########################################################
Malware Capture Facility
CVUT University, Prague, Czech Republic

These files were generated as part of a research project in the CVUT University, Prague, Czech Republic. The goal is to store long-lived real botnet traffic and to generate labeled netflows files.

For any question, feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
Vojtech Uhlir: vojtech.uhlir@agents.fel.cvut.cz

Disclaimer: You are free to use these files as long as you reference this project and the authors.
########################################################

CLF
===
The CLF (Common Log Format) file contains the web logs of the pcap file as extracted by the justniffer tool. The command used was:

    justniffer -p "port 80 or port 8080 or port 3128" -f file.pcap > file.clf

Weblogs
=======
The weblogs are files similar to the CLF file but with another format. They were generated with this command (the awk post-processing converts the connection time to milliseconds and strips the charset parameter from the content-type):

    justniffer -f $1 -p "port 80 or port 8080 or port 3128" -l "%request.timestamp2(%s) %dest.port %response.code %response.size %source.port %request.size http://%request.header.host%request.url %connection.time %dest.ip %source.ip %response.header.content-type %request.header.referer \"%request.header.user-agent\"" |awk '{if ($11 ~ /\;/) print $1" "$2" "$3" "$4" "$5" "$6" "$7" "($8*1000)" "$9" "$10" "substr($11,1,match($11,/\;/)-1)" "$13" "$14" "substr($0,index($0,$15)); else print $1" "$2" "$3" "$4" "$5" "$6" "$7" "($8*1000)" "$9" "substr($0,index($0,$10))}'|awk '{printf "%.3f %s %s %s %s %s %s %.0f %s %s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, substr($0,index($0,$10))}' > $FILE.weblog

Netflows
========
The netflows are generated using the 2013-08-12_argus.conf file, the 2013-08-12_ra.conf file and the 2013-08-12_ralabel.conf file. We are using bidirectional argus records.
The commands used are these:

    1- argus -F argus.conf -r file.pcap -w file.argus
    2- ralabel -f ralabel.conf -r file.argus -w file.argus.labeled
    3- mv file.argus.labeled file.argus (this is to add labels to the argus file)
    4- ra -F ra.conf -Z b -nr file.argus > file.argus.netflow.labeled

If you need the netflows without the labels, just regenerate them without the ralabel command.

Pcap
====
The pcap capture files were made by VirtualBox, because the VMs were NATed. This means that all the captures start on 19707/1/1 because of a bug in VirtualBox. As a result, the pcap captures cannot be merged.

Labels
======
Labels were assigned using the ralabel program from the argus suite. The assignment rules are not being published, but can be requested by mail.

Generic info
------------
Binary used: yyqzdjhy.exe, MD5: 2df134e2acc9ce4aa473cea5c6f980de
Probable Name:
Virustotal link: https://www.virustotal.com/en/file/63e4a882a2578b43e7cda71d03ab85222f65701867b90b3dc709abb4400ae14b/analysis/
Infected Machines:
    Windows Name: Win8, IP: 10.0.2.118 (Label: Botnet-V1)

Timeline
========
Fri Oct 18 15:06:38 CEST 2013 Win18 infected
    There was some Chinese/weird coding, a window appeared and an IE window with a NOT found web site was opened. There is a lot of web connection in the traffic; kept running.
Wed Nov 6 14:56:25 CET 2013 Win18 stopped

Traffic Analysis
================
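A small parser for the weblog files described above, added here as an example and not part of the capture facility's own tooling. The sample lines are constructed (hypothetical hosts and addresses), and the column order assumes the awk post-processing in the Weblogs section: connection time already in milliseconds, charset stripped from the content-type, and the user-agent as the only quoted field.

```python
# Added example: parser for the weblog format produced by the justniffer/awk
# pipeline in the Weblogs section (not the capture facility's own code).
# Column order after post-processing:
#   ts dport code rsize sport reqsize url conn_ms dip sip ctype referer "ua"
# The user-agent may contain spaces, so a line is split into exactly twelve
# leading fields plus one remainder instead of on every whitespace.
from urllib.parse import urlsplit

FIELDS = ("ts", "dst_port", "status", "resp_size", "src_port", "req_size",
          "url", "conn_ms", "dst_ip", "src_ip", "content_type", "referer")
INT_FIELDS = {"dst_port", "status", "resp_size", "src_port", "req_size", "conn_ms"}

# Constructed sample lines; hosts and server addresses are hypothetical.
SAMPLE_WEBLOG = """\
1382101598.123 80 200 1532 49152 410 http://update.example.test/check.php 245 198.51.100.7 10.0.2.118 text/html - "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.2)"
1382101599.004 80 404 312 49153 388 http://www.example.test/ 87 198.51.100.9 10.0.2.118 text/html http://update.example.test/check.php "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.2)"
1382101601.550 8080 200 88 49154 402 http://update.example.test/beacon 133 198.51.100.7 10.0.2.118 application/octet-stream - "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.2)"
"""


def parse_weblog_line(line):
    """Turn one weblog line into a dict; returns None for a malformed line."""
    parts = line.strip().split(None, 12)
    if len(parts) != 13:
        return None
    rec = dict(zip(FIELDS, parts[:12]))
    rec["ts"] = float(rec["ts"])
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    rec["user_agent"] = parts[12].strip('"')           # drop the literal quotes
    rec["host"] = urlsplit(rec["url"]).hostname or ""  # host part of the http:// URL
    return rec


def summarize(text):
    """Per (client IP, contacted host): request count and number of non-2xx responses."""
    stats = {}
    for line in text.splitlines():
        rec = parse_weblog_line(line)
        if rec is None:
            continue                                   # skip lines the pipeline mangled
        key = (rec["src_ip"], rec["host"])
        count, errors = stats.get(key, (0, 0))
        ok = 200 <= rec["status"] < 300
        stats[key] = (count + 1, errors + (0 if ok else 1))
    return stats


if __name__ == "__main__":
    for (client, host), (count, errors) in sorted(summarize(SAMPLE_WEBLOG).items()):
        print(f"{client} -> {host}: {count} requests, {errors} non-2xx")
```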