Index of /publicDatasets/CTU-Mixed-Capture-1
This capture records a normal computer used by a real user for some time, then infected with the malware with MD5 2d17f8f6fab6da5619c7528e9b0ee135 (the Bubble Dock adware), then cleaned and used normally again for some time. The goal is to test how a detection algorithm copes with a real infection when the IP address of the computer stays the same throughout. That is, a detection algorithm cannot simply say which IP is infected; it has to say when the computer became infected and, more importantly, when it stopped being infected.
Capture of the traffic of only the malware
To help the analysis of this capture, the malware was also executed alone, without any user interaction. That capture, of the sample with MD5 2d17f8f6fab6da5619c7528e9b0ee135, can be found here.
Verification Malware Capture
To help verify the Mixed capture, a separate Windows computer was infected with the Bubble Dock adware. This control infection shows how the malware behaves when executed alone, without any user interaction, and may help to identify the IP addresses and domains it uses. This capture should be used as a control and probably not for building detection algorithms, since its network environment was different from that of the Mixed capture.
Cleaning of the Mixed capture
Since the capture was taken in a real environment, some privacy issues had to be addressed. Therefore some packets were removed from the capture, notably most multicast and some broadcast traffic. These packets should not matter much to a malware detection algorithm and their removal should not introduce a strong bias.
List of deleted packets:
- All packets to or from 22.214.171.124
- All packets to or from 255.255.255.255
- All packets to or from 10.0.0.138 on port 67 (DHCP)
The UPnP traffic was deliberately left in the capture: it is strongly periodic, and that periodicity can confuse some detection algorithms (regular inter-arrival times are a common beaconing heuristic), so it makes a realistic test.
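The point about periodic UPnP traffic, together with the goal stated at the top of this page (say when the host is infected, not which IP), can be illustrated with a small detector. The following Python script is an added example written for this page; it is not the dataset authors' code and not a method applied to any of the files here. It groups flows by (source, destination, destination port), scores each group by the coefficient of variation of its inter-arrival times (a common beaconing heuristic), and then labels one-hour windows. All flows are constructed inline: SSDP NOTIFY announcements to 239.255.255.250:1900 every 30 seconds, irregular browsing, and a purely hypothetical beacon to 198.51.100.7 that exists only in the second hour. The host address 10.0.0.50, the beacon destination, the window size and the threshold are assumptions, and nothing here describes how Bubble Dock actually behaves on the wire.

```python
"""A naive beaconing detector (inter-arrival regularity) and per-window verdicts,
showing how periodic benign traffic such as SSDP gets flagged alongside a beacon.
Added example; the flows below are constructed, not taken from the dataset."""
import math
from collections import defaultdict
from statistics import mean, pstdev

SSDP_GROUP = "239.255.255.250"   # UPnP/SSDP multicast group, UDP port 1900
HOST = "10.0.0.50"               # hypothetical address of the captured computer

def periodicity_scores(flows, min_flows=5):
    """flows: (ts, src, dst, dport). Returns {(src, dst, dport): coefficient of
    variation of the inter-arrival times}; 0.0 means perfectly regular. Keys
    with fewer than min_flows flows are skipped: regularity means nothing there."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dst, dport)].append(ts)
    scores = {}
    for key, times in by_key.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0:
            scores[key] = pstdev(gaps) / avg
    return scores

def flag_periodic(scores, threshold=0.1, ignore_dst=()):
    """Keys whose CV is under threshold, minus known-benign periodic destinations."""
    return sorted(k for k, cv in scores.items()
                  if cv < threshold and k[1] not in ignore_dst)

def windowed_verdicts(flows, flagged_keys, window, t0, t_end):
    """Label each [t0 + i*window, t0 + (i+1)*window) as suspicious if any flagged
    key occurs in it. The answer is *when*, not *which IP*, as this dataset asks."""
    flagged = set(flagged_keys)
    hits = [False] * math.ceil((t_end - t0) / window)
    for ts, src, dst, dport in flows:
        if (src, dst, dport) in flagged and t0 <= ts < t_end:
            hits[int((ts - t0) // window)] = True
    return [(t0 + i * window, h) for i, h in enumerate(hits)]

def build_demo_flows():
    """Constructed three-hour flow list; none of this is traffic from the dataset."""
    flows = [(t, HOST, SSDP_GROUP, 1900) for t in range(0, 10800, 30)]        # SSDP NOTIFY every 30 s
    flows += [(t, HOST, "198.51.100.7", 80) for t in range(3600, 7200, 120)]  # hypothetical beacon, hour 2 only
    t = 0
    for i in range(200):                                                       # irregular browsing
        t += 7 + (i * 37) % 53
        flows.append((t, HOST, "93.184.216.34", 443))
    return flows

def demo():
    flows = build_demo_flows()
    scores = periodicity_scores(flows)
    naive = flag_periodic(scores)                            # trips on SSDP too
    tuned = flag_periodic(scores, ignore_dst={SSDP_GROUP})   # multicast excluded
    return {
        "naive_flags": naive,
        "naive_windows": windowed_verdicts(flows, naive, 3600, 0, 10800),
        "tuned_flags": tuned,
        "tuned_windows": windowed_verdicts(flows, tuned, 3600, 0, 10800),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run as-is, the naive pass marks all three windows as suspicious, because the SSDP announcements are perfectly periodic in every one of them; excluding the multicast group (or any other known-benign periodic destination) leaves only the hypothetical beacon and the verdict becomes the second window alone. That per-window answer is the shape this dataset asks for, and the retained UPnP traffic is exactly the trap a periodicity heuristic has to survive.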
Only clean pcap
Apart from the large pcap file with all the data, a copy of the pcap file up to just before the infection with the adware was made. This file is called capture1.before.infection.pcap and provides a complete normal capture without any infection.
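As an added worked example (not the dataset authors' tooling; the page does not say how the deletion was done), the following Python script applies the three deletion rules listed under "Cleaning of the Mixed capture" to a classic pcap file and can also stop at a cut-off timestamp, which is how a "before infection" copy like capture1.before.infection.pcap can be produced from the full file. It uses only the standard library and assumes untagged Ethernet frames carrying IPv4. The sample records are constructed in the script (the client address 10.0.0.50 and the web server address are made up), and the cut-off is taken from the infection time in the timeline below, 14:43:52 CEST on 26 July 2015, which is an assumption about where the clean copy should end.

```python
"""Scrub a classic pcap (not pcapng): drop packets to or from listed hosts,
drop packets where a listed (host, port) pair is one endpoint, and optionally
keep only records before a cut-off time. Standard library only. Added example;
the sample records at the bottom are constructed, not from the dataset."""
import struct
import ipaddress
from datetime import datetime, timedelta, timezone

# Magic number -> (struct byte order, size of the sub-second field in seconds)
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1e-6),  # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1e-6),  # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1e-9),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1e-9),  # big-endian, nanoseconds
}

def endpoints(frame):
    """(src, dst, sport, dport) of an untagged Ethernet/IPv4 frame, else None.
    Ports are None unless the payload is TCP (6) or UDP (17)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    sport = dport = None
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return src, dst, sport, dport

def make_filter(drop_hosts, drop_host_ports, cutoff=None):
    """Return keep(ts, frame) -> bool implementing the dataset's deletion rules.
    drop_hosts: addresses removed in both directions; drop_host_ports: (ip, port)
    pairs removed when that ip is on that port; cutoff: POSIX time, exclusive."""
    hosts, pairs = set(drop_hosts), set(drop_host_ports)

    def keep(ts, frame):
        if cutoff is not None and ts >= cutoff:
            return False
        ep = endpoints(frame)
        if ep is None:
            return True  # ARP, IPv6, etc. are left untouched
        src, dst, sport, dport = ep
        if src in hosts or dst in hosts:
            return False
        return (src, sport) not in pairs and (dst, dport) not in pairs

    return keep

def scrub_pcap(data, keep):
    """Apply keep() to every record; return (new pcap bytes, kept, dropped)."""
    endian, tick = _MAGICS[data[:4]]
    out = bytearray(data[:24])  # the 24-byte global header is copied as-is
    pos, kept, dropped = 24, 0, 0
    while pos + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        end = pos + 16 + incl_len
        if keep(ts_sec + ts_frac * tick, data[pos + 16:end]):
            out += data[pos:end]
            kept += 1
        else:
            dropped += 1
        pos = end
    return bytes(out), kept, dropped

# ---- constructed demo data (not traffic from the dataset) ----------------
def make_frame(src, dst, proto, sport, dport):
    """Minimal 42-byte Ethernet/IPv4/UDP-or-TCP frame with zeroed checksums."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = (bytes([0x45, 0]) + struct.pack("!H", 28) + b"\x00\x00\x40\x00"
          + bytes([64, proto, 0, 0])
          + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed)
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4

def make_pcap(records):
    """Little-endian microsecond pcap from (posix_time, frame) pairs."""
    hdr = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", int(t), int((t % 1) * 1e6), len(f), len(f)) + f
                    for t, f in records)
    return hdr + body

CEST = timezone(timedelta(hours=2))
INFECTION_TS = datetime(2015, 7, 26, 14, 43, 52, tzinfo=CEST).timestamp()  # from the timeline
CLIENT = "10.0.0.50"  # hypothetical address of the captured computer
DEMO_RECORDS = [
    (INFECTION_TS - 600, make_frame(CLIENT, "93.184.216.34", 6, 49152, 80)),    # web, kept
    (INFECTION_TS - 500, make_frame("0.0.0.0", "255.255.255.255", 17, 68, 67)),  # DHCP discover, dropped
    (INFECTION_TS - 400, make_frame(CLIENT, "10.0.0.138", 17, 68, 67)),          # DHCP request, dropped
    (INFECTION_TS - 300, make_frame(CLIENT, "10.0.0.138", 17, 51000, 53)),       # DNS to same box, kept
    (INFECTION_TS + 100, make_frame(CLIENT, "93.184.216.34", 6, 49153, 443)),   # after infection, cut
]

def demo(cutoff=INFECTION_TS):
    keep = make_filter(drop_hosts={"22.214.171.124", "255.255.255.255"},
                       drop_host_ports={("10.0.0.138", 67)}, cutoff=cutoff)
    return scrub_pcap(make_pcap(DEMO_RECORDS), keep)

if __name__ == "__main__":
    _, kept, dropped = demo()
    print(f"kept {kept}, dropped {dropped}")  # kept 2, dropped 3
```

With tcpdump available, roughly the same three rules are expressed by reading the capture with the filter not host 22.214.171.124 and not host 255.255.255.255 and not (host 10.0.0.138 and port 67) and writing the result with -w; the script exists to make explicit what that filter drops and to add the timestamp cut, which a BPF filter cannot express. One caveat worth checking on your own copy: the port rule removes only packets where 10.0.0.138 itself is on port 67, not every packet exchanged with 10.0.0.138 (DNS to the same box, for instance, survives), so verify the remaining traffic to that host before treating the scrubbed file as free of the removed classes.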
Files in the Dataset
- This is the big and complete pcap file with all the data.
- Duration: ~2.6 days
- This is the only normal traffic from the start up to, but not including, the infection.
- Argus bidirectional flows (binary file).
- Text file with the bidirectional Argus flows. It includes the first 480 bytes of payload of the packets in each flow.
- JSON summary file from CapTipper.
- Web logs generated by justniffer.
- Bro log files produced by running Bro on the pcap file.
This is the timeline of the most important actions of the real, normal user. Most of the time programs such as Facebook, Gmail, Skype and Dropbox kept running; when an important action was taken we tried to record it here.
Sat Jul 25 17:51:12 CEST 2015
- Start the Windows 7 computer.
Software installed before the infection (not exhaustive)
- Google Chrome
- Apple iTunes
- Office 2007
- Windows updates were not active
- No Windows firewall
Sat Jul 25 20:47:47 CEST 2015
Sat Jul 25 20:51:50 CEST 2015
- Access Gmail and create a new account
- Password saved in Google Chrome
- Get a new Skype account on the web site
- Save Skype password in Chrome
- Account on Google Plus
Sat Jul 25 21:16:38 CEST 2015
- Try to create a Facebook account
Sat Jul 25 21:18:56 CEST 2015
- Add contacts to Skype by searching for some words in the Skype directory.
Sat Jul 25 21:23:16 CEST 2015
- Create a Dropbox account and download it
Sat Jul 25 21:54:23 CEST 2015
- Finally able to create a Facebook account with a phone number
- Add a lot of friends from people in the Facebook directory
Sat Jul 25 22:12:34 CEST 2015
- Create and edit Google drive documents.
- Upload some docs to Google drive.
Sat Jul 25 22:29:44 CEST 2015
- Try to make a Skype call to a non-friend
Sat Jul 25 22:44:07 CEST 2015
- Chat in Skype with somebody that added me.
- Some stuff in the middle: Hangouts, chats, Facebook, etc.
Sat Jul 25 23:01:25 CEST 2015
- Try a Hangouts video chat.
Sat Jul 25 23:11:25 CEST 2015
- Installed Candy Crush Saga (finally I'm going to try it!) on Facebook
Sun Jul 26 13:02:39 CEST 2015
- Answer some Facebook chats from people that added me
- Add more Facebook friends
Web sites accessed prior to any infection for reading news
Sun Jul 26 14:12:10 CEST 2015
- At Amazon I searched for "watch"
Sun Jul 26 14:12:40 CEST 2015
- At www.bbc.com I searched for "world"
Sun Jul 26 14:13:31 CEST 2015
- Clicked on http://www.bbc.co.uk/programmes/b006qnnh
Sun Jul 26 14:38:15 CEST 2015
- I copied the pcap file so far to have a clean version stored.
Sun Jul 26 14:39:48 CEST 2015
- I attached a shared folder to VirtualBox with the malware binary.
Sun Jul 26 14:41:32 CEST 2015
- I copied the malware to the Windows computer
- From now on the computer is infected, but I'm still using it normally.
Sun Jul 26 14:43:52 CEST 2015
- Infection with 2d17f8f6fab6da5619c7528e9b0ee135
Sun Jul 26 14:48:13 CEST 2015
- Accessed www.google.com and searched for amazon. Then accessed www.amazon.com
Sun Jul 26 14:49:01 CEST 2015
- I searched for 'watch' on Amazon
Sun Jul 26 14:49:50 CEST 2015
- I clicked on "My documents" in Bubble Dock
Sun Jul 26 14:53:45 CEST 2015
- I accessed www.youtube.com and clicked on a video (I can see an ad, but maybe it is good)
Sun Jul 26 14:57:28 CEST 2015
- I clicked on some ad on youtube. Not sure if it is good or not.
- I linked the ad page to Facebook
- I tried to play the game. It asked me for a username; I put pestola
Sun Jul 26 15:03:58 CEST 2015
- I started IE and accessed news.yahoo.com
Sun Jul 26 15:08:05 CEST 2015
- I clicked on Facebook in the Bubble Dock. It appears that there are new "trending games" and "recommended games" sections in the upper right corner of Facebook.
Sun Jul 26 15:17:53 CEST 2015
- I clicked on a game on Facebook among those recommended by the newly added section
Sun Jul 26 15:18:44 CEST 2015
- Clicked on 'play' in the game. I played one round and left.
Sun Jul 26 15:20:48 CEST 2015
- Click on meteorology in Bubble Dock
Sun Jul 26 15:21:35 CEST 2015
Sun Jul 26 15:23:45 CEST 2015
- I clicked on 'press cotideane' (daily press) in Bubble Dock
Sun Jul 26 15:26:35 CEST 2015
- I clicked on 'press cotideane' (daily press) in Bubble Dock, again
- Then I clicked on Metro news.
Sun Jul 26 15:26:58 CEST 2015
Sun Jul 26 15:29:31 CEST 2015
- Clicked on promos in Bubble Dock
Sun Jul 26 15:31:30 CEST 2015
- Clicked on montagne-vacancies.com on the promos window
Sun Jul 26 15:23:17 CEST 2015
- Clicked on Bubble Dock news, then on a news site, www.20minutes.fr
- There is an ad before the page and it is in French. I clicked on the ad.
Sun Jul 26 15:40:32 CEST 2015
- Click on webradio in Bubble Dock
The rest of the normal connections keep working: Facebook, Skype, normal web browsing
Sun Jul 26 15:43:09 CEST 2015
- Went to carrefour.fr because it seemed to be filtered by the adware, based on some analysis of the current traffic
Sun Jul 26 15:49:50 CEST 2015
- I clicked on the configuration of Bubble Dock in the dock, and some windows appeared.
Sun Jul 26 15:50:54 CEST 2015
- I clicked on the "your wifi connection failed" popup from Bubble Dock. It opened a web page that told me to download a repair tool for Windows.
Sun Jul 26 15:56:08 CEST 2015
- Downloaded a PDF file from the internet and put it in the Dropbox sync folder.
Sun Jul 26 16:16:15 CEST 2015
Sun Jul 26 16:42:27 CEST 2015
- I think that the adware is injecting ads on www.huffingtonpost.com, because I have an open tab with it and I can see a non-stop stream of ads in the network traffic.
Sun Jul 26 18:05:19 CEST 2015
- Click on a theguardian.com story from google.com search
Sun Jul 26 18:09:15 CEST 2015
- I clicked on the New York Times site, www.nytimes.com, from a Google search
Sun Jul 26 20:17:37 CEST 2015
- I closed the nytimes.com webpage
Sun Jul 26 20:39:09 CEST 2015
- I accessed http://www.bbc.com/news
Sun Jul 26 21:38:12 CEST 2015
- I closed the www.bbc.com/news website
Sun Jul 26 21:41:18 CEST 2015
- I accessed http://news.yahoo.com/
Mon Jul 27 01:07:57 CEST 2015
- I closed http://news.yahoo.com/ and went to sleep
Mon Jul 27 09:04:24 CEST 2015
- I woke up and started using the Windows computer on Monday
Mon Jul 27 09:22:28 CEST 2015
- I got an advertisement from Bubble Dock (at the bottom) that looked like a Skype call, and I clicked on "Repondre" (answer) on it.
- The advertisement appeared in the last 20 minutes approximately. I didn't see it pop up.
- It opened IE with instantreencontre.com
Mon Jul 27 09:23:57 CEST 2015
- I clicked on "Decliner" (decline) on the same ad in Bubble Dock
- It opened IE with instantreencontre.com
- I closed this tab on IE.
Mon Jul 27 09:29:31 CEST 2015
- Some Facebook browsing and some news websites
Mon Jul 27 09:30:32 CEST 2015
- I clicked on a dailymail.co.uk news item
Mon Jul 27 09:43:34 CEST 2015
- I can see now that there are a lot of ads in the traffic. I think that the adware waits some minutes before sending any ads. I didn't click on anything between the previous entry and this one.
Mon Jul 27 09:45:04 CEST 2015
Mon Jul 27 10:05:41 CEST 2015
- I tried to chat with someone on Gmail without being previously connected
Mon Jul 27 10:20:07 CEST 2015
- Browsed around in Gmail a little.
Mon Jul 27 10:25:35 CEST 2015
Mon Jul 27 10:28:06 CEST 2015
Mon Jul 27 10:53:35 CEST 2015
- I accessed http://journalauthors.tandf.co.uk/
Mon Jul 27 10:58:41 CEST 2015
- I closed http://journalauthors.tandf.co.uk/
Mon Jul 27 10:59:12 CEST 2015
- I closed http://www.usatoday.com/
Mon Jul 27 10:59:30 CEST 2015
- I closed http://www.dailymail.co.uk/
Mon Jul 27 11:00:31 CEST 2015
- Searched the Skype people directory
Mon Jul 27 11:00:58 CEST 2015
Mon Jul 27 11:01:56 CEST 2015
- I closed the http://instantrencontre.com web page on IE
Mon Jul 27 11:02:32 CEST 2015
- I entered ebay.com directly
Mon Jul 27 11:36:01 CEST 2015
- I closed ebay.com directly
Mon Jul 27 11:36:38 CEST 2015
- I accessed airbnb.fr (listed in the malware's site list)
- I clicked around
Mon Jul 27 11:40:41 CEST 2015
- I accessed photobox.fr (listed in the malware's site list)
Mon Jul 27 12:16:40 CEST 2015
Mon Jul 27 12:16:59 CEST 2015
Mon Jul 27 12:18:02 CEST 2015
- I accessed cdiscount.com (in the malware's site list)
- Scrolled up and down
Mon Jul 27 13:47:56 CEST 2015
Mon Jul 27 13:51:42 CEST 2015
- I accessed randomwebsite.com and then was redirected to goodquotes.com
Mon Jul 27 13:52:13 CEST 2015
- Then again randomwebsite.com redirected me to contrasts.net
Mon Jul 27 14:46:35 CEST 2015
- Searched for adidas in Google
Mon Jul 27 14:46:50 CEST 2015
Mon Jul 27 15:00:36 CEST 2015
Mon Jul 27 15:00:55 CEST 2015
Mon Jul 27 15:01:23 CEST 2015
- closed http://www.randomwebsite.com/
Cleaning of the malware
To clean it, we followed these steps:
- STEP 1: Uninstall the Bubble Dock program from the computer
- STEP 2: Remove the Bubble Dock adware with AdwCleaner
- STEP 3: Remove Bubble Dock potentially unwanted programs with Malwarebytes Anti-Malware Free
- STEP 4: Double-check for the Bubble Dock infection with HitmanPro
Mon Jul 27 15:01:53 CEST 2015
- Uninstalled the Bubble Dock program from the Control Panel (there was an access to some Bubble Dock website)
Mon Jul 27 15:04:45 CEST 2015
Mon Jul 27 15:05:16 CEST 2015
- Uninstalled Selection Tools
Mon Jul 27 15:05:58 CEST 2015
- Download of http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner
- It failed
Mon Jul 27 15:06:43 CEST 2015
- Searched for AdwCleaner in Google
Mon Jul 27 15:07:06 CEST 2015
- Went to cnet.com to download it
Mon Jul 27 15:07:44 CEST 2015
- I went to toolslib.net to download it
- It downloaded
Mon Jul 27 15:08:22 CEST 2015
- I ran it
- It found some things. I cleaned them.
Mon Jul 27 15:11:06 CEST 2015
- It is restarting the computer.
Mon Jul 27 15:13:19 CEST 2015
- Upon restarting there was a Flash window and a Notepad window from AdwCleaner
- Clicked on not installing the new Flash version.
Mon Jul 27 15:14:03 CEST 2015
- Access http://malwaretips.com/download-malwarebytes and download the tool
Mon Jul 27 15:15:18 CEST 2015
- Executed the Malwarebytes tool
- Installed with the defaults.
Mon Jul 27 15:19:08 CEST 2015
Mon Jul 27 15:19:26 CEST 2015
Mon Jul 27 15:31:46 CEST 2015
- Clicked on remove selected. Some things were found.
Mon Jul 27 15:32:17 CEST 2015
- Without notice, the computer rebooted.
Mon Jul 27 15:34:48 CEST 2015
- Download http://malwaretips.com/download-hitmanpro
- Correct download
Mon Jul 27 15:35:53 CEST 2015
- Ran HitmanPro. Installed with the defaults.
Mon Jul 27 15:47:48 CEST 2015
- Incredibly, after HitmanPro, Windows gave a blue screen of death.
- It booted correctly afterwards.
Mon Jul 27 15:51:14 CEST 2015
- Finalization of the adware removal
- From now on it is a clean computer doing normal stuff.
Mon Jul 27 15:53:57 CEST 2015
Mon Jul 27 15:54:49 CEST 2015
Mon Jul 27 15:54:14 CEST 2015
Mon Jul 27 16:02:52 CEST 2015
- Access youtube.com
- Watch a video
Mon Jul 27 16:19:20 CEST 2015
Mon Jul 27 16:19:33 CEST 2015
- Access www.huffingtonpost.com
Tue Jul 28 00:12:54 CEST 2015
- Touched some stuff in Facebook
Tue Jul 28 00:13:36 CEST 2015
- Searched some stuff in Google. Ended up on theguardian.com
Tue Jul 28 07:40:43 CEST 2015
Tue Jul 28 07:40:58 CEST 2015
- I closed www.huffingtonpost.com
Tue Jul 28 07:41:28 CEST 2015
Tue Jul 28 07:42:45 CEST 2015
- I sent some email with the Gmail web interface
- Mail hi tirope! how are you? i wanted to tell you that I' m very happy and very excited to write you this email. I'm in a good mood and I wanted to tell you. So thanks again for reading this and for helping me. See you Portion
- There were some mistakes that I deleted with Backspace
- The message bounced because the address does not exist.
Tue Jul 28 07:49:58 CEST 2015
- Clicked on a Facebook video (Facebook was open all the time, just like Gmail)
Tue Jul 28 07:53:02 CEST 2015
- Clicked on a Yahoo news item on the site http://www.careerjournalonline.com/
Tue Jul 28 08:17:45 CEST 2015
- Powered off the Windows computer.
- The dataset ends here.