Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

PUBLIC PAGE

<Click here: to download BotHunter>

12 November 2008
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:13:00 Win2K-f 24.213.224.230 (RR.COM):
ROAD RUNNER HOLDCO LLC,
AMSTERDAM, NEW YORK, US. 		n/a US:microsoft.com
US:download.microsoft.com
US:192.221.96.126:80
US:198.78.220.124:80
US:207.123.46.126:80 		135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
[Firefox:3886 hits: 06-17 to 11-10]
a08f3b74a4
[Firefox:1395 hits: 06-18 to 11-10] 		none[4]
a08f3b74a4[1]
a08f3b74a4[1] 		none:none
ASM:Graph
 tElock|
Armadillo| 		none
lines=81 		trace
trace
01:10:00 WinXP 220.142.131.60 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TW. 		n/a RU:moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		25 of 25 7f60162c2c
[Firefox:857 hits: 12-31 to 11-10] 		1aad8e4632 [0] ASM:Graph
 PolyEnE| lines=93
embedded dns 		trace
01:14:00 Win2K-f 70.64.8.16 (GASOC.COM):
SHAW COMMUNICATIONS INC,
SASKATOON, SASKATCHEWAN, CA. (DSL) 		n/a US:microsoft.com
US:download.microsoft.com
US:198.78.220.126:80
US:199.93.44.124:80
US:205.128.73.126:80 		135 pcap raw alerts
ruleset 		other
111 lines 		Yeah : 1.3
profile 		none summary
tarball 		34 of 36
32 of 36		 2e43dc0077
[Firefox:14 hits: 10-01 to 11-10]
3fd58319f0
[Firefox: 2 hits: 10-08 to 10-30] 		none [none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
01:23:00 WinXP 24.69.187.101 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CALGARY, ALBERTA, CA. (DSL) 		n/a US:microsoft.com
US:download.microsoft.com
US:192.221.110.126:80
US:205.128.70.126:80
US:205.128.73.126:80 		135 pcap raw alerts
ruleset 		other
238 lines 		Yeah : 1.3
profile 		none summary
tarball 		32 of 36
33 of 36		 090753e602
[Firefox: 7 hits: 10-09 to 10-30]
79595a71bb
[Firefox: 7 hits: 10-09 to 10-30] 		none [none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
01:36:00 WinXP 85.103.195.194 (TTNET.NET.TR):
TURK TELEKOM ADSL-ALCATEL,
ISTANBUL, ISTANBUL, TR. 		n/a RU:moscow-advokat.ru
US:lia.zanet.net
:los-angeles.ca.us.undernet.org
:flanders.be.eu.undernet.org
NL:diemen.nl.eu.undernet.org
:lulea.se.eu.undernet.org
:gaspode.zanet.org.za
SE:ozbytes.dal.net
:brussels.be.eu.undernet.org
:washington.dc.us.undernet.org
SE:qis.md.us.dal.net
RU:194.6.222.11:6667 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		none summary
tarball 		35 of 36 0548660ce6
NEW 		none [none] none:none
 none|none none none
01:48:00 WinXP 82.233.168.212 (PROXAD.NET):
PROXAD / FREE SAS,
NICE, PROVENCE-ALPES-COTE D'AZUR, FR. 		n/a UA:citi-bank.ru
UA:194.54.90.246:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		35 of 36 06a5e31b47
[Firefox: 8 hits: 10-28 to 11-10] 		none [none] none:none
 none|none none none
T:02:05:00 WinXP 115.81.108.168 (-):
. 		n/a UA:citi-bank.ru
UA:194.54.90.246:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		34 of 36 786c3bb507
NEW 		none [none] none:none
 none|none none none
02:08:00 WinXP 119.154.15.237 (-):
. 		n/a   445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:02:09:00 WinXP 118.0.236.241 (-):
. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
14 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 831f4ee0a7
[Firefox:679 hits: 01-01 to 11-10] 		eb7546c600 [0] ASM:Graph
 none|none lines=61 trace
02:12:00 Win2K-f 125.4.2.34 (ZAQ.NE.JP):
HIGASHI-OSAKA CABLE TELEVISION CO. LTD,
OSAKA, OSAKA, JP. 		n/a US:microsoft.com
US:download.microsoft.com
US:205.128.73.126:80 		135 pcap raw alerts
ruleset 		http
76 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32
33 of 33		 07fabc79ef
[Firefox:25 hits: 06-19 to 11-03]
53bfe15e91
[Firefox:3886 hits: 06-17 to 11-10] 		07fabc79ef [1]
none [4] 		ASM:Graph
none:none
 Armadillo|
tElock| 		lines=81
none 		trace
trace
02:13:00 WinXP 87.121.169.4 (NETERRA.NET):
NETERRAIP,
BG. 		n/a EU:proxim.ircgalaxy.pl
RU:moscow-advokat.ru
EU:79.132.211.24:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		34 of 36 805afbac09
[Firefox: 5 hits: 10-31 to 11-10] 		none [none] none:none
 none|none none none
02:29:00 WinXP 119.154.32.216 (-):
. 		194.54.90.246:80 UA:citi-bank.ru 445 pcap raw alerts
ruleset 		http
3 lines 		Yeah : 1.3
profile 		none summary
tarball 		35 of 36 771f87c713
[Firefox: 4 hits: 11-02 to 11-04] 		none [none] none:none
 none|none none none
02:38:00 WinXP 41.214.150.213 (-):
. 		n/a UA:citi-bank.ru
UA:194.54.90.246:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		35 of 36 bf9f26628c
[Firefox:13 hits: 10-11 to 11-09] 		none [none] none:none
 none|none none none
02:39:00 WinXP 64.139.104.242 (RCABLETV.COM):
NCI DATA.COM INC,
REPUBLIC, WASHINGTON, US. (DSL) 		n/a US:microsoft.com
US:download.microsoft.com
US:205.128.73.126:80
US:206.33.45.125:80
US:207.123.37.124:80 		135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
[Firefox:3886 hits: 06-17 to 11-10]
73f1082158
[Firefox:1928 hits: 06-18 to 11-10] 		none[4]
73f1082158[1]
73f1082158[1] 		none:none
ASM:Graph
 tElock|
Armadillo| 		none
lines=81 		trace
trace
T:02:47:00 WinXP 118.169.217.6 (-):
. 		n/a UA:citi-bank.ru
UA:194.54.90.246:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		35 of 36 06a5e31b47
[Firefox: 8 hits: 10-28 to 11-10] 		none [none] none:none
 none|none none none
T:02:50:00 Win2K-f 115.83.207.73 (-):
. 		79.132.211.24:65520 EU:proxim.ircgalaxy.pl
US:microsoft.com
US:download.microsoft.com
US:198.78.220.124:80
US:199.93.44.124:80
US:205.128.70.126:80
EU:79.132.211.24:65520 		135 pcap raw alerts
ruleset 		irc
241 lines 		Yeah : 1.8
profile 		none summary
tarball 		34 of 36
32 of 36		 cc91fb83d8
[Firefox: 2 hits: 10-20 to 11-09]
d224be6e3b
[Firefox: 2 hits: 10-20 to 11-09] 		none [none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
02:55:00 Win2K-f 60.249.118.241 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TW. 		n/a US:microsoft.com
US:download.microsoft.com
US:205.128.73.126:80
US:207.123.42.126:80 		135 pcap raw alerts
ruleset 		http
76 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
[Firefox:3886 hits: 06-17 to 11-10]
57ce4acac2
[Firefox:337 hits: 06-17 to 11-10] 		none[4]
57ce4acac2[1]
57ce4acac2[1] 		none:none
ASM:Graph
 tElock|
Armadillo| 		none
lines=81 		trace
trace
03:15:00 WinXP 93.144.66.212 (APEXCOVANTAGE.COM):
EU-ZZ,
UK. 		n/a UA:citi-bank.ru
UA:194.54.90.246:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		36 of 36 6f880fc1bd
NEW 		none [none] none:none
 none|none none none
T:03:26:00 WinXP 122.53.35.180 (PLDT.NET):
IPG,
PH. 		79.132.211.24:65520 US:microsoft.com
US:download.microsoft.com
EU:proxim.ircgalaxy.pl
US:199.93.44.126:80
EU:79.132.211.24:65520 		135 pcap raw alerts
ruleset 		http
irc
141 lines 		Yeah : 1.8
profile 		none summary
tarball 		29 of 33
33 of 33
0 of 33		 16874933ea
[Firefox:61 hits: 06-18 to 11-08]
76ee340669
[Firefox:61 hits: 06-18 to 11-08]
e07c29c4ae
[Firefox:828 hits: 06-19 to 11-10] 		16874933ea [1]
none [4]
e07c29c4ae[1]
e07c29c4ae[1] 		ASM:Graph
none:none
ASM:Graph
 Armadillo|
PolyEnE|
FSG| 		lines=82
none
lines=92 		trace
trace
trace
03:54:00 WinXP 82.251.235.103 (PROXAD.NET):
PROXAD / FREE SAS,
NICE, PROVENCE-ALPES-COTE D'AZUR, FR. (DSL) 		194.54.90.246:80 UA:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		35 of 36 5d7c7f2ec8
[Firefox: 4 hits: 10-25 to 10-31] 		none [none] none:none
 none|none none none
T:03:54:00 WinXP 82.251.235.103 (PROXAD.NET):
PROXAD / FREE SAS,
NICE, PROVENCE-ALPES-COTE D'AZUR, FR. (DSL) 		n/a UA:citi-bank.ru
UA:194.54.90.246:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		35 of 36 5d7c7f2ec8
[Firefox: 4 hits: 10-25 to 10-31] 		none [none] none:none
 none|none none none
T:04:00:00 WinXP 24.74.19.152 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CHARLOTTE, NORTH CAROLINA, US. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
16 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 1a2c0e6130
[Firefox:531 hits: 12-31 to 11-10] 		048df78048 [0]