
ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (com)

               IP Address   Port          Hostname
Source         8.8.4.4      domain (53)   google-public-dns-b.google.com
Destination    (local)      1895


000 : 00 00 81 83 00 01 00 00 00 01 00 00 0c 6d 6d 6d .............mmm
010 : 6d 6d 6d 6d 6d 6d 6d 6d 6d 03 63 6f 6d 00 00 0f mmmmmmmmm.com...
020 : 00 01 c0 19 00 06 00 01 00 00 03 83 00 3d 01 61 .............=.a
030 : 0c 67 74 6c 64 2d 73 65 72 76 65 72 73 03 6e 65 .gtld-servers.ne
040 : 74 00 05 6e 73 74 6c 64 0c 76 65 72 69 73 69 67 t..nstld.verisig
050 : 6e 2d 67 72 73 c0 19 57 d8 82 b6 00 00 07 08 00 n-grs..W........
060 : 00 03 84 00 09 3a 80 00 01 51 80 .....:...Q.


Description:


False Positive:

  • YES
  • This rule fires on NXDOMAIN responses for .com second-level domains whose label is exactly 12 characters long (here mmmmmmmmmmmm.com).
  • A genuine Tinba DGA domain would look random; a label made of a single repeated character does not.
  • Length-12 NXDOMAIN responses are a useful indicator, but the rule is prone to false positives.
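Added example, not part of the original alert write-up: it parses the response bytes from the dump above, checks the conditions the rule is described as matching, and applies a distinct-character heuristic as a triage check for the repeated-character false-positive case. The `min_distinct` threshold is an assumption, not part of the rule.

```python
import struct

# Response bytes constructed from the hex dump above.
PACKET = bytes.fromhex(
    "0000818300010000000100000c6d6d6d"  # id 0, flags 0x8183 (QR RD RA, RCODE 3), QD 1, NS 1
    "6d6d6d6d6d6d6d6d6d03636f6d00000f"  # question: mmmmmmmmmmmm.com, qtype 15 (MX) ...
    "0001c0190006000100000383003d0161"  # ... class IN; authority: com SOA, TTL 899, rdlen 61
    "0c67746c642d73657276657273036e65"  # MNAME a.gtld-servers.net ...
    "7400056e73746c640c76657269736967"  # RNAME nstld.verisign-grs + pointer to "com"
    "6e2d677273c01957d882b60000070800"  # serial, refresh 1800 ...
    "00038400093a8000015180"            # retry 900, expire 604800, minimum 86400
)

def read_name(pkt, off):
    """Decode a DNS name at off, following compression pointers; return (labels, next_off)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                  # compression pointer: jump, remember return point
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return labels, (end if end is not None else off)

def parse_response(pkt):
    """Pull out the header flags and question section the rule is concerned with."""
    _txid, flags, _qd, an, ns, _ar = struct.unpack("!6H", pkt[:12])
    labels, off = read_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"qr": bool(flags & 0x8000), "rcode": flags & 0x000F,  # rcode 3 = NXDOMAIN
            "labels": labels, "qname": ".".join(labels), "qtype": qtype,
            "ancount": an, "nscount": ns}

def matches_rule(info):
    """Conditions as the write-up describes them: NXDOMAIN for a 12-character .com second-level label."""
    return (info["qr"] and info["rcode"] == 3 and len(info["labels"]) == 2
            and info["labels"][1].lower() == "com" and len(info["labels"][0]) == 12)

def looks_random(label, min_distinct=6):
    """Triage heuristic (assumption, not from the rule): DGA labels use many distinct characters."""
    return len(set(label.lower())) >= min_distinct
```

A hit where `matches_rule` is true but `looks_random` is false, as with the dump above, is the false-positive pattern the write-up describes.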


Action:

  • None
