Description of Scenario CTU-Malware-Capture-Botnet-31

• Probable Name: Papras Trojan
• c740789d5b226668f8a37626883fd0b7.exe
• MD5: c740789d5b226668f8a37626883fd0b7
• SHA1: dfe0064f936e3645115d0890644be03698bb806a
  
• SHA256: 104428ccf005b36edfb62d110203a43bdbb417052b31eb4646395309645c9944
  

• Duration: 56 days in total. This capture is 8 days.

• VirusTotal
• HybridAnalysis

• RobotHash

Timeline

Tue Nov 26 10:23:03 CET 2013

win10 is powered on again. The computer is started already infected. Pcap file: 2013-11-25capture-win10-2.pcap

Fri Dec 6 10:53:06 CET 2013

The linux host was frozen so the capture was stopped.

Analysis of the Traffic

Infected Machines:

• Windows XP Name: WIN10, IP: 10.0.2.110

Labels assigned to the DNS tuples

• 10.0.2.110-8.8.4.4-53-udp (From-Botnet-UDP-DNS--2203)
  • 172 flows
• 10.0.2.110-8.8.8.8-53-udp (From-Botnet-UDP-DNS--2204)
  • At least 3000 Flows

DGA

The DGA in this malware is somehow hidden. Instead of using the default DNS servers configured in the computer the malware uses its own DNS servers. Moreover, the DNS requests are sent using the TCP protocol, so is highly suspicious. An example of the DNS requests are:

• jusxreer.cc
• jloundwop.cc
• jiatrwqjly.cc
• gcrdumnh.cc
• lfikrlkonpg.cc
• gkftgujt.cc
• mxxywhxoc.cc
• dyybbsux.cc
• jmexlakjdk.cc
• kuhfkadnmaxr.cc
• saxtostfsa.cc
• qudjmojvow.cc
• tqqpteoxlcih.cc
• dhkyhfk.cc
• zlwqpfaav.cc
• hegnriulvcuz.cc
• llmqfpcytxs.cc
• zroinxiijpc.cc
• qazbaanr.cc
• qazbaanr.cc
• qfjcwnp.cc
• cmpzygrl.cc
• cmpzygrl.cc
• juexzkgj.cc
• ioftsmxnkg.cc
• qnpkcfpamzd.cc
• rsefpkktbwch.cc
• imrxesxj.cc
• pikpbckzrc.cc
• gkrpwabree.cc
• gkrpwabree.cc
• oshziujp.cc
• wyfrgexx.cc
• tlkibrweh.cc
• andqkpj.cc
• andqkpj.cc
• sallskvz.cc
• jpeehfaexnw.cc
• bfsazhkgpxy.cc

An example of the DNS servers used are:

• 192.12.94.30
• 192.26.92.30
• 192.31.80.30