Description

• Probable Name: Caphaw or Kazy
• MD5: 24dcfdb1f46e4018500db101234f6cd7
  
• SHA1: 9c4c9360152fb1c636f790a6116974728e1e3ade
  

• SHA256: 9966bc568225c509c3e3b3ff9f548ba59f39908200e3e8511e61a115be750f09

• VirusTotal
• HybridAnalysis

• RobotHash

Analysis

The DNS connections are:

• 10.0.2.117-208.67.222.220-53-udp (From-Botnet-UDP-DNS-Fastflux-1)
  • 633 flows
    
• 10.0.2.117-208.67.222.222-53-udp (From-Botnet-UDP-DNS-Fastflux-3)
  • 600 flows
• 10.0.2.117-8.8.4.4-53-udp (From-Botnet-UDP-DNS-Fastflux-4)
  • 918 flows
• 10.0.2.117-8.8.8.8-53-udp (From-Botnet-UDP-DNS-Fastflux-2)
  • At least 3000 Flows

An example of the DNS domains requested is:

• 3237 smis.cc
• 2674 pcg.su
• 2445 ccl.su
• 853 kirr.cc
• 719 ehk.su
• 708 amia.cc
• 165 sito.su
• 165 eca.su
• 163 leq.su
• 144 many.su
• 143 aqu.su
• 108 jcy.su
• 62 paly.cc

An example of DGA subdomains that got an IP

• 1 yzrw1usxlbz.leq.su 185.27.252.57,180.250.68.124,185.27.252.59,185.9.159.107
• 1 wi0g7o57losfkwp.jcy.su 185.27.252.57,94.250.250.79,185.27.252.59,188.132.197.127,78.135.88.95
• 1 twepb2zm.jcy.su 78.135.88.95,180.250.68.124,185.27.252.57,185.27.252.59
• 1 p4y6da3ypdhvj06w4.jcy.su 185.9.159.107,78.135.88.95,185.27.252.59,185.27.252.57

Timeline

Sun Feb 23 11:44:48 CET 2014

started win17

Sun Feb 23 11:52:50 CET 2014

infected

Mon Apr 7 10:17:23 CEST 2014

Huge powerdown on Sun 06, at 10am... powering up now.