Tue Nov 12 20:12:26 CET 2013 infected win10 with
c740789d5b226668f8a37626883fd0b7.exe
Tue Nov 12 20:16:05 CET 2013 started win7
Tue Nov 12 20:17:29 CET 2013 infected win7 with
c740789d5b226668f8a37626883fd0b7.exe
Unknown time There was an issue with the computer, so the VM was powered
down.
Tue Nov 26 10:23:03 CET 2013 win10 is powered on again. Already infected.
Pcap file: 2013-11-25_capture-win10-2.pcap
Tue Nov 26 10:23:03 CET 2013 win7 vm is powered on again.
Mon Dec 2 13:48:06 CET 2013 running graph with rrd file stopped and
started again...
Fri Dec 6 10:48:09 CET 2013 I started win7 again. The linux host was
frozen.
Fri Dec 6 10:53:06 CET 2013 I started win10 again. The linux host was
frozen. Pcap file: 2013-11-25_capture-win10-3.pcap
Mon Jan 6 12:48:38 CET 2014 I powered off win10 and started it again,
still infected.
Mon Jan 6 12:51:16 CET 2014 I powered off win7 and started it again,
still infected.
Traffic Analysis
The traffic pattern of the files 2013-11-25_capture-win7-3.pcap and
2013-11-25_capture-win10-3.pcap is very similar because they are simultaneous.
The
Analyzing the 4-tuple 10.0.2.107-192.35.51.30-53-tcp we realized that it is a
DGA (domain generation algorithm), using TCP DNS queries to a custom DNS server. The requests are
mostly not periodic, and only show a slight periodicity from time to time. For example:
State=11rrrrrArrrrrrrrAArrrrarrrrrrraAArrrAarrArrrrrrrArrbrrrararrrrrrrrrrrrrArrrrrArrrraAAr
Furthermore, the time differences of these requests seem to be quite random. So
we tested the values of T1 (the time difference between consecutive requests) to see if they follow a distribution, and they seem to
be following one.
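The T1 measurement described above, as an added example that is not part of the original capture notes or the MCFP project's own tooling: the script groups constructed flow records by 4-tuple, computes the inter-arrival times (T1) for the TCP-DNS tuple named in the notes, and labels each consecutive pair of T1 values as periodic or not. The flow records, the three-letter labels (P/w/n) and the ratio thresholds are my own assumptions, not the project's state alphabet; the second destination 10.0.2.2 is a constructed "normal resolver" added only for contrast.

```python
# Added example (mine, not the capture's or the MCFP project's code):
# compute T1 (inter-arrival times) per 4-tuple and a simple periodicity label.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (start_time_seconds, src_ip, dst_ip, dst_port, proto).
# 10.0.2.107 -> 192.35.51.30:53/tcp is the tuple named in the notes; the UDP
# flows to 10.0.2.2 are a constructed, ordinary resolver for contrast.
SAMPLE_FLOWS = [
    (0.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (3.0, "10.0.2.107", "10.0.2.2", 53, "udp"),
    (10.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (20.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (30.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (41.0, "10.0.2.107", "10.0.2.2", 53, "udp"),
    (45.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (50.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (80.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (90.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (100.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
]


def group_by_4tuple(flows):
    """Map (src, dst, dport, proto) -> sorted list of flow start times."""
    groups = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        groups[(src, dst, dport, proto)].append(ts)
    return {key: sorted(times) for key, times in groups.items()}


def inter_arrival_times(timestamps):
    """T1: time difference between each flow and the previous one."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def periodicity_ratios(t1):
    """Ratio of each T1 to the previous T1; 1.0 means the gap did not change."""
    return [cur / prev for prev, cur in zip(t1, t1[1:]) if prev > 0]


def label_ratio(ratio, strong_tol=0.1, weak_tol=0.5):
    """P = strongly periodic, w = weakly periodic, n = not periodic.

    The tolerances are assumed values chosen for this example."""
    deviation = abs(ratio - 1.0)
    if deviation <= strong_tol:
        return "P"
    if deviation <= weak_tol:
        return "w"
    return "n"


def summarize_tuple(flows, key):
    """Return T1 values, their coefficient of variation and a label string."""
    timestamps = group_by_4tuple(flows).get(key, [])
    t1 = inter_arrival_times(timestamps)
    # Coefficient of variation: a crude measure of how spread out T1 is
    # (a perfectly periodic tuple has cv == 0).
    cv = pstdev(t1) / mean(t1) if len(t1) > 1 else 0.0
    labels = "".join(label_ratio(r) for r in periodicity_ratios(t1))
    return {"flows": len(timestamps), "t1": t1, "cv": cv, "state": labels}


def tcp_dns_tuples(flows):
    """List the 4-tuples that carry DNS over TCP (port 53/tcp).

    Workstations normally resolve over UDP to their configured resolver, so a
    steady stream of TCP DNS to another server is worth a closer look."""
    return sorted(k for k in group_by_4tuple(flows) if k[2] == 53 and k[3] == "tcp")


if __name__ == "__main__":
    key = ("10.0.2.107", "192.35.51.30", 53, "tcp")
    print(tcp_dns_tuples(SAMPLE_FLOWS))
    print(summarize_tuple(SAMPLE_FLOWS, key))
```

On the constructed flows the label string comes out as "PPwnnnP": a short periodic run, a weak stretch, and then gaps that jump around, which is the kind of mostly-aperiodic pattern with occasional periodic runs the notes describe. Comparing the TCP-DNS destinations against the resolver the host is actually configured to use is left to the analyst.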
Disclaimer
These files were generated as part of the Malware Capture Facility Project in the
CTU University, Prague, Czech Republic. The goal of the project is to store
long-lived real botnet traffic and to generate labeled netflows files. For any question, feel
free to contact us at sebastian.garcia@agents.fel.cvut.cz.
You are free to use these files as long as you reference this project and the authors. See http://mcfp.felk.cvut.cz