Index of /publicDatasets/CTU-Malware-Capture-Botnet-91

Name                                              Last modified      Size

Parent Directory                                                     -
README.html                                       2017-06-27 10:31   9.6K
README.md                                         2017-06-27 10:26   7.9K
all_domains.txt                                   2015-10-16 16:48   1.1M
bro/                                              2017-01-16 09:31   -
capture.botnet2.infected.1.biargus                2015-08-28 19:16   14M
capture.botnet2.infected.1.binetflow              2015-09-18 17:25   13M
capture.botnet2.infected.1.capinfos               2017-01-16 09:31   1.1K
capture.botnet2.infected.1.dnstop                 2015-08-28 18:49   42K
capture.botnet2.infected.1.html                   2015-08-28 18:47   2.7M
capture.botnet2.infected.1.json                   2015-08-28 18:47   2.3M
capture.botnet2.infected.1.only445.pcap           2017-06-26 23:16   14M
capture.botnet2.infected.1.passivedns             2015-08-28 18:48   143K
capture.botnet2.infected.1.pcap                   2012-05-29 02:07   26M
capture.botnet2.infected.1.pcap.capinfos          2012-05-29 01:42   790
capture.botnet2.infected.1.tcpdstat               2017-01-16 09:31   3.0K
capture.botnet2.infected.1.tcpflow.report.pdf     2014-04-09 10:34   24K
capture.botnet2.infected.1.uniargus               2017-01-16 09:31   13M
capture.botnet2.infected.1.uninetflow             2017-01-16 09:31   5.8M
capture.weblogng                                  2017-01-16 09:31   135K
downloaded-files/                                 2017-06-05 07:39   -
fast-flux-dga-first-analysis.txt                  2017-01-16 09:33   346K
malware.exe.zip                                   2015-12-16 10:26   85K
suricata/                                         2017-06-26 23:00   -
uploaded-infected-files/                          2017-06-27 10:31   -

Description

This capture was done in a real network of normal hosts, where we infected some of them with malware.

Files

IP Addresses

Normal Computers

Total normal hosts in the capture:

Infected Computers

The hosts we infected with the malware are:

DNS connections coming from Normal hosts

DNS connections coming from Botnet hosts:

There is a web page that seems to have all the names of the domains resolved by this malware: ftp://ftp.paudni.kemdiknas.go.id/pub/serbi/_gGg/all_domains.txt

Timeline

Thu Sept 23 12:42:41 ART 2010

Started the experiment

Analysis

This capture contains several infected PCs and several normal PCs.

SMB

Conficker attempted to connect to port 445/tcp on several computers in the same network. These connections attempted to access the files on the other computers and then upload infected exe files.

The file capture.botnet2.infected.1.only445.pcap contains only the packets to port 445/tcp. In this file you can see that

The order of the attacks is pretty confusing, and it seems that every computer is attacking the rest at some point. However, it is possible to see how they are copying and uploading exe files to other computers. The complete set of files can be found in the folder /uploaded-infected-files/. These files are infected, as can be seen for the file __CURSO_PC18_WEB__Firefox_Portable_3.0.10_en-us.paf.exe in VirusTotal.
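The SMB behaviour described above (one infected host contacting port 445/tcp on many neighbours, and a few of those sessions carrying a large client-to-server payload where an exe is copied over) can be picked out of the flow files without opening the pcap. The script below is an added example and is not part of this capture's README or of the Stratosphere tooling; it assumes the .binetflow files use the Argus-derived CSV header shown in the sample (StartTime, Dur, Proto, SrcAddr, Sport, Dir, DstAddr, Dport, State, sTos, dTos, TotPkts, TotBytes, SrcBytes, Label), and the flow lines, addresses and byte counts in SAMPLE_BINETFLOW are constructed for the example, not taken from the capture.

```python
"""Flag hosts whose port-445 (SMB) connections fan out across the local
network, and flows that look like a file being pushed over SMB.

Added example; the binetflow column layout is an assumption about the
capture's files, and the sample rows below are constructed."""
import csv
import io
from collections import defaultdict

# Constructed sample rows in the assumed CTU binetflow layout.
SAMPLE_BINETFLOW = """\
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2010/09/23 12:43:01.000000,0.5,tcp,10.0.0.5,1041,->,10.0.0.7,445,S_RA,0,0,2,120,60,flow=From-Botnet
2010/09/23 12:43:01.100000,0.4,tcp,10.0.0.5,1042,->,10.0.0.8,445,S_RA,0,0,2,120,60,flow=From-Botnet
2010/09/23 12:43:01.200000,0.4,tcp,10.0.0.5,1043,->,10.0.0.9,445,S_RA,0,0,2,120,60,flow=From-Botnet
2010/09/23 12:43:02.000000,3.2,tcp,10.0.0.5,1044,->,10.0.0.10,445,SPA_SPA,0,0,40,51200,49000,flow=From-Botnet
2010/09/23 12:44:10.000000,0.9,tcp,10.0.0.20,2001,->,10.0.0.1,445,SPA_SPA,0,0,12,2400,1100,flow=From-Normal
2010/09/23 12:44:11.000000,1.1,tcp,10.0.0.20,2002,->,10.0.0.1,445,SPA_SPA,0,0,10,2000,900,flow=From-Normal
2010/09/23 12:45:00.000000,0.2,udp,10.0.0.20,53211,->,10.0.0.1,53,CON,0,0,2,180,70,flow=From-Normal
"""


def parse_binetflow(text):
    """Parse binetflow CSV text into a list of dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def is_smb_flow(row):
    """True for TCP flows whose destination port is 445."""
    return row["Proto"].lower() == "tcp" and row["Dport"].strip() == "445"


def smb_fanout(rows, min_peers=3):
    """Map each source to the sorted set of distinct hosts it contacted on
    445/tcp, keeping only sources that reached at least `min_peers` hosts.
    A workstation normally talks SMB to one or two file servers; a host
    touching many peers in a short window is the pattern described for
    Conficker in this capture."""
    peers = defaultdict(set)
    for row in rows:
        if is_smb_flow(row):
            peers[row["SrcAddr"]].add(row["DstAddr"])
    return {src: sorted(dsts) for src, dsts in peers.items()
            if len(dsts) >= min_peers}


def smb_uploads(rows, min_src_bytes=10000):
    """Return (src, dst, bytes_sent) for 445/tcp flows where the client sent
    at least `min_src_bytes`: candidates for a file copied to the peer.
    Short S_RA flows (a refused or reset handshake) never reach this size."""
    return [(row["SrcAddr"], row["DstAddr"], int(row["SrcBytes"]))
            for row in rows
            if is_smb_flow(row) and int(row["SrcBytes"]) >= min_src_bytes]


if __name__ == "__main__":
    flows = parse_binetflow(SAMPLE_BINETFLOW)
    for src, dsts in smb_fanout(flows).items():
        print(f"{src} opened 445/tcp to {len(dsts)} hosts: {', '.join(dsts)}")
    for src, dst, sent in smb_uploads(flows):
        print(f"possible file push over SMB: {src} -> {dst} ({sent} bytes sent)")
```

On a real file, replace SAMPLE_BINETFLOW with the contents of capture.botnet2.infected.1.binetflow; the thresholds are starting points to tune against the normal hosts' SMB traffic in the same capture, since the Label column tells you which side each flow came from.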

Disclaimer

These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project at CVUT University, Prague, Czech Republic. The goal is to store long-lived real botnet traffic and to generate labeled netflow files. For any question, feel free to contact us: Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz

You are free to use these files as long as you reference this project and the authors as follows: Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org