Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

PUBLIC PAGE

<Click here: to download BotHunter>

24 June 2008
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:16:00 WinXP 82.247.241.199 (PROXAD.NET):
PROXAD / FREE SAS,
NICE, PROVENCE-ALPES-COTE D'AZUR, FR. n/a :proxim.ircgalaxy.pl
UA:citi-bank.ru
UA:194.54.90.246:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 32 of 33 b3dc05139e
NEW none [4] none:none
PolyEnE| none trace

T:00:20:00 WinXP 166.165.228.162 (MYVZW.COM):
SERVICE PROVIDER CORPORATION,
BEDMINSTER, NEW JERSEY, US. (DSL) 217.170.244.2:443 445 pcap raw alerts
ruleset shell
ftp
irc
61 lines Yeah : 1.8
profile none summary
tarball 25 of 28 7fdfe363d5
[Firefox:2697 hits: 12-31 to 06-23] 10862ea8b8 [0] ASM:Graph
FSG| lines=1933
embedded dns trace

T:00:36:00 WinXP 70.166.137.147 (COX.NET):
COX COMMUNICATIONS,
ATLANTA, GEORGIA, US. n/a US:microsoft.com
US:download.microsoft.com 135 pcap raw alerts
ruleset http
78 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
[Firefox:150 hits: 06-17 to 06-23]
73f1082158
[Firefox:52 hits: 06-18 to 06-23] none[4]
73f1082158[1]
73f1082158[1] none:none
ASM:Graph
tElock|
Armadillo| none
lines=81 trace
trace

00:53:00 WinXP 84.140.238.100 (T-IPCONNECT.DE):
DEUTSCHE TELEKOM AG,
LUBECK, SCHLESWIG-HOLSTEIN, DE. n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 32 of 32 03f912899b
[Firefox:19 hits: 12-14 to 06-23] 83893bd25d [0] ASM:Graph
none|none lines=65 trace

01:02:00 WinXP 61.20.171.158 (-):
FAR EASTONE TELECOMMUNICATION CO. LTD,
TW. n/a UA:citi-bank.ru
UA:194.54.90.246:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
[Firefox:3082 hits: 12-31 to 06-23] 7a70e1b592 [0] ASM:Graph
PolyEnE| lines=68 trace

T:01:07:00 Win2K-f 121.113.147.31 (PLALA.OR.JP):
PLALA NETWORKS INC,
JP. 217.170.244.2:443
CZ:217.170.244.2:443 445 pcap raw alerts
ruleset shell
ftp
irc
28 lines Yeah : 1.8
profile none summary
tarball 25 of 28 7fdfe363d5
[Firefox:2697 hits: 12-31 to 06-23] 10862ea8b8 [0] ASM:Graph
FSG| lines=1933
embedded dns trace

T:01:08:00 WinXP 58.156.35.172 (UCOM.NE.JP):
IML,
JP. n/a 445 pcap raw alerts
ruleset shell
ftp
21 lines Yeah : 1.3
profile none summary
tarball 29 of 29 831f4ee0a7
[Firefox:655 hits: 07-11 to 06-22] eb7546c600 [0] ASM:Graph
none|none lines=61 trace

T:01:40:00 WinXP 151.118.187.72 (QWEST.NET):
QWEST BROADBAND,
PHOENIX, ARIZONA, US. n/a 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

01:49:00 WinXP 84.177.215.218 (T-DIALIN.NET):
DEUTSCHE TELEKOM AG,
DE. (DIAL) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 32 of 32 03f912899b
[Firefox:19 hits: 12-14 to 06-23] 83893bd25d [0] ASM:Graph
none|none lines=65 trace

T:01:50:00 WinXP 210.139.204.185 (SO-NET.NE.JP):
SO-NET ENTERTAINMENT CORPORATION,
NAHA, OKINAWA, JP. n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
:landdev1.lap.internal
:wpad
US:208.73.212.12:80
EU:78.47.200.154:80 445 pcap raw alerts
ruleset http
http
http
7 lines Yeah : 0.8
profile none summary
tarball 29 of 29 df17a625ee
[Firefox:470 hits: 05-04 to 06-21] 9bbdd086c5 [0] ASM:Graph
ASPack| lines=186
embedded dns trace

T:01:59:00 WinXP 66.143.34.251 (SWBELL.NET):
RBACK1.KSC2MO,
KANSAS CITY, MISSOURI, US. (DSL) n/a US:microsoft.com
US:download.microsoft.com
US:64.62.216.10:80
US:64.62.216.56:80 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
[Firefox:150 hits: 06-17 to 06-23]
73f1082158
[Firefox:52 hits: 06-18 to 06-23] none[4]
73f1082158[1]
73f1082158[1] none:none
ASM:Graph
tElock|
Armadillo| none
lines=81 trace
trace

02:01:00 WinXP 118.168.1.96 (-):
. n/a
CZ:217.170.244.2:443
CZ:82.114.64.251:443 445 pcap raw alerts
ruleset shell
ftp
17 lines Yeah : 1.3
profile none summary
tarball 25 of 28 7fdfe363d5
[Firefox:2697 hits: 12-31 to 06-23] 10862ea8b8 [0] ASM:Graph
FSG| lines=1933
embedded dns trace

02:20:00 WinXP 70.241.71.165 (SWBELL.NET):
PPPOX POOL - RBACK21 HSTNTX,
HOUSTON, TEXAS, US. (DSL) n/a US:microsoft.com
US:download.microsoft.com
US:64.62.216.10:80
US:64.62.216.56:80 135 pcap raw alerts
ruleset other
77 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
[Firefox:150 hits: 06-17 to 06-23]
a08f3b74a4
[Firefox:53 hits: 06-18 to 06-23] none[4]
a08f3b74a4[1]
a08f3b74a4[1] none:none
ASM:Graph
tElock|
Armadillo| none
lines=81 trace
trace

03:03:00 WinXP 222.159.36.198 (INFOWEB.NE.JP):
INFOWEB(FUJITSU LTD.),
TOKYO, TOKYO, JP. (DIAL) n/a
CZ:217.170.244.2:443
CZ:82.114.64.251:443 445 pcap raw alerts
ruleset shell
ftp
17 lines Yeah : 1.3
profile none summary
tarball 25 of 28 7fdfe363d5
[Firefox:2697 hits: 12-31 to 06-23] 10862ea8b8 [0] ASM:Graph
FSG| lines=1933
embedded dns trace

T:03:22:00 WinXP 62.201.95.166 (T-ONLINE.HU):
T-ONLINE CATV CLIENTS (DYNAMIC ADDRESS POOL),
HU. n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 31 of 32 741e3b03b3
[Firefox:59 hits: 09-28 to 06-23] e0197e8a64 [0] ASM:Graph
none|none lines=62 trace

03:51:00 WinXP 80.104.175.253 (BUSINESS.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A,
MILANO, LOMBARDIA, IT. n/a UA:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
[Firefox:3082 hits: 12-31 to 06-23] 7a70e1b592 [0] ASM:Graph
PolyEnE| lines=68 trace

T:03:56:00 Win2K-f 116.127.56.111 (-):
HANARO TELECOM,
SEOUL, KYONGGI-DO, KR. n/a :proxim.ircgalaxy.pl
US:microsoft.com
US:download.microsoft.com 135 pcap raw alerts
ruleset http
114 lines Yeah : 1.3
profile none summary
tarball 30 of 33
28 of 33 533d15b5ce
NEW
58c343a8d8
NEW none[4]
58c343a8d8[1]
58c343a8d8[1] none:none
ASM:Graph
tElock|
Armadillo| none
lines=82 trace
trace

T:03:59:00 WinXP 121.102.146.6 (HI-HO.NE.JP):
PANASONIC NETWORK SERVICES INC,
JP. n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 31 of 32 741e3b03b3
[Firefox:59 hits: 09-28 to 06-23] e0197e8a64 [0] ASM:Graph
none|none lines=62 trace

T:04:27:00 Win2K-f 61.37.147.200 (BORA.NET):
DACOM CORP,
SEOUL, KYONGGI-DO, KR. (100Mbps) n/a :proxim.ircgalaxy.pl
US:microsoft.com
US:download.microsoft.com
US:198.78.220.126:80
US:199.93.41.124:80
US:199.93.41.126:80 135 pcap raw alerts
ruleset other
113 lines Yeah : 1.3
profile none summary
tarball 32 of 33
30 of 33 3690b64ca2
[Firefox: 2 hits: 06-18 to 06-21]
a6fb77fd26
[Firefox: 2 hits: 06-18 to 06-21] none[4]
a6fb77fd26[1]
a6fb77fd26[1] none:none
ASM:Graph
PolyEnE|
Armadillo| none
lines=82 trace
trace

T:05:10:00 Win2K-f 76.243.226.214 (PACBELL.NET):
AT&T INTERNET SERVICES,
US. n/a US:microsoft.com
US:download.microsoft.com 135 pcap raw alerts
ruleset http
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
[Firefox:150 hits: 06-17 to 06-23]
a08f3b74a4
[Firefox:53 hits: 06-18 to 06-23] none[4]
a08f3b74a4[1]
a08f3b74a4[1] none:none
ASM:Graph
tElock|
Armadillo| none
lines=81