Index of /publicDatasets/CTU-Malware-Capture-Botnet-83-2

Name                                    Last modified      Size
2014-06-30_capture-win2.biargus         2017-01-16 10:11   3.5M
2014-06-30_capture-win2.binetflow       2017-01-16 10:11   1.5M
2014-06-30_capture-win2.capinfos        2017-01-16 10:11   1.1K
2014-06-30_capture-win2.dnstop          2017-01-16 10:11   20K
2014-06-30_capture-win2.html            2018-03-14 13:11   66M
2014-06-30_capture-win2.json            2018-03-14 13:11   121M
2014-06-30_capture-win2.passivedns      2017-01-16 10:11   441K
2014-06-30_capture-win2.pcap            2014-06-30 09:25   368M
2014-06-30_capture-win2.rrd             2014-06-30 11:01   8.0M
2014-06-30_capture-win2.tcpdstat        2017-01-16 10:11   2.1K
2014-06-30_capture-win2.uniargus        2017-01-16 10:11   16M
2014-06-30_capture-win2.uninetflow      2017-01-16 10:11   6.9M
2014-06-30_capture-win2.weblogng        2016-06-15 17:38   1.3M
README.html                             2018-03-14 13:04   5.8K
README.md                               2018-03-14 13:04   6.3K
bro/                                    2018-03-14 12:54   -
suricata/                               2018-03-14 12:55   -

Description

Files

IP Addresses

- Infected host: 10.0.2.102
- Default GW: 10.0.2.1

Timeline

- Fri, 13 Jun 2014 09:22:10 (approx.): started infected
- Sun, 22 Jun 2014 20:14:30 GMT: stopped win2

Analysis

DGA

Example of DNS requests, taken from the Bro dns.log (whitespace-separated here; the excerpt is cut off after the AA column). The columns follow the Bro dns.log layout: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, trans_id, rtt, query, qclass, qclass_name, qtype, qtype_name, rcode, rcode_name, AA, TC. Records whose rcode is "-" are queries for which Bro saw no response; the others were answered NXDOMAIN. Every name is a five-letter label followed by seven digits under br.whoer.net.

551165.524933 C3g4OkyKMFazwOfWf 10.0.2.102 61992 8.8.8.8 53 udp 9424 - xivpx1403202.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
551166.611260 COgZ3Ieg1L4feK0K8 10.0.2.102 61344 8.8.8.8 53 udp 50451 - xivpx1403202.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
551169.724672 CPCMog40hBKV3CNpya 10.0.2.102 54704 8.8.8.8 53 udp 14208 - xivpx1403202.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
551173.724929 CPCMog40hBKV3CNpya 10.0.2.102 54704 8.8.8.8 53 udp 14208 - xivpx1403202.br.whoer.net 1 C_INTERNET 1 A - - F F
551170.720904 CugHMb4M0rsZ7hbvMg 10.0.2.102 54704 4.4.4.4 53 udp 14208 - xivpx1403202.br.whoer.net 1 C_INTERNET 1 A - - F F
551171.722160 CugHMb4M0rsZ7hbvMg 10.0.2.102 54704 4.4.4.4 53 udp 14208 - xivpx1403202.br.whoer.net 1 C_INTERNET 1 A - - F F
551173.725016 CugHMb4M0rsZ7hbvMg 10.0.2.102 54704 4.4.4.4 53 udp 14208 - xivpx1403202.br.whoer.net 1 C_INTERNET 1 A - - F F
808196.150642 CqwMV60BOnmu9GRo5 10.0.2.102 59060 8.8.8.8 53 udp 22940 - kpduo1403459.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
808196.491335 CBD1sQ3zkZlX01RjV7 10.0.2.102 60706 8.8.8.8 53 udp 5194 - kpduo1403459.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
808803.633797 CcUjWD1tOI0Dx85U5e 10.0.2.102 59177 8.8.8.8 53 udp 2408 - chgqz1403460.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
808803.909128 Cqac9P37rxoAyHztq4 10.0.2.102 61213 8.8.8.8 53 udp 14256 - chgqz1403460.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
808804.426798 CN8P7y3i12P1DhDPCd 10.0.2.102 57076 8.8.8.8 53 udp 48013 - chgqz1403460.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
808804.666229 CZlwBn2ARK61Ir6cxe 10.0.2.102 53778 8.8.8.8 53 udp 25208 - chgqz1403460.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
810224.561945 Cur8nK2U5EmlCLKlb4 10.0.2.102 51876 8.8.8.8 53 udp 39506 - nteze1403461.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
810224.894741 CMZNU34vCkQhQ0l2xd 10.0.2.102 53750 8.8.8.8 53 udp 51688 - nteze1403461.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
810269.407254 CfUrdS12IV61t3o2Qd 10.0.2.102 60284 8.8.8.8 53 udp 11167 - zrayy1403461.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
810269.459644 CdhR6Z3KV31AX4xabh 10.0.2.102 51857 8.8.8.8 53 udp 12018 - zrayy1403461.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
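A small checker for the pattern in these records, written as an added example for this README; it is not part of the dataset or of the Stratosphere tools. It parses the lines as Bro dns.log columns, counts unique NXDOMAIN names and unanswered queries per client, and matches the five-letters-plus-seven-digits label shape seen here. It also carries one hypothesis that the README does not state and that is labelled as such in the code: the seven-digit suffix looks like Unix time divided by 1000. Read that way, 1403202 is 2014-06-19 18:20 UTC, inside the capture window, and the suffixes advance in step with the log: the first and eighth records are about 257 000 s apart and their suffixes differ by 257. The sample records are copied from the excerpt above and constructed as offline test input.

```python
"""Flag DGA-style NXDOMAIN activity in Bro/Zeek dns.log records.

Added example for the CTU-Malware-Capture-Botnet-83-2 README; not part of
the dataset tooling. The README excerpt is truncated after the AA column,
so only the first 17 dns.log columns are used.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Bro dns.log column order, as far as the README excerpt shows it.
FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
          "trans_id", "rtt", "query", "qclass", "qclass_name", "qtype",
          "qtype_name", "rcode", "rcode_name", "AA"]

# Constructed sample: a subset of the records shown in the DGA section.
# Real dns.log files are tab-separated; the README flattened them to spaces.
SAMPLE_LOG = """\
551165.524933 C3g4OkyKMFazwOfWf 10.0.2.102 61992 8.8.8.8 53 udp 9424 - xivpx1403202.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
551173.724929 CPCMog40hBKV3CNpya 10.0.2.102 54704 8.8.8.8 53 udp 14208 - xivpx1403202.br.whoer.net 1 C_INTERNET 1 A - - F F
551170.720904 CugHMb4M0rsZ7hbvMg 10.0.2.102 54704 4.4.4.4 53 udp 14208 - xivpx1403202.br.whoer.net 1 C_INTERNET 1 A - - F F
808196.150642 CqwMV60BOnmu9GRo5 10.0.2.102 59060 8.8.8.8 53 udp 22940 - kpduo1403459.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
808803.633797 CcUjWD1tOI0Dx85U5e 10.0.2.102 59177 8.8.8.8 53 udp 2408 - chgqz1403460.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
810224.561945 Cur8nK2U5EmlCLKlb4 10.0.2.102 51876 8.8.8.8 53 udp 39506 - nteze1403461.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
810269.407254 CfUrdS12IV61t3o2Qd 10.0.2.102 60284 8.8.8.8 53 udp 11167 - zrayy1403461.br.whoer.net 1 C_INTERNET 1 A 3 NXDOMAIN F
"""

# Shape of the leftmost label in this capture: five lowercase letters followed
# by seven digits. Replace for other families.
DGA_LABEL = re.compile(r"^(?P<letters>[a-z]{5})(?P<digits>\d{7})$")


def parse_dns_log(text):
    """Return one dict per record; skips Bro '#' header/footer lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split("\t") if "\t" in line else line.split()
        if len(cols) < len(FIELDS):
            continue  # truncated or malformed line
        records.append(dict(zip(FIELDS, cols)))
    return records


def shannon_entropy(s):
    """Bits per character. A 5-character label tops out at log2(5) ~ 2.32,
    and a single repeated letter already pulls it down to ~1.92, so keep
    thresholds low for short labels."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def nxdomain_by_host(records):
    """Per client: unique NXDOMAIN names, the parent zones they fall under,
    and queries Bro never saw answered (rcode '-')."""
    hosts = defaultdict(lambda: {"names": set(), "zones": Counter(), "timeouts": 0})
    for r in records:
        q = r["query"].rstrip(".").lower()
        zone = ".".join(q.split(".")[1:])
        h = hosts[r["orig_h"]]
        if r["rcode_name"] == "NXDOMAIN":
            h["names"].add(q)
            h["zones"][zone] += 1
        elif r["rcode"] == "-":
            h["timeouts"] += 1
    return hosts


def dga_candidates(records, min_entropy=1.5):
    """Queried names whose first label matches DGA_LABEL and whose letter
    part is not a low-entropy string; maps name -> integer suffix."""
    out = {}
    for r in records:
        q = r["query"].rstrip(".").lower()
        m = DGA_LABEL.match(q.split(".")[0])
        if m and shannon_entropy(m.group("letters")) >= min_entropy:
            out[q] = int(m.group("digits"))
    return out


def suffix_as_utc(label):
    """Hypothesis, not stated by the README: the 7-digit suffix is Unix
    time / 1000. 1403202 -> 2014-06-19 18:20:00 UTC, inside the capture's
    timeline, and the suffixes advance in step with the dns.log timestamps."""
    m = DGA_LABEL.match(label)
    if not m:
        raise ValueError(f"label {label!r} does not match DGA_LABEL")
    return datetime.fromtimestamp(int(m.group("digits")) * 1000, tz=timezone.utc)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    for host, info in nxdomain_by_host(recs).items():
        print(host, len(info["names"]), "NXDOMAIN names", dict(info["zones"]),
              "unanswered:", info["timeouts"])
    for name, digits in sorted(dga_candidates(recs).items()):
        print(name, "->", suffix_as_utc(name.split(".")[0]).isoformat())
```

Run it against the real bro/dns.log to see whether the pattern holds over the whole capture; with the default threshold the three labels that repeat a letter (xivpx, nteze, zrayy) are still flagged, while min_entropy=2.0 would silently drop them.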

Disclaimer

These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project at CVUT University, Prague, Czech Republic. The goal is to store long-lived real botnet traffic and to generate labeled netflow files. For any questions, feel free to contact us: Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz

You are free to use these files as long as you reference this project and the authors as follows: Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org