Index of /publicDatasets/CTU-Mixed-Capture-5

[ICO]NameLast modifiedSizeDescription

[PARENTDIR]Parent Directory  -  
[   ]34d8dc64e8e425b5a78799ee124f43c8b4045f611e5187d8266abda6dfb50e45.exe.zip2016-05-28 12:47 157K 
[   ]2015-03-19_winnormal.biargus2016-03-19 16:43 1.0M 
[   ]2015-03-19_winnormal.binetflow2016-03-19 16:43 942K 
[   ]2015-03-19_winnormal.binetflow.after.infection2016-10-04 17:31 364K 
[   ]2015-03-19_winnormal.binetflow.before.infection2016-10-04 17:30 579K 
[   ]2015-03-19_winnormal.capinfos2016-03-19 16:42 755  
[   ]2015-03-19_winnormal.dnstop2016-03-19 16:42 21K 
[TXT]2015-03-19_winnormal.html2016-03-19 16:42 48M 
[   ]2015-03-19_winnormal.json2016-03-19 16:42 97M 
[   ]2015-03-19_winnormal.onlynormal-2.pcap2016-03-29 10:40 107M 
[   ]2015-03-19_winnormal.onlynormal.pcap2016-03-29 10:29 8.8M 
[   ]2015-03-19_winnormal.passivedns2016-03-19 16:42 118K 
[   ]2015-03-19_winnormal.pcap2016-03-19 16:40 173M 
[   ]2015-03-19_winnormal.rrd2016-03-19 16:40 8.0M 
[   ]2015-03-19_winnormal.weblogng2016-06-15 17:55 11K 
[DIR]Binetflows-per-hour/2016-10-10 14:09 -  
[TXT]README.html2017-02-14 09:56 3.0K 
[TXT]README.md2017-02-14 09:56 2.1K 
[DIR]bro/2017-08-31 09:45 -  
[DIR]suricata/2019-03-23 14:41 -  

Description

Only malware capture

In order to better analyze this mixed capture, we also executed the malware alone, without any user interaction. The capture can be found here.

About the Normal install

Timeline

Sat Mar 19 14:38:29 CET 2016

Started win normal

Sat Mar 19 14:39:12 CET 2016

Started google chrome

Sat Mar 19 14:39:46 CET 2016

Started skype

Sat Mar 19 14:40:26 CET 2016

Searched for "more stuff" in google

Sat Mar 19 14:41:13 CET 2016

Enter the www.huffingpost.com

Infection

Sat Mar 19 14:55:28 CET 2016

Infected

First packet after infection (not necessary an infected packet) 1970-01-01 02:22:39.378395 IP 10.0.2.200.61691 > 8.8.8.8.53: 23144+ A? clients2.google.com. (37)

Sat Mar 19 14:57:54 CET 2016

Search "is it infected" on google

Sat Mar 19 14:58:48 CET 2016

Enter normally to www.advancedtissue.com

Sat Mar 19 15:00:12 CET 2016

Search "my bank" in google

Sat Mar 19 15:00:41 CET 2016

enter normally www.mybank.eu

Sat Mar 19 15:01:05 CET 2016

enter normally www.mybank2u.com

Sat Mar 19 15:08:24 CET 2016

Interact with www.mybank2u.com Click on links, ask for loans, download pdfs.

Sat Mar 19 15:13:16 CET 2016

Stop interacting with webpages, but I didn't close any

Sat Mar 19 16:40:57 CET 2016

Poweroff the vm