Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

PUBLIC PAGE

<Click here: to download BotHunter>

02 July 2008
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:07:00 Win2K-f 60.38.16.246 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
JP. 		n/a   445 pcap raw alerts
ruleset 		ftp
27 lines 		Yeah : 1.3
profile 		none summary
tarball 		26 of 33 ca15c09536
[Firefox:170 hits: 06-27 to 07-01] 		none [none] none:none
 none|none none none
T:00:07:00 Win2K-f 61.251.9.95 (-):
DAEJEON TELECOM,
SEOUL, KYONGGI-DO, KR. 		n/a US:microsoft.com
HK:proxim.ircgalaxy.pl
US:download.microsoft.com
HK:210.245.211.11:65520
US:64.62.216.10:80
US:64.62.216.56:80 		135 pcap raw alerts
ruleset 		other
113 lines 		Yeah : 1.3
profile 		none summary
tarball 		24 of 33
32 of 33		 074325ecbc
NEW
2a66fc87fa
NEW 		none [none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
T:00:12:00 WinXP 81.137.216.248 (BTOPENWORLD.COM):
SINGLE STATIC IP ADDRESSES,
LONDON, ENGLAND, UK. 		n/a US:chat-shqip.org
US:w3bs.chat-shqip.org
US:69.247.147.113:12351
US:69.247.147.113:13001 		445 pcap raw alerts
ruleset 		ftp
25 lines 		Yeah : 1.3
profile 		none summary
tarball 		26 of 33 ca15c09536
[Firefox:170 hits: 06-27 to 07-01] 		none [none] none:none
 none|none none none
T:00:14:00 Win2K-f 217.232.103.211 (T-DIALIN.NET):
DEUTSCHE TELEKOM AG,
BERLIN, BERLIN, DE. (DIAL) 		n/a US:chat-shqip.org
US:w3bs.chat-shqip.org
US:69.247.147.113:12351
US:69.247.147.113:13001 		445 pcap raw alerts
ruleset 		ftp
25 lines 		Yeah : 1.3
profile 		none summary
tarball 		10 of 33 d2c26e07fd
[Firefox:143 hits: 06-27 to 07-01] 		none [none] none:none
 none|none none none
00:16:00 Win2K-f 217.232.103.211 (T-DIALIN.NET):
DEUTSCHE TELEKOM AG,
BERLIN, BERLIN, DE. (DIAL) 		n/a US:chat-shqip.org
US:w3bs.chat-shqip.org
US:69.247.147.113:12351
US:69.247.147.113:13001 		445 pcap raw alerts
ruleset 		ftp
26 lines 		Yeah : 1.3
profile 		none summary
tarball 		10 of 33 d2c26e07fd
[Firefox:143 hits: 06-27 to 07-01] 		none [none] none:none
 none|none none none
00:18:00 WinXP 88.134.177.83 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
DE. 		n/a US:chat-shqip.org
US:w3bs.chat-shqip.org
US:69.247.147.113:12351
US:69.247.147.113:13001 		445 pcap raw alerts
ruleset 		ftp
28 lines 		Yeah : 1.3
profile 		none summary
tarball 		32 of 33 80433c452f
[Firefox: 2 hits: 06-30 to 07-01] 		none [none] none:none
 none|none none none
00:18:00 Win2K-f 125.215.102.7 (PIKARA.NE.JP):
PIKARA(STNET INCORPORATED),
JP. 		n/a   445 pcap raw alerts
ruleset 		ftp
26 lines 		Yeah : 1.3
profile 		none summary
tarball 		20 of 33 17739a55ad
[Firefox:211 hits: 06-27 to 07-01] 		none [none] none:none
 none|none none none
00:20:00 Win2K-f 118.169.70.207 (-):
. 		n/a  
CZ:217.170.244.2:443
CZ:82.114.64.251:443 		445 pcap raw alerts
ruleset 		shell
ftp
17 lines 		Yeah : 1.3
profile 		none summary
tarball 		25 of 28 7fdfe363d5
[Firefox:2785 hits: 12-31 to 07-01] 		10862ea8b8 [0] ASM:Graph
 FSG| lines=1933
embedded dns 		trace
T:00:31:00 Win2K-f 217.237.99.34 (T-IPCONNECT.DE):
DEUTSCHE TELEKOM AG,
TRIER, RHEINLAND-PFALZ, DE. 		n/a   445 pcap raw alerts
ruleset 		ftp
21 lines 		Yeah : 1.3
profile 		none summary
tarball 		20 of 33 17739a55ad
[Firefox:211 hits: 06-27 to 07-01] 		none [none] none:none
 none|none none none
00:39:00 Win2K-f 92.21.141.146 (-):
CARPHONE WAREHOUSE BROADBAND SERVICES,
UK. 		n/a HK:proxim.ircgalaxy.pl
HK:210.245.211.11:80 		445 pcap raw alerts
ruleset 		ftp
27 lines 		Yeah : 1.3
profile 		none summary
tarball 		31 of 33 619057c44c
NEW 		none [none] none:none
 none|none none none
T:00:40:00 Win2K-f 78.8.22.141 (NET.PL):
DIALOG,
WROCLAW, DOLNOSLASKIE, PL. 		n/a   445 pcap raw alerts
ruleset 		ftp
22 lines 		Yeah : 1.3
profile 		none summary
tarball 		20 of 33 17739a55ad
[Firefox:211 hits: 06-27 to 07-01] 		none [none] none:none
 none|none none none
T:00:41:00 Win2K-f 24.65.50.37 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CALGARY, ALBERTA, CA. (DSL) 		n/a US:microsoft.com
HK:proxim.ircgalaxy.pl
US:download.microsoft.com
HK:210.245.211.11:65520
US:64.62.216.56:80 		135 pcap raw alerts
ruleset 		other
113 lines 		Yeah : 1.3
profile 		none summary
tarball 		30 of 33
31 of 33		 215dda8137
NEW
c1c5be6c5a
NEW 		none [none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
00:43:00 WinXP 213.77.121.222 (-):
LIQUID SYSTEMS SP. Z O.O,
KRAKOW, MALOPOLSKIE, PL. 		n/a US:chat-shqip.org
US:w3bs.chat-shqip.org
US:69.247.147.113:12351
US:69.247.147.113:13001 		445 pcap raw alerts
ruleset 		ftp
25 lines 		Yeah : 1.3
profile 		none summary
tarball 		14 of 33 2b905ce565
NEW 		none [none] none:none
 none|none none none
T:00:44:00 Win2K-f 130.227.67.155 (POST.LINDPRO.DK):
UNI2-KUNDER,
DK. 		67.43.236.98:10324 CA:xx.nadnadzz.info
CA:nadsam0.info
US:130.107.220.21:53660
CA:67.43.236.99:10324 		135 pcap raw alerts
ruleset 		irc
http
165 lines 		Yeah : 1.3
profile 		none summary
tarball 		24 of 32
16 of 33
none
none		 4f51b7cd6f
NEW
89ae89a9b7
NEW
c5622bb285
[Firefox: 5 hits: 06-23 to 06-27]
ee20b91263
[Firefox: 2 hits: 06-27 to 06-27] 		none [none]
none [none]
none [4]
none [none] 		none:none
none:none
none:none
none:none
 none|none
none|none
none|none
none|none 		none
none
none
none 		none
none
trace
none
00:52:00 WinXP 120.75.189.106 (-):
. 		n/a US:chat-shqip.org
US:w3bs.chat-shqip.org
US:69.247.147.113:12351
US:69.247.147.113:13001 		445 pcap raw alerts
ruleset 		ftp
27 lines 		Yeah : 1.3
profile 		none summary
tarball 		20 of 33 17739a55ad
[Firefox:211 hits: 06-27 to 07-01] 		none [none] none:none
 none|none none none
00:57:00 WinXP 62.169.107.73 (REV.OPTIMUS.PT):
OPTIMUS PORTUGAL,
LISBON, LISBOA, PT. (DSL) 		n/a UA:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		32 of 33 73582ef3de
NEW 		none [none] none:none
 none|none none none
T:01:00:00 Win2K-f 85.177.188.96 (ALICEDSL.DE):
HANSENET-ADSL,
BOCHUM, NORDRHEIN-WESTFALEN, DE. (DSL) 		n/a HK:proxim.ircgalaxy.pl
US:chat-shqip.org
US:w3bs.chat-shqip.org
HK:210.245.211.11:80
US:69.247.147.113:12351
US:69.247.147.113:13001 		445 pcap raw alerts
ruleset 		ftp
27 lines 		Yeah : 1.3
profile 		none summary
tarball 		19 of 33 536227ab5f
NEW 		none [none] none:none
 none|none none none
01:03:00 Win2K-f 118.7.234.41 (-):
. 		n/a US:chat-shqip.org
US:w3bs.chat-shqip.org
US:69.247.147.113:12351
US:69.247.147.113:13001 		445 pcap raw alerts
ruleset 		ftp
27 lines 		Yeah : 1.3
profile 		none summary
tarball 		10 of 33 d2c26e07fd
[Firefox:143 hits: 06-27 to 07-01] 		none [none] none:none
 none|none none none
01:04:00 Win2K-f 71.140.69.146 (-):
LOS GIRASOLES LTD,
PLANO, TEXAS, US. (100Mbps) 		n/a US:microsoft.com
US:download.microsoft.com
US:204.160.126.124:80 		135 pcap raw alerts
ruleset 		other
88 lines 		Yeah : 1.3
profile 		none summary
tarball 		3 of 33
33 of 33		 73ce2b74da
[Firefox: 2 hits: 06-18 to 06-26]
79c01ec060
[Firefox: 3 hits: 06-18 to 06-26] 		73ce2b74da [1]
none [4] 		ASM:Graph
none:none
 Armadillo|
tElock| 		lines=81
none 		trace
trace
01:06:00 WinXP 220.156.9.221 (HI-HO.NE.JP):
INTERNET INITIATIVE JAPAN INC,
TOKYO, TOKYO, JP. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
13 lines 		Yeah : 0.8
profile 		none summary
tarball 		31 of 32 741e3b03b3
[Firefox:92 hits: 09-28 to 07-01] 		e0197e8a64 [0] ASM:Graph
 none|none lines=62 trace
T:01:09:00 WinXP 82.103.205.93 (ELISA-LAAJAKAISTA.FI):
JYVASVIESTIN-NET,
FI. 		n/a HK:proxim.ircgalaxy.pl
US:chat-shqip.org
US:w3bs.chat-shqip.org
HK:210.245.211.11:65520
US:69.247.147.113:12351
US:69.247.147.113:13001 		445 pcap raw alerts
ruleset 		ftp
27 lines 		Yeah : 1.3
profile 		none summary
tarball 		31 of 33 71b5bbe58a
NEW 		none [none] none:none
 none|none none none
01:22:00 WinXP 118.240.190.229 (-):
. 		n/a US:chat-shqip.org
US:w3bs.chat-shqip.org
US:69.247.147.113:12351
US:69.247.147.113:13001 		445 pcap raw alerts
ruleset 		ftp
28 lines 		Yeah : 1.3
profile 		none summary
tarball 		26 of 33 ca15c09536
[Firefox:170 hits: 06-27 to 07-01] 		none [none] none:none
 none|none none none
01:23:00 WinXP 118.109.155.199 (-):
. 		n/a  
CZ:217.170.244.2:443
CZ:82.114.64.251:443 		445 pcap raw alerts
ruleset 		shell
ftp
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		31 of 33 661a97baa1
NEW 		none [none] none:none
 none|none none none
T:01:31:00 Win2K-f 125.215.118.134 (PIKARA.NE.JP):
PIKARA(STNET INCORPORATED),
JP. 		n/a   445 pcap raw alerts
ruleset 		ftp
27 lines 		Yeah : 1.3
profile 		none summary
tarball 		26 of 33 ca15c09536
[Firefox:170 hits: 06-27 to 07-01] 		none [none] none:none
 none|none none none
T:01:32:00 Win2K-f 119.11.105.120 (-):
. 		n/a   445 pcap raw alerts
ruleset 		ftp
25 lines 		Yeah : 1.3
profile 		none summary
tarball 		30 of 33 87e5da3c72
NEW 		none [none] none:none
 none|none none none
T:01:33:00 Win2K-f 92.5.50.52 (-):
CARPHONE WAREHOUSE BROADBAND SERVICES,
UK. 		n/a HK:proxim.ircgalaxy.pl
HK:210.245.211.11:80 		445 pcap