Index of /publicDatasets/CTU-Malware-Capture-Botnet-31-1

Name                                        Last modified      Size
2013-11-25_capture-win10-2.pcap             2013-12-04 06:19   8.2G
2013-11-25_capture-win10-2.pcap.capinfos    2014-08-04 17:00   762
2013-11-25_capture-win10-2.rrd              2014-08-04 17:06   8.0M
2013-11-25_capture-win10-2.png              2014-08-04 17:08   504K
2013-11-25_capture-win10-2.biargus.labeled  2014-08-04 17:59   704M
2013-11-25_capture-win10-2.histogram        2014-08-04 21:38   897
2013-11-25_capture-win10-2.biargus          2015-03-20 21:18   1.6G
histogram.of.dns.queries.in.the.dga.txt     2015-04-01 11:11   22K
2013-11-25_capture-win10-2.binetflow        2015-09-16 17:18   1.7G
c740789d5b226668f8a37626883fd0b7.exe.zip    2015-12-16 10:26   366K
2013-11-25_capture-win10-2.dnstop           2016-03-16 14:35   10K
2013-11-25_capture-win10-2.passivedns       2016-03-16 14:36   532K
2013-11-25_capture-win10-2.capinfos         2016-03-16 15:02   762
README.md                                   2016-03-16 15:03   2.1K
2013-11-25_capture-win10-2.tcpdstat         2017-01-15 13:16   2.1K
fast-flux-dga-first-analysis.txt            2017-01-15 13:21   116K
README.html                                 2017-01-15 13:21   3.0K
bro/                                        2017-08-31 09:45   -

Description of Scenario CTU-Malware-Capture-Botnet-31

Timeline

Tue Nov 26 10:23:03 CET 2013

win10 is powered on again. The computer starts already infected. Pcap file: 2013-11-25_capture-win10-2.pcap

Fri Dec 6 10:53:06 CET 2013

The Linux host froze, so the capture was stopped.

Analysis of the Traffic

Infected Machines:

Labels assigned to the DNS tuples

DGA

The DGA in this malware is somewhat hidden. Instead of using the DNS servers configured on the computer, the malware uses its own DNS servers. Moreover, the DNS requests are sent over TCP, which is highly suspicious. An example of the DNS requests is:

An example of the DNS servers used is:
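The two traits described above (port-53 traffic carried over TCP, and DNS sent to resolvers the host was never configured with) can be checked directly in the dataset's flow records. The following is an added example, not part of the CTU capture or its scripts; the CSV column names are assumed to follow the .binetflow layout, the flow lines are constructed, and the configured-resolver address is a placeholder.

```python
import csv
import io
from ipaddress import ip_address

# Constructed sample in the CSV layout assumed for the dataset's .binetflow files;
# only Proto, SrcAddr, DstAddr and Dport are used below.
SAMPLE_BINETFLOW = """StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2013/11/26 10:23:10.000,0.05,udp,10.0.2.15,51234,<->,10.0.2.3,53,CON,0,0,2,180,80,flow=Background
2013/11/26 10:23:11.000,0.31,tcp,10.0.2.15,49152,->,198.51.100.7,53,FSPA_FSPA,0,0,9,720,310,flow=Background
2013/11/26 10:23:12.000,0.29,tcp,10.0.2.15,49153,->,203.0.113.9,53,FSPA_FSPA,0,0,8,690,300,flow=Background
2013/11/26 10:23:13.000,1.20,tcp,10.0.2.15,49154,->,93.184.216.34,80,FSPA_FSPA,0,0,20,3400,900,flow=Background
"""

# Resolver configured on the infected host (constructed placeholder, not the dataset's real value).
CONFIGURED_RESOLVERS = {ip_address("10.0.2.3")}


def suspicious_dns_flows(binetflow_text, configured_resolvers):
    """Return (src, dst, proto, reasons) for port-53 flows that are carried over TCP
    or that go to a resolver the host is not configured with."""
    findings = []
    for row in csv.DictReader(io.StringIO(binetflow_text)):
        if row["Dport"] != "53":
            continue
        dst = ip_address(row["DstAddr"])
        proto = row["Proto"].lower()
        reasons = []
        if proto == "tcp":
            reasons.append("dns-over-tcp")
        if dst not in configured_resolvers:
            reasons.append("unconfigured-resolver")
        if reasons:
            findings.append((row["SrcAddr"], str(dst), proto, tuple(reasons)))
    return findings


def resolver_counts(findings):
    """Count flagged flows per destination; the malware's own resolvers stand out
    as the addresses that repeatedly receive TCP/53 traffic."""
    counts = {}
    for _src, dst, _proto, _reasons in findings:
        counts[dst] = counts.get(dst, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in suspicious_dns_flows(SAMPLE_BINETFLOW, CONFIGURED_RESOLVERS):
        print(finding)
```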