GintsEngelen / WTMC2021-Code

Code for our submission to the WTMC 2021 workshop

Attack labelling - Friday Botnet #2

Open lisa-lthorrold opened 2 years ago

lisa-lthorrold commented 2 years ago

Botnet traffic occurs from 13:04:13 (UTC) until 14:02:02 (UTC) at which point I suspect the CNC process running on the attacking service is stopped.

However, bots continue to attempt to make contact with it after that until 20:01:24 (UTC).

The host then appears to go down at around 19:16 (UTC), and from that point on, we have ICMP Destination Unreachable packets responding to the SYN requests from the bot victims. Between process termination and host down, we have connection attempts and RST responses.

Is there any reason your labelling period covers a 3.5 hour period (which provides partial cover of continuation of CNC connection attempts) rather than the nearly full 7 hour period?

Secondly, is there any reason why 52.6.13.28 and 52.7.235.158 are considered malicious?
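As an added illustration (not part of this issue or of the repository's code) of how the labelling-window choice raised above changes which connection attempts receive the Bot label: the clock times come from the post, while the calendar date, the C2 address and the sample flows are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Timeline from the issue (UTC). The calendar date is an assumption made so the
# timestamps parse; the issue only gives clock times.
DAY = "2017-07-07"

def ts(hms: str) -> datetime:
    return datetime.fromisoformat(f"{DAY}T{hms}").replace(tzinfo=timezone.utc)

CNC_START = ts("13:04:13")  # first botnet traffic
CNC_STOP = ts("14:02:02")   # suspected CNC process termination
HOST_DOWN = ts("19:16:00")  # host appears to go down ("around 19:16")
LAST_SEEN = ts("20:01:24")  # last bot connection attempt
C2_IP = "203.0.113.10"      # placeholder C2 address (constructed, not from the dataset)

def phase(t: datetime) -> str:
    """Which stage of the described timeline a timestamp falls in."""
    if t < CNC_START or t > LAST_SEEN:
        return "outside"
    if t < CNC_STOP:
        return "cnc-active"       # bots reach a live CNC process
    if t < HOST_DOWN:
        return "rst-phase"        # SYNs answered with RST: process gone, host still up
    return "icmp-unreachable"     # SYNs answered with ICMP unreachable: host down

def label_bot(flow: dict, window_end: datetime) -> bool:
    """Bot label rule: C2 address involved and start time inside the labelling window."""
    return C2_IP in (flow["src"], flow["dst"]) and CNC_START <= flow["t"] <= window_end

def coverage(flows: list, window_hours: float) -> dict:
    """Count flows labelled Bot per timeline phase for a window of the given length."""
    window_end = CNC_START + timedelta(hours=window_hours)
    counts = {}
    for f in flows:
        if label_bot(f, window_end):
            p = phase(f["t"])
            counts[p] = counts.get(p, 0) + 1
    return counts

# Constructed sample flows: bot -> C2 attempts spread over the timeline, plus one unrelated flow.
SAMPLE_FLOWS = [
    {"t": ts("13:30:00"), "src": "192.0.2.5", "dst": C2_IP},
    {"t": ts("15:00:00"), "src": "192.0.2.6", "dst": C2_IP},
    {"t": ts("17:00:00"), "src": "192.0.2.5", "dst": C2_IP},
    {"t": ts("19:30:00"), "src": "192.0.2.7", "dst": C2_IP},
    {"t": ts("19:55:00"), "src": "192.0.2.6", "dst": C2_IP},
    {"t": ts("15:10:00"), "src": "192.0.2.9", "dst": "198.51.100.20"},  # not C2 traffic
]

if __name__ == "__main__":
    for hours in (3.5, 7.0):
        print(f"{hours}h window:", coverage(SAMPLE_FLOWS, hours))
```

With the 3.5 h window the later RST-phase and ICMP-unreachable attempts stay unlabelled; the 7 h window covers every phase of the described timeline.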

GintsEngelen commented 2 years ago

Hi Lisa,

Apologies for the slow reply. Your thorough analysis merits a thorough response, so I'll bring this up with my co-authors and get back to you asap!