Name | Last modified | Size | Description
---|---|---|---
Parent Directory | - | - |
2015-09-10_winlinux.biargus | 2015-09-16 16:32 | 83M |
2015-09-10_winlinux.binetflow | 2015-09-16 16:33 | 84M |
2015-09-10_winlinux.capinfos | 2015-09-16 16:00 | 714 |
2015-09-10_winlinux.dnstop | 2015-09-16 15:59 | 1.7K |
2015-09-10_winlinux.html | 2015-09-16 16:04 | 364K |
2015-09-10_winlinux.json | 2015-09-16 16:04 | 33K |
2015-09-10_winlinux.passivedns | 2015-09-16 15:59 | 1.1K |
2015-09-10_winlinux.pcap | 2015-09-16 15:37 | 497M |
2015-09-10_winlinux.tcpdstat | 2016-12-05 22:29 | 5.0K |
2015-09-10_winlinux.weblogng | 2016-06-15 17:55 | 518 |
README.html | 2017-01-14 17:09 | 8.5K |
README.md | 2015-09-16 16:34 | 7.9K |
analylsis-from-cisco-blog/ | 2015-09-16 15:45 | - |
bro/ | 2017-08-31 09:45 | - |
fast-flux-dga-first-analysis.txt | 2017-01-14 17:09 | 1.6K |
files-downloaded/ | 2015-09-16 15:35 | - |
kquaznzlnt | 2015-09-16 15:47 | 611K |
- Started Kali Linux (IP: 10.0.0.41)
- Started the pcap capture
- Executed the file "kquaznzlnt" by hand
- Stopped the capture and the machine. The DDoS worked: it generated 498M in 48 seconds, which averages to about 10.4 MB/s (roughly 83 Mbit/s) of captured traffic over the run.
The malware resolved and contacted cf.gddos.com, which resolves through 8.8.8.8 to 59.188.242.190 and is linked to 8uc.gddos.com, which resolves to the same address. Queried directly, the server at 59.188.237.12 answers NXDOMAIN for both names, with the aa flag set and an SOA record for com. itself in the authority section, so it is not serving the zone that the public resolver sees. The whois record reproduced below covers 59.188.237.0/24 (NWT iDC, Hong Kong, AS17444), the block that contains that server; it does not cover 59.188.242.190.
```
; <<>> DiG 9.9.5-10-Debian <<>> cf.gddos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17623
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;cf.gddos.com.                  IN      A

;; ANSWER SECTION:
cf.gddos.com.           599     IN      A       59.188.242.190

;; Query time: 568 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 03 09:12:01 CEST 2015
;; MSG SIZE  rcvd: 57
```
```
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '59.188.237.0 - 59.188.237.255'

inetnum:        59.188.237.0 - 59.188.237.255
netname:        NWTiDC-HK
descr:          NWT iDC Data Service
country:        HK
admin-c:        NC315-AP
admin-c:        IDC1-AP
tech-c:         NC315-AP
tech-c:         KW315-AP
status:         ALLOCATED NON-PORTABLE
remarks:        For network abuse email abuse@newworldtel.com
changed:        kmmwong@newworldtel.com 20101231
mnt-by:         MAINT-HK-NEWWORLDTEL
mnt-irt:        IRT-NEWWORLDTEL-HK
source:         APNIC

irt:            IRT-NEWWORLDTEL-HK
address:        17/F Chevalier Commercial Centre,8 Wang Hoi Road, Kowloon Bay,Hong Kong.
e-mail:         abuse@newworldtel.com
abuse-mailbox:  abuse@newworldtel.com
admin-c:        KW315-AP
tech-c:         IDC1-AP
tech-c:         NC315-AP
auth:           # Filtered
mnt-by:         MAINT-HK-NEWWORLDTEL
changed:        abuse@newworldtel.com 20101207
source:         APNIC

person:         internet Data Centre
address:        17/F Chevalier Commercial Centre,8 Wang Hoi Road, Kowloon Bay, Hong Kong
country:        HK
phone:          +852-2133 4277
e-mail:         idc@newworldtel.com
nic-hdl:        IDC1-AP
mnt-by:         MAINT-HK-NEWWORLDTEL
changed:        kmmwong@newworldtel.com 20101004
source:         APNIC

person:         Kwong Ming Wong
nic-hdl:        KW315-AP
e-mail:         kmmwong@newworldtel.com
address:        17/F Chevalier Commercial Centre,8 Wang Hoi Road, Kowloon Bay,Hong Kong.
phone:          +852-21300120
fax-no:         + 852 - 2133 2175
country:        HK
changed:        kmmwong@newworldtel.com 20060814
mnt-by:         MAINT-HK-NEWWORLDTEL
source:         APNIC

person:         Network Management Center
nic-hdl:        NC315-AP
e-mail:         nmc_data@newworldtel.com
address:        17/F Chevalier Commercial Centre,
address:        8 Wang Hoi Road, Kowloon Bay,
address:        Hong Kong.
phone:          + 852 - 2130-0120
fax-no:         + 852 - 2133 2175
country:        HK
changed:        kmmwong@newworldtel.com 20080804
mnt-by:         MAINT-HK-NEWWORLDTEL
source:         APNIC

% Information related to '59.188.237.0/24AS17444'

route:          59.188.237.0/24
descr:          NWT Route Object
origin:         AS17444
mnt-by:         MAINT-HK-NEWWORLDTEL
changed:        kmmwong@newworldtel.com 20110114
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)
```
```
; <<>> DiG 9.9.5-10-Debian <<>> @59.188.237.12 cf.gddos.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22763
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;cf.gddos.com.                  IN      A

;; AUTHORITY SECTION:
com.                    3600    IN      SOA     ed-2a9d9b8a1f05. hostmaster. 12 900 600 86400 3600

;; Query time: 299 msec
;; SERVER: 59.188.237.12#53(59.188.237.12)
;; WHEN: Thu Sep 03 09:12:41 CEST 2015
;; MSG SIZE  rcvd: 105
```

```
; <<>> DiG 9.9.5-10-Debian <<>> @59.188.237.12 8uc.gddos.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46870
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;8uc.gddos.com.                 IN      A

;; AUTHORITY SECTION:
com.                    3600    IN      SOA     ed-2a9d9b8a1f05. hostmaster. 12 900 600 86400 3600

;; Query time: 309 msec
;; SERVER: 59.188.237.12#53(59.188.237.12)
;; WHEN: Thu Sep 03 09:13:05 CEST 2015
;; MSG SIZE  rcvd: 106
```

```
; <<>> DiG 9.9.5-10-Debian <<>> 8uc.gddos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23748
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;8uc.gddos.com.                 IN      A

;; ANSWER SECTION:
8uc.gddos.com.          527     IN      A       59.188.242.190

;; Query time: 81 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 03 09:13:24 CEST 2015
;; MSG SIZE  rcvd: 58
```
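The resolutions above give two indicators (the gddos.com subdomains and 59.188.242.190) that can be swept across passive-DNS logs such as the .passivedns file in this listing. The following is an added example, not part of the original README or the dataset's tooling: the IOC values are the ones dig returned above, and the log lines are constructed here to mimic passivedns' `||`-separated record format (timestamp||client||server||class||query||type||answer||ttl||count); only the first two reproduce answers seen on this page.

```python
"""Passive-DNS triage for the gddos.com indicators above (added example)."""
import ipaddress
from dataclasses import dataclass

IOC_DOMAIN_SUFFIXES = ("gddos.com",)
IOC_IPS = {ipaddress.ip_address("59.188.242.190")}

# Constructed sample log; only the first two lines reproduce answers seen on this page.
SAMPLE_LOG = """\
1441872721.123||10.0.0.41||8.8.8.8||IN||cf.gddos.com.||A||59.188.242.190||599||1
1441872722.456||10.0.0.41||8.8.8.8||IN||8uc.gddos.com.||A||59.188.242.190||527||1
1441872723.789||10.0.0.42||8.8.8.8||IN||www.debian.org.||A||130.89.148.14||300||3
1441872724.000||10.0.0.43||8.8.8.8||IN||cdn.example.net.||CNAME||edge.example.net.||60||1
1441872725.000||10.0.0.43||8.8.8.8||IN||evil.example.net.||A||59.188.242.190||60||1
this line is malformed and must be skipped
"""


@dataclass(frozen=True)
class DnsRecord:
    ts: float
    client: str
    server: str
    query: str   # lower-cased, trailing dot removed
    rtype: str
    answer: str  # trailing dot removed
    ttl: int


def parse_passivedns(text):
    """Parse passivedns-style lines; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        fields = line.split("||")
        if len(fields) != 9:
            continue
        ts, client, server, _cls, query, rtype, answer, ttl, _count = fields
        records.append(DnsRecord(float(ts), client, server,
                                 query.rstrip(".").lower(), rtype,
                                 answer.rstrip("."), int(ttl)))
    return records


def _domain_matches(name):
    # Match the apex and any subdomain, but not e.g. "notgddos.com".
    return any(name == s or name.endswith("." + s) for s in IOC_DOMAIN_SUFFIXES)


def _ip_matches(answer):
    try:
        return ipaddress.ip_address(answer) in IOC_IPS
    except ValueError:
        return False  # CNAME/NS/MX answers are names, not addresses


def find_hits(records):
    """Records that touch an IOC domain or an IOC address, with the reasons."""
    hits = []
    for r in records:
        reasons = []
        if _domain_matches(r.query):
            reasons.append("ioc-domain")
        if _ip_matches(r.answer):
            reasons.append("ioc-ip")
        if reasons:
            hits.append((r, tuple(reasons)))
    return hits


def infected_clients(records):
    """Source addresses that resolved anything matching an IOC."""
    return sorted({r.client for r, _ in find_hits(records)})


def pivot_domains(records):
    """Names that resolved to an IOC address without being known IOC domains:
    the pivot from an address back to new names, the starting point for a
    fast-flux/DGA follow-up."""
    return sorted({r.query for r, reasons in find_hits(records) if reasons == ("ioc-ip",)})


if __name__ == "__main__":
    recs = parse_passivedns(SAMPLE_LOG)
    for r, why in find_hits(recs):
        print(f"{r.client} -> {r.query} {r.rtype} {r.answer} [{', '.join(why)}]")
    print("infected:", infected_clients(recs))
    print("pivot domains:", pivot_domains(recs))
```

Matching on the answer address as well as the query name is what makes the sweep useful against a domain set that changes: a new name pointing at 59.188.242.190 shows up as an `ioc-ip` hit even before it is added to the domain list.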
http://59.188.242.190.8080/cfg.rar

104.216.132.211:80

With the text (a comma-separated list of paths, with `filename=` markers between the segments):

```
/root/netstat,/root/sshb,/root/azwen,/tmp/inia,/tmp/ops800,/root/26antian,/tmp/sudp,/root/Linux32,/root/ppsh6,/root/.sa_,/root/anniu
filename=/root/anzong118,/root/6ip,/root/g36000,/boot/l24,/etc/Lsy,/root/tufei,/root/man,/root/anzong40026,/root/anzong40018,/root/m,/root/sysyang,/tmp/npc
filename=/tmp/system,/root/fyzx,/etc/IptabLIi,/tmp/ljwxudzglh,/tmp/tufei,/etc/1q2w3e,/mnt/Systenm,/root/64mm,/tmp/ccav,/etc/Ldx,/etc/dsgregd,/root/xiaoma32
filename=/bin/ethtool,/usr/local/games/... /-. /ALPHA/ncrack,/root/anzong,/tmp/mini,/etc/sshb,/tmp/iniatwo,/tmp/run/.fresh/hald,/root/L24_24011,/root/helpf
filename=/etc/udevd,/boot/ksdrips,/root/kthreado,/tmp/dsgregd,/tmp/wtddiqmzqg,/tmp/udevd,/root/59000,/root/TSmyy,/boot/.IptabLes,/tmp/baba,/boot/.IptabLex
filename=/tmp/. /.fresh/hald,/dev/shm/. /.VIPhack/scanssh,/var/tmp/.nynew/b,/var/lib/postgresql/.s/scanssh,/var/tmp/ /. ./check
```

and a second block of text which, once the non-printable bytes are dropped, contains the following names, consistent with a listing of a user's home directory and of /etc (leading dots of dotfiles are not recoverable from the extraction):

```
mission-control, Desktop, pulse-cookie, pulse, gvfs, gnome2, ICEauthority, dbus, local,
xsession-errors, config, cache, gconf, bashrc, profile, rnd, inittab, gdm3, localtime,
timezone, profile.d, locale.gen, default, shadow, shadow-, passwd, passwd-, hosts,
hostname, network, fstab, java, pwd.lock, ConsoleKit, ImageMagick, Muttrc, Muttrc.d,
NetworkManager, PackageKit, UPower, X11
```
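The path list the sample sent is also a ready-made host IOC list for checking other Linux machines. The following is an added example, not part of the original README or the dataset: `PATH_TEXT` is the captured text reproduced above, verbatim; the `root` parameter is an assumption of this example so the sweep can be dry-run against a staged directory tree (on a live host, call `sweep("/")`).

```python
"""Sweep a host for the file paths embedded in the text the sample sent (added example)."""
import os
import tempfile

# Verbatim text from the capture above; "filename=" separates the segments.
PATH_TEXT = (
    "/root/netstat,/root/sshb,/root/azwen,/tmp/inia,/tmp/ops800,/root/26antian,"
    "/tmp/sudp,/root/Linux32,/root/ppsh6,/root/.sa_,/root/anniu "
    "filename=/root/anzong118,/root/6ip,/root/g36000,/boot/l24,/etc/Lsy,/root/tufei,"
    "/root/man,/root/anzong40026,/root/anzong40018,/root/m,/root/sysyang,/tmp/npc "
    "filename=/tmp/system,/root/fyzx,/etc/IptabLIi,/tmp/ljwxudzglh,/tmp/tufei,/etc/1q2w3e,"
    "/mnt/Systenm,/root/64mm,/tmp/ccav,/etc/Ldx,/etc/dsgregd,/root/xiaoma32 "
    "filename=/bin/ethtool,/usr/local/games/... /-. /ALPHA/ncrack,/root/anzong,/tmp/mini,"
    "/etc/sshb,/tmp/iniatwo,/tmp/run/.fresh/hald,/root/L24_24011,/root/helpf "
    "filename=/etc/udevd,/boot/ksdrips,/root/kthreado,/tmp/dsgregd,/tmp/wtddiqmzqg,/tmp/udevd,"
    "/root/59000,/root/TSmyy,/boot/.IptabLes,/tmp/baba,/boot/.IptabLex "
    "filename=/tmp/. /.fresh/hald,/dev/shm/. /.VIPhack/scanssh,/var/tmp/.nynew/b,"
    "/var/lib/postgresql/.s/scanssh,/var/tmp/ /. ./check"
)


def parse_path_list(text):
    """Split the captured text into absolute paths, dropping the filename= markers.

    Only commas separate entries; several paths legitimately contain spaces
    (e.g. "/tmp/. /.fresh/hald"), so no splitting on whitespace is done.
    """
    paths = []
    for segment in text.split("filename="):
        for item in segment.split(","):
            item = item.strip()
            if item.startswith("/"):
                paths.append(item)
    return paths


def sweep(root="/", paths=None):
    """Return the IOC paths present under root, in list order.

    os.path.lexists is used so a dangling symlink still counts as a hit.
    Names such as /bin/ethtool or /etc/udevd can collide with legitimate files
    on some distributions, so treat a hit as a lead to inspect, not a verdict.
    The root parameter is this example's assumption for dry runs.
    """
    if paths is None:
        paths = parse_path_list(PATH_TEXT)
    found = []
    for p in paths:
        if os.path.lexists(os.path.join(root, p.lstrip("/"))):
            found.append(p)
    return found


def stage_demo():
    """Build a throwaway tree containing two of the IOC paths, for a dry run."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    for rel in ("tmp/udevd", "boot/.IptabLes"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w"):
            pass
    return root


if __name__ == "__main__":
    print("staged tree:", sweep(stage_demo()))
    print("this host:", sweep("/"))
```

Entries under /tmp, /dev/shm and /var/tmp with dot-prefixed or space-padded names (`/tmp/. /.fresh/hald`, `/dev/shm/. /.VIPhack/scanssh`) are the ones least likely to collide with legitimate software, so a hit on those deserves the quickest follow-up.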