Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

PUBLIC PAGE

<Click here: to download BotHunter>

14 November 2008
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:12:00 Win2K-f 78.96.186.233 (ASTRAL.RO):
ASTRAL TELECOM SA,
RO. 63.173.172.98:6668
US:63.173.172.98:6668 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 1.3
profile none summary
tarball 28 of 35 3f4f3c33fe
[Firefox: 5 hits: 10-28 to 11-09] none [none] none:none
none|none none none

00:14:00 Win2K-f 58.231.109.157 (-):
THRUNET-INFRA-SEOUL08,
SEOUL, KYONGGI-DO, KR. 63.173.172.98:6668
US:63.173.172.98:6668 139 pcap raw alerts
ruleset ftp
23 lines Yeah : 1.3
profile none summary
tarball 29 of 36 af782db102
[Firefox: 2 hits: 10-26 to 11-07] none [none] none:none
none|none none none

00:14:00 WinXP 119.149.81.160 (-):
. 63.173.172.98:6667
US:63.173.172.98:6667 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 1.3
profile none summary
tarball 30 of 35 885d9d9090
[Firefox: 4 hits: 10-26 to 11-13] none [none] none:none
none|none none none

00:15:00 Win2K-f 124.241.145.23 (STARCAT.NE.JP):
KMN CORPORATION,
NAGOYA, AICHI, JP. n/a US:microsoft.com
US:download.microsoft.com
US:198.78.201.126:80 135 pcap raw alerts
ruleset http
79 lines Yeah : 1.3
profile none summary
tarball 32 of 33
9 of 33
0 of 32 2851817490
[Firefox: 9 hits: 06-27 to 11-01]
624c441842
[Firefox: 6 hits: 06-27 to 11-01]
b5919931fe
[Firefox:1124 hits: 06-20 to 11-13] none[none]
none [none]
b5919931fe[1]
b5919931fe[1] none:none
none:none
ASM:Graph
none|none
none|none
ASProtect| none
none
lines=90 none
none
trace

00:16:00 Win2K-f 222.234.216.85 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. n/a 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball none af222ae6db
[Firefox:33 hits: 08-15 to 11-09] none [none] none:none
none|none none none

00:16:00 WinXP 58.234.14.3 (-):
THRUNET-INFRA-SEOUL15,
SEOUL, KYONGGI-DO, KR. 63.173.172.98:6667
US:63.173.172.98:6667 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 1.3
profile none summary
tarball 34 of 36 ead12a6c02
[Firefox:37 hits: 09-26 to 11-10] none [none] none:none
none|none none none

00:20:00 WinXP 123.204.143.138 (SEED.NET.TW):
DIGITAL UNITED INC,
TAIPEI, T'AI-PEI, TW. (DSL) 194.54.90.246:80 UA:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 34 of 36 b1c85cee4b
[Firefox:31 hits: 10-27 to 11-13] none [none] none:none
none|none none none

T:00:20:00 WinXP 94.96.80.194 (-):
. n/a UA:citi-bank.ru
UA:194.54.90.246:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 34 of 36 b1c85cee4b
[Firefox:31 hits: 10-27 to 11-13] none [none] none:none
none|none none none

T:00:22:00 WinXP 58.233.132.135 (-):
THRUNET-INFRA-SEOUL14,
SEOUL, KYONGGI-DO, KR. 63.173.172.98:6668
US:63.173.172.98:6668 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 1.3
profile none summary
tarball 29 of 36 af782db102
[Firefox: 2 hits: 10-26 to 11-07] none [none] none:none
none|none none none

T:00:25:00 Win2K-f 211.211.206.52 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. 63.173.172.98:6668
US:63.173.172.98:6668 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 1.3
profile none summary
tarball 29 of 34 5b7b606a3c
NEW none [none] none:none
none|none none none

T:00:30:00 WinXP 58.236.100.161 (-):
THRUNET-INFRA-INCHEON09,
SEOUL, KYONGGI-DO, KR. 63.173.172.98:6668
US:63.173.172.98:6668 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 1.3
profile none summary
tarball 31 of 36 16fe4d40d8
[Firefox: 4 hits: 10-29 to 11-07] none [none] none:none
none|none none none

T:00:46:00 Win2K-f 222.233.29.38 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. n/a 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 25 of 36 bcae797d03
[Firefox:35 hits: 08-01 to 11-07] none [none] none:none
none|none none none

T:00:49:00 Win2K-f 78.96.169.174 (ASTRAL.RO):
ASTRAL TELECOM SA,
RO. n/a 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 27 of 35 e019377a4f
[Firefox: 6 hits: 10-28 to 11-07] none [none] none:none
none|none none none

00:57:00 Win2K-f 61.125.248.114 (ASAHI-NET.OR.JP):
ASAHI NET,
JP. (DIAL) n/a 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 21 of 36 b724b621a2
[Firefox:15 hits: 10-26 to 11-07] none [none] none:none
none|none none none

01:00:00 Win2K-f 219.255.111.145 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. 63.173.172.98:6668
US:63.173.172.98:6668 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 1.3
profile none summary
tarball 29 of 36 af782db102
[Firefox: 2 hits: 10-26 to 11-07] none [none] none:none
none|none none none

01:01:00 WinXP 87.61.171.80 (IP.TELE.DK):
TDC-TELEDANMARK-BREDBAANDSADSL-NET,
DK. n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
:wpad
DE:217.11.54.126:80
EU:78.47.200.154:80 445 pcap raw alerts
ruleset http
http
6 lines Yeah : 0.8
profile none summary
tarball 29 of 29 df17a625ee
[Firefox:228 hits: 04-06 to 11-13] 9bbdd086c5 [0] ASM:Graph
ASPack| lines=186
embedded dns trace

T:01:04:00 Win2K-f 218.238.193.115 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. 63.173.172.98:6668 139 pcap raw alerts
ruleset ftp
irc
22 lines Yeah : 1.3
profile none summary
tarball 29 of 36 72c08ed557
[Firefox: 2 hits: 10-22 to 11-05] none [none] none:none
none|none none none

01:06:00 Win2K-f 61.4.212.40 (-):
CJ CABLENET PUKINCHEON BROADCASTING,
INCHON, KYONGGI-DO, KR. n/a 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 29 of 36 cc8840e4b7
[Firefox: 9 hits: 10-20 to 11-09] none [none] none:none
none|none none none

T:01:07:00 WinXP 122.53.105.33 (PLDT.NET):
IPG,
PH. n/a UA:citi-bank.ru
UA:194.54.90.246:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 35 of 36 289d74b4ce
[Firefox:12 hits: 11-03 to 11-12] none [none] none:none
none|none none none

01:12:00 WinXP 122.221.154.189 (UCOM.NE.JP):
UCOM CORP,
JP. 63.173.172.98:6667
US:63.173.172.98:6667 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 1.3
profile none summary
tarball 25 of 35 1be9d03a2b
[Firefox:35 hits: 07-29 to 11-13] none [none] none:none
none|none none none

T:01:13:00 WinXP 218.37.231.173 (-):
HANVITINB-INFRA,
SEOUL, KYONGGI-DO, KR. 63.173.172.98:6668 139 pcap raw alerts
ruleset ftp
irc
26 lines Yeah : 1.3
profile none summary
tarball 34 of 36 021884fd26
NEW none [none] none:none
none|none none none

01:14:00 Win2K-f 211.209.39.79 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. n/a 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 29 of 36 e28f44cb36
NEW none [none] none:none
none|none none none

01:14:00 WinXP 219.74.16.237 (SINGNET.COM.SG):
SINGNET PTE LTD,
SINGAPORE, SINGAPORE, SG. 63.173.172.98:6668
US:63.173.172.98:6668 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 1.3
profile none summary
tarball 30 of 36 3a95dbdc43
NEW none [none] none:none
none|none none none

01:17:00 Win2K-f 219.251.192.245 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. n/a US:microsoft.com
US:download.microsoft.com
EU:proxima.ircgalaxy.pl
US:204.160.126.126:80
US:207.123.42.126:80
US:4.23.60.125:80
EU:79.132.211.24:65520 135 pcap raw alerts
ruleset other
86 lines Yeah : 1.3
profile none summary
tarball 30 of 32
33 of 33 5364c612fa
[Firefox: 8 hits: 07-06 to 09-21]
53bfe15e91
[Firefox:3939 hits: 06-17 to 11-13] none [none]
none [4] none:none
none:none
none|none
tElock| none
none none
trace

01:24:00 Win2K-f 67.223.137.107 (-):
. n/a 139 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 25 of 36 7c2b50c774
[Firefox:49 hits: 08-01 to 11-09] none [none] none:none
none|none none none

T:01:28:00 WinXP 125.230.196.178 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TW. 63.173.172.98:6668
US:63.173.172.98:6668 139 pcap raw alerts
ruleset ftp
irc
22 lines Yeah : 1.3
profile none summary
tarball