Index of /publicDatasets/CTU-Malware-Capture-Botnet-31

Name                                                        Last modified     Size

Parent Directory                                            -
2013-11-25_capture-win7-2.3model                            2014-08-04 22:02  3.1M
2013-11-25_capture-win7-2.biargus                           2014-08-04 17:17  592M
2013-11-25_capture-win7-2.biargus.data                      2014-10-16 12:06  1.3G
2013-11-25_capture-win7-2.biargus.labeled                   2014-08-04 21:39  705M
2013-11-25_capture-win7-2.binetflow                         2014-08-04 21:48  385M
2013-11-25_capture-win7-2.pcap                              2013-12-04 06:19  8.2G
2013-11-25_capture-win7-2.pcap.capinfos                     2014-08-04 17:00  761
2013-11-25_capture-win7-2.png                               2014-08-04 17:54  555K
2013-11-25_capture-win7-2.rrd                               2014-08-04 17:28  8.0M
2013-11-25_capture-win7-2.weblogng                          2016-06-15 18:59  356M
2013-11-25_capture-win7-3.3model                            2014-08-04 21:51  1.6M
2013-11-25_capture-win7-3.192.35.51.30.port53.dns.names     2014-08-05 11:02  1.6K
2013-11-25_capture-win7-3.192.35.51.30.port53.pcap          2014-08-05 10:56  8.0M
2013-11-25_capture-win7-3.T1                                2014-08-04 22:03  94K
2013-11-25_capture-win7-3.biargus                           2014-08-04 17:19  287M
2013-11-25_capture-win7-3.biargus.labeled                   2014-08-04 21:36  342M
2013-11-25_capture-win7-3.binetflow                         2014-08-04 21:40  186M
2013-11-25_capture-win7-3.pcap                              2013-12-11 13:28  4.0G
2013-11-25_capture-win7-3.pcap.capinfos                     2014-08-04 16:53  766
2013-11-25_capture-win7-3.png                               2014-08-04 20:56  386K
2013-11-25_capture-win7-3.rrd                               2014-08-04 17:56  8.0M
2013-11-25_capture-win7-3.weblogng                          2016-06-15 19:00  232
2013-11-25_capture-win7.3model                              2014-08-04 23:01  5.2M
2013-11-25_capture-win7.biargus                             2014-08-04 17:21  1.0G
2013-11-25_capture-win7.biargus.labeled                     2014-08-04 21:45  1.2G
2013-11-25_capture-win7.binetflow                           2014-08-04 21:50  650M
2013-11-25_capture-win7.pcap                                2013-11-25 07:01  14G
2013-11-25_capture-win7.pcap.capinfos                       2014-08-04 17:08  757
2013-11-25_capture-win7.png                                 2014-08-04 21:04  602K
2013-11-25_capture-win7.rrd                                 2014-08-04 21:03  8.0M
2013-11-25_capture-win7.weblogng                            2016-06-15 18:53  604M
2013-11-25_capture-win10-3.3model                           2014-08-04 21:54  1.6M
2013-11-25_capture-win10-3.biargus                          2014-08-04 17:04  287M
2013-11-25_capture-win10-3.biargus.labeled                  2014-08-04 21:32  342M
2013-11-25_capture-win10-3.binetflow                        2014-08-04 21:39  187M
2013-11-25_capture-win10-3.histogram                        2014-08-04 21:46  629
2013-11-25_capture-win10-3.pcap                             2013-12-11 13:29  4.0G
2013-11-25_capture-win10-3.pcap.capinfos                    2014-08-04 16:53  767
2013-11-25_capture-win10-3.png                              2014-08-04 17:16  373K
2013-11-25_capture-win10-3.rrd                              2014-08-04 17:10  8.0M
2013-11-25_capture-win10-3.weblogng                         2016-06-15 19:00  166M
2013-11-25_capture-win10.3model                             2014-08-04 22:13  5.2M
2013-11-25_capture-win10.biargus                            2014-08-04 17:11  1.0G
2013-11-25_capture-win10.biargus.labeled                    2014-08-04 21:41  1.2G
2013-11-25_capture-win10.binetflow                          2014-08-04 21:48  651M
2013-11-25_capture-win10.pcap                               2013-11-25 07:01  14G
2013-11-25_capture-win10.pcap.capinfos                      2014-08-04 17:08  758
2013-11-25_capture-win10.png                                2014-08-04 17:25  581K
2013-11-25_capture-win10.rrd                                2014-08-04 17:24  8.0M
2013-11-25_capture-win10.weblogng                           2016-06-15 18:56  603M
2014-01-10_capture-win7.3model                              2014-08-04 21:52  909K
2014-01-10_capture-win7.biargus                             2014-08-04 17:26  152M
2014-01-10_capture-win7.biargus.labeled                     2014-08-04 21:35  181M
2014-01-10_capture-win7.binetflow                           2014-08-04 21:40  98M
2014-01-10_capture-win7.pcap                                2014-01-10 12:41  1.8G
2014-01-10_capture-win7.pcap.capinfos                       2014-08-04 16:47  766
2014-01-10_capture-win7.png                                 2014-08-04 21:02  480K
2014-01-10_capture-win7.rrd                                 2014-08-04 21:01  8.0M
2014-01-10_capture-win7.weblogng                            2016-06-15 19:00  83M
2014-01-10_capture-win10.3model                             2014-08-04 21:51  906K
2014-01-10_capture-win10.biargus                            2014-08-04 21:01  152M
2014-01-10_capture-win10.biargus.labeled                    2014-08-04 21:34  181M
2014-01-10_capture-win10.binetflow                          2014-08-04 21:40  98M
2014-01-10_capture-win10.pcap                               2014-01-10 12:49  1.8G
2014-01-10_capture-win10.pcap.capinfos                      2014-08-04 16:47  767
2014-01-10_capture-win10.png                                2014-08-04 21:03  453K
2014-01-10_capture-win10.rrd                                2014-08-04 21:02  8.0M
2014-01-10_capture-win10.weblogng                           2016-06-15 18:57  83M
README.html                                                 2014-08-05 13:26  19K
README.pdf                                                  2014-08-05 13:26  3.6M
README.tex                                                  2014-08-05 13:26  10K
c740789d5b226668f8a37626883fd0b7.exe.zip                    2015-12-16 10:26  366K
ralabel-flowfilter.conf.generic                             2014-08-04 17:14  148K
ralabel.conf                                                2014-08-04 17:10  6.2K
win-10-daily-5minavg.jpeg                                   2013-11-25 18:02  51K
win-10-montly-2houravg.jpeg                                 2013-11-25 18:02  43K
win-10-weekly-30minavg.jpeg                                 2013-11-25 18:02  49K

Malware Capture Facility. Scenario CTU-Malware-Capture-Botnet-31

Sebastian Garcia. sebastian.garcia@agents.fel.cvut.cz

August 5, 2014

General Information about the scenario

Files

Details about the files used in this scenario.

1 Pcap file: 2013-11-25_capture-win10-2.pcap

1.1 Generic Info

1.2 Related Files

1.3 Weblogs

Description of the weblogs

1.4 Graphs of the traffic with RRD

[Figure: RRD graph of the traffic]

2 Pcap file: 2013-11-25_capture-win10-3.pcap

2.1 Generic Info

2.2 Related Files

2.3 Weblogs

Description of the weblogs

2.4 Graphs of the traffic with RRD

[Figure: RRD graph of the traffic]

3 Pcap file: 2013-11-25_capture-win10.pcap

3.1 Generic Info

3.2 Related Files

3.3 Weblogs

Description of the weblogs

3.4 Graphs of the traffic with RRD

[Figure: RRD graph of the traffic]

4 Pcap file: 2013-11-25_capture-win7-2.pcap

4.1 Generic Info

4.2 Related Files

4.3 Weblogs

Description of the weblogs

4.4 Graphs of the traffic with RRD

[Figure: RRD graph of the traffic]

5 Pcap file: 2013-11-25_capture-win7-3.pcap

5.1 Generic Info

5.2 Related Files

5.3 Weblogs

Description of the weblogs

5.4 Graphs of the traffic with RRD

[Figure: RRD graph of the traffic]

6 Pcap file: 2013-11-25_capture-win7.pcap

6.1 Generic Info

6.2 Related Files

6.3 Weblogs

Description of the weblogs

6.4 Graphs of the traffic with RRD

[Figure: RRD graph of the traffic]

7 Pcap file: 2014-01-10_capture-win10.pcap

7.1 Generic Info

7.2 Related Files

7.3 Weblogs

Description of the weblogs

7.4 Graphs of the traffic with RRD

[Figure: RRD graph of the traffic]

8 Pcap file: 2014-01-10_capture-win7.pcap

8.1 Generic Info

8.2 Related Files

8.3 Weblogs

Description of the weblogs

8.4 Graphs of the traffic with RRD

[Figure: RRD graph of the traffic]

Timeline

Tue Nov 12 20:00:29 CET 2013 start win10

Tue Nov 12 20:12:26 CET 2013 infected win10 with c740789d5b226668f8a37626883fd0b7.exe

Tue Nov 12 20:16:05 CET 2013 started win7

Tue Nov 12 20:17:29 CET 2013 infected win7 with c740789d5b226668f8a37626883fd0b7.exe

Unknown time There was an issue with the computer, so the VM was powered down.

Tue Nov 26 10:23:03 CET 2013 win10 is powered on again. Already infected. Pcap file: 2013-11-25_capture-win10-2.pcap

Tue Nov 26 10:23:03 CET 2013 win7 vm is powered on again.

Mon Dec 2 13:48:06 CET 2013 The running graph with the rrd file stopped and was started again...

Fri Dec 6 10:48:09 CET 2013 I started win7 again. The Linux host was frozen.

Fri Dec 6 10:53:06 CET 2013 I started win10 again. The Linux host was frozen. Pcap file: 2013-11-25_capture-win10-3.pcap

Mon Jan 6 12:48:38 CET 2014 I powered off win10 and started it again infected

Mon Jan 6 12:51:16 CET 2014 I powered off the win7 and started it again infected.

Traffic Analysis

The traffic patterns of the files 2013-11-25_capture-win7-3.pcap and 2013-11-25_capture-win10-3.pcap are very similar because they are simultaneous. The

2013-11-25_capture-win7-2.pcap 2013-11-25_capture-win10-2.pcap

2013-11-25_capture-win7.pcap 2013-11-25_capture-win10.pcap

2014-01-10_capture-win10.pcap 2014-01-10_capture-win7.pcap

Analyzing the 4-tuple 10.0.2.107-192.35.51.30-53-tcp, we realized that it is a DGA algorithm, using TCP DNS queries to a custom DNS server. The requests are mostly not periodic, and only show slight periodicity from time to time. For example: State=11rrrrrArrrrrrrrAArrrrarrrrrrraAArrrAarrArrrrrrrArrbrrrararrrrrrrrrrrrrArrrrrArrrraAAr

Furthermore, the time differences between these requests seem to be quite random. So we tested the values of the T1 to see if they follow a distribution, and they seem to be following a distribution.

Disclaimer

These files were generated as part of the Malware Capture Facility Project at the CTU University, Prague, Czech Republic. The goal of the project is to store long-lived real botnet traffic and to generate labeled netflow files. For any questions, feel free to contact us at sebastian.garcia@agents.fel.cvut.cz.

You are free to use these files as long as you reference this project and the authors. See http://mcfp.felk.cvut.cz