########################################################
Malware Capture Facility
CVUT University, Prague, Czech Republic

These files were generated as part of a research project at CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflow files.
For any question, feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
Vojtech Uhlir: vojtech.uhlir@agents.fel.cvut.cz

Disclaimer: You are free to use these files as long as you reference this project and the authors.
########################################################


CLF
===
The CLF (Common Log Format) file contains the HTTP logs extracted from the pcap file with the justniffer tool. The command used was:
justniffer -f file.pcap -p "port 80 or port 8080 or port 3128"  > file.clf


Weblogs
=======
The weblogs are files similar to the CLF file but with another format. They were generated with this command:

justniffer -f $1 -p "port 80 or port 8080 or port 3128" -l "%request.timestamp2(%s) %dest.port %response.code %response.size %source.port %request.size http://%request.header.host%request.url %connection.time %dest.ip %source.ip %response.header.content-type %request.header.referer \"%request.header.user-agent\"" |awk '{if ($11 ~ /\;/) print $1" "$2" "$3" "$4" "$5" "$6" "$7" "($8*1000)" "$9" "$10" "substr($11,1,match($11,/\;/)-1)" "$13" "$14" "substr($0,index($0,$15)); else print $1" "$2" "$3" "$4" "$5" "$6" "$7" "($8*1000)" "$9" "substr($0,index($0,$10))}'|awk '{printf "%.3f %s %s %s %s %s %s %.0f %s %s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, substr($0,index($0,$10))}' > $FILE.weblog
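As an added example (not code from the original project), a Python parser for lines in the weblog format that this pipeline produces, plus a per-label summary using the infected-host labels given under Generic info. The field order follows the -l format string and the awk reorderings; the sample lines are constructed, and the code assumes that no fixed field is empty (only the quoted user-agent contains spaces).

```python
import re

# Field order produced by the -l format string and the two awk passes above; the
# fixed fields are assumed non-empty and only the quoted user-agent contains spaces.
FIELDS = ["ts", "dport", "rcode", "rsize", "sport", "reqsize", "url",
          "conn_ms", "dip", "sip", "ctype", "referer", "user_agent"]
INT_FIELDS = {"dport", "rsize", "sport", "reqsize", "conn_ms"}
# Source IP -> label, as listed under "Infected Machines" in this README.
HOST_LABELS = {"10.0.2.110": "Botnet-V1", "10.0.2.111": "Botnet-V2"}

# Constructed sample lines (not from the dataset); IPs and names are documentation values.
SAMPLE = """\
1381929614.123 80 200 512 49152 301 http://example.test/gate.php 45 192.0.2.10 10.0.2.110 text/html - "Mozilla/4.0 (compatible; MSIE 6.0)"
1381929620.500 8080 404 0 49153 280 http://example.test/cfg.bin 12 192.0.2.10 10.0.2.111 text/plain http://example.test/ "Mozilla/4.0 (compatible; MSIE 6.0)"
1381929630.900 80 200 2048 49154 310 http://other.test/ 80 198.51.100.5 10.0.2.110 text/html - "curl/7.30"
garbage line
"""

def parse_weblog_line(line):
    """Parse one weblog line into a dict; return None if the fixed fields are missing."""
    parts = line.rstrip("\n").split(" ", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    ua = rec["user_agent"].strip()
    if len(ua) >= 2 and ua[0] == ua[-1] == '"':
        ua = ua[1:-1]  # the -l format wraps the user-agent in literal quotes
    rec["user_agent"] = ua
    try:
        rec["ts"] = float(rec["ts"])
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
    except ValueError:
        return None
    return rec

def summarize(lines):
    """Per label: request count and the set of HTTP hosts contacted."""
    out = {}
    for line in lines:
        rec = parse_weblog_line(line)
        if rec is None:
            continue  # skip malformed lines instead of failing the whole file
        label = HOST_LABELS.get(rec["sip"], "Unlabeled")
        host = re.sub(r"^https?://", "", rec["url"]).split("/", 1)[0]
        entry = out.setdefault(label, {"requests": 0, "hosts": set()})
        entry["requests"] += 1
        entry["hosts"].add(host)
    return out
```

To run it over a real capture, pass the lines of a .weblog file to summarize() instead of SAMPLE.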


Netflows
========
The netflows are generated using the 2013-08-12_argus.conf, 2013-08-12_ra.conf and 2013-08-12_ralabel.conf files. We use bidirectional argus records.
The commands used are:
1- argus -F argus.conf -r file.pcap -w file.argus
2- ralabel -f ralabel.conf -r file.argus -w file.argus.labeled
3- mv file.argus.labeled file.argus (this is to add labels to the argus file)
4- ra -F ra.conf -Z b -nr file.argus > file.argus.netflow.labeled

If you need the netflows without the labels, just regenerate them without the ralabel command.

Pcap
====
The pcap files were captured by VirtualBox, because the VMs were NATed. Because of a bug in VirtualBox, all the captures have timestamps starting on 19707/1/1, so the pcap captures cannot be merged.

Labels
======
Labels were assigned using the ralabel program from the argus suite. The assignment rules are not published, but can be requested by e-mail.


Generic info
------------
Binary used: adb0250bcab420e93d94f95d97d51113.exe
Md5: adb0250bcab420e93d94f95d97d51113
Probable Name: ?
Virustotal link: https://www.virustotal.com/en/file/f2d69dfe907d09b21ae116de366ef05d1d8256da1a5df54a40bff480e3851e1b/analysis/ 

Infected Machines:
Windows Name: Win10, IP: 10.0.2.110 (Label: Botnet-V1)
Windows Name: Win11, IP: 10.0.2.111 (Label: Botnet-V2)


Timeline
========

Wed Oct 16 15:18:50 CEST 2013
Win10 started

Wed Oct 16 15:20:14 CEST 2013
Infected win10 with adb0250bcab420e93d94f95d97d51113.exe

Wed Oct 16 16:30:08 CEST 2013
started win11

Wed Oct 16 16:33:33 CEST 2013
Infected win11 with adb0250bcab420e93d94f95d97d51113.exe

Thu Oct 17 09:33:08 CEST 2013
Yesterday at 0hs it seems that the malware stopped doing things. Today the rdesktop was not working.

Thu Oct 17 09:43:44 CEST 2013
I realized that the vm of win10 was aborted!!! I don't know what happened.

Thu Oct 17 09:58:00 CEST 2013???
I restarted win10. Without restoring the snapshot.

Thu Oct 17 10:04:50 CEST 2013
I powered off and restarted win11. Without restoring the snapshot.

Fri Oct 18 09:40:42 CEST 2013
The VMs worked fine until yesterday near 18hs. Then the Windows VM froze. Maybe it is a matter of memory issues???

Fri Oct 18 09:42:06 CEST 2013
I stopped win10 and gave it 512MB of RAM. Only for this run.

Fri Oct 18 09:44:50 CEST 2013
I started Win10 again. Without deinfecting it. I just restarted it with more memory.

Fri Oct 18 09:50:47 CEST 2013
After some minutes, the win10 was aborted again in virtualbox. Maybe there is something wrong with the malware. I will stop the experiments here.

Traffic Analysis
================
