| Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| T:00:07:00 | WinXP | 78.59.219.74 (ZEBRA.LT): LIETUVOS, LT. | n/a | :proxim.ircgalaxy.pl UA:citi-bank.ru 115.126.2.121:65520 UA:194.54.90.246:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | none | cd1d4a8f0a NEW | none [none] | none:none | none\|none | none | none |
| 00:09:00 | WinXP | 114.48.40.153 (-): . | n/a | :proxim.ircgalaxy.pl 115.126.2.121:65520 | 445 | pcap | raw alerts ruleset | ftp 12 lines | Yeah : 0.8 profile | none | summary tarball | none | 16727c6808 NEW | none [none] | none:none | none\|none | none | none |
| 00:13:00 | WinXP | 116.127.232.167 (-): HANARO TELECOM, SEOUL, KYONGGI-DO, KR. | n/a | :proxima.ircgalaxy.pl US:microsoft.com US:download.microsoft.com 115.126.2.121:65520 US:204.160.104.126:80 US:4.23.60.126:80 | 135 | pcap | raw alerts ruleset | http 91 lines | Yeah : 1.3 profile | none | summary tarball | 31 of 33; 0 of 33; 0 of 33 | 168aab35a3 [Firefox:180 hits: 06-17 to 11-02]; 4c3df24b32 [Firefox:236 hits: 06-17 to 11-02]; e07c29c4ae [Firefox:777 hits: 06-19 to 11-02] | none[4] 4c3df24b32[1] e07c29c4ae[1] e07c29c4ae[1] | none:none; ASM:Graph; ASM:Graph | tElock\|; Armadillo\|; FSG\| | none; lines=81; lines=92 | trace; trace; trace |
| 00:17:00 | WinXP | 98.25.127.181 (-): . | n/a | | 445 | pcap | raw alerts ruleset | shell ftp 15 lines | Yeah : 1.3 profile | none | summary tarball | 29 of 29 | 1a2c0e6130 [Firefox:503 hits: 12-31 to 11-02] | 048df78048 [0] | ASM:Graph | none\|none | lines=61 | trace |
| 00:48:00 | WinXP | 65.69.205.89 (COM-TECHED.NET): COLLEGE OF THE MAINLAND, PLANO, TEXAS, US. (100Mbps) | n/a | US:microsoft.com US:download.microsoft.com US:199.93.41.124:80 US:4.23.60.125:80 | 135 | pcap | raw alerts ruleset | http 77 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 32; 0 of 33 | 53bfe15e91 [Firefox:3675 hits: 06-17 to 11-02]; 73f1082158 [Firefox:1831 hits: 06-18 to 11-02]; e07c29c4ae [Firefox:777 hits: 06-19 to 11-02] | none[4] 73f1082158[1] e07c29c4ae[1] e07c29c4ae[1] | none:none; ASM:Graph; ASM:Graph | tElock\|; Armadillo\|; FSG\| | none; lines=81; lines=92 | trace; trace; trace |
| 00:52:00 | Win2K-f | 125.58.90.19 (-): . | n/a | US:microsoft.com US:download.microsoft.com | 135 | pcap | raw alerts ruleset | http 76 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 32 | 53bfe15e91 [Firefox:3675 hits: 06-17 to 11-02]; 73f1082158 [Firefox:1831 hits: 06-18 to 11-02] | none[4] 73f1082158[1] 73f1082158[1] | none:none; ASM:Graph | tElock\|; Armadillo\| | none; lines=81 | trace; trace |
| T:01:23:00 | Win2K-f | 124.195.158.89 (-): . | n/a | US:microsoft.com US:download.microsoft.com US:205.128.70.126:80 US:207.123.37.125:80 | 135 | pcap | raw alerts ruleset | http 76 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33; 0 of 32 | 53bfe15e91 [Firefox:3675 hits: 06-17 to 11-02]; a08f3b74a4 [Firefox:1309 hits: 06-18 to 11-02]; b5919931fe [Firefox:1040 hits: 06-20 to 11-02] | none[4] a08f3b74a4[1] b5919931fe[1] b5919931fe[1] | none:none; ASM:Graph; ASM:Graph | tElock\|; Armadillo\|; ASProtect\| | none; lines=81; lines=90 | trace; trace; trace |
| 01:26:00 | Win2K-f | 124.195.158.89 (-): . | n/a | US:microsoft.com US:download.microsoft.com | 135 | pcap | raw alerts ruleset | http 76 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33; 0 of 32 | 53bfe15e91 [Firefox:3675 hits: 06-17 to 11-02]; a08f3b74a4 [Firefox:1309 hits: 06-18 to 11-02]; b5919931fe [Firefox:1040 hits: 06-20 to 11-02] | none[4] a08f3b74a4[1] b5919931fe[1] b5919931fe[1] | none:none; ASM:Graph; ASM:Graph | tElock\|; Armadillo\|; ASProtect\| | none; lines=81; lines=90 | trace; trace; trace |
| 01:30:00 | Win2K-f | 140.239.201.214 (XO.NET): XO COMMUNICATIONS, BOSTON, MASSACHUSETTS, US. | n/a | US:microsoft.com US:download.microsoft.com | 135 | pcap | raw alerts ruleset | http 76 lines | Yeah : 1.3 profile | none | summary tarball | 0 of 32; 33 of 33; 0 of 32 | 73f1082158 [Firefox:1831 hits: 06-18 to 11-02]; 79c01ec060 [Firefox:71 hits: 06-18 to 11-02]; b5919931fe [Firefox:1040 hits: 06-20 to 11-02] | 73f1082158 [1] none [4] b5919931fe[1] b5919931fe[1] | ASM:Graph; none:none; ASM:Graph | Armadillo\|; tElock\|; ASProtect\| | lines=81; none; lines=90 | trace; trace; trace |
| 01:37:00 | WinXP | 218.162.182.220 (HINET.NET): CHTD CHUNGHWA TELECOM CO. LTD, TW. (DSL) | n/a | UA:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 1.3 profile | none | summary tarball | 26 of 28 | 7d99b0e910 [Firefox:1429 hits: 12-31 to 11-02] | 7a70e1b592 [0] | ASM:Graph | PolyEnE\| | lines=68 | trace |
| T:01:39:00 | WinXP | 220.219.254.27 (INFOWEB.NE.JP): INFOWEB(FUJITSU LTD.), YOKOHAMA, KANAGAWA, JP. (DIAL) | n/a | | 445 | pcap | raw alerts ruleset | shell ftp 15 lines | Yeah : 1.3 profile | none | summary tarball | 31 of 32 | 741e3b03b3 [Firefox:519 hits: 01-05 to 11-02] | e0197e8a64 [0] | ASM:Graph | none\|none | lines=62 | trace |
| 01:56:00 | WinXP | 221.251.49.172 (UCOM.NE.JP): TK, TOKYO, TOKYO, JP. | n/a | | 445 | pcap | raw alerts ruleset | shell ftp 16 lines | Yeah : 1.3 profile | none | summary tarball | 31 of 32 | 741e3b03b3 [Firefox:519 hits: 01-05 to 11-02] | e0197e8a64 [0] | ASM:Graph | none\|none | lines=62 | trace |
| 02:07:00 | Win2K-f | 24.84.5.16 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, SURREY, BRITISH COLUMBIA, CA. (DSL) | n/a | US:microsoft.com US:download.microsoft.com US:192.221.110.126:80 US:199.93.41.126:80 US:204.160.104.126:80 | 135 | pcap | raw alerts ruleset | other 127 lines | Yeah : 1.3 profile | none | summary tarball | 31 of 36; 33 of 36 | 28ce5fc467 [Firefox: 7 hits: 09-12 to 10-25]; e7335cb667 [Firefox: 7 hits: 09-12 to 10-25] | none [none]; none [none] | none:none; none:none | none\|none; none\|none | none; none | none; none |
| T:02:08:00 | WinXP | 68.148.148.151 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, EDMONTON, ALBERTA, CA. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 1010 lines | Yeah : 1.3 profile | none | summary tarball | none; 5 of 36 | e24773490e NEW; fd419eefad [Firefox: 8 hits: 10-31 to 11-02] | none [none]; none [none] | none:none; none:none | none\|none; none\|none | none; none | none; none |
| T:02:11:00 | WinXP | 122.52.37.157 (PLDT.NET): IPG, PH. | n/a | :proxim.ircgalaxy.pl UA:citi-bank.ru 115.126.2.121:65520 UA:194.54.90.246:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | none | 895d51605c NEW | none [none] | none:none | none\|none | none | none |
| 02:37:00 | Win2K-f | 71.79.78.37 (RR.COM): ROAD RUNNER HOLDCO LLC, WESTERVILLE, OHIO, US. | n/a | US:microsoft.com US:download.microsoft.com US:192.221.96.126:80 US:199.93.53.126:80 US:204.160.126.124:80 | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 32 | 53bfe15e91 [Firefox:3675 hits: 06-17 to 11-02]; 73f1082158 [Firefox:1831 hits: 06-18 to 11-02] | none[4] 73f1082158[1] 73f1082158[1] | none:none; ASM:Graph | tElock\|; Armadillo\| | none; lines=81 | trace; trace |
| 02:43:00 | WinXP | 213.22.81.195 (CPE.NETCABO.PT): TVCABO-PORTUGAL CABLE MODEM NETWORK, PORTO, PORTO, PT. | n/a | RU:moscow-advokat.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 34 of 36 | 96d089e522 [Firefox:41 hits: 10-08 to 11-02] | none [none] | none:none | none\|none | none | none |
| T:03:00:00 | WinXP | 122.146.241.164 (SPARQNET.NET): NEW CENTURY INFOCOMM TECH. CO. LTD, TAIPEI, T'AI-PEI, TW. | n/a | US:microsoft.com US:download.microsoft.com US:192.221.96.126:80 US:205.128.70.126:80 US:8.12.202.125:80 | 135 | pcap | raw alerts ruleset | other 298 lines | Yeah : 1.3 profile | none | summary tarball | 29 of 33; 31 of 33 | dd98c3c108 [Firefox:11 hits: 06-24 to 10-29]; e98746deb1 [Firefox:10 hits: 06-24 to 10-29] | dd98c3c108 [1]; none [4] | ASM:Graph; none:none | Armadillo\|; tElock\| | lines=82; none | |