Index of /publicDatasets/IoTDatasets/CTU-IoT-Malware-Capture-3-1

Name | Last modified | Size
--- | --- | ---
5ce13670bc875e913e6f087a4ac0a9e343347d5babb3b5c63e1d1b199371f69a.zip | 2020-02-14 18:20 | 33K
2018-05-21_capture.biargus | 2019-01-30 17:51 | 26M
2018-05-21_capture.binetflow | 2019-01-30 17:51 | 7.9M
2018-05-21_capture.capinfos | 2019-01-30 17:51 | 1.1K
2018-05-21_capture.dnstop | 2019-01-30 17:51 | 958
2018-05-21_capture.passivedns | 2019-01-30 17:51 | 945
2018-05-21_capture.pcap | 2019-01-30 17:51 | 55M
2018-05-21_capture.tcpdstat | 2019-01-30 17:51 | 1.8K
2018-05-21_capture.uniargus | 2019-01-30 17:51 | 43M
2018-05-21_capture.uninetflow | 2019-01-30 17:51 | 16M
2018-05-21_capture.weblogng | 2019-01-30 17:51 | 232
README.html | 2021-01-25 18:06 | 4.4K
README.md | 2021-01-25 18:06 | 3.6K
annas-tool/ | 2020-10-01 16:44 | -
bro/ | 2020-10-01 16:30 | -
fce7b8bbd1c1fba1d75b9dc1a60b25f49f68c9ec16b3656b52ed28290fc93c72.zip | 2020-02-14 18:19 | 751K
miro_dashboard_analysis.jpg | 2019-12-24 18:44 | 2.9M
suricata/ | 2019-01-30 17:51 | -
zeek-3.2.0/ | 2020-10-01 16:31 | -

Description

Description of Files

IP Addresses

- Infected host: 192.168.2.5
- Default GW: 192.168.2.1

Timeline

Sat May 19 20:56:36 CEST 2018

Started rpi

Sat May 19 20:57:40 CEST 2018

Infected

Analysis

Muhstik is a variant of the Tsunami botnet

The infected host connected to an IRC channel.

This appears to be related to the Muhstik botnet:

- http://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/
- https://exchange.xforce.ibmcloud.com/collection/Muhstik-Botnet-Actively-Exploiting-CVE-2018-7600-0547cbc8eb2dc52c344b5da2b7c4063f

The malware made the infection of the rpi persistent by modifying the crontab (the same binary is staged in four directories and run every 5 minutes):

```
$ crontab -l
*/5 * * * * /tmp/fce7b8bbd1c1fba1d75b9dc1a60b25f49f68c9ec16b3656b52ed28290fc93c72 > /dev/null 2>&1 &
*/5 * * * * /dev/shm/fce7b8bbd1c1fba1d75b9dc1a60b25f49f68c9ec16b3656b52ed28290fc93c72 > /dev/null 2>&1 &
*/5 * * * * /var/tmp/fce7b8bbd1c1fba1d75b9dc1a60b25f49f68c9ec16b3656b52ed28290fc93c72 > /dev/null 2>&1 &
*/5 * * * * /var/lock/fce7b8bbd1c1fba1d75b9dc1a60b25f49f68c9ec16b3656b52ed28290fc93c72 > /dev/null 2>&1 &
```

The malware listens on a local port (loopback only):

```
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:61000         0.0.0.0:*               LISTEN      584/eth0
```
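As an added detection example (not part of the dataset or its README), the following Python scan parses `crontab -l` output and flags entries showing the persistence traits seen above: a binary in a world-writable staging directory, a sha256-like basename, a `*/N` minute schedule, and output discarded while backgrounded. The sample crontab is constructed from the entries above plus one benign line.

```python
import re

# Constructed sample: the four persistence entries observed in this capture
# plus one benign entry, embedded so the scan runs offline.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update > /dev/null 2>&1
*/5 * * * * /tmp/fce7b8bbd1c1fba1d75b9dc1a60b25f49f68c9ec16b3656b52ed28290fc93c72 > /dev/null 2>&1 &
*/5 * * * * /dev/shm/fce7b8bbd1c1fba1d75b9dc1a60b25f49f68c9ec16b3656b52ed28290fc93c72 > /dev/null 2>&1 &
*/5 * * * * /var/tmp/fce7b8bbd1c1fba1d75b9dc1a60b25f49f68c9ec16b3656b52ed28290fc93c72 > /dev/null 2>&1 &
*/5 * * * * /var/lock/fce7b8bbd1c1fba1d75b9dc1a60b25f49f68c9ec16b3656b52ed28290fc93c72 > /dev/null 2>&1 &
"""

# Directories a persistent daemon has no business living in on an IoT host.
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/var/lock/")
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def parse_crontab(text):
    """Yield (schedule, command) for each 5-field crontab line, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # env assignments or malformed lines are not schedules
        yield " ".join(parts[:5]), parts[5]


def scan_crontab(text):
    """Return [(command, reasons)] for entries matching at least two traits."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        binary = command.split()[0]
        if binary.startswith(STAGING_DIRS):
            reasons.append("binary in world-writable staging dir")
        if HEX64.match(binary.rsplit("/", 1)[-1]):
            reasons.append("sha256-like basename")
        if schedule.split()[0].startswith("*/"):
            reasons.append("high-frequency minute schedule")
        if "/dev/null" in command and command.rstrip().endswith("&"):
            reasons.append("output discarded and backgrounded")
        if len(reasons) >= 2:
            findings.append((command, reasons))
    return findings


if __name__ == "__main__":
    for command, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(command.split()[0], "->", ", ".join(reasons))
```

On a live host, feed the scan the output of `crontab -l` for each user (and the files under `/etc/cron.d`) instead of the constructed sample.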

Mon May 21 09:05:05 CEST 2018

poweroff

Disclaimer

These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project at CVUT University, Prague, Czech Republic, with the support of Avast Software. The goal is to store long-lived real botnet traffic and to generate labeled netflow files. For any questions, feel free to contact us: Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz

You are free to use these files as long as you reference this project and the authors as follows: Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org