Malware Capture Facility. Scenario CTU-Malware-Capture-Botnet-31

Sebastian Garcia. sebastian.garcia@agents.fel.cvut.cz

August 5, 2014

General Information about the scenario

Files

Details about the files used in this scenario.

1 Pcap file: 2013-11-25_capture-win10-2.pcap

1.1 Generic Info

1.2 Related Files

1.3 Weblogs

Description of the weblogs

1.4 Graphs of the traffic with RRD

2 Pcap file: 2013-11-25_capture-win10-3.pcap

2.1 Generic Info

2.2 Related Files

2.3 Weblogs

Description of the weblogs

2.4 Graphs of the traffic with RRD

3 Pcap file: 2013-11-25_capture-win10.pcap

3.1 Generic Info

3.2 Related Files

3.3 Weblogs

Description of the weblogs

3.4 Graphs of the traffic with RRD

4 Pcap file: 2013-11-25_capture-win7-2.pcap

4.1 Generic Info

4.2 Related Files

4.3 Weblogs

Description of the weblogs

4.4 Graphs of the traffic with RRD

5 Pcap file: 2013-11-25_capture-win7-3.pcap

5.1 Generic Info

5.2 Related Files

5.3 Weblogs

Description of the weblogs

5.4 Graphs of the traffic with RRD

6 Pcap file: 2013-11-25_capture-win7.pcap

6.1 Generic Info

6.2 Related Files

6.3 Weblogs

Description of the weblogs

6.4 Graphs of the traffic with RRD

7 Pcap file: 2014-01-10_capture-win10.pcap

7.1 Generic Info

7.2 Related Files

7.3 Weblogs

Description of the weblogs

7.4 Graphs of the traffic with RRD

8 Pcap file: 2014-01-10_capture-win7.pcap

8.1 Generic Info

8.2 Related Files

8.3 Weblogs

Description of the weblogs

8.4 Graphs of the traffic with RRD

Timeline

Tue Nov 12 20:00:29 CET 2013 start win10

Tue Nov 12 20:12:26 CET 2013 infected win10 with c740789d5b226668f8a37626883fd0b7.exe

Tue Nov 12 20:16:05 CET 2013 started win7

Tue Nov 12 20:17:29 CET 2013 infected win7 with c740789d5b226668f8a37626883fd0b7.exe

Unknown time There was an issue with the computer, so the VM was powered down.

Tue Nov 26 10:23:03 CET 2013 win10 is powered on again. Already infected. Pcap file: 2013-11-25_capture-win10-2.pcap

Tue Nov 26 10:23:03 CET 2013 win7 vm is powered on again.

Mon Dec 2 13:48:06 CET 2013 The running graph with the RRD file stopped and was started again...

Fri Dec 6 10:48:09 CET 2013 I started win7 again. The Linux host was frozen.

Fri Dec 6 10:53:06 CET 2013 I started win10 again. The Linux host was frozen. Pcap file 2013-11-25_capture-win10-3.pcap

Mon Jan 6 12:48:38 CET 2014 I powered off win10 and started it again while still infected.

Mon Jan 6 12:51:16 CET 2014 I powered off win7 and started it again while still infected.

Traffic Analysis

The traffic patterns of the files 2013-11-25_capture-win7-3.pcap and 2013-11-25_capture-win10-3.pcap are very similar because they are simultaneous. The

2013-11-25_capture-win7-2.pcap 2013-11-25_capture-win10-2.pcap

2013-11-25_capture-win7.pcap 2013-11-25_capture-win10.pcap

2014-01-10_capture-win10.pcap 2014-01-10_capture-win7.pcap

Analyzing the 4-tuple 10.0.2.107-192.35.51.30-53-tcp, we realized that it uses a DGA (domain generation algorithm), sending DNS queries over TCP to a custom DNS server. The requests are mostly not periodic and show only slight periodicity from time to time. For example: State=11rrrrrArrrrrrrrAArrrrarrrrrrraAArrrAarrArrrrrrrArrbrrrararrrrrrrrrrrrrArrrrrArrrraAAr

Furthermore, the time differences between these requests seem to be quite random. So we tested the T1 values to see whether they follow a distribution, and they appear to.
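The check described above, as an added example that is not part of the scenario's files or of the project's own tooling: select the flows of the 4-tuple from a flow list, compute T1 (the gap between consecutive flows) and use the ratio of consecutive T1 values as a simple periodicity indicator. The flow timestamps and the 10% tolerance are constructed assumptions, not values taken from the pcaps.

```python
from statistics import mean, pstdev

# Constructed sample flows: (start time in seconds, src IP, dst IP, dst port, proto).
# These timestamps are illustrative only; they are not taken from the scenario's pcaps.
FLOWS = [
    (0.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (12.0, "10.0.2.107", "8.8.8.8", 53, "udp"),       # unrelated flow, filtered out
    (37.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (52.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (90.0, "10.0.2.107", "192.35.51.30", 80, "tcp"),  # same peer, other port: filtered out
    (130.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (190.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (250.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (310.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (345.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (480.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
    (497.0, "10.0.2.107", "192.35.51.30", 53, "tcp"),
]
TUPLE = ("10.0.2.107", "192.35.51.30", 53, "tcp")  # the 4-tuple analysed on this page

def select_tuple(flows, tup):
    """Sorted start times of the flows belonging to one src-dst-dport-proto tuple."""
    return sorted(t for t, s, d, p, pr in flows if (s, d, p, pr) == tup)

def t1_values(starts):
    """T1: time difference between each flow and the next one of the same tuple."""
    return [b - a for a, b in zip(starts, starts[1:])]

def periodicity_ratios(t1s):
    """Ratio of each T1 to the previous T1; a ratio near 1.0 means the interval repeats."""
    return [b / a for a, b in zip(t1s, t1s[1:]) if a > 0]

def summarize(flows, tup, tol=0.1):
    """Summary of the tuple's timing: how many gaps repeat (periodic) and how spread T1 is."""
    starts = select_tuple(flows, tup)
    t1s = t1_values(starts)
    ratios = periodicity_ratios(t1s)
    periodic = sum(1 for r in ratios if abs(r - 1.0) <= tol)   # tolerance is an assumption
    cv = pstdev(t1s) / mean(t1s) if len(t1s) > 1 and mean(t1s) > 0 else 0.0
    return {
        "flows": len(starts),
        "t1": t1s,
        "periodic_gaps": periodic,
        "periodic_fraction": periodic / len(ratios) if ratios else 0.0,
        "t1_cv": round(cv, 3),   # coefficient of variation of T1; high means irregular timing
    }

if __name__ == "__main__":
    print(summarize(FLOWS, TUPLE))
```

A tuple whose periodic_fraction is low and whose T1 spread is high behaves like the "mostly not periodic, slightly periodic from time to time" pattern described for this capture, whereas a fixed beacon would give ratios close to 1.0 throughout.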

Disclaimer

These files were generated as part of the Malware Capture Facility Project at CTU University, Prague, Czech Republic. The goal of the project is to store long-lived real botnet traffic and to generate labeled NetFlow files. For any questions, feel free to contact us at sebastian.garcia@agents.fel.cvut.cz.

You are free to use these files as long as you reference this project and the authors. See http://mcfp.felk.cvut.cz