PCAP-Contagio-BIN_DNSWatch



PCAP Analysis

##################
# MetaData Stuff #
##################

File name:
BIN_DNSWatch_protux_4F8A44EF66384CCFAB737C8D7ADB4BB8_2012-11.pcap

MD5|SHA1|SHA256 Hash:
2379b7b2a9be2d1b986da20f88eca471
166b1ad7726c49026fa3c96224f71d6b6ea82245
386d1a10b291ee74eb5209a8191da2674c3cc7e4c14a4aa53ffe2152b7f98368

Size:
96062

Packets:
424

#####################
# High Level Review #
#####################

This PCAP contains a lengthy listing of files uploaded to an external system. The internal system, 172.16.253[.]130, performed a DNS request to www.dnswatch[.]info. DNSWatch is a popular DNS service provider known within privacy-focused circles because the service does not keep log files related to queries. www.dnswatch[.]info resolved to 82.96.118[.]210. The DNS request to DNSWatch[.]info was for the domain vcvcvcvc.dyndns[.]org, which resolved to 114.244.44[.]115.



172.16.253[.]130 then successfully connected to 114.244.44[.]115. The internal system then uploaded 122 unique files in 123 total uploads. The files were uploaded to 9 different index files on vcvcvcvc.dyndns[.]org: index.asa, index.asp, index.aspx, index.cgi, index.jsp, index.php, index.pl, index.rb, and index.rby. Only one file, 221445E4.rar, appeared to be uploaded twice, and with two different upload sizes, 858 and 208 bytes. Also of note, 121 of the 123 files were 208 bytes in size; only two files, 5C4C1BE7.pdf and one of the 221445E4.rar uploads, were larger, at 272 and 858 bytes respectively. Each of the 208-byte files contains the following string when viewed in ASCII: ".new_host_49....................----------2B9250BB47EE537B--". No additional information appeared within any of the other file uploads.

Packet #48 contains the data regarding the 272 byte file, 221445E4.rar, and does not appear to contain hidden data.



ASCII:
............................@...................................@.......6...}....... ...........----------2B9250BB47EE537B

HEX:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:40:00:00:00:e3:e2:eb:eb:ff:f3:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:40:bc:00:00:eb:fb:00:00:36:c0:00:00:7d:f3:00:00:c3:e5:00:00:20:d6:00:00:ac:d2:00:00:84:a8:00:00

Packet #53 contains the data regarding the 858 byte file, 5C4C1BE7.pdf. It also does not appear to contain hidden data.



ASCII:
----------2B9250BB47EE537B
Content-Disposition: form-data; name="UploadFile"; filename="221445E4.rar"
Content-Type: application/octet-stream

.new_host_49............................................................................................................................................................................................................................................................................................e......................................................&e....... !((<0..........................................(...............................................USVJURJVQWJUWT...hM...-
...L6MD'...L0)MD
SIW\VT5)D'41.3
<4D4......
.
..7...
..D4...DWL&.
.dVRTTM........................................................................................g%^'^ ^!^................VTUVUTVW........

HEX:
2d:2d:2d:2d:2d:2d:2d:2d:2d:2d:32:42:39:32:35:30:42:42:34:37:45:45:35:33:37:42:0d:0a:43:6f:6e:74:65:6e:74:2d:44:69:73:70:6f:73:69:74:69:6f:6e:3a:20:66:6f:72:6d:2d:64:61:74:61:3b:20:6e:61:6d:65:3d:22:55:70:6c:6f:61:64:46:69:6c:65:22:3b:20:66:69:6c:65:6e:61:6d:65:3d:22:32:32:31:34:34:35:45:34:2e:72:61:72:22:0d:0a:43:6f:6e:74:65:6e:74:2d:54:79:70:65:3a:20:61:70:70:6c:69:63:61:74:69:6f:6e:2f:6f:63:74:65:74:2d:73:74:72:65:61:6d:0d:0a:0d:0a:02:6e:65:77:5f:68:6f:73:74:5f:34:39:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:8a:02:00:00:df:d5:df:9b:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:65:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:26:65:00:00:00:00:00:00:00:20:21:28:28:3c:30:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:28:05:11:16:05:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:55:53:56:4a:55:52:4a:56:51:57:4a:55:57:54:00:00:00:68:4d:cb:f8:b8:2d:0a:10:01:08:4c:36:4d:44:27:0b:16:01:4c:30:29:4d:44:0d:53:49:57:5c:56:54:35:29:44:27:34:31:00:33:0d:0a:3c:34:44:34:16:0b:02:01
:17:17:0d:0b:0a:05:08:37:01:16:12:0d:07:01:44:34:05:07:0f:44:57:4c:26:11:0d:08:64:56:52:54:54:4d:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:b9:00:9b:67:25:5e:27:5e:20:5e:21:5e:00:00:00:00:00:00:00:00:00:00:00:00:00:00:ce:00:56:54:55:56:55:54:56:57:00:00:00:00:00:00:00:00:0d:0a

Nothing additional looks suspicious outside of the use of DNSWatch to mask the DNS request for the file upload to a fairly suspicious site, vcvcvcvc.dyndns[.]org, and then of course the upload of the 123 files. But the files are so small that they do not appear to hold patterned information which would indicate batched data exfiltration.

Bummer...


############
# Analysis #
############

# Communicators #
0.0.0[.]0 - 2 - .47%
4.2.2[.]2 - 6 - 1.42% - Level 3
8.8.8[.]8 - 6 - 1.42% - Google
65.55.21[.]20 - 2 - .44% - Microsoft Corp
82.96.118[.]210 - 9 - 2.12% - Probe Networks
114.244.44[.]115 - 376 - 88.67% - China169 Beijing Province
168.95.1[.]1 - 2 - .47% - Data Communication Business Group
172.16.253[.]130 - 412 - 97.17%
172.16.253[.]254 - 4 - .94%
224.0.0[.]22 - 7 - 1.65%
255.255.255[.]255 - 2 - .47%

# Analysis of Events #

The PCAP contains three unique DNS requests:
Packet 15 - time.windows[.]com
- Resolved to 65.55.21[.]20
Packet 27 - www.dnswatch[.]info
- Resolved to 82.96.118[.]210
Packet 29 - vcvcvcvc.dyndns[.]org
- Resolved to 114.244.44[.]115

Internal system 172.16.253[.]130 performed a GET request to:
- http://www.dnswatch[.]info/dns/dnslookup?la=en&host=vcvcvcvc.dyndns[.]org&type=A&submit=Resolve
- User-Agent string:
- Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)
- Length: 564
- The request returned a 403 Forbidden page.

Internal system 172.16.253[.]130 then performed a POST request to:
- http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=<VARIABLE> HTTP/1.1
- User-Agent string:
- Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
- The POST session included a number of files being uploaded to the external system, 114.244.44[.]115.
- Total number of files: 123 posts

The list of uploaded files:
Filename     Size Uploaded to:
5C4C1BE7.pdf 272 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=21378
221445E4.rar 858 http://vcvcvcvc.dyndns[.]org:8080/index.jsp?id=21381
221445E4.rar 208 http://vcvcvcvc.dyndns[.]org:8080/index.jsp?id=21381
736C43D9.bmp 208 http://vcvcvcvc.dyndns[.]org:8080/index.asa?id=21391
44C541CE.mp3 208 http://vcvcvcvc.dyndns[.]org:8080/index.rby?id=21401
161D3FC3.png 208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=21410
67763DB8.jpg 208 http://vcvcvcvc.dyndns[.]org:8080/index.rb ?id=21420
38CE3BAE.zip 208 http://vcvcvcvc.dyndns[.]org:8080/index.rb ?id=21430
0A2739A3.mov 208 http://vcvcvcvc.dyndns[.]org:8080/index.aspx?id=21440
21486195.rar 208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=21453
72A05F8A.bmp 208 http://vcvcvcvc.dyndns[.]org:8080/index.rb ?id=21463
43F95D7F.mp3 208 http://vcvcvcvc.dyndns[.]org:8080/index.aspx?id=21473
15515B74.png 208 http://vcvcvcvc.dyndns[.]org:8080/index.cgi?id=21482
66AA5969.jpg 208 http://vcvcvcvc.dyndns[.]org:8080/index.php?id=21492
3802575F.zip 208 http://vcvcvcvc.dyndns[.]org:8080/index.php?id=21502
4F237F50.dcm 208 http://vcvcvcvc.dyndns[.]org:8080/index.cgi?id=21515
207B7D46.rar 208 http://vcvcvcvc.dyndns[.]org:8080/index.cgi?id=21525
71D47B3B.bmp 208 http://vcvcvcvc.dyndns[.]org:8080/index.php?id=21535
08F5232C.mov 208 http://vcvcvcvc.dyndns[.]org:8080/index.aspx?id=21548
5A4D2122.mp3 208 http://vcvcvcvc.dyndns[.]org:8080/index.aspx?id=21557
2BA61F17.rm  208 http://vcvcvcvc.dyndns[.]org:8080/index.cgi?id=21567
7CFE1D0C.dat 208 http://vcvcvcvc.dyndns[.]org:8080/index.php?id=21577
4E571B01.dcm 208 http://vcvcvcvc.dyndns[.]org:8080/index.asp?id=21587
1FAF18F6.rar 208 http://vcvcvcvc.dyndns[.]org:8080/index.jsp?id=21597
710816EC.pdf 208 http://vcvcvcvc.dyndns[.]org:8080/index.jsp?id=21606
426014E1.avi 208 http://vcvcvcvc.dyndns[.]org:8080/index.asa?id=21616
13B912D6.png 208 http://vcvcvcvc.dyndns[.]org:8080/index.rby?id=21626
651110CB.jpg 208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=21636
366A0EC1.zip 208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=21646
07C20CB6.bmp 208 http://vcvcvcvc.dyndns[.]org:8080/index.rb ?id=21655
591B0AAB.mp3 208 http://vcvcvcvc.dyndns[.]org:8080/index.aspx?id=21665
2A7308A0.rm  208 http://vcvcvcvc.dyndns[.]org:8080/index.cgi?id=21675
7BCC0695.dat 208 http://vcvcvcvc.dyndns[.]org:8080/index.php?id=21685
4D24048B.dcm 208 http://vcvcvcvc.dyndns[.]org:8080/index.php?id=21695
1E7D0280.mov 208 http://vcvcvcvc.dyndns[.]org:8080/index.asp?id=21704
6FD50075.pdf 208 http://vcvcvcvc.dyndns[.]org:8080/index.jsp?id=21714
06F62867.bmp 208 http://vcvcvcvc.dyndns[.]org:8080/index.php?id=21727
584E265C.mp3 208 http://vcvcvcvc.dyndns[.]org:8080/index.asp?id=21737
29A72451.rm  208 http://vcvcvcvc.dyndns[.]org:8080/index.jsp?id=21747
7AFF2246.dat 208 http://vcvcvcvc.dyndns[.]org:8080/index.asa?id=21757
4C58203C.zip 208 http://vcvcvcvc.dyndns[.]org:8080/index.asa?id=21766
1DB11E31.mov 208 http://vcvcvcvc.dyndns[.]org:8080/index.rby?id=21776
6F091C26.pdf 208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=21786
40621A1B.avi 208 http://vcvcvcvc.dyndns[.]org:8080/index.rb ?id=21796
11BA1810.png 208 http://vcvcvcvc.dyndns[.]org:8080/index.aspx?id=21806
63131606.dcm 208 http://vcvcvcvc.dyndns[.]org:8080/index.aspx?id=21815
346B13FB.rar 208 http://vcvcvcvc.dyndns[.]org:8080/index.cgi?id=21825
05C411F0.bmp 208 http://vcvcvcvc.dyndns[.]org:8080/index.php?id=21835
571C0FE5.mp3 208 http://vcvcvcvc.dyndns[.]org:8080/index.asp?id=21845
28750DDB.rm  208 http://vcvcvcvc.dyndns[.]org:8080/index.asp?id=21855
79CD0BD0.jpg 208 http://vcvcvcvc.dyndns[.]org:8080/index.jsp?id=21864
4B2609C5.zip 208 http://vcvcvcvc.dyndns[.]org:8080/index.asa?id=21874
1C7E07BA.mov 208 http://vcvcvcvc.dyndns[.]org:8080/index.rby?id=21884
6DD705AF.pdf 208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=21894
3F2F03A5.avi 208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=21904
1088019A.dat 208 http://vcvcvcvc.dyndns[.]org:8080/index.rb ?id=21913
61E07F8F.dcm 208 http://vcvcvcvc.dyndns[.]org:8080/index.cgi?id=21923
79012781.jpg 208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=21936
4A592576.zip 208 http://vcvcvcvc.dyndns[.]org:8080/index.rb ?id=21946
1BB2236B.mov 208 http://vcvcvcvc.dyndns[.]org:8080/index.aspx?id=21956
6D0A2160.pdf 208 http://vcvcvcvc.dyndns[.]org:8080/index.cgi?id=21966
3E631F56.rm  208 http://vcvcvcvc.dyndns[.]org:8080/index.cgi?id=21975
0FBB1D4B.dat 208 http://vcvcvcvc.dyndns[.]org:8080/index.php?id=21985
61141B40.dcm 208 http://vcvcvcvc.dyndns[.]org:8080/index.asp?id=21995
326D1935.rar 208 http://vcvcvcvc.dyndns[.]org:8080/index.jsp?id=22005
03C5172A.bmp 208 http://vcvcvcvc.dyndns[.]org:8080/index.asa?id=22015
551E1520.avi 208 http://vcvcvcvc.dyndns[.]org:8080/index.asa?id=22024
26761315.png 208 http://vcvcvcvc.dyndns[.]org:8080/index.rby?id=22034
77CF110A.jpg 208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=22044
49270EFF.zip 208 http://vcvcvcvc.dyndns[.]org:8080/index.rb ?id=22054
1A800CF5.mov 208 http://vcvcvcvc.dyndns[.]org:8080/index.rb ?id=22064
6BD80AEA.mp3 208 http://vcvcvcvc.dyndns[.]org:8080/index.aspx?id=22073
3D3108DF.rm  208 http://vcvcvcvc.dyndns[.]org:8080/index.cgi?id=22083
0E8906D4.dat 208 http://vcvcvcvc.dyndns[.]org:8080/index.php?id=22093
5FE204C9.dcm 208 http://vcvcvcvc.dyndns[.]org:8080/index.asp?id=22103
313A02BF.rar 208 http://vcvcvcvc.dyndns[.]org:8080/index.asp?id=22113
029300B4.pdf 208 http://vcvcvcvc.dyndns[.]org:8080/index.jsp?id=22122
53EB7EA9.avi 208 http://vcvcvcvc.dyndns[.]org:8080/index.rby?id=22132
6B0C269B.mp3 208 http://vcvcvcvc.dyndns[.]org:8080/index.asp?id=22145
3C642490.rm  208 http://vcvcvcvc.dyndns[.]org:8080/index.jsp?id=22155
0DBD2285.dat 208 http://vcvcvcvc.dyndns[.]org:8080/index.asa?id=22165
5F15207A.dcm 208 http://vcvcvcvc.dyndns[.]org:8080/index.rby?id=22175
306E1E70.mov 208 http://vcvcvcvc.dyndns[.]org:8080/index.rby?id=22184
478F4661.rar 208 http://vcvcvcvc.dyndns[.]org:8080/index.asa?id=22197
18E74456.bmp 208 http://vcvcvcvc.dyndns[.]org:8080/index.rby?id=22207
6A40424C.mp3 208 http://vcvcvcvc.dyndns[.]org:8080/index.rby?id=22217
3B984041.rm  208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=22227
0CF13E36.dat 208 http://vcvcvcvc.dyndns[.]org:8080/index.rb ?id=22237
5E493C2B.zip 208 http://vcvcvcvc.dyndns[.]org:8080/index.aspx?id=22246
2FA23A21.mov 208 http://vcvcvcvc.dyndns[.]org:8080/index.aspx?id=22256
00FA3816.pdf 208 http://vcvcvcvc.dyndns[.]org:8080/index.cgi?id=22266
5253360B.avi 208 http://vcvcvcvc.dyndns[.]org:8080/index.php?id=22276
23AB3400.png 208 http://vcvcvcvc.dyndns[.]org:8080/index.asp?id=22286
750431F5.dcm 208 http://vcvcvcvc.dyndns[.]org:8080/index.jsp?id=22295
465C2FEB.rar 208 http://vcvcvcvc.dyndns[.]org:8080/index.jsp?id=22305
17B52DE0.bmp 208 http://vcvcvcvc.dyndns[.]org:8080/index.asa?id=22315
690D2BD5.mp3 208 http://vcvcvcvc.dyndns[.]org:8080/index.rby?id=22325
3A6629CA.rm  208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=22335
0BBE27C0.jpg 208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=22344
22DF4FB1.dat 208 http://vcvcvcvc.dyndns[.]org:8080/index.rby?id=22357
74384DA6.dcm 208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=22367
45904B9C.rar 208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=22377
16E94991.bmp 208 http://vcvcvcvc.dyndns[.]org:8080/index.rb ?id=22387
68414786.mp3 208 http://vcvcvcvc.dyndns[.]org:8080/index.aspx?id=22397
399A457B.png 208 http://vcvcvcvc.dyndns[.]org:8080/index.cgi?id=22406
0AF24370.jpg 208 http://vcvcvcvc.dyndns[.]org:8080/index.php?id=22416
5C4B4166.zip 208 http://vcvcvcvc.dyndns[.]org:8080/index.php?id=22426
2DA33F5B.mov 208 http://vcvcvcvc.dyndns[.]org:8080/index.asp?id=22436
7EFC3D50.pdf 208 http://vcvcvcvc.dyndns[.]org:8080/index.jsp?id=22446
50543B45.rm  208 http://vcvcvcvc.dyndns[.]org:8080/index.asa?id=22455
21AD393B.dat 208 http://vcvcvcvc.dyndns[.]org:8080/index.asa?id=22465
73053730.dcm 208 http://vcvcvcvc.dyndns[.]org:8080/index.rby?id=22475
445E3525.rar 208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=22485
15B6331A.bmp 208 http://vcvcvcvc.dyndns[.]org:8080/index.rb ?id=22495
670F310F.avi 208 http://vcvcvcvc.dyndns[.]org:8080/index.aspx?id=22504
7E2F5901.pdf 208 http://vcvcvcvc.dyndns[.]org:8080/index.pl ?id=22518
4F8856F6.rm  208 http://vcvcvcvc.dyndns[.]org:8080/index.rb ?id=22527
20E054EB.dat 208 http://vcvcvcvc.dyndns[.]org:8080/index.aspx?id=22537
723952E1.dcm 208 http://vcvcvcvc.dyndns[.]org:8080/index.aspx?id=22547
439150D6.rar 208 http://vcvcvcvc.dyndns[.]org:8080/index.cgi?id=22557
14EA4ECB.pdf 208 http://vcvcvcvc.dyndns[.]org:8080/index.php?id=22566
66434CC0.avi 208 http://vcvcvcvc.dyndns[.]org:8080/index.asp?id=22576
379B4AB6.png 208 http://vcvcvcvc.dyndns[.]org:8080/index.asp?id=22586
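As an added example (not part of the original analysis), a small Python parser that pulls the request path, filename and payload size out of POST bodies shaped like the uploads listed above and flags the pattern noted in the High Level Review: almost every body the same small size and starting with the "new_host_" marker. The multipart boundary, header layout and index file names come from the page; the sample requests, payload bytes and ids are constructed.

```python
import re
from collections import Counter

# Multipart delimiter as it appears in the captured POST bodies (from the report).
BOUNDARY = b"----------2B9250BB47EE537B"
PART_RE = re.compile(rb'filename="([^"]*)"\r\nContent-Type: [^\r\n]*\r\n\r\n(.*?)\r\n'
                     + re.escape(BOUNDARY), re.S)
REQ_RE = re.compile(rb"^POST (\S+) HTTP/1\.[01]\r\n")

def build_post(path, filename, payload):
    """Assemble a constructed POST in the shape the report describes (hypothetical data)."""
    body = (BOUNDARY + b'\r\nContent-Disposition: form-data; name="UploadFile"; filename="'
            + filename.encode() + b'"\r\nContent-Type: application/octet-stream\r\n\r\n'
            + payload + b"\r\n" + BOUNDARY + b"--\r\n")
    return (b"POST " + path.encode() + b" HTTP/1.1\r\nHost: vcvcvcvc.dyndns.org:8080\r\n"
            b"User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)\r\n"
            b"Content-Type: multipart/form-data; boundary=" + BOUNDARY[2:] + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

def parse_upload(raw):
    """Return (request path, filename, payload size, payload) for one POST, else None."""
    m = REQ_RE.match(raw)
    part = PART_RE.search(raw)  # the filename= field only occurs in the multipart body
    if not m or not part:
        return None
    return m.group(1).decode(), part.group(1).decode(), len(part.group(2)), part.group(2)

def summarize(posts):
    """Count uploads, distinct filenames, index files and payload sizes, and flag the
    beacon-like pattern: 90%+ of bodies share one size under 512 bytes."""
    parsed = [r for r in map(parse_upload, posts) if r]
    sizes = Counter(size for _, _, size, _ in parsed)
    endpoints = Counter(path.split("?")[0] for path, _, _, _ in parsed)
    marker = sum(1 for _, _, _, pl in parsed if pl.startswith(b"\x02new_host_"))
    common_size, common_n = sizes.most_common(1)[0] if sizes else (0, 0)
    return {"uploads": len(parsed), "unique_files": len({fn for _, fn, _, _ in parsed}),
            "endpoints": sorted(endpoints), "sizes": dict(sizes), "marker_bodies": marker,
            "beacon_like": bool(parsed) and common_n >= 0.9 * len(parsed) and common_size < 512}

# Constructed sample: one 858-byte upload, nine 208-byte uploads spread over the nine
# index files named in the report, and a repeat of 221445E4.rar at 208 bytes.
MARK = b"\x02new_host_49"
SAMPLE_POSTS = ([build_post("/index.jsp?id=21381", "221445E4.rar", MARK + b"\x00" * 846)]
                + [build_post(f"/index.{ext}?id={21391 + 10 * i}", f"{i:08X}.dat", MARK + b"\x00" * 196)
                   for i, ext in enumerate(["asa", "asp", "aspx", "cgi", "jsp", "php", "pl", "rb", "rby"])]
                + [build_post("/index.jsp?id=21381", "221445E4.rar", MARK + b"\x00" * 196)])
```

Feeding the reassembled POST requests from the capture into summarize() in place of SAMPLE_POSTS gives the same per-size and per-index-file breakdown the report tabulates by hand.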
