# Description
- Description: This capture is a normal user doing normal tasks and being infected at the same time. The user works for ~15 minutes, then it is infected with the malware, and they continue to work and use the computer normally. We know it is normal because we controlled the user completely.
- Probable Malware Name: DarkVNC
- MD5: 01968695156dc80fcbd9a2b43a88d09c
- SHA1: 7c4a3e5ad68b3909edf15ae0763f99917290a9d9
- SHA256: 0d3019f5dfdd7ee6594aaf3ef712e86d0c207ae67e8c1a2cfb7c5e475cfec14a
- Password of zip file: infected
- Duration:  
- Proxy Usage: This capture did [not] use an intermediate proxy.

- [VirusTotal](https://www.virustotal.com/en/file/0d3019f5dfdd7ee6594aaf3ef712e86d0c207ae67e8c1a2cfb7c5e475cfec14a/analysis/)
- [HybridAnalysis](https://www.hybrid-analysis.com/sample/0d3019f5dfdd7ee6594aaf3ef712e86d0c207ae67e8c1a2cfb7c5e475cfec14a?environmentId=2)
- RobotHash

[![](https://robohash.org/01968695156dc80fcbd9a2b43a88d09c)](https://robohash.org)

# Files

- .capinfos
    - Capinfos file
- .dnstop
    - DNS top file
- mitm.out
    - Mitm proxy interception file of http and https
- .mitm.weblog
    - This is the HTTP and HTTPS web log that includes Labels. This is the preferred file for web analysis.
    - This file includes a header with the column names. There are two new columns defined by us:
        - Column id: This number is unique for all the weblogs generated __inside__ the same TCP connection. When a TCP connection is opened and several GET/POST, etc., requests are made inside it, all of them are assigned the same id in this file.
        - Column timestamp_end: This is the timestamp when the weblog ended. If you use this together with the id column you can compute the total duration of the TCP connection that generated __all__ the weblogs. This is similar to the duration of a hypothetical CONNECT request, had the traffic gone through a proxy.
- .passivedns
    - Passive DNS file
- .pcap
    - Original pcap file
- .rrd
    - RRD file for graphs
- .weblogng
    - WEB log of http traffic only. Generated with justsniffer
- .exe.zip
    - Original malware file
- bro
    - Folder with all the bro output files
- .biargus
    - Argus binary file. Bidirectional flows, 3600s of report time.
- .binetflow
    - Argus text file with bidirectional flows. Report time 3600 secs.
- .uniargus
    - Argus binary file. Unidirectional flows, 5s of report time.
- .uninetflow
    - Argus text file with unidirectional flows. Report time 5 secs. TAB as column separator.

# IP Addresses
- Infected host: 192.168.1.xx
- Default GW: 192.168.1.2

# Timeline

# Tue May  1 21:02:28 CEST 2018
Started normal
This is the windows that is full but smaller


Last normal packet  9

# Tue May  1 21:03:42 CEST 2018
Infected with 0d3019f5dfdd7ee6594aaf3ef712e86d0c207ae67e8c1a2cfb7c5e475cfec14a

The CC IP is 37.48.125.108

# Wed May  2 07:56:53 CEST 2018
Normal actions
Last packet before doing normal actions by hand:  
2132  04:00:54.354418 IP6 fe80::353e:6fce:ee32:1a73.51389 > ff02::c.1900: UDP, length 146


We did a lot of normal activity: Google, email, YouTube, downloading documents, ping www.otro.com from cmd.exe, and Google Drive.

# Fri May  4 23:45:27 CEST 2018
Power it off

# Disclaimer 
These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project in the CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflows files.
For any questions, feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz

You are free to use these files as long as you reference this project and the authors as follows:
Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org