Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

PUBLIC PAGE

<Click here: to download BotHunter>

20 June 2008
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:32:00 Win2K-f 61.221.250.18 (HINET.NET):
DATA COMMUNICATION BUSINESS GROUP CHUNGHWA TELECOM CO. LTD,
TW. n/a US:microsoft.com
US:download.microsoft.com 135 pcap raw alerts
ruleset http
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33
none 53bfe15e91
[Firefox:73 hits: 06-17 to 06-19]
57ce4acac2
[Firefox:12 hits: 06-17 to 06-19]
b5919931fe
NEW none[4]
57ce4acac2[1]
b5919931fe[1]
b5919931fe[1] none:none
ASM:Graph
ASM:Graph
tElock|
Armadillo|
ASProtect| none
lines=81
lines=90 trace
trace
trace

01:31:00 Win2K-f 218.210.225.206 (SPARQNET.NET):
NEW CENTURY INFOCOMM TECH CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com
US:download.microsoft.com
US:64.62.216.10:80 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
[Firefox:73 hits: 06-17 to 06-19]
73f1082158
[Firefox:21 hits: 06-18 to 06-19] none[4]
73f1082158[1]
73f1082158[1] none:none
ASM:Graph
tElock|
Armadillo| none
lines=81 trace
trace

01:39:00 WinXP 68.146.169.119 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CALGARY, ALBERTA, CA. (DSL) n/a 135 pcap raw alerts
ruleset other
1039 lines Yeah : 1.3
profile none summary
tarball none dd3f647f74
NEW none [3] none:none
PolyEnE| none trace

T:02:46:00 Win2K-f 4.232.69.16 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
FONTANA, CALIFORNIA, US. (DIAL) n/a 445 pcap raw alerts
ruleset shell
ftp
17 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

02:50:00 WinXP 219.116.255.155 (INFOWEB.NE.JP):
INFOWEB-CIDR-BLK,
TOKYO, TOKYO, JP. (DIAL) n/a US:microsoft.com
US:download.microsoft.com
US:198.78.220.126:80
US:199.93.41.124:80
US:207.123.37.126:80 135 pcap raw alerts
ruleset other
113 lines Yeah : 1.3
profile none summary
tarball none
none 33575aa644
NEW
c7001e5413
NEW 33575aa644 [1]
none [4] ASM:Graph
none:none
Armadillo|
tElock| lines=82
none trace
trace

02:56:00 Win2K-f 61.229.38.244 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. n/a
CZ:217.170.244.2:443
CZ:82.114.64.251:443 445 pcap raw alerts
ruleset shell
ftp
17 lines Yeah : 1.3
profile none summary
tarball 25 of 28 7fdfe363d5
[Firefox:2658 hits: 12-31 to 06-19] 10862ea8b8 [0] ASM:Graph
FSG| lines=1933
embedded dns trace

03:10:00 WinXP 93.156.48.58 (APEXCOVANTAGE.COM):
EU-ZZ,
UK. n/a UA:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
[Firefox:3066 hits: 12-31 to 06-19] 7a70e1b592 [0] ASM:Graph
PolyEnE| lines=68 trace

03:11:00 WinXP 118.237.46.42 (-):
. n/a 445 pcap raw alerts
ruleset shell
ftp
13 lines Yeah : 0.8
profile none summary
tarball none 27b945de66
NEW none [4] none:none
none|none none trace

T:03:48:00 Win2K-f 125.225.17.52 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TW. 217.170.244.2:443 445 pcap raw alerts
ruleset shell
ftp
irc
27 lines Yeah : 1.8
profile none summary
tarball 25 of 28 7fdfe363d5
[Firefox:2658 hits: 12-31 to 06-19] 10862ea8b8 [0] ASM:Graph
FSG| lines=1933
embedded dns trace

03:56:00 Win2K-f 122.50.160.62 (EXATT.NET):
INTERNET SERVICE PROVIDER,
BHUBANESHWAR, ORISSA, IN. n/a 135 pcap raw alerts
ruleset other
19 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

04:00:00 Win2K-f 211.58.220.94 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. n/a :proxima.ircgalaxy.pl
US:microsoft.com
US:download.microsoft.com
US:198.78.220.126:80
US:199.93.44.124:80
US:206.33.45.125:80 135 pcap raw alerts
ruleset other
102 lines Yeah : 1.3
profile none summary
tarball 31 of 33
none 168aab35a3
[Firefox: 3 hits: 06-17 to 06-19]
61426996c3
NEW none[4]
61426996c3[1]
61426996c3[1] none:none
ASM:Graph
tElock|
Armadillo| none
lines=82 trace
trace

T:04:54:00 Win2K-f 75.14.253.81 (-):
REFAT M HIJAZ DBA,
PLANO, TEXAS, US. (100Mbps) n/a US:microsoft.com
US:download.microsoft.com 135 pcap raw alerts
ruleset http
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33
none 53bfe15e91
[Firefox:73 hits: 06-17 to 06-19]
a08f3b74a4
[Firefox:24 hits: 06-18 to 06-19]
b5919931fe
NEW none[4]
a08f3b74a4[1]
b5919931fe[1]
b5919931fe[1] none:none
ASM:Graph
ASM:Graph
tElock|
Armadillo|
ASProtect| none
lines=81
lines=90 trace
trace
trace

T:05:09:00 Win2K-f 118.169.201.210 (-):
. 217.170.244.2:443 445 pcap raw alerts
ruleset shell
ftp
irc
29 lines Yeah : 1.8
profile none summary
tarball 25 of 28 7fdfe363d5
[Firefox:2658 hits: 12-31 to 06-19] 10862ea8b8 [0] ASM:Graph
FSG| lines=1933
embedded dns trace

05:17:00 WinXP 125.203.124.163 (PLALA.OR.JP):
PLALA NETWORKS INC,
JP. (DSL) n/a :proxim.ircgalaxy.pl 445 pcap raw alerts
ruleset ftp
13 lines Yeah : 0.8
profile none summary
tarball none e09933a21a
NEW none [4] none:none
PolyEnE| none trace

T:05:21:00 Win2K-f 118.161.191.38 (-):
. 217.170.244.2:443 445 pcap raw alerts
ruleset shell
ftp
irc
27 lines Yeah : 1.8
profile none summary
tarball 25 of 28 7fdfe363d5
[Firefox:2658 hits: 12-31 to 06-19] 10862ea8b8 [0] ASM:Graph
FSG| lines=1933
embedded dns trace

05:23:00 WinXP 217.245.100.62 (T-DIALIN.NET):
DEUTSCHE TELEKOM AG,
BERLIN, BERLIN, DE. (DIAL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 32 of 32 03f912899b
[Firefox:14 hits: 12-14 to 06-19] 83893bd25d [0] ASM:Graph
none|none lines=65 trace

05:29:00 WinXP 83.132.107.51 (CPE.NETCABO.PT):
TVCABO-PORTUGAL CABLE MODEM NETWORK,
LISBON, LISBOA, PT. n/a UA:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 31 of 32 f2668b51f1
[Firefox: 8 hits: 08-10 to 06-15] none [4] none:none
PolyEnE| none trace

05:58:00 Win2K-f 222.239.34.179 (-):
INCHON CABLE TV NAMDONG BROADCAST,
INCHON, KYONGGI-DO, KR. n/a US:microsoft.com
US:download.microsoft.com
US:64.62.216.10:80
US:64.62.216.56:80 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 0 of 33
33 of 33 4c3df24b32
[Firefox: 8 hits: 06-17 to 06-19]
53bfe15e91
[Firefox:73 hits: 06-17 to 06-19] 4c3df24b32 [1]
none [4] ASM:Graph
none:none
Armadillo|
tElock| lines=81
none trace
trace

06:09:00 WinXP 58.190.31.158 (EONET.NE.JP):
K-OPTICOM CORPORATION,
OSAKA, OSAKA, JP. n/a 445 pcap raw alerts
ruleset shell
ftp
13 lines Yeah : 0.8
profile none summary
tarball 31 of 32 741e3b03b3
[Firefox:40 hits: 09-28 to 06-19] e0197e8a64 [0] ASM:Graph
none|none lines=62 trace

06:29:00 WinXP 221.170.142.240 (MESH.AD.JP):
BIGLOBE-CIDR-BLK,
TOKYO, TOKYO, JP. n/a :proxim.ircgalaxy.pl 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball none e09933a21a
NEW none [4] none:none
PolyEnE| none trace

06:58:00 WinXP 80.191.115.189 (-):
REGIONAL LIBRARAY OF SCIENCE AND TECHNOLOGY,
SHIRAZ, FARS, IR. n/a EU:siliconfireware.ru
GB:new.egg.com
:wpad
DE:212.227.111.29:80
DE:217.11.54.126:80
GB:217.145.225.22:80
EU:78.47.200.154:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 29 of 29 a12cab51ef
[Firefox:1060 hits: 05-01 to 06-19]