Index of /publicDatasets/CTU-Malware-Capture-Botnet-78-2

[ICO]NameLast modifiedSizeDescription

[PARENTDIR]Parent Directory  -  
[   ]5b1e1e909a6efca6cabc0fad8a0458a6.exe.zip2015-12-16 10:26 89K 
[   ]2014-06-06_capture-win8.biargus2015-04-14 16:54 213M 
[   ]2014-06-06_capture-win8.biargus.labeled2015-04-14 17:02 374M 
[   ]2014-06-06_capture-win8.binetflow2015-09-17 16:06 225M 
[   ]2014-06-06_capture-win8.binetflow.labeled2015-04-14 17:04 53M 
[   ]2014-06-06_capture-win8.capinfos2017-01-15 16:38 0  
[   ]2014-06-06_capture-win8.dnstop2017-01-15 16:35 2.6K 
[   ]2014-06-06_capture-win8.passivedns2014-09-15 15:45 3.4K 
[   ]2014-06-06_capture-win8.pcap2014-06-06 00:07 2.4G 
[IMG]2014-06-06_capture-win8.png2015-04-14 17:38 523K 
[   ]2014-06-06_capture-win8.rrd2014-06-06 09:18 8.0M 
[   ]2014-06-06_capture-win8.tcpdstat2017-01-15 16:38 1.8K 
[   ]2014-06-06_capture-win8.uniargus2017-01-15 16:38 94M 
[   ]2014-06-06_capture-win8.uninetflow2017-01-15 16:38 34M 
[   ]2014-06-06_capture-win8.weblogng2016-06-15 19:01 51M 
[TXT]README.html2017-01-15 16:38 2.4K 
[TXT]README.md2015-04-14 17:21 2.0K 
[DIR]bro/2017-01-15 16:38 -  
[TXT]fast-flux-dga-first-analysis.txt2017-01-15 16:38 6.4K 
[   ]ralabel-flowfilter.conf.generic2015-04-14 17:02 78K 
[   ]ralabel.conf2015-04-14 17:02 6.2K 
[IMG]zeus-CC-going-down.png2015-04-14 17:38 715K 

Analysis of Zeus version 2.1.0.1 (http://cybercrime-tracker.net/zbox.php)

Timeline

Fri May 30 10:31:48 CEST 2014

start win8 already INFECTED... win 8 infected with 5b1e1e909a6efca6cabc0fad8a0458a6

It is generating flows in the rrd, so it is ok. I copied the previous pcap file of ~6GB.

Fri Jun 6 09:14:13 CEST 2014

Jin run out of space. I stopped it without desinfecting. The pcap is safe.

CC

The command and control server is 81.88.48.95, port 80/tcp These Netflows are labeled "From-Botnet-TCP-HTTP-Zeus.CC.NonEncrypted-1" in the binetflow file.

In this capture, all the C&C connections are made to a server that is down. It is still an infected Zeus, but the C&C is not working. The connections are like this:

GET /Zz/config.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: eyeofgod1.com
Cache-Control: no-cache

HTTP/1.1 403 Forbidden
Date: Tue 13 May 2014 14:19:10 GMT
Server: Apache
Last-Modified: Tue 24 May 2011 06:44:15 GMT
Accept-Ranges: bytes
Content-Length: 2431
Connection: close
Content-Type: text/html
Content-Language: fr

<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">..<head>...<meta http-equiv=",

This change happened on 1970/01/01 07:03:13.638947 in pcap file, and on Tue 13 May 2014 14:19:10 GMT in real life time.

If you are going to analyze this Zeus behavior, consider that most of the C&C was taken down.

To see a working Zeus C&C see the capture called CTU-Malware-Capture-Botnet-78-1