Sat Sep 13 01:16:17 CEST 2014  start win2.

Sat Sep 13 01:18:34 CEST 2014  /opt/Malware-Project/malware-to-test/shared-folder/3a134fd586d2c3ecd4db7cb0e71aaa45.exe
VirusTotal: https://www.virustotal.com/en/file/ee44f7350b2228280febeb7f2bb7d139e703c09095441dbf865ebec142b064c5/analysis/

It seems to be related to Sality, because some of the IPs were seen coming from a Sality exe file:
https://www.virustotal.com/en/ip-address/113.31.88.172/information/
https://www.virustotal.com/en/file/7df22c79d8255595211022e0285966374c2f2869506ed1d6a5b01f50be078b42/analysis/
https://www.virustotal.com/en/file/ee6af6937be7c2c57de6d79dca1e2b6aabc1d13354f78ccf5cbe6b7d5e8a7f7d/analysis/

It opened several web pages in IE.
It downloaded and installed some programs in the systray.
It opened some strange program.

Sun Sep 14 02:30 CEST 2014  Stopped for some reason.
Pcap file: 2014-09-15_capture-win2.pcap

Sun Sep 14 23:30 CEST 2014  Started the win2 again?

File name:           2014-09-15_captre-win2.pcap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 65535 bytes
Packet size limit:   inferred: 4 bytes
Number of packets:   269 k
File size:           261 MB
Data size:           257 MB
Capture duration:    91014 seconds (1 day)
Start time:          Thu Jan  1 01:00:00 1970
End time:            Fri Jan  2 02:16:54 1970
Data byte rate:      2827 bytes/s
Data bit rate:       22 kbps
Average packet size: 956.36 bytes
Average packet rate: 2 packets/sec
SHA1:                54fd8c576cd182761a94f939ca79b18eded08058
RIPEMD160:           0f3cdc03f4bbc404b75c2d02be73dd7ae47f5d90
MD5:                 db65b1a9d1d9d0889c187253140e23b5
Strict time order:   True

----------------------------------------------------------

Unfinished analysis of some 4-tuples

Large 4-tuples

4-Tuple                                       State
10.0.2.102-202.108.14.221-80-tcp              State:220s0ssss0ssss0ssss0ss0ssssssst0s
10.0.2.102-220.181.184.74-80-tcp              State:120ss0s0sss0s0s0s0s0s0s0ss0s0ss0s
10.0.2.102-211.103.159.105-80-tcp             State:310r0r0r
10.0.2.102-220.181.109.16-80-tcp              State:22sssss0s0s0ssb0ss0sss0s0sssss0ss
10.0.2.102-60.29.246.100-9482-tcp             State:210r0a0a0a0a0a0a0a0a0a0a
10.0.2.102-123.125.65.218-80-tcp              State:11rrrrrrrrrr
10.0.2.102-180.76.2.46-80-tcp                 State:11crrcctttrwrrcrrfttrztttttttrttcccccccttCcccccccccccccccccccccccccccccccccccccCCccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccctttccccccccccccccccccccccarctccc
10.0.2.102-220.181.184.199-80-tcp             State:220s0s0s0s0ss0s0s0s0s0ss0s0sss
10.0.2.102-220.181.184.166-80-tcp             State:220s0sssbbss0sss0ss0ss0ss0ssssssssss
10.0.2.102-60.28.208.11-80-tcp                State:110r0r0B0B0a0a0a0b0a0a0b0a0a0a0a0a0a0a0A0A0A0a0a0A
10.0.2.102-4.4.4.4-53-udp                     State:11rrrrrrrrrrrrrrrrrrr0rr0rr0rr0r0arrrrrrrr0r0rrrrr0r0rrrrrrr
10.0.2.102-119.188.40.81-80-tcp               State:94sBbbbbbbbbbcssbcssbcBCststssbbbbbbbbcssbbbcBBbbbb
10.0.2.102-180.76.22.48-80-tcp                State:13tccccccccc
10.0.2.102-106.38.178.106-80-tcp              State:110r0r0r0r
10.0.2.102-220.181.109.15-80-tcp              State:220ssbs0ss0s0ss0sssssssssbB0ss0s0ssss0s0s
10.0.2.102-202.108.14.236-80-tcp              State:22ssss0s0s0sss0sssss
10.0.2.102-113.31.88.172-8822-udp             State:330C0c0c0c0c0c0c0c0c0c0c0C0t0C0c0c0c0c0c0c0c0c
10.0.2.102-10.0.2.2--arp                      State:330t0t0t0t0t0t0t0t0C0C0c0c0c0c0c0C0c0C0C0t0t0t0t
10.0.2.102-202.108.14.219-80-tcp              State:22sss0sssssss0ssss0s0ss0ssssss0ssbsb0s
10.0.2.102-202.108.14.19-80-tcp               State:22ssss0s0st0ss0sst0s0ss0s0s0ss
10.0.2.102-60.28.208.23-80-tcp                State:110r0a0b0a0a0a0a0a0b0c0c0a0c0a0a0a0a0b0a0a0a0a0a
10.0.2.102-125.39.93.62-80-tcp                State:33ttt0t0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
10.0.2.102-123.125.115.130-80-tcp             State:11trtarwrtrtrIcrraAarrtrtrrCArtArtrwtttztttrrraaarrraaaArrAaaartttcccccctttccccccccctttttcccftttcccCtttcccccccccctttttccccccccccfcCcccCcccccttttttccccccccccccccccCCcccctttttCCCccccccctttCccccccccCtttttccfcccccccccccccCCccccttttttcc
10.0.2.102-123.125.117.180-80-tcp             State:110r0r0r0r
10.0.2.102-123.130.123.46-80-tcp              State:11aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaadaaaaaaaaaaaaaaaaaaaaaagizrxhAAhAAaahyhhIDrirrixyHhgaDaaaadaaaagirraizuxahHgIzazrraaaaDAadddaaaaaaaagdaaagDAabGErragHGIyxHggghHhhGxghhxzyyHHiHIzygzyxrGIxzxyIryGiyuDhiyzxzxxhyGGhGGggggghGGgghGGhxxhyyGxgggiyyhixyyHaAgIuxdgagADgHhgIxyyHgudIzzzzzizuxGizzIzizzxzxrAAAabrAaaaAAairraaaaiyzzGxahyhIryuxhGDhxDgDGizxzzyrIrxHyHIrrdaagHDuaaaaaaaaaaaaaaaAAaaaaaaaaaaaaaaddaddaddddaddaaadaaadAAaadaaAAaadadAAaaaaadabrrdadaaddaaaaadaaaaagGHGGaaDddddddddddaddADdadaAaAdddddddddddadaaaaaaaaaaaaaaaaaaddddaerudadhxxggHGIyrAbxxgaAaiyzzzurdaizaxgaaggaaaagaaAAaaeADaaaaaaaaaaaaaaaaggggaAgIyygxaAaaaaaghGHyIzyzyyhhHIxzyHhhIzyzHhiHzzzyxAaahzyyhDyAAaahDAagIzGrGgaD
10.0.2.102-111.206.22.77-80-tcp               State:22Bbsbssssss0s0sss0ssB0ss0ss0ss
10.0.2.102-220.181.184.75-80-tcp              State:220ts0sss0ssss0s0ssss0ss
10.0.2.102-111.206.22.76-80-tcp               State:22ssts0s0ss0ss0sss0s0ss0s0ss
10.0.2.102-202.108.14.235-80-tcp              State:23b0sss0s0ssss0s0sss0s0s0s
10.0.2.102-202.55.12.17-80-tcp                State:43CciiiwwccitwzzzIzzII
10.0.2.102-101.227.12.94-8822-udp             State:660w0w0w0f0f0w0w0f0w0w0w0w0f0w0w0f0w0f0w0w0w0f0f
10.0.2.102-211.103.159.95-80-tcp              State:110r0r0a0s
10.0.2.102-123.125.117.181-80-tcp             State:110r0r0r0r0r
10.0.2.102-211.103.159.91-80-tcp              State:110r0r0r0r
fe80::6dd3:1409:3456:8562-ff02::1:2-547-udp   State:660w0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0F0F0f0f0c
10.0.2.102-61.135.185.123-80-tcp              State:99zGziizzzzzzzzzzIzh
10.0.2.102-106.38.178.240-80-tcp              State:110r0r0r0r
10.0.2.102-58.56.65.81-80-tcp                 State:110r0r

Analysis of the 4-tuples

Considering that only the letters 'a' to 'f' and 'A' to 'F' show periodic flows, we now analyze each of the periodic 4-tuples:

10.0.2.102-60.29.246.100-9482-tcp             State:210r0a0a0a0a0a0a0a0a0a0a

The following is the flow-by-flow analysis of this 4-tuple:

1970-01-01 01:18:15.888648 T1=-1 T2=-1 TD= 0.0
1970-01-01 03:23:36.264832 T1=-1 T2=7520.376184 TD= 0.0
1970-01-01 05:23:36.266370 T1=7520.376184 T2=7200.001538 TD=-320.4
1970-01-01 07:23:36.258763 T1=7200.001538 T2=7199.992393 TD= -0.0
1970-01-01 09:23:36.260771 T1=7199.992393 T2=7200.002008 TD= 0.0
1970-01-01 11:23:36.262885 T1=7200.002008 T2=7200.002114 TD= 0.0
1970-01-01 13:23:36.264488 T1=7200.002114 T2=7200.001603 TD= -0.0
1970-01-01 15:23:36.266516 T1=7200.001603 T2=7200.002028 TD= 0.0
(...)

Here it can be seen that the periodicity of this 4-tuple is every 2 hours. This is a non-HTTP connection, probably carrying encrypted data.

10.0.2.102-180.76.2.46-80-tcp                 State:11crrcctttrwrrcrrfttrztttttttrttcccccccttCcccccccccccccccccccccccccccccccccccccCCccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccctttccccccccccccccccccccccarctccc

The following is the flow-by-flow analysis of this connection:

1970-01-01 01:17:05.213809 T1=-1 T2=-1 TD= 0.0
1970-01-01 01:17:06.174795 T1=-1 T2=0.960986 TD= 0.0
1970-01-01 01:17:07.165414 T1=0.960986 T2=0.990619 TD= 0.0
1970-01-01 01:17:32.218097 T1=0.990619 T2=25.052683 TD= 24.1
1970-01-01 01:17:32.957978 T1=25.052683 T2=0.739881 TD= -24.3
1970-01-01 01:17:33.669560 T1=0.739881 T2=0.711582 TD= -0.0
1970-01-01 01:17:34.318777 T1=0.711582 T2=0.649217 TD= -0.1
1970-01-01 01:18:02.702366 T1=0.649217 T2=28.383589 TD= 27.7
1970-01-01 01:18:02.703286 T1=28.383589 T2=0.00092 TD= -28.4
1970-01-01 01:18:08.746292 T1=0.00092 T2=6.043006 TD= 6.0
1970-01-01 01:18:51.982004 T1=6.043006 T2=43.235712 TD= 37.2
1970-01-01 01:18:52.704219 T1=43.235712 T2=0.722215 TD= -42.5
1970-01-01 01:19:30.887391 T1=0.722215 T2=38.183172 TD= 37.5
1970-01-01 01:19:31.572277 T1=38.183172 T2=0.684886 TD= -37.5
1970-01-01 01:19:32.537965 T1=0.684886 T2=0.965688 TD= 0.3
1970-01-01 01:22:34.774065 T1=0.965688 T2=182.2361 TD= 181.3
1970-01-01 01:22:36.800015 T1=182.2361 T2=2.02595 TD=-180.2
1970-01-01 01:22:37.919603 T1=2.02595 T2=1.119588 TD= -0.9
1970-01-01 01:27:37.443589 T1=1.119588 T2=299.523986 TD= 298.4
1970-01-01 01:37:39.577824 T1=299.523986 T2=602.134235 TD= 302.6
1970-01-01 01:39:44.581086 T1=602.134235 T2=125.003262 TD=-477.1
1970-01-01 01:39:45.280724 T1=125.003262 T2=0.699638 TD=-124.3
1970-01-01 01:42:34.990892 T1=0.699638 T2=169.710168 TD= 169.0
1970-01-01 01:47:42.587865 T1=169.710168 T2=307.596973 TD= 137.9
1970-01-01 01:57:44.743479 T1=307.596973 T2=602.155614 TD= 294.6
1970-01-01 02:02:36.092459 T1=602.155614 T2=291.34898 TD=-310.8
1970-01-01 02:02:53.666531 T1=291.34898 T2=17.574072 TD=-273.8
1970-01-01 02:03:22.800167 T1=17.574072 T2=29.133636 TD= 11.6
1970-01-01 02:04:12.385028 T1=29.133636 T2=49.584861 TD= 20.5
1970-01-01 02:04:50.114534 T1=49.584861 T2=37.729506 TD= -11.9
1970-01-01 02:07:47.748261 T1=37.729506 T2=177.633727 TD= 139.9
1970-01-01 02:17:49.861190 T1=177.633727 T2=602.112929 TD= 424.5
1970-01-01 02:27:51.960894 T1=602.112929 T2=602.099704 TD= -0.0
1970-01-01 02:37:54.120173 T1=602.099704 T2=602.159279 TD= 0.1
1970-01-01 02:47:56.234029 T1=602.159279 T2=602.113856 TD= -0.0
1970-01-01 02:57:58.260828 T1=602.113856 T2=602.026799 TD= -0.1
1970-01-01 03:08:00.208728 T1=602.026799 T2=601.9479 TD= -0.1
1970-01-01 03:18:02.134684 T1=601.9479 T2=601.925956 TD= -0.0
1970-01-01 03:28:04.372335 T1=601.925956 T2=602.237651 TD= 0.3
1970-01-01 03:28:05.960233 T1=602.237651 T2=1.587898 TD=-600.6
1970-01-01 03:38:07.513630 T1=1.587898 T2=601.553397 TD= 600.0
1970-01-01 03:48:10.527974 T1=601.553397 T2=603.014344 TD= 1.5
1970-01-01 03:58:12.366450 T1=603.014344 T2=601.838476 TD= -1.2
1970-01-01 04:08:14.260971 T1=601.838476 T2=601.894521 TD= 0.1
1970-01-01 04:18:16.302530 T1=601.894521 T2=602.041559 TD= 0.1
1970-01-01 04:28:18.399218 T1=602.041559 T2=602.096688 TD= 0.1
1970-01-01 04:38:20.203539 T1=602.096688 T2=601.804321 TD= -0.3
1970-01-01 04:48:22.189628 T1=601.804321 T2=601.986089 TD= 0.2
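The T1/T2/TD listings above are what makes the 2-hour beacon of the 9482-tcp 4-tuple visible: T2 is the gap to the previous flow, T1 the gap before that, and TD their difference, so a stable period shows up as a run of TDs near zero. The script below, added here as an example and not part of these notes or of the tool that produced the listings, recomputes those triples from flow start times and flags the longest run of consecutive near-zero TDs as the candidate period. The flow times are copied from the two listings above (the 9482-tcp 4-tuple and the first eight flows of the 180.76.2.46 connection); the 1-second tolerance and the 3-flow minimum run are my own assumptions, not values from the notes.

```python
from datetime import datetime
from statistics import median

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Flow start times copied from the notes: the 10.0.2.102-60.29.246.100-9482-tcp 4-tuple
# (the one the notes call periodic every 2 hours) ...
PERIODIC_FLOWS = [
    "1970-01-01 01:18:15.888648",
    "1970-01-01 03:23:36.264832",
    "1970-01-01 05:23:36.266370",
    "1970-01-01 07:23:36.258763",
    "1970-01-01 09:23:36.260771",
    "1970-01-01 11:23:36.262885",
    "1970-01-01 13:23:36.264488",
    "1970-01-01 15:23:36.266516",
]

# ... and the first eight flows of 10.0.2.102-180.76.2.46-80-tcp, whose gaps jump around.
IRREGULAR_FLOWS = [
    "1970-01-01 01:17:05.213809",
    "1970-01-01 01:17:06.174795",
    "1970-01-01 01:17:07.165414",
    "1970-01-01 01:17:32.218097",
    "1970-01-01 01:17:32.957978",
    "1970-01-01 01:17:33.669560",
    "1970-01-01 01:17:34.318777",
    "1970-01-01 01:18:02.702366",
]


def parse_flow_times(entries):
    """Parse one flow start time per entry, in the timestamp format used in the notes."""
    return [datetime.strptime(s.strip(), TS_FMT) for s in entries if s.strip()]


def flow_timeline(times):
    """Compute (timestamp, T1, T2, TD) per flow, as in the flow-by-flow listings.

    T2 is the gap in seconds to the previous flow, T1 is the previous flow's T2 and
    TD = T2 - T1. A gap that does not exist yet is -1, and TD stays 0.0 until two
    gaps are available, which is why the first two rows read T1=-1 ... TD= 0.0.
    """
    rows = []
    prev_time = None
    t2 = -1.0
    for ts in times:
        if prev_time is None:
            t1, t2, td = -1.0, -1.0, 0.0
        else:
            t1 = t2
            t2 = (ts - prev_time).total_seconds()
            td = 0.0 if t1 < 0 else t2 - t1
        rows.append((ts, t1, t2, td))
        prev_time = ts
    return rows


def _num(v):
    """Print undefined gaps as -1 (like the notes) and real gaps at full precision."""
    return "-1" if v == -1 else repr(v)


def format_timeline(rows):
    """Render rows in the same 'timestamp T1=.. T2=.. TD=..' layout as the notes."""
    return [f"{ts.strftime(TS_FMT)} T1={_num(t1)} T2={_num(t2)} TD={td:5.1f}"
            for ts, t1, t2, td in rows]


def estimate_period(rows, tolerance=1.0, min_run=3):
    """Find the longest run of consecutive flows whose gap changes by at most
    `tolerance` seconds (|TD| <= tolerance). Returns (period_seconds, run_length),
    the period being the median gap of that run, or None if no run reaches
    `min_run` flows. Tolerance and minimum run are assumptions for this example.
    """
    best, current = [], []
    for _, t1, t2, td in rows:
        if t1 >= 0 and abs(td) <= tolerance:
            current.append(t2)
            if len(current) > len(best):
                best = list(current)
        else:
            current = []          # a jump in the gap breaks the run
    if len(best) < min_run:
        return None
    return median(best), len(best)


def describe_period(result):
    """Human-readable verdict for estimate_period()'s result."""
    if result is None:
        return "no stable period found"
    period, run = result
    return f"periodic: ~{period:.1f} s (~{period / 3600:.2f} h) over {run} consecutive flows"


if __name__ == "__main__":
    for name, sample in (("60.29.246.100:9482", PERIODIC_FLOWS),
                         ("180.76.2.46:80", IRREGULAR_FLOWS)):
        rows = flow_timeline(parse_flow_times(sample))
        print(name)
        print("\n".join(format_timeline(rows)))
        print(describe_period(estimate_period(rows)), "\n")
```

Run as a script it reproduces the listings for both samples, reports the 9482-tcp 4-tuple as periodic at about 7200 s (2 hours, matching the note above) and finds no stable period in the early 180.76.2.46 flows. The run-based check deliberately ignores isolated near-zero TDs such as the 0.0 in the third row of the 180.76.2.46 listing: two consecutive sub-second flows are not a beacon, a sustained run of equal gaps is.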