Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

PUBLIC PAGE

<Click here: to download BotHunter>

21 June 2008
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

00:08:00 Win2K-f 4.243.128.186 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
FAIRFIELD, CALIFORNIA, US. (DIAL) n/a 135 pcap raw alerts
ruleset other
102 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
[Firefox:105 hits: 06-17 to 06-20]
73f1082158
[Firefox:34 hits: 06-18 to 06-20] none[4]
73f1082158[1]
73f1082158[1] none:none
ASM:Graph
tElock|
Armadillo| none
lines=81 trace
trace

00:13:00 WinXP 24.69.99.242 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CALGARY, ALBERTA, CA. (DSL) n/a US:microsoft.com
US:download.microsoft.com
:proxim.ircgalaxy.pl
US:199.93.41.124:80
US:207.123.47.126:80
US:8.12.202.125:80 135 pcap raw alerts
ruleset other
94 lines Yeah : 1.3
profile none summary
tarball 33 of 33
none 53bfe15e91
[Firefox:105 hits: 06-17 to 06-20]
9755a5d861
NEW none[4]
9755a5d861[1]
9755a5d861[1] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:00:43:00 WinXP 211.211.97.126 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. n/a :proxim.ircgalaxy.pl
US:microsoft.com
US:download.microsoft.com 135 pcap raw alerts
ruleset http
125 lines Yeah : 1.3
profile none summary
tarball none
none
none 3b6cda60f6
NEW
4c9db01aba
NEW
e07c29c4ae
[Firefox:12 hits: 06-19 to 06-20] 3b6cda60f6 [1]
none [4]
e07c29c4ae[1]
e07c29c4ae[1] ASM:Graph
none:none
ASM:Graph
Armadillo|
tElock|
FSG| lines=81
none
lines=92 trace
trace
trace

T:00:54:00 WinXP 222.235.160.184 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. n/a :proxima.ircgalaxy.pl
US:microsoft.com
US:download.microsoft.com 135 pcap raw alerts
ruleset http
88 lines Yeah : 1.3
profile none summary
tarball 31 of 33
0 of 33
none 168aab35a3
[Firefox: 5 hits: 06-17 to 06-20]
4c3df24b32
[Firefox:10 hits: 06-17 to 06-20]
e07c29c4ae
[Firefox:12 hits: 06-19 to 06-20] none[4]
4c3df24b32[1]
e07c29c4ae[1]
e07c29c4ae[1] none:none
ASM:Graph
ASM:Graph
tElock|
Armadillo|
FSG| none
lines=81
lines=92 trace
trace
trace

T:01:17:00 Win2K-f 122.53.125.102 (PLDT.NET):
IPG,
PH. n/a US:microsoft.com
US:download.microsoft.com 135 pcap raw alerts
ruleset http
127 lines Yeah : 1.3
profile none summary
tarball 29 of 33
33 of 33
none 16874933ea
[Firefox: 4 hits: 06-18 to 06-20]
76ee340669
[Firefox: 4 hits: 06-18 to 06-20]
b5919931fe
[Firefox: 8 hits: 06-20 to 06-20] 16874933ea [1]
none [4]
b5919931fe[1]
b5919931fe[1] ASM:Graph
none:none
ASM:Graph
Armadillo|
PolyEnE|
ASProtect| lines=82
none
lines=90 trace
trace
trace

01:20:00 WinXP 219.241.199.101 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. n/a :proxim.ircgalaxy.pl
US:microsoft.com
US:download.microsoft.com
US:64.215.166.173:80
US:64.215.166.190:80 135 pcap raw alerts
ruleset other
113 lines Yeah : 1.3
profile none summary
tarball none
none 194e0b013d
NEW
2a12badf92
NEW 194e0b013d [1]
none [4] ASM:Graph
none:none
Armadillo|
PolyEnE| lines=81
none trace
trace

T:01:26:00 WinXP 122.146.83.150 (SPARQNET.NET):
NEW CENTURY INFOCOMM TECH. CO. LTD,
TW. n/a US:microsoft.com
US:download.microsoft.com 135 pcap raw alerts
ruleset http
78 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32
none 53bfe15e91
[Firefox:105 hits: 06-17 to 06-20]
73f1082158
[Firefox:34 hits: 06-18 to 06-20]
e07c29c4ae
[Firefox:12 hits: 06-19 to 06-20] none[4]
73f1082158[1]
e07c29c4ae[1]
e07c29c4ae[1] none:none
ASM:Graph
ASM:Graph
tElock|
Armadillo|
FSG| none
lines=81
lines=92 trace
trace
trace

01:39:00 Win2K-f 68.150.131.61 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
LEDUC, ALBERTA, CA. (DSL) n/a 135 pcap raw alerts
ruleset other
266 lines Yeah : 1.3
profile none summary
tarball none f5704d7334
NEW none [4] none:none
StarForce| none trace

02:13:00 Win2K-f 4.174.160.64 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
WAYNESBORO, PENNSYLVANIA, US. (DIAL) n/a US:microsoft.com
US:download.microsoft.com
US:64.215.166.173:80
US:64.215.166.190:80 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
[Firefox:105 hits: 06-17 to 06-20]
a08f3b74a4
[Firefox:34 hits: 06-18 to 06-20] none[4]
a08f3b74a4[1]
a08f3b74a4[1] none:none
ASM:Graph
tElock|
Armadillo| none
lines=81 trace
trace

02:32:00 Win2K-f 122.52.18.242 (PLDT.NET):
IPG,
PH. n/a 135 pcap raw alerts
ruleset other
11 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:02:35:00 Win2K-f 68.149.8.89 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
EDMONTON, ALBERTA, CA. (DSL) n/a :proxim.ircgalaxy.pl 135 pcap raw alerts
ruleset other
266 lines Yeah : 1.3
profile none summary
tarball none 0d416b2208
NEW none [4] none:none
PolyEnE| none trace

T:02:39:00 WinXP 24.189.171.29 (OPTONLINE.NET):
OPTIMUM ONLINE (CABLEVISION SYSTEMS),
UNIONDALE, NEW YORK, US. n/a US:microsoft.com
US:download.microsoft.com 135 pcap raw alerts
ruleset http
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32
none 53bfe15e91
[Firefox:105 hits: 06-17 to 06-20]
73f1082158
[Firefox:34 hits: 06-18 to 06-20]
e07c29c4ae
[Firefox:12 hits: 06-19 to 06-20] none[4]
73f1082158[1]
e07c29c4ae[1]
e07c29c4ae[1] none:none
ASM:Graph
ASM:Graph
tElock|
Armadillo|
FSG| none
lines=81
lines=92 trace
trace
trace

02:46:00 WinXP 61.252.173.56 (KRLINE.NET):
KRNIC,
KR. n/a :proxim.ircgalaxy.pl
US:microsoft.com
US:download.microsoft.com
US:198.78.220.124:80
US:199.93.44.124:80
US:205.128.79.124:80 135 pcap raw alerts
ruleset other
113 lines Yeah : 1.3
profile none summary
tarball 31 of 33
30 of 33 05ea62612c
NEW
3a0107380f
NEW none[4]
3a0107380f[1]
3a0107380f[1] none:none
ASM:Graph
tElock|
Armadillo| none
lines=82 trace
trace

02:51:00 Win2K-f 76.93.104.77 (-):
. n/a US:microsoft.com
US:download.microsoft.com
US:192.221.110.125:80
US:192.221.99.124:80
US:205.128.66.124:80 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
[Firefox:105 hits: 06-17 to 06-20]
73f1082158
[Firefox:34 hits: 06-18 to 06-20] none[4]
73f1082158[1]
73f1082158[1] none:none
ASM:Graph
tElock|
Armadillo| none
lines=81 trace
trace

T:02:52:00 WinXP 61.252.173.56 (KRLINE.NET):
KRNIC,
KR. n/a :proxim.ircgalaxy.pl
US:microsoft.com
US:download.microsoft.com 135 pcap raw alerts
ruleset http
114 lines Yeah : 1.3
profile none summary
tarball 31 of 33
30 of 33
none 05ea62612c
NEW
3a0107380f
NEW
e07c29c4ae
[Firefox:12 hits: 06-19 to 06-20] none[4]
3a0107380f[1]
e07c29c4ae[1]
e07c29c4ae[1] none:none
ASM:Graph
ASM:Graph
tElock|
Armadillo|
FSG| none
lines=82
lines=92 trace
trace
trace

T:02:55:00 WinXP 194.165.181.167 (ESAT.NET):
OCEAN FREE INTERNET DIAL UP SERVICE,
DUBLIN, DUBLIN, IE. (DIAL) 194.54.90.246:80 UA:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 29 of 29 3ae357d17b
[Firefox:717 hits: 05-01 to 06-20] 462a7be171 [0] ASM:Graph
PolyEnE| lines=73 trace

03:15:00 WinXP 76.168.73.62 (RR.COM):
ROAD RUNNER HOLDCO LLC,
VENICE, CALIFORNIA, US. (100Mbps) n/a 445 pcap raw alerts
ruleset shell
ftp
16 lines Yeah : 1.3
profile none summary
tarball