Index of /publicDatasets/CTU-Mixed-Capture-1

Name                                            Last modified      Size
Parent Directory                                                   -
2015-07-28_mixed.before.infection.pcap          2015-07-28 09:24   408M
2015-07-28_mixed.biargus                        2016-10-06 16:07   25M
2015-07-28_mixed.binetflow                      2016-10-06 16:07   25M
2015-07-28_mixed.binetflow.after.desinfection   2016-10-04 09:47   3.1M
2015-07-28_mixed.binetflow.after.infection      2016-10-04 09:47   12M
2015-07-28_mixed.binetflow.before.infection     2016-10-04 09:44   4.9M
2015-07-28_mixed.capinfos                       2015-07-28 12:19   719
2015-07-28_mixed.html                           2015-07-28 13:11   660M
2015-07-28_mixed.json                           2015-07-28 13:11   1.2G
2015-07-28_mixed.pcap                           2015-07-28 10:45   852M
2015-07-28_mixed.weblogng                       2016-06-15 17:42   20M
Binetflows-per-hour/                            2016-10-10 15:26   -
README.html                                     2017-02-14 09:17   24K
README.md                                       2017-02-14 09:17   16K
bro/                                            2017-08-31 09:45   -
infected-youtube-with-ads-1.png                 2015-07-28 09:23   694K
list-of-websites-sent-by-the-malware.md         2015-07-28 09:24   37K
suricata/                                       2017-09-02 13:12   -
youtube-without-ads-1.png                       2015-07-28 09:24   523K

CTU-Mixed-Capture-1

This capture was made to have a normal computer used by a real user for some time, then infect it with the malware with MD5 2d17f8f6fab6da5619c7528e9b0ee135 (the Bubble Dock adware), then clean it and keep using it normally for some time. The goal is to verify how a detection algorithm copes with a real infection scenario in which the IP address of the computer never changes: the algorithm should not be judged on which IP is infected, but on when it becomes infected and, more importantly, when it is no longer infected.
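To make the evaluation criterion concrete, the following is an added example (not part of the dataset's README or tooling): it labels flows from a `.binetflow` file with the ground-truth phase and scores a temporal detector's per-hour verdicts on *when* it flagged the host. The phase boundaries are taken from the timeline further down (first entry under "Infection", first entry under "Cleaning of the malware"); the Argus CSV layout, the CEST local time of the timestamps, the host address 192.168.1.10, the three sample flows and the detector verdicts are all assumptions or constructed data.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

CEST = timezone(timedelta(hours=2))
# Phase boundaries taken from the README timeline: first entry under
# "Infection" and first entry under "Cleaning of the malware".
INFECTION_START = datetime(2015, 7, 26, 14, 43, 52, tzinfo=CEST)
CLEANING_START = datetime(2015, 7, 27, 15, 1, 53, tzinfo=CEST)
WINDOW = timedelta(hours=1)  # same granularity as the Binetflows-per-hour/ split


def flow_phase(ts):
    """Ground-truth phase of a single flow by its exact start time."""
    if ts < INFECTION_START:
        return "before_infection"
    if ts < CLEANING_START:
        return "infected"
    return "after_disinfection"


def window_phase(w):
    """Phase of the one-hour window starting at w. Any window that overlaps
    the infected interval counts as infected, so the window in which the
    infection happens is already expected to raise an alert."""
    if w + WINDOW <= INFECTION_START:
        return "before_infection"
    if w < CLEANING_START:
        return "infected"
    return "after_disinfection"


def parse_binetflow(text):
    """Yield (start_time, row) per flow of an Argus CSV export. Assumes the
    CTU layout: a header line and a StartTime column formatted
    'YYYY/MM/DD HH:MM:SS.ffffff' in the capture host's local time (CEST)."""
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["StartTime"], "%Y/%m/%d %H:%M:%S.%f")
        yield ts.replace(tzinfo=CEST), row


def label_flows(text):
    """Map each flow's StartTime string to its ground-truth phase."""
    return {row["StartTime"]: flow_phase(ts) for ts, row in parse_binetflow(text)}


def score_verdicts(verdicts):
    """verdicts: {window_start: bool} produced by a temporal detector for the
    one monitored host. Scores *when* the host was flagged, not *which* host."""
    phases = ("before_infection", "infected", "after_disinfection")
    alerts = {p: sorted(w for w, v in verdicts.items() if v and window_phase(w) == p)
              for p in phases}
    infected_windows = [w for w in verdicts if window_phase(w) == "infected"]
    first_true = alerts["infected"][0] if alerts["infected"] else None
    last_alert = max(alerts["infected"] + alerts["after_disinfection"], default=None)
    return {
        "false_alert_windows": len(alerts["before_infection"]),
        "missed_infected_windows": len(infected_windows) - len(alerts["infected"]),
        "late_alert_windows": len(alerts["after_disinfection"]),
        # from the real infection to the start of the first alerting window
        "detection_delay": None if first_true is None else first_true - INFECTION_START,
        # how long after cleaning began the detector still flagged the host
        "clearance_delay": None if last_alert is None
        else max(timedelta(0), last_alert + WINDOW - CLEANING_START),
    }


# --- constructed sample input (not taken from the dataset) -----------------
SAMPLE_BINETFLOW = """StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2015/07/26 10:15:01.000000,0.5,tcp,192.168.1.10,50001,->,198.51.100.7,443,FSPA_FSPA,0,0,12,2400,900,flow=Background
2015/07/26 15:08:05.000000,1.2,tcp,192.168.1.10,50002,->,203.0.113.9,80,FSPA_FSPA,0,0,30,9000,2200,flow=Background
2015/07/27 16:19:33.000000,0.3,udp,192.168.1.10,50003,->,198.51.100.7,53,CON,0,0,2,180,60,flow=Background
"""


def sample_verdicts():
    """Constructed detector output: one false alert before the infection,
    detection only from 16:00 on the infection day, and one window of alerts
    after the cleaning started."""
    v = {}
    t = datetime(2015, 7, 26, 8, 0, tzinfo=CEST)
    while t < datetime(2015, 7, 27, 20, 0, tzinfo=CEST):
        v[t] = False
        t += WINDOW
    v[datetime(2015, 7, 26, 10, 0, tzinfo=CEST)] = True
    t = datetime(2015, 7, 26, 16, 0, tzinfo=CEST)
    while t <= datetime(2015, 7, 27, 16, 0, tzinfo=CEST):
        v[t] = True
        t += WINDOW
    return v


if __name__ == "__main__":
    print(label_flows(SAMPLE_BINETFLOW))
    print(score_verdicts(sample_verdicts()))
```

The two delays are the numbers that matter for this capture: a detector that alerts on the host's IP for the whole capture scores zero missed windows but a clearance delay of the entire post-cleaning period, which is exactly the behaviour the dataset is designed to expose.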

Capture of the traffic of only the malware

In order to help the analysis of this capture, the malware was also executed alone, without any user interaction. That capture, made with the same MD5 2d17f8f6fab6da5619c7528e9b0ee135, can be found here.

Verification Malware Capture

In order to help verify the Mixed capture, another, separate Windows computer was infected with the Bubble Dock adware. This control infection shows how the malware behaves when executed alone, without any user interaction, and may help identify the IP addresses and domains it uses. This capture should be used as a control and probably not for building detection algorithms, since its network environment was different from that of the Mixed capture.

Cleaning of the Mixed capture

Since the capture was made in a real environment, there are privacy issues that must be addressed. Therefore some packets were removed from the capture, notably most multicast and some broadcast traffic. These packets should not be important to a malware detection algorithm and should not add a strong bias.

List of deleted packets:

The UPnP traffic was left in the capture because it has a strongly periodic behavior that can confuse some algorithms.
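The cleaning step described above, as an added example that is not the dataset's own tooling: a standard-library Python filter that rewrites a classic pcap, dropping multicast and broadcast frames while keeping UPnP/SSDP (UDP port 1900) and leaving every surviving record header untouched, so inter-arrival timing is preserved. The exact filter the authors applied is not stated on the page (the list of deleted packets is missing), so the rule here is an assumption, and the four-packet capture is constructed.

```python
import struct

SSDP_PORT = 1900      # UPnP discovery; the README keeps this traffic
ETH_IPV4 = 0x0800
IPPROTO_UDP = 17


def _ethertype(frame):
    return struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else None


def is_group_traffic(frame):
    """True for multicast or broadcast: I/G bit set in the destination MAC,
    or an IPv4 destination in 224.0.0.0/4 or the limited broadcast address."""
    if len(frame) < 14:
        return False
    if frame[0] & 0x01:
        return True
    if _ethertype(frame) == ETH_IPV4 and len(frame) >= 34:
        dst = frame[30:34]
        return 224 <= dst[0] <= 239 or dst == b"\xff\xff\xff\xff"
    return False


def is_ssdp(frame):
    """UDP over IPv4 with source or destination port 1900."""
    if _ethertype(frame) != ETH_IPV4 or len(frame) < 34 or frame[23] != IPPROTO_UDP:
        return False
    udp = 14 + (frame[14] & 0x0F) * 4
    if len(frame) < udp + 4:
        return False
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    return SSDP_PORT in (sport, dport)


def keep_frame(frame):
    """Assumed privacy rule: drop multicast/broadcast, except SSDP which stays.
    Equivalent tcpdump filter: 'udp port 1900 or not (ether multicast or ether broadcast)'."""
    return is_ssdp(frame) or not is_group_traffic(frame)


def filter_pcap(data):
    """Return (filtered_bytes, kept, dropped) for a classic pcap (not pcapng)
    with LINKTYPE_ETHERNET. Record headers of kept packets are copied as-is."""
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack(end + "I", data[20:24])
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    out = bytearray(data[:24])
    off, kept, dropped = 24, 0, 0
    while off + 16 <= len(data):
        incl_len, = struct.unpack(end + "I", data[off + 8:off + 12])
        rec = data[off:off + 16 + incl_len]
        if keep_frame(rec[16:]):
            out += rec
            kept += 1
        else:
            dropped += 1
        off += 16 + incl_len
    return bytes(out), kept, dropped


# --- constructed sample capture (not from the dataset) ---------------------
def _frame(dst_mac, dst_ip, sport, dport):
    """Ethernet/IPv4/UDP frame from 192.168.1.10; checksums left at zero."""
    src_mac = bytes.fromhex("000c29aabbcc")
    src_ip = bytes(map(int, "192.168.1.10".split(".")))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64,
                     IPPROTO_UDP, 0, src_ip, bytes(map(int, dst_ip.split("."))))
    return bytes.fromhex(dst_mac) + src_mac + struct.pack("!H", ETH_IPV4) + ip + udp


def build_sample_pcap():
    frames = [
        _frame("000c29ddeeff", "198.51.100.7", 51000, 53),       # unicast DNS: keep
        _frame("01005e7ffffa", "239.255.255.250", 51001, 1900),  # SSDP M-SEARCH: keep
        _frame("01005e0000fb", "224.0.0.251", 5353, 5353),       # mDNS: drop
        _frame("ffffffffffff", "192.168.1.255", 137, 137),       # NetBIOS broadcast: drop
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1438000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    _, kept, dropped = filter_pcap(build_sample_pcap())
    print(f"kept={kept} dropped={dropped}")
```

Because the SSDP exception is decided per packet on the L4 ports, the periodic UPnP announcements the README deliberately retains survive the pass, while the mDNS and NetBIOS chatter that reveals host and user names does not.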

Only clean pcap

Apart from the large pcap file with all the data, a copy of the pcap up to the moment before the infection with the adware was also made. The file is called capture1.before.infection.pcap (it appears in the listing above as 2015-07-28_mixed.before.infection.pcap) and was made to have a complete normal capture without any infection.

Files in the Dataset

Timeline

This is the timeline of the most important actions of the real, normal user. Most of the time the programs keep running, like Facebook, Gmail, Skype and Dropbox. When some important action was done, we tried to record it here.

Sat Jul 25 17:51:12 CEST 2015

Start the Windows 7 computer.

Software installed before the infection (not exhaustive)

Sat Jul 25 20:47:47 CEST 2015

Sat Jul 25 20:51:50 CEST 2015

Sat Jul 25 21:16:38 CEST 2015

Sat Jul 25 21:18:56 CEST 2015

Sat Jul 25 21:23:16 CEST 2015

Sat Jul 25 21:54:23 CEST 2015

Sat Jul 25 22:12:34 CEST 2015

Sat Jul 25 22:29:44 CEST 2015

Sat Jul 25 22:44:07 CEST 2015

Sat Jul 25 23:01:25 CEST 2015

Sat Jul 25 23:11:25 CEST 2015

Sun Jul 26 13:02:39 CEST 2015

Web Sites accessed prior to any infection for reading news

Sun Jul 26 14:12:10 CEST 2015

Sun Jul 26 14:12:40 CEST 2015

Sun Jul 26 14:13:31 CEST 2015

Sun Jul 26 14:38:15 CEST 2015

Sun Jul 26 14:39:48 CEST 2015

Sun Jul 26 14:41:32 CEST 2015


Infection

Sun Jul 26 14:43:52 CEST 2015

Sun Jul 26 14:48:13 CEST 2015

Sun Jul 26 14:49:01 CEST 2015

Sun Jul 26 14:49:50 CEST 2015

Sun Jul 26 14:53:45 CEST 2015

Sun Jul 26 14:57:28 CEST 2015

Sun Jul 26 15:03:58 CEST 2015

I start IE and access news.yahoo.com.

Sun Jul 26 15:08:05 CEST 2015

I clicked on Facebook in the Bubble Dock. It appears that there are new "trending games" and "recommended games" sections in the upper right corner of Facebook.

Sun Jul 26 15:17:53 CEST 2015

I clicked on one of the games on Facebook recommended by the newly added section.

Sun Jul 26 15:18:44 CEST 2015

Sun Jul 26 15:20:48 CEST 2015

Sun Jul 26 15:21:35 CEST 2015

Sun Jul 26 15:23:45 CEST 2015

Sun Jul 26 15:26:35 CEST 2015

Sun Jul 26 15:26:58 CEST 2015

Sun Jul 26 15:29:31 CEST 2015

Sun Jul 26 15:31:30 CEST 2015

Sun Jul 26 15:23:17 CEST 2015

Sun Jul 26 15:40:32 CEST 2015

The rest of the normal connections keep working: Facebook, Skype, normal web pages.

Sun Jul 26 15:43:09 CEST 2015

Sun Jul 26 15:49:50 CEST 2015

Sun Jul 26 15:50:54 CEST 2015

Sun Jul 26 15:56:08 CEST 2015

Sun Jul 26 16:16:15 CEST 2015

Sun Jul 26 16:42:27 CEST 2015

Sun Jul 26 18:05:19 CEST 2015

Sun Jul 26 18:09:15 CEST 2015

Sun Jul 26 20:17:37 CEST 2015

Sun Jul 26 20:39:09 CEST 2015

Sun Jul 26 21:38:12 CEST 2015

Sun Jul 26 21:41:18 CEST 2015

Mon Jul 27 01:07:57 CEST 2015

Mon Jul 27 09:04:24 CEST 2015

Mon Jul 27 09:22:28 CEST 2015

Mon Jul 27 09:23:57 CEST 2015

Mon Jul 27 09:29:31 CEST 2015

Mon Jul 27 09:30:32 CEST 2015

Mon Jul 27 09:43:34 CEST 2015

Mon Jul 27 09:45:04 CEST 2015

Mon Jul 27 10:05:41 CEST 2015

Mon Jul 27 10:20:07 CEST 2015

Mon Jul 27 10:25:35 CEST 2015

Mon Jul 27 10:28:06 CEST 2015

Mon Jul 27 10:53:35 CEST 2015

Mon Jul 27 10:58:41 CEST 2015

Mon Jul 27 10:59:12 CEST 2015

Mon Jul 27 10:59:30 CEST 2015

Mon Jul 27 11:00:31 CEST 2015

Mon Jul 27 11:00:58 CEST 2015

Mon Jul 27 11:01:56 CEST 2015

Mon Jul 27 11:02:32 CEST 2015

Mon Jul 27 11:36:01 CEST 2015

Mon Jul 27 11:36:38 CEST 2015

Mon Jul 27 11:40:41 CEST 2015

Mon Jul 27 12:16:40 CEST 2015

Mon Jul 27 12:16:59 CEST 2015

Mon Jul 27 12:18:02 CEST 2015

Mon Jul 27 13:47:56 CEST 2015

Mon Jul 27 13:51:42 CEST 2015

Mon Jul 27 13:52:13 CEST 2015

Mon Jul 27 14:46:35 CEST 2015

Mon Jul 27 14:46:50 CEST 2015

Mon Jul 27 15:00:36 CEST 2015

Mon Jul 27 15:00:55 CEST 2015

Mon Jul 27 15:01:23 CEST 2015


Cleaning of the malware

To start cleaning it, we follow these steps:

Mon Jul 27 15:01:53 CEST 2015

Mon Jul 27 15:04:45 CEST 2015

Mon Jul 27 15:05:16 CEST 2015

Mon Jul 27 15:05:58 CEST 2015

Mon Jul 27 15:06:43 CEST 2015

Mon Jul 27 15:07:06 CEST 2015

Mon Jul 27 15:07:44 CEST 2015

Mon Jul 27 15:08:22 CEST 2015

Mon Jul 27 15:11:06 CEST 2015

Mon Jul 27 15:13:19 CEST 2015

Mon Jul 27 15:14:03 CEST 2015

Mon Jul 27 15:15:18 CEST 2015

Mon Jul 27 15:19:08 CEST 2015

Mon Jul 27 15:19:26 CEST 2015

Mon Jul 27 15:31:46 CEST 2015

Mon Jul 27 15:32:17 CEST 2015

Mon Jul 27 15:34:48 CEST 2015

Mon Jul 27 15:35:53 CEST 2015

Mon Jul 27 15:47:48 CEST 2015

It booted correctly.

Mon Jul 27 15:51:14 CEST 2015

Mon Jul 27 15:53:57 CEST 2015

Mon Jul 27 15:54:49 CEST 2015

Mon Jul 27 15:54:14 CEST 2015

Mon Jul 27 16:02:52 CEST 2015

Mon Jul 27 16:19:20 CEST 2015

Mon Jul 27 16:19:33 CEST 2015

Tue Jul 28 00:12:54 CEST 2015

Tue Jul 28 00:13:36 CEST 2015

Tue Jul 28 07:40:43 CEST 2015

Tue Jul 28 07:40:58 CEST 2015

Tue Jul 28 07:41:28 CEST 2015

Tue Jul 28 07:42:45 CEST 2015

Tue Jul 28 07:49:58 CEST 2015

Tue Jul 28 07:53:02 CEST 2015

Tue Jul 28 08:17:45 CEST 2015