014 23:40:30 GMT
Accept-Ranges: bytes
Content-Length: 34406
Connection: close
Content-Type: application/octet-stream
Content-Language: fr

` ....!....2g.U.^.'.!...cM.K.XN^............m....*.x.O.Ah..(.eui.:2..S..Y.9Q....Q...n.0..<P....%$3.K.a..b......7[B...nN.~.q.5.Q...../..!...gD..._..S.(M......Qdd...u"l;.DP.......o.u..t...2k....p.H.).~+TG.......W0T0.%.zP.A...Q....I....S.ux.,

But then the C&C server went down (probably taken down) so the behavior changed.

GET /Zz/config.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: eyeofgod1.com
Cache-Control: no-cache

HTTP/1.1 403 Forbidden
Date: Tue 13 May 2014 14:19:10 GMT
Server: Apache
Last-Modified: Tue 24 May 2011 06:44:15 GMT
Accept-Ranges: bytes
Content-Length: 2431
Connection: close
Content-Type: text/html
Content-Language: fr

<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">..<head>...<meta http-equiv=",

This change happened at 1970/01/01 07:03:13.638947 in the pcap file, and at Tue 13 May 2014 14:19:10 GMT in real-life time.

If you are going to analyze this Zeus behavior, consider that most of the C&C was taken down.
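
As an added example (not part of the original README), the following parses the headers of the two exchanges shown above and locates the point where delivery of config.bin stops. The function names are hypothetical, and treating "200 with application/octet-stream" as a delivered configuration is an assumption based on the first exchange.

```python
from datetime import datetime
# Headers of the two exchanges shown above (bodies and unused headers omitted).
CAPTURED = [
    """GET /Zz/config.bin HTTP/1.1
Host: eyeofgod1.com

HTTP/1.1 200 OK
Date: Tue 13 May 2014 08:19:07 GMT
Content-Length: 34406
Content-Type: application/octet-stream
""",
    """GET /Zz/config.bin HTTP/1.1
Host: eyeofgod1.com

HTTP/1.1 403 Forbidden
Date: Tue 13 May 2014 14:19:10 GMT
Content-Length: 2431
Content-Type: text/html
""",
]

def parse_exchange(text):
    """Parse one request/response pair; Date has no comma, as in this capture."""
    request, response = text.strip().split("\n\n", 1)
    req, resp = request.splitlines(), response.splitlines()
    h = {}
    for line in req[1:] + resp[1:]:
        name, _, value = line.partition(":")
        h[name.strip().lower()] = value.strip()
    return {
        "time": datetime.strptime(h["date"], "%a %d %b %Y %H:%M:%S GMT"),
        "host": h.get("host"),
        "uri": req[0].split(" ")[1],
        "status": int(resp[0].split(" ")[1]),
        "ctype": h.get("content-type"),
        "length": int(h.get("content-length", 0)),
    }

def config_delivered(ex):
    """A delivered config.bin: 200 with a binary body, as in the first exchange."""
    return ex["status"] == 200 and ex["ctype"] == "application/octet-stream"

def find_outage(exchanges):
    """Return (last delivered, first failed) exchange, or None if no change."""
    ordered = sorted(exchanges, key=lambda e: e["time"])
    for prev, cur in zip(ordered, ordered[1:]):
        if config_delivered(prev) and not config_delivered(cur):
            return prev, cur
    return None
```

Feeding it every config.bin exchange extracted from the capture, rather than just these two, narrows the window between the last delivered configuration and the first refusal.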