Index of /publicDatasets/CTU-Malware-Capture-Botnet-69

	Name	Last modified	Size	Description
	Parent Directory		-
	24dcfdb1f46e4018500db101234f6cd7.exe.zip	2015-12-16 10:26	226K
	2014-04-07_capture-win17.biargus	2015-09-25 14:49	58M
	2014-04-07_capture-win17.binetflow	2015-09-25 14:49	58M
	2014-04-07_capture-win17.capinfos	2015-08-29 16:47	768
	2014-04-07_capture-win17.dnstop	2015-08-29 16:47	15K
	2014-04-07_capture-win17.html	2015-10-23 17:03	425K
	2014-04-07_capture-win17.json	2015-10-23 17:03	156K
	2014-04-07_capture-win17.passivedns	2015-08-29 16:47	109K
	2014-04-07_capture-win17.pcap	2014-04-06 09:51	650M
	2014-04-07_capture-win17.rrd	2014-04-07 12:12	8.0M
	2014-04-07_capture-win17.tcpdstat	2017-01-16 10:54	1.8K
	2014-04-07_capture-win17.weblogng	2016-06-15 19:06	1.8K
	README.html	2017-01-16 11:11	2.4K
	README.md	2016-03-16 14:48	1.7K
	bro/	2017-08-31 09:45	-
	fast-flux-dga-first-analysis.txt	2017-01-16 11:11	3.8M

Description

• Probable Name: Caphaw or Kazy
• MD5: 24dcfdb1f46e4018500db101234f6cd7
  
• SHA1: 9c4c9360152fb1c636f790a6116974728e1e3ade
  

• SHA256: 9966bc568225c509c3e3b3ff9f548ba59f39908200e3e8511e61a115be750f09

• VirusTotal
• HybridAnalysis

• RobotHash

Analysis

The DNS connections are:

• 10.0.2.117-208.67.222.220-53-udp (From-Botnet-UDP-DNS-Fastflux-1)
  • 633 flows
    
• 10.0.2.117-208.67.222.222-53-udp (From-Botnet-UDP-DNS-Fastflux-3)
  • 600 flows
• 10.0.2.117-8.8.4.4-53-udp (From-Botnet-UDP-DNS-Fastflux-4)
  • 918 flows
• 10.0.2.117-8.8.8.8-53-udp (From-Botnet-UDP-DNS-Fastflux-2)
  • At least 3000 Flows

An example of the DNS domains requested is:

• 3237 smis.cc
• 2674 pcg.su
• 2445 ccl.su
• 853 kirr.cc
• 719 ehk.su
• 708 amia.cc
• 165 sito.su
• 165 eca.su
• 163 leq.su
• 144 many.su
• 143 aqu.su
• 108 jcy.su
• 62 paly.cc

An example of DGA subdomains that got an IP

• 1 yzrw1usxlbz.leq.su 185.27.252.57,180.250.68.124,185.27.252.59,185.9.159.107
• 1 wi0g7o57losfkwp.jcy.su 185.27.252.57,94.250.250.79,185.27.252.59,188.132.197.127,78.135.88.95
• 1 twepb2zm.jcy.su 78.135.88.95,180.250.68.124,185.27.252.57,185.27.252.59
• 1 p4y6da3ypdhvj06w4.jcy.su 185.9.159.107,78.135.88.95,185.27.252.59,185.27.252.57

Timeline

Sun Feb 23 11:44:48 CET 2014

started win17

Sun Feb 23 11:52:50 CET 2014

infected

Mon Apr 7 10:17:23 CEST 2014

Huge powerdown on Sun 06, at 10am... powering up now.