Index of /publicDatasets/CTU-Mixed-Capture-9-1

	Name	Last modified	Size	Description
	Parent Directory		-
	2017-08-17_capture.biargus	2018-05-21 11:38	46M
	2017-08-17_capture.binetflow	2018-05-21 11:38	8.3M
	2017-08-17_capture.capinfos	2018-05-21 11:38	1.1K
	2017-08-17_capture.day22-10.40--10.50.pcap	2019-08-02 14:58	72
	2017-08-17_capture.dnstop	2018-05-21 11:34	22K
	2017-08-17_capture.html	2018-05-21 11:51	4.5G
	2017-08-17_capture.json	2018-05-21 11:50	9.6G
	2017-08-17_capture.passivedns	2018-05-21 11:34	1.3M
	2017-08-17_capture.pcap	2018-05-21 11:01	7.7G
	2017-08-17_capture.tcpdstat	2018-05-21 11:38	2.3K
	2017-08-17_capture.weblogng	2018-05-21 11:38	3.9M
	README.html	2018-05-21 11:48	5.3K
	README.md	2020-08-17 17:38	4.8K
	bro/	2018-05-21 11:36	-
	suricata/	2019-03-23 14:42	-

Description

• Description: This capture is a normal computer that started with a lot of programs running, and after some minutes was infected with Emotet malware. Then it continued to have both normal actions and malware actions.
• MD5: 8a5d3cada819fe7fd9db67d8c0af120e
• SHA1: b7dc6cad84c5d644923fe35ff8ac013899841ac6
• SHA256: d004d1a31df6b4abe534040f9561c0e4188ad7f3cab4fecb09064c48f88b9dc2
• Password of zip file: infected
• Duration: ~6days

• Proxy Usage: This capture did not use an intermediate proxy.

• VirusTotal
• HybridAnalysis

• RobotHash

Files

• .capinfos
  • Capinfos file
• .dnstop
  • DNS top file
• mitm.out
  • Mitm proxy interception file of http and https
• .mitm.weblog
  • This is the HTTP and HTTPS web log that includes Labels. This is the preferred file for web analysis.
  • This file includes a header with the columns names. There are two new columns defined by us:
    • Column id: This number is unique for all the weblogs generated inside the same TCP connection. When a TCP connection is opened and several GET/POST, etc., requests are made inside it, all of them are assigned the same Id in this file.
    • Column timestamp_end: This is the timestamp when the weblog ended. If you use this with the id column you can compute the total duration of the TCP connection that generated all the weblogs. Similar to the duration of a hypothetical CONNECT request if this would have been done using a proxy.
• .passivedns
  • Passive DNS file
• .pcap
  • Original pcap file
• .rrd
  • RRD file for graphs
• .weblogng
  • WEB log of http traffic only. Generated with justsniffer
• .exe.zip
  • Original malware file
• bro
  • Folder with all the bro output files
• .biargus
  • Argus binary file. Bidirectional flows, 3600s of report time.
• .binetflow
  • Argus text file with bidirectional flows. Report time 3600 secs.
• .uniargus
  • Argus binary file. Unidirectional flows, 5s of report time.
• .uninetflow
  • Argus text file with unidirectional flows. Report time 5 secs. TAB as column separator.

IP Addresses

- Infected host:
- Default GW: 

Timeline

Mon Aug 16 15:01 CEST 2017

Started the windows computer

15:03 download google chrome
15:05 download and install spotify
15:06 logging into to facebook
15:07 start playing spotify
15:08 download and install dropbox
15:09 browse facebook
15:10 do some stupid things
15:11 dropbox started syncing
15:13 download ubuntu
15:14 add extension to chrome
15:15 go to reddit
15:17 read articles
15:23 pause spotify to listen to podcast on soundcloud
15:25 close podcast, turn on spotify
15:26 images/videos on reddit
15:29 add ubuntu to dropbox and leave for a while
15:33 go to gmail
15:34 send an email
15:35 youtube
15:47 google docs
15:49 open some docs on web dropbox
15:50 bbc news and videos
16:00 pause for work 
18:10 wikipedia
18:23 chess game
18:37 facebook
18:38 stackexchange
18:46 irc webnode
18:51 dropbox
18:52 download and upload pdf to dropbox

August 22, continued
9:32 wikipedia article
9:37 gmail
9:39 facebook
9:40 news
9:45 twitter
9:50 youtube
9:51 reddit
9:59 game of chess
10:24 news
10:27 gmail
10:28 google+

Mon Aug 22 10:47 CEST 2017

Infected with malware

Mon Aug 22 10:49 CEST 2017

Continue normal actions

10:49 gmail
10:50 reddit
10:57 articles
11:09 gmail
11:12 download large file
11:15 spotify is damaged by a virus
11:18 put large file to the dropbox folder
11:24 news
11:36 alza
11:42 pause
11:46 twitter
11:53 try to kill virus process
11:55 articles
12:15 pause
August 23, continued
10:00 reddit
10:05 download and install skype
10:09 facebook
10:10 gmail
10:13 youtube video
10:16 google docs
10:20 browsing
10:27 gmail
10:36 google plus
10:40 random browsing
10:51 pause
10:55 browsing

Mon Aug 23 11:00 CEST 2017

power off

Disclaimer

These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project in the CVUT University, Prague, Czech Republic. The goal is to store long-lived real botnet traffic and to generate labeled netflows files. Any question feel free to contact us: Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz

You are free to use these files as long as you reference this project and the authors as follows: Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org