| Name | Last modified | Size |
|---|---|---|
| 2014-06-06_capture-win2.biargus | 2017-01-16 10:09 | 1.9M |
| 2014-06-06_capture-win2.binetflow | 2017-01-16 10:09 | 802K |
| 2014-06-06_capture-win2.capinfos | 2017-01-16 10:09 | 1.1K |
| 2014-06-06_capture-win2.dnstop | 2017-01-16 10:09 | 20K |
| 2014-06-06_capture-win2.html | 2018-03-14 12:52 | 18M |
| 2014-06-06_capture-win2.json | 2018-03-14 12:52 | 29M |
| 2014-06-06_capture-win2.passivedns | 2017-01-16 10:09 | 96K |
| 2014-06-06_capture-win2.pcap | 2014-06-06 00:01 | 95M |
| 2014-06-06_capture-win2.rrd | 2014-06-06 09:13 | 8.0M |
| 2014-06-06_capture-win2.tcpdstat | 2017-01-16 10:09 | 2.0K |
| 2014-06-06_capture-win2.weblogng | 2016-06-15 17:38 | 1.2M |
| README.html | 2018-03-14 13:03 | 7.2K |
| README.md | 2018-03-14 13:03 | 8.2K |
| bro/ | 2017-01-16 10:09 | - |
| fast-flux-dga-first-analysis.txt | 2017-01-16 10:11 | 160K |
| suricata/ | 2019-03-23 14:42 | - |
Proxy Usage: This capture did not use an intermediate proxy.
RobotHash
- Infected host: 10.0.2.102
- Default GW: 10.0.2.1
Started win2.
Stopped win2.
Post to YouTube:

```text
GET /set_awesome?el=embedded&c=web&cver=html5&cbr=Chrome&cbrver=35.0.1916.114&cos=Windows&cosver=6.1&html5=1&video_id=IoafwczHI_Q&eurl=http%3A%2F%2Fwww.siasat.pk%2Fforum%2Fshowthread.php%3F211214-quot-Terrorist-Belongs-to-MQM-Indian-Army-s-arms-recovered-from-MQM-sector-Offi&w=0.7002587705901613&l=257.137799&plid=AAT6u4ZcHLxjhUK2&ei=enaKU-K3MpPr8AOg1YCgCg&tpmt=180.090999&cpn=Cz2SMJnyPrdTmq4Z HTTP/1.1
```
Example of DNS requests (Bro dns.log records, one per line; columns are ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, trans_id, query, qclass, qclass_name, qtype, qtype_name, rcode, rcode_name, AA, TC):

```text
71065.537465 CPS4wT2EXWPPFPRPFj 10.0.2.102 52885 8.8.8.8 53 udp 13329 mlfto1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71123.503716 Cf7jqRttrmWx5nWu9 10.0.2.102 60367 8.8.8.8 53 udp 10327 nvall1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71123.888674 CeG8sF4egutVDQMTo8 10.0.2.102 55440 8.8.8.8 53 udp 9109 nvall1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71124.038867 Cmffhq4cr2jkome18f 10.0.2.102 53641 8.8.8.8 53 udp 61694 nvall1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71143.051216 C2UJS62Qe8e1xDi8n4 10.0.2.102 62286 8.8.8.8 53 udp 62997 okwad1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71146.957131 CSXm4V3P9NKVFrUH1d 10.0.2.102 55502 8.8.8.8 53 udp 43106 okwad1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71161.290335 C7xFG9gi00Hpxohh6 10.0.2.102 56559 8.8.8.8 53 udp 50281 zuebm1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71161.735567 C2cjRY3uaWsu8bdhN2 10.0.2.102 53633 8.8.8.8 53 udp 15285 zuebm1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71164.930576 CYurIe3eoj8R5XO8Jk 10.0.2.102 61219 8.8.8.8 53 udp 36323 zuebm1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71200.746053 CkDhGv3ZdYcEuUr9Sg 10.0.2.102 56137 8.8.8.8 53 udp 59454 nktgf1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71213.744024 CLFA9r2Os8KYkIEQe2 10.0.2.102 64121 8.8.8.8 53 udp 29960 vjbrv1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71231.431967 Ci0hQUQQ0fJ62v0W9 10.0.2.102 52032 8.8.8.8 53 udp 21708 fzwkd1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71250.156048 C6zQK71BhJhMJBuha5 10.0.2.102 49560 8.8.8.8 53 udp 53106 hhopx1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71255.043131 CdxRI93Rhd6l2aSHpk 10.0.2.102 62788 8.8.8.8 53 udp 42657 hhopx1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71255.766888 CTDQcZ2eDQK716UeO7 10.0.2.102 50366 8.8.8.8 53 udp 63199 hhopx1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71256.775993 CTOS8I3coJRLG70tWb 10.0.2.102 60817 8.8.8.8 53 udp 49672 hhopx1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71256.887845 CUO41vvBfZMEwMImb 10.0.2.102 57695 8.8.8.8 53 udp 34789 hhopx1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71294.509743 Cg3uUF4q3ZYWPpn1h8 10.0.2.102 60803 8.8.8.8 53 udp 53583 bkuew1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71335.546412 CuIqjO2Hqg2TSkiFz 10.0.2.102 62943 8.8.8.8 53 udp 59421 gsjxr1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71356.218761 C0rjFWyatQmHvnSM9 10.0.2.102 55970 8.8.8.8 53 udp 9488 hhgsf1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71375.414833 CkAb471J2vUFUYuFVg 10.0.2.102 58486 8.8.8.8 53 udp 39230 hoyyk1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71393.423396 CY79Kt3DSSrH3z5Ha6 10.0.2.102 60280 8.8.8.8 53 udp 19134 oldad1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71406.829757 C92Fra6ieomwZzte6 10.0.2.102 59150 8.8.8.8 53 udp 61548 cjmsw1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71409.962450 CvahjGOo8uTYEJaF8 10.0.2.102 56440 8.8.8.8 53 udp 35329 cjmsw1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71425.359776 CON7qd2PxZGLa3asR4 10.0.2.102 58626 8.8.8.8 53 udp 32955 xkwvf1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
```
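As an added example (not part of this capture's README or the Stratosphere project's tooling), a small Python detector that parses rows in the Bro dns.log layout shown above and flags hosts that repeatedly receive NXDOMAIN for random-looking labels under one parent zone, the pattern the excerpt exhibits. The sample input is three rows copied from the excerpt plus one constructed benign query; the `min_nxdomain` threshold is an assumed tuning value.

```python
import re
from collections import Counter, defaultdict

# Leading columns of a Bro/Zeek dns.log record in the order the excerpt shows them;
# the excerpt is cut off after the TC flag, so later columns are ignored here.
FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "trans_id",
          "query", "qclass", "qclass_name", "qtype", "qtype_name", "rcode", "rcode_name",
          "AA", "TC"]

# Sample input: three rows copied from the excerpt plus one constructed benign query.
SAMPLE_LOG = """\
71065.537465 CPS4wT2EXWPPFPRPFj 10.0.2.102 52885 8.8.8.8 53 udp 13329 mlfto1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71123.503716 Cf7jqRttrmWx5nWu9 10.0.2.102 60367 8.8.8.8 53 udp 10327 nvall1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71143.051216 C2UJS62Qe8e1xDi8n4 10.0.2.102 62286 8.8.8.8 53 udp 62997 okwad1401508.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F F
71150.000000 Cconstructed000001 10.0.2.102 60001 8.8.8.8 53 udp 11111 www.youtube.com 1 C_INTERNET 1 A 0 NOERROR F F
"""

# The generated names in the excerpt share one shape: five lowercase letters
# followed by a seven-digit number, under a fixed parent zone.
DGA_LABEL = re.compile(r"^[a-z]{5}\d{7}$")


def parse_dns_log(text):
    """Parse whitespace-separated dns.log rows into dicts keyed by FIELDS."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) < len(FIELDS):
            continue  # header, comment or truncated row
        records.append(dict(zip(FIELDS, parts)))
    return records


def dga_suspects(records, min_nxdomain=3):
    """Map source host -> {parent zone: NXDOMAIN count} for hosts whose
    DGA-shaped first labels failed to resolve at least min_nxdomain times."""
    hits = defaultdict(Counter)
    for r in records:
        first, _, parent = r["query"].partition(".")
        if r["rcode_name"] == "NXDOMAIN" and DGA_LABEL.match(first):
            hits[r["orig_h"]][parent] += 1
    return {host: dict(zones) for host, zones in hits.items()
            if sum(zones.values()) >= min_nxdomain}


if __name__ == "__main__":
    for host, zones in dga_suspects(parse_dns_log(SAMPLE_LOG)).items():
        print(host, zones)
```

Run against the full bro/dns.log of this capture, the same function should report 10.0.2.102 with a much higher count for br.whoer.net, since every row in the excerpt above matches.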
These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project at CVUT University, Prague, Czech Republic. The goal is to store long-lived real botnet traffic and to generate labeled netflow files. For any questions, feel free to contact us: Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
You are free to use these files as long as you reference this project and the authors as follows: Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org