Collection of Pcap files from malware analysis

I did some spring cleaning yesterday and came up with these malware and exploit pcaps. Such pcaps are very useful for IDS and signature testing and development, general education, and malware identification. While there are some online public sandboxes offering pcaps for download like Cuckoo or Anubis but  looking for them is a tedious task and you cannot be totally sure the pcap is for the malware family supposedly analysed - in other words, if the sandbox says it is Zeus does not necessarily mean that it is.

I found some good pcap repositories here (http://www.netresec.com/?page=PcapFiles) but there are very few pcaps from malware.

These are from identified and verified (to the best of my knowledge and belief - email me if you find errors) malware samples.

All of them show the first stage with the initial callback and most have the DNS requests as well. A few pcaps show extended malware runs (e.g. purplehaze pcap is over 500mb).
Most pcaps are mine, a few are from online sandboxes, and one is borrowed from malware.dontneedcoffee.com. That said, I can probably find the corresponding samples for all that have MD5 listed if you really need them. Search contagio, some are posted with the samples.

Each file has the following naming convention:
BIN [RTF, PDF] - the filetype of the dropper used, malware family name, MD5, and year+month of the malware analysis.

I will be adding more pcaps in the future. Please donate your pcaps from identified samples, I am sure many of you have.

Thank you

DeepEnd Research - Library of Malware Traffic Patterns

Update May 6, 2013 We added ability to download corresponding samples and pcaps (when available)

Traffic analysis has been the primary method of malware identification and thousands of IDS signatures developed are the daily proof. Signatures definitely help but ability to visually recognize  malware traffic patterns and see the trends when they change has been always an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming and it is difficult to keep track of malware features if you don't have access to a well designed and constantly updated malware database. This started as "personal notes" spreadsheet with GET and   POST requests for different malware families with information from open sources. We decided others might find it useful too.

>>  read more on DeepEnd Research

An Overview of Exploit Packs (Update 19.1) April 2013

The Explot Pack Table has been updated and you can view it here.

Exploit Pack Table Update 19.1  - View or Download from Google Apps

If you keep track of exploit packs and can/wish  to contribute and be able to make changes, please contact me (see email in my profile)
I want to thank L0NGC47, Fibon, and Kafeine,  Francois Paget, Eric Romang, and other researchers who sent information for their help.




Update April 28, 2013 - added CVE-2013-2423 (Released April 17, 2013) to several packs. 
Now the following packs serve the latest Java exploit (update your Java!)

1. Styx
2. Sweet Orange
3. Neutrino
4. Sakura
5. Whitehole
6. Cool
7. Safe Pack
8. Crime Boss
9. CritX

Other changes
Updated:

1. Whitehole
2. Redkit
3. Nuclear
4. Sakura
5. Cool Pack
6. Blackhole
7. Gong Da

Added:

1. KaiXin
2. Sibhost
3. Popads 
4. Alpha Pack
5. Safe Pack
6. Serenity
7. SPL Pack
   
   There are 5 tabs in the bottom of the sheet

1. 2011-2013
2. References
3. 2011 and older
4. List of exploit kits
5. V. 16 with older credits

CVE-2013-0640 samples listing

This is a detailed MD5 listing of CVE-2013-0640 pdf files that were posted earlier. I got a few requests for samples that were already posted as a pack in this post ( 16,800 clean and 11,960 malicious files for signature testing and research.)  Now you can see them  in all their glory below.
I can post listings for other malware from that large post if there is need and interest.

PDF
MALWARE PDF NEW -170 FILES MALWARE PDF PRE_04-2011_10982_files

• Vinsula. CVE-2013-0640 – Further Investigation into an Adobe PDF Zero-day Malware Attack
• Kaspersky: The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor  

CVE-2013-0804 Novell GroupWise 2012 Multiple Untrusted Pointer Dereferences Exploitation by Brian Mariani & Frédéric Bourla

This is another excellent publication by Brian Mariani & Frédéric Bourla (High Tech Bridge) describing their discovery and research of  CVE-2013-0804 Novell GroupWise 2012 Multiple Untrusted Pointer Dereferences Exploitation

CVE-2013-0804
The client in Novell GroupWise 8.0 before 8.0.3 HP2 and 2012 before SP1 HP1 allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference) via unspecified vectors.

You can download it from here: High Tech Bridge Novell GroupWise 2012 Multiple Untrusted Pointer Dereferences Exploitation by Brian Mariani & Frédéric Bourla 

16,800 clean and 11,960 malicious files for signature testing and research.

Signature and security product testing often requires large numbers of sorted malicious and clean files to eliminate false positives and negatives. They are not always easy to find, but here are some that I have.

Clean documents are collected from various open sources. All the copyright rights belong the the authors of each document and file. You must not use the documents for their content but only as samples of particular file types.

DarkSeoul - Jokra - MBR wiper samples

If all you needed for happiness is to destroy a few virtual machines, here are the samples for today's headline maker.
The malware overwrites master boot record (MBR) as described here:
* Trojan.Jokra - Symantec
* DarkSeoul: SophosLabs identifies malware used in South Korean internet attack
* South Korean Banks, Media Companies Targeted by Destructive Malware - McAfee
* South Korean Banks and Broadcasting Organizations Suffer Major Damage from Cyber Attack - Symantec.

Mandiant APT1 samples categorized by malware families

These are the samples described in the Mandiant Report APT1, in the Indicators of Compromise (IOCs). Each file is named according to the malware family, so you can run your own detection and signature tools to see how your naming convention corresponds to the one used by Mandiant.

You can use these binaries to develop signatures, compare to your samples, or study the behavior and evolution of APT1.
I added Contagio samples in several families as well.
The list of binaries and their names, as well as malware families descriptions are provided below for your convenience.

Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9 - sample

Someone shared a sample of the Linux rootkit affecting servers running CloudLinux, CentOS & cPanel.

Here are the links:

• Feb 20-18 - Webhostingtalk SSHD Rootkit Rolling around
• Feb 18, 2013  0day Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9 http://blog.solidshellsecurity.com/
• Feb 8, 2013 SSHD Spam Rootkit /lib64/libkeyutils.so.1.9

Jan 2013 Shylock (skype version) sample

In January 2013,  Iurii Khvyl and Peter Kruse from CSIS posted analysis of Shylock variant capable of spreading through Skype.

You can read their research here Shylock calling Skype. The sample is below

Jan 2013 - Linux SSHDoor - sample

Just a few accumulated samples here found and shared by others. This one is for Linux SSHDoor malware, which can steal your SSH passwords. ESET covered that in detail in Linux/SSHDoor.A Backdoored SSH daemon that steals passwords ( 24 JAN 2013)

The related Linux.Chapro.A sample was posted earlier this year as well

Manipulating Memory for Fun and Profit by Frédéric Bourla - High-Tech Bridge

I am sure you remember excellent reverse engineering presentations by High-Tech Bridge experts I posted earlier.  High-Tech Bridge presented  at the ISACA event in Luxembourg and you can download their detailed and very interesting presentation:  “Manipulating Memory for Fun and Profit".
The presentation includes detailed memory forensics process using Volatility

by Frédéric BOURLA
Chief Security Specialist
Head of Ethical Hacking & Computer Forensics Departments
High-Tech Bridge SA


Table of Contents
0x00 - About me
0x01 - About this conference
0x02 - Memory introduction
0x03 - Memory manipulation from an offensive angle
0x04 - Memory manipulation from a defensive angle
0x05 - Conclusion


Download the full presentation in PDF 

The text of the presentation (for Google search and to get an idea about the contents:)

Trojan 'Nap" aka Kelihos/Hlux status update by DeepEnd Research and samples

FireEye posted details about the sleep function found in Kelihos/Hlux (An encounter with Trojan Nap), which is interesting, and indeed is present in some of the samples we saw. The trojan, of course, has many more features, and most of them were documented in previous publications online. This post is a quick update on the state of Kelihos/Hlux botnet, along with  the list of known fast flux domains (1500+) associated with with Kelihos distribution or Command&Control. (current > 2012).  The current and most active name servers are pointing to the ns[1-6].boomsco.com, ns[1-6].larstor.com, and ns[1-6].zempakiv.ru which are also fast flux domains. The double fast flux nature of the botnet makes it very difficult to take down, and sinkholing is a temporary measure. Despite the two large attempts to take it down (Sep.2011 and Mar. 2012), the botnet is definitely on the rise again.

Please read the rest of our post here http://www.deependresearch.org/2013/02/trojan-nap-aka-kelihoshlux-feb-2013.html. 

You can download the associated binaries (97 files) and pcap below.

Dec 2012 Batchwiper Samples

Update: Jan 18, 2013 - Here is a nice analysis BatchWiper  Analysis by Emanuele De Lucia
The next time the virus will wake up is Jan 21, 2013. Time to grab it, read and play.

Several people asked for Batchwiper, so here are the samples.
From Maher - Iranian CERT:

Latest investigation have been done by Maher center in cyber space identified a new targeted data wiping malware. Primitive analysis revealed that this malware wipes files on different drives in various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software. However, it is not considered to be widely distributed. This targeted attack is simple in design and it is not any similarity to the other sophisticated targeted attacks. The identified components of this threat are listed in the following table:

Name	MD5
GrooveMonitor.exe [dropper]	f3dd76477e16e26571f8c64a7fd4a97b
juboot.exe	fa0b300e671f73b3b0f7f415ccbe9d41
jucheck.exe	c4cd216112cbc5b8c046934843c579f6
SLEEP.EXE	ea7ed6b50a9f7b31caeea372a327bd37
WmiPrv.exe	b7117b5d8281acd56648c9d08fadf630

Dec. 2012 Skynet Tor botnet / Trojan.Tbot samples

Here are 7 binaries for Skynet Tor botnet aka Trojan.Tbot.  Claudio's analysis is wonderfully detailed, I just added  pcaps  and a few words in the description

Read more here:
Rapid7.  Claudio Guarnieri.  Skynet, a Tor-powered botnet straight from Reddit

ZeroAccess / Sirefef Rootkit - 5 fresh samples

Stocking stuffers.
ZeroAccess rootkit is far from new and exciting but but this is a fresh lot with still active C2 servers.
Although the dropper is detected by at least half of AV engines, post infection detection is another story. I tried Kaspersky TDSS Killer, Avast Rootkit utility and RootRepeal without any success. I used Gmer and LordPE to carve out the hidden file from the memory. You can use Redline or Volatility too.
You can download 5 files below together with pcaps from one of the files and the file dumped from memory. It appears that free videos and apps names are used as the lure in this case.

* * * Merry Christmas and Happy New Year! * * *

More presents to come, pa rum pum pum pum
    rum pum pum pum, rum pum pum pum

Dec 2012 Linux.Chapro - trojan Apache iframer

Here is another notable development of 2012 - Linux malware (see Wirenet trojan posted earlier too)
Research: ESET Malicious Apache module used for content injection: Linux/Chapro.A
All the samples are below. I did not test it thus no pcaps this time.
------Linux/Chapro.A  e022de72cce8129bd5ac8a0675996318
------Injected iframe    111e3e0bf96b6ebda0aeffdb444bcf8d
------Java exploit         2bd88b0f267e5aa5ec00d1452a63d9dc
------Zeus binary         3840a6506d9d5c2443687d1cf07e25d0

Dec. 2012 Trojan.Stabuniq samples - financial infostealer trojan

Holiday presents.
Research: Symantec. Trojan.Stabuniq Found on Financial Institution Servers
More research: Stabuniq in-Depth  by Emanuele De Lucia

Here is a another minor news maker of 2012.
It is very well detected by most AV but if you want to play or make IDS or yara signatures, the pcap and the sample is below.

Dec 2012 Dexter - POS Infostealer samples and information

End of the year presents. Point of Sale (POS) infostealer, aka Dexter.
I got 3 more "tester-type" samples and added them below - in addition to the well known 4 samples mentioned by Seculert.
You can read more about it here:
Seculert Dexter - Draining blood out of Point of Sales 
TrendMicro Infostealer Dexter Targets Checkout Systems
Verizon: Dexter: More of the same, or hidden links?
Volatility labs Unpacking Dexter POS "Memory Dump Parsing" Malware
Trustwave labs: The Dexter Malware: Getting Your Hands Dirty
Symantec Infostealer.Dexter