Index of /publicDatasets/CTU-Mixed-Capture-4

	Name	Last modified	Size	Description
	Parent Directory		-
	suricata/	2019-03-23 14:41	-
	fast-flux-dga-first-analysis.txt	2017-02-14 09:52	220K
	bro/	2017-08-31 09:45	-
	Win-Normal-1.rrd	2016-03-19 14:31	8.0M
	README.md	2017-02-14 09:55	1.8K
	README.html	2017-02-14 09:55	2.5K
	Binetflows-per-hour/	2016-10-10 14:08	-
	141470b7e44308fc541be2476092cfd8f2b6140bc698bd51c088b89331cfd4b5.exe.zip	2016-05-28 12:48	122K
	2015-03-19_capture-win.weblogs	2016-03-19 14:34	238K
	2015-03-19_capture-win.weblogng	2017-02-14 09:51	289K
	2015-03-19_capture-win.tcpdstat	2017-02-14 09:51	2.0K
	2015-03-19_capture-win.pcap	2016-03-19 14:31	161M
	2015-03-19_capture-win.passivedns	2017-02-14 09:51	98K
	2015-03-19_capture-win.json	2016-03-19 14:35	123M
	2015-03-19_capture-win.html	2016-03-19 14:35	62M
	2015-03-19_capture-win.dnstop	2017-02-14 09:51	19K
	2015-03-19_capture-win.capinfos	2017-02-14 09:51	1.1K
	2015-03-19_capture-win.binetflow.extended	2016-08-11 09:20	177K
	2015-03-19_capture-win.binetflow.before.infection	2016-10-04 17:11	332K
	2015-03-19_capture-win.binetflow.after.infection	2016-10-04 17:11	395K
	2015-03-19_capture-win.binetflow	2017-02-14 09:51	298K
	2015-03-19_capture-win.biargus	2017-02-14 09:51	1.1M

Timeline

• This is a normal computer doing normal tasks and then infected with lock ransomware
• Probably Name: Normal + Locky
• MD5: 4d9838607597427f2dd6b1d2092f1e76
  
• SHA1: d99e90f8fdc5a47bbc7efa9caf8aefdc718cfcbe
  

• SHA256: 141470b7e44308fc541be2476092cfd8f2b6140bc698bd51c088b89331cfd4b5

• VirusTotal
• HybridAnalysis

• RobotHash

About the Normal install

• Google Chrome
• Apply itunes
• Office 2007
• Windows updates were not active
• No windows firewall

Only malware capture

In order to better analyze this mixed capture, we also executed the malware alone, without any user interaction. The capture can be found here.

Sat Mar 19 13:54:54 CET 2016

Started win-normal-1

Sat Mar 19 13:56:29 CET 2016

Start chrome

Sat Mar 19 13:56:53 CET 2016

Started skype

Sat Mar 19 13:58:13 CET 2016

Search "other cars" in google

Sat Mar 19 14:00:14 CET 2016

Enter to "gocompare.com"

Sat Mar 19 14:14:50 CET 2016

Infected with 141470b7e44308fc541be2476092cfd8f2b6140bc698bd51c088b89331cfd4b5.exe It is locky ransomware

• First flow 1970/01/01 01:19:44.203488,3.262567,tcp,10.0.2.200,49620, ->,40.84.24.156,443,PA_PA,0,0,7,722,326

Sat Mar 19 14:16:00 CET 2016

Enter to www.confused.com normally

Sat Mar 19 14:20:00 CET 2016

Search something in google

Sat Mar 19 14:20:32 CET 2016

enter www.pgatour.com

Sat Mar 19 14:31:03 CET 2016

Power off windows