Index of /publicDatasets/CTU-Malware-Capture-Botnet-135-1

| Name | Last modified | Size |
|---|---|---|
| Parent Directory | | - |
| 2015-09-10_winlinux.biargus | 2015-09-16 16:32 | 83M |
| 2015-09-10_winlinux.binetflow | 2015-09-16 16:33 | 84M |
| 2015-09-10_winlinux.capinfos | 2015-09-16 16:00 | 714 |
| 2015-09-10_winlinux.dnstop | 2015-09-16 15:59 | 1.7K |
| 2015-09-10_winlinux.html | 2015-09-16 16:04 | 364K |
| 2015-09-10_winlinux.json | 2015-09-16 16:04 | 33K |
| 2015-09-10_winlinux.passivedns | 2015-09-16 15:59 | 1.1K |
| 2015-09-10_winlinux.pcap | 2015-09-16 15:37 | 497M |
| 2015-09-10_winlinux.tcpdstat | 2016-12-05 22:29 | 5.0K |
| 2015-09-10_winlinux.weblogng | 2016-06-15 17:55 | 518 |
| README.html | 2017-01-14 17:09 | 8.5K |
| README.md | 2015-09-16 16:34 | 7.9K |
| analylsis-from-cisco-blog/ | 2015-09-16 15:45 | - |
| bro/ | 2017-08-31 09:45 | - |
| fast-flux-dga-first-analysis.txt | 2017-01-14 17:09 | 1.6K |
| files-downloaded/ | 2015-09-16 15:35 | - |
| kquaznzlnt | 2015-09-16 15:47 | 611K |

Description

Timeline

Thu Sep 3 08:57:52 CEST 2015

Started Kali Linux - IP: 10.0.0.41

Thu Sep 3 09:04:27 CEST 2015

Start the pcap capture

Thu Sep 3 09:04:54 CEST 2015

Executed the file "kquaznzlnt" by hand

Thu Sep 3 09:05:43 CEST 2015

Stop the capture and the machine. The DDoS worked: the sample generated 498M of traffic in the 48 seconds between execution and shutdown, i.e. roughly 10 MB/s, on the order of 85 Mbit/s sustained from a single infected host.
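To reproduce the rate figure above and to find out which destination the bulk of those bytes went to, the following script parses a classic pcap with the Python standard library and aggregates bytes and packets per destination. This is an added example, not part of the dataset's own tooling (the .capinfos, .biargus and bro/ outputs listed above were produced with the usual tools); it assumes an Ethernet link type and IPv4, and the sample capture at the bottom is constructed inline, reusing the README's addresses (10.0.0.41, 104.216.132.211, 59.188.242.190) only as placeholders.

```python
"""Per-destination byte/packet counts and throughput from a classic pcap (stdlib only)."""
import socket
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1


def build_frame(src, dst, dport, payload, sport=40000):
    """Ethernet + IPv4 + TCP frame; checksums left zero, which is fine for parsing."""
    eth = bytes(12) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(packets):
    """Serialise (ts_sec, ts_usec, frame) tuples as a little-endian classic pcap."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in packets:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (timestamp, wire_length, frame_bytes) per record; handles both byte orders."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, orig_len, data[off:off + incl_len]
        off += incl_len


def destination(frame):
    """(dst_ip, dst_port, proto) for IPv4 frames; port is None unless TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    dst = socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:
        return dst, struct.unpack_from("!H", frame, l4 + 2)[0], proto
    return dst, None, proto


def summarize(pcap_bytes, top_n=5):
    """Total bytes, capture duration, Mbit/s and the heaviest destinations."""
    by_dst = defaultdict(lambda: [0, 0])  # key -> [bytes, packets]
    first = last = None
    total = 0
    for ts, wire_len, frame in iter_pcap(pcap_bytes):
        first = ts if first is None else first
        last = ts
        total += wire_len
        key = destination(frame)
        if key is not None:
            by_dst[key][0] += wire_len
            by_dst[key][1] += 1
    duration = (last - first) if first is not None else 0.0
    rate = total * 8 / duration / 1e6 if duration > 0 else float("nan")
    top = sorted(by_dst.items(), key=lambda kv: kv[1][0], reverse=True)[:top_n]
    return {"total_bytes": total, "duration_s": duration, "mbit_per_s": rate,
            "top": [(dst, b, n) for dst, (b, n) in top]}


# Constructed sample (not from the dataset): one small fetch from the config
# server, then four large frames to the victim, spanning two seconds.
VICTIM, CFG_SERVER, INFECTED = "104.216.132.211", "59.188.242.190", "10.0.0.41"
SAMPLE_PCAP = build_pcap(
    [(1441263894, 0, build_frame(INFECTED, CFG_SERVER, 8080, b"GET /cfg.rar"))]
    + [(1441263894 + s, us, build_frame(INFECTED, VICTIM, 80, b"A" * 1000))
       for s, us in ((0, 100000), (0, 500000), (1, 0), (2, 0))]
)

if __name__ == "__main__":
    s = summarize(SAMPLE_PCAP)
    print(f"{s['total_bytes']} bytes in {s['duration_s']:.1f} s = {s['mbit_per_s']:.3f} Mbit/s")
    for (dst, port, proto), nbytes, npkts in s["top"]:
        print(f"  {dst}:{port} proto={proto} bytes={nbytes} packets={npkts}")
```

To run it on the dataset's own capture, pass `open("2015-09-10_winlinux.pcap", "rb").read()` to `summarize()`; the top entry shows which destination received most of the 498M, and the rate is computed over the whole capture window rather than over the 48 seconds after execution, so expect a slightly lower figure. The parser is pure Python and will take a while on half a gigabyte; for routine work the .capinfos and argus files already in the directory give the same totals.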

Analysis

The malware resolved and contacted cf.gddos.com, which public resolvers map to 59.188.242.190. A second name under the same domain, 8uc.gddos.com, resolves to the same address, while the actors' own DNS server 59.188.237.12 answers NXDOMAIN for both names (dig output below).

59.188.242.190

Dig of cf.gddos.com against a public resolver (8.8.8.8)

```
; <<>> DiG 9.9.5-10-Debian <<>> cf.gddos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17623
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;cf.gddos.com.			IN	A

;; ANSWER SECTION:
cf.gddos.com.		599	IN	A	59.188.242.190

;; Query time: 568 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 03 09:12:01 CEST 2015
;; MSG SIZE  rcvd: 57
```

whois 59.188.237.12 (the actors' own DNS server, queried below)

```
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '59.188.237.0 - 59.188.237.255'

inetnum:        59.188.237.0 - 59.188.237.255
netname:        NWTiDC-HK
descr:          NWT iDC Data Service
country:        HK
admin-c:        NC315-AP
admin-c:        IDC1-AP
tech-c:         NC315-AP
tech-c:         KW315-AP
status:         ALLOCATED NON-PORTABLE
remarks:        For network abuse email abuse@newworldtel.com
changed:        kmmwong@newworldtel.com 20101231
mnt-by:         MAINT-HK-NEWWORLDTEL
mnt-irt:        IRT-NEWWORLDTEL-HK
source:         APNIC

irt:            IRT-NEWWORLDTEL-HK
address:        17/F Chevalier Commercial Centre,8 Wang Hoi Road, Kowloon Bay,Hong Kong.
e-mail:         abuse@newworldtel.com
abuse-mailbox:  abuse@newworldtel.com
admin-c:        KW315-AP
tech-c:         IDC1-AP
tech-c:         NC315-AP
auth:           # Filtered
mnt-by:         MAINT-HK-NEWWORLDTEL
changed:        abuse@newworldtel.com 20101207
source:         APNIC

person:         internet Data Centre
address:        17/F Chevalier Commercial Centre,8 Wang Hoi Road, Kowloon Bay, Hong Kong
country:        HK
phone:          +852-2133 4277
e-mail:         idc@newworldtel.com
nic-hdl:        IDC1-AP
mnt-by:         MAINT-HK-NEWWORLDTEL
changed:        kmmwong@newworldtel.com 20101004
source:         APNIC

person:         Kwong Ming Wong
nic-hdl:        KW315-AP
e-mail:         kmmwong@newworldtel.com
address:        17/F Chevalier Commercial Centre,8 Wang Hoi Road, Kowloon Bay,Hong Kong.
phone:          +852-21300120
fax-no:         + 852 - 2133 2175
country:        HK
changed:        kmmwong@newworldtel.com 20060814
mnt-by:         MAINT-HK-NEWWORLDTEL
source:         APNIC

person:         Network Management Center
nic-hdl:        NC315-AP
e-mail:         nmc_data@newworldtel.com
address:        17/F Chevalier Commercial Centre,
address:        8 Wang Hoi Road, Kowloon Bay,
address:        Hong Kong.
phone:          + 852 - 2130-0120
fax-no:         + 852 - 2133 2175
country:        HK
changed:        kmmwong@newworldtel.com 20080804
mnt-by:         MAINT-HK-NEWWORLDTEL
source:         APNIC

% Information related to '59.188.237.0/24AS17444'

route:          59.188.237.0/24
descr:          NWT Route Object
origin:         AS17444
mnt-by:         MAINT-HK-NEWWORLDTEL
changed:        kmmwong@newworldtel.com 20110114
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)
```

Dig of cf.gddos.com against their own DNS server 59.188.237.12

```
; <<>> DiG 9.9.5-10-Debian <<>> @59.188.237.12 cf.gddos.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22763
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;cf.gddos.com.			IN	A

;; AUTHORITY SECTION:
com.			3600	IN	SOA	ed-2a9d9b8a1f05. hostmaster. 12 900 600 86400 3600

;; Query time: 299 msec
;; SERVER: 59.188.237.12#53(59.188.237.12)
;; WHEN: Thu Sep 03 09:12:41 CEST 2015
;; MSG SIZE  rcvd: 105
```

Dig of 8uc.gddos.com against 59.188.237.12

```
; <<>> DiG 9.9.5-10-Debian <<>> @59.188.237.12 8uc.gddos.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46870
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;8uc.gddos.com.			IN	A

;; AUTHORITY SECTION:
com.			3600	IN	SOA	ed-2a9d9b8a1f05. hostmaster. 12 900 600 86400 3600

;; Query time: 309 msec
;; SERVER: 59.188.237.12#53(59.188.237.12)
;; WHEN: Thu Sep 03 09:13:05 CEST 2015
;; MSG SIZE  rcvd: 106
```

Dig of 8uc.gddos.com against a public resolver (8.8.8.8)

```
; <<>> DiG 9.9.5-10-Debian <<>> 8uc.gddos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23748
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;8uc.gddos.com.			IN	A

;; ANSWER SECTION:
8uc.gddos.com.		527	IN	A	59.188.242.190

;; Query time: 81 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 03 09:13:24 CEST 2015
;; MSG SIZE  rcvd: 58
```

Downloaded the configuration from the same host, on port 8080

http://59.188.242.190:8080/cfg.rar

DDoS victims

104.216.132.211:80

With the text (a list of file paths, reproduced as captured):

```
/root/netstat,/root/sshb,/root/azwen,/tmp/inia,/tmp/ops800,/root/26antian,/tmp/sudp,/root/Linux32,/root/ppsh6,/root/.sa_,/root/anniu filename=/root/anzong118,/root/6ip,/root/g36000,/boot/l24,/etc/Lsy,/root/tufei,/root/man,/root/anzong40026,/root/anzong40018,/root/m,/root/sysyang,/tmp/npc filename=/tmp/system,/root/fyzx,/etc/IptabLIi,/tmp/ljwxudzglh,/tmp/tufei,/etc/1q2w3e,/mnt/Systenm,/root/64mm,/tmp/ccav,/etc/Ldx,/etc/dsgregd,/root/xiaoma32 filename=/bin/ethtool,/usr/local/games/... /-. /ALPHA/ncrack,/root/anzong,/tmp/mini,/etc/sshb,/tmp/iniatwo,/tmp/run/.fresh/hald,/root/L24_24011,/root/helpf filename=/etc/udevd,/boot/ksdrips,/root/kthreado,/tmp/dsgregd,/tmp/wtddiqmzqg,/tmp/udevd,/root/59000,/root/TSmyy,/boot/.IptabLes,/tmp/baba,/boot/.IptabLex filename=/tmp/. /.fresh/hald,/dev/shm/. /.VIPhack/scanssh,/var/tmp/.nynew/b,/var/lib/postgresql/.s/scanssh,/var/tmp/ /. ./check
```

and the text (binary data interleaved with file names such as shadow, passwd, hosts and .ICEauthority):

```
..)h....g.P.g......X...+...........................(.......mission-control.....8......Desktop......L.......pulse-cookie.wz.....X.......pulse.......d.......gvfs ........t.......gnome2..............ICEauthority................dbus..c.............local.v.............xsession-errors.............config..............cache.. .............gconf...............bashrc..............profile.............rnd....inittab.............gdm3..... ......localtime........0......timezone.....@..... .profile.d........P......locale.gen.............default......l......shadow.......|......shadow-.............passwd..............passwd-.............hosts.ou.. ..........hostname............network.............fstab.qs.............java.n..............pwd.lock...............ConsoleKit..............ImageMagick...... ... ...Muttrc.e.....0......Muttrc.d. ...D......NetworkManager...!...T......PackageKit...".........UPower...#...l......X11..$.......
```

This can be found online