Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

PUBLIC PAGE

<Click here: to download BotHunter>

19 November 2008
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:09:00 Win2K-f 218.113.72.58 (BBTEC.NET):
JAPAN NATION-WIDE NETWORK OF SOFTBANK BB CORP,
OSAKA, OSAKA, JP. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
[Firefox:4037 hits: 06-17 to 11-18]
a08f3b74a4
[Firefox:1447 hits: 06-18 to 11-18] 		none[4]
a08f3b74a4[1]
a08f3b74a4[1] 		none:none
ASM:Graph
 tElock|
Armadillo| 		none
lines=81 		trace
trace
T:00:16:00 Win2K-f 68.146.209.203 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CALGARY, ALBERTA, CA. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
[Firefox:4037 hits: 06-17 to 11-18]
73f1082158
[Firefox:2004 hits: 06-18 to 11-18] 		none[4]
73f1082158[1]
73f1082158[1] 		none:none
ASM:Graph
 tElock|
Armadillo| 		none
lines=81 		trace
trace
T:00:21:00 WinXP 117.99.5.204 (XLRI.AC.IN):
BHARTI AIRTEL LTD,
DELHI, DELHI, IN. 		n/a UA:citi-bank.ru
UA:194.54.90.246:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		29 of 29 a0139d7ad8
[Firefox:181 hits: 04-10 to 11-18] 		d9e9662db1 [0] ASM:Graph
 PolyEnE| lines=68 trace
T:00:27:00 WinXP 121.73.117.16 (TELSTRACLEAR.NET):
TELECOMMUNICATIONS COMPANY,
NZ. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
348 lines 		Yeah : 1.3
profile 		none summary
tarball 		32 of 36
34 of 36		 7f89b38665
[Firefox:39 hits: 08-02 to 11-15]
a51a50404e
[Firefox:39 hits: 08-02 to 11-15] 		none [none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
00:32:00 WinXP 82.207.41.7 (UKRTEL.NET):
UKRTELECOM IP ACCESS NETWORK,
UA. 		n/a   445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
00:48:00 Win2K-f 64.127.0.163 (-):
CITY OF PHILIPPI,
ACWORTH, GEORGIA, US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
387 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 36
34 of 36		 235d9f7aba
NEW
28d72b163a
NEW 		none [none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
00:59:00 WinXP 203.196.65.116 (KAGACABLE.NE.JP):
KAGA CABLE TELEVISION CO.LTD,
JP. (DSL) 		n/a RU:moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		none summary
tarball 		25 of 25 7f60162c2c
[Firefox:758 hits: 12-31 to 11-18] 		1aad8e4632 [0] ASM:Graph
 PolyEnE| lines=93
embedded dns 		trace
01:06:00 Win2K-f 211.22.95.84 (JEANCO.COM.TW):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
[Firefox:4037 hits: 06-17 to 11-18]
73f1082158
[Firefox:2004 hits: 06-18 to 11-18] 		none[4]
73f1082158[1]
73f1082158[1] 		none:none
ASM:Graph
 tElock|
Armadillo| 		none
lines=81 		trace
trace
01:20:00 WinXP 24.189.30.113 (OPTONLINE.NET):
OPTIMUM ONLINE (CABLEVISION SYSTEMS),
BROOKLYN, NEW YORK, US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
[Firefox:4037 hits: 06-17 to 11-18]
73f1082158
[Firefox:2004 hits: 06-18 to 11-18] 		none[4]
73f1082158[1]
73f1082158[1] 		none:none
ASM:Graph
 tElock|
Armadillo| 		none
lines=81 		trace
trace
01:33:00 Win2K-f 61.218.192.234 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
KAOHSIUNG, KAO-HSIUNG, TW. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
80 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
[Firefox:4037 hits: 06-17 to 11-18]
57ce4acac2
[Firefox:356 hits: 06-17 to 11-18] 		none[4]
57ce4acac2[1]
57ce4acac2[1] 		none:none
ASM:Graph
 tElock|
Armadillo| 		none
lines=81 		trace
trace
T:01:34:00 Win2K-f 85.95.210.118 (CALIXO.NET):
VIALIS - REGIE MUNICIPALE DE COLMAR,
FR. 		63.173.172.98:6668  
US:63.173.172.98:6668 		139 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 1.3
profile 		none summary
tarball 		23 of 36 995f3b198b
NEW 		none [none] none:none
 none|none none none
T:01:46:00 WinXP 24.83.218.254 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
VANCOUVER, BRITISH COLUMBIA, CA. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		31 of 36
33 of 36		 02fc26757d
NEW
9f5880bc0f
NEW 		none [none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
01:52:00 Win2K-f 76.189.27.207 (RR.COM):
ROAD RUNNER HOLDCO LLC,
WESTLAKE, OHIO, US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
[Firefox:4037 hits: 06-17 to 11-18]
73f1082158
[Firefox:2004 hits: 06-18 to 11-18] 		none[4]
73f1082158[1]
73f1082158[1] 		none:none
ASM:Graph
 tElock|
Armadillo| 		none
lines=81 		trace
trace
T:02:12:00 WinXP 93.102.5.115 (APEXCOVANTAGE.COM):
EU-ZZ,
UK. 		n/a UA:citi-bank.ru
UA:194.54.90.246:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		26 of 28 7d99b0e910
[Firefox:1121 hits: 12-31 to 11-18] 		7a70e1b592 [0] ASM:Graph
 PolyEnE| lines=68 trace
02:25:00 Win2K-f 202.161.189.43 (ALAPCOM.COM):
ALAP COMMUNICATION LTD. DATA/INTERNET SERVICE,
BD. 		79.132.211.24:65520 EU:proxim.ircgalaxy.pl 135 pcap raw alerts
ruleset 		irc
403 lines 		Yeah : 1.8
profile 		none summary
tarball 		32 of 36 3ea3e1ad41
NEW 		none [none] none:none
 none|none none none
02:40:00 WinXP 74.46.92.236 (FRONTIERNET.NET):
FRONTIER COMMUNICATIONS OF AMERICA INC,
US. 		79.132.211.24:65520 EU:proxim.ircgalaxy.pl
CN:fleshkatera.cn
CN:lolika.cn
CN:www.upononjob.cn
CN:mulfika.cn
US:do-power-scan.com
US:av-pro-2009.com
:wpad 		445 pcap raw alerts
ruleset 		http
irc
44 lines 		Yeah : 1.3
profile 		none summary
tarball 		34 of 35
11 of 36
16 of 36
11 of 36		 017f3b2704
[Firefox: 6 hits: 10-26 to 11-15]
752d7e4cf2
NEW
9ffd4ae260
NEW
fb8f82fcb3
[Firefox:34 hits: 10-24 to 11-15] 		none [none]
none [none]
none [none]
none [none] 		none:none
none:none
none:none
none:none
 none|none
none|none
none|none
none|none 		none
none
none
none 		none
none
none
none
02:44:00 WinXP 218.173.13.195 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TW. 		63.173.172.98:6667  
US:63.173.172.98:6667 		139 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 1.3
profile 		none summary
tarball 		25 of 36 7c2b50c774
[Firefox:53 hits: 08-01 to 11-16] 		none [none] none:none
 none|none none none
T:03:15:00 Win2K-f 67.63.113.69 (SPEAKEASY.NET):
US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
[Firefox:4037 hits: 06-17 to 11-18]
a08f3b74a4
[Firefox:1447 hits: 06-18 to 11-18] 		none[4]
a08f3b74a4[1]
a08f3b74a4[1] 		none:none
ASM:Graph
 tElock|
Armadillo| 		none
lines=81 		trace
trace
T:03:18:00 WinXP 201.49.205.164 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) 		n/a EU:proxim.ircgalaxy.pl
UA:citi-bank.ru
UA:194.54.90.246:80
EU:79.132.211.24:65520 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		34 of 36 9bb68450cd
[Firefox:18 hits: 10-26 to 11-16] 		none [none] none:none
 none|none none none
T:03:33:00 Win2K-f 60.250.30.117 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TW. 		67.43.236.98:5190 CA:xx.sqlteam.info
CA:alwayssam.com
CA:zonetech.info 		135 pcap raw alerts
ruleset 		irc
http
282 lines 		Yeah : 1.8
profile 		none summary
tarball 		21 of 36
31 of 33
15 of 36		 41b9df60db
[Firefox:11 hits: 11-03 to 11-18]
954a98c971
[Firefox:12 hits: 06-09 to 11-03]
cada8d5adf
[Firefox:10 hits: 11-03 to 11-18] 		none [none]
none [4]
none [none]