Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

PUBLIC PAGE

<Click here: to download BotHunter>

27 September 2009
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:01:59:00 WinXP 121.121.154.52 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 dcc4d7f9bb
NEW f63727b2f4 [0] none:none
PolyEnE| none trace

T:02:47:00 WinXP 83.21.161.16 (TPNET.PL):
NEOSTRADA PLUS,
SZCZECIN, ZACHODNIOPOMORSKIE, PL. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none [0] none:none
PolyEnE| lines=68 trace

T:02:57:00 WinXP 61.62.164.71 (SO-NET.NET.TW):
SONY NETWORK TAIWAN LIMITED,
TAOYUAN, T'AI-WAN, TW. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 41 eda3b7766c
NEW 7556343561 [0] none:none
PolyEnE| none trace

T:03:26:00 Win2K-f 65.34.30.26 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CLERMONT, FLORIDA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:04:39:00 WinXP 130.13.153.61 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 39 of 41 f2a8dafb30
NEW 1d0f660523 [0] none:none
PolyEnE| none trace

T:05:31:00 WinXP 203.114.106.147 (-):
BAMNETNARONGWITAYAKOMSCHOOL,
BANGKOK, KRUNG THEP, TH. (100Mbps) n/a 135 pcap raw alerts
ruleset other
454 lines Yeah : 1.3
profile none summary
tarball 31 of 41 cc88f4f016
NEW 3d17903825 [0] none:none
StarForce| none trace

T:06:39:00 Win2K-f 116.127.164.14 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 91.212.220.75:65520 US:microsoft.com
EU:proxima.ircgalaxy.pl
:gidromash.cn
:ottopay.cn
:nenastiya.cn
:www.petdoso.com
174.36.176.242:81 135 pcap raw alerts
ruleset irc
http
127 lines Yeah : 1.8
profile none summary
tarball 34 of 36
29 of 32
7 of 41
4 of 41
15 of 41 99b248336f
NEW
9d677c3f70
NEW
c7830331fc
NEW
e8a94c0024
NEW
f97bcf8374
NEW c64bd1a776 [0]
77e75ff10f[0]
7953649664[0]
9dd94e06a3[0]
9dd94e06a3[0]
none [4] none:none
none:none
none:none
none:none
none:none
Armadillo|
tElock|
tElock|
StarForce|
pex| none
none
none
none
none trace
trace
trace
trace
trace

T:08:44:00 WinXP 66.66.248.184 (RR.COM):
ROAD RUNNER HOLDCO LLC,
WATERLOO, NEW YORK, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
59 lines Yeah : 1.3
profile none summary
tarball 33 of 33
8 of 33 53bfe15e91
NEW
b7082104e4
NEW 1473091351 [0]
c5b49e7b82[0]
c5b49e7b82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=75
embedded dns
lines=41 trace
trace

T:10:05:00 Win2K-f 122.49.246.145 (CCNET-AI.NE.JP):
COMMUNITY NETWORK CENTER INC,
TOYOKAWA, AICHI, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 0 of 32
33 of 33 07fabc79ef
NEW
53bfe15e91
NEW none[0]
1473091351[0]
1473091351[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=81
lines=75
embedded dns trace
trace

T:10:45:00 Win2K-f 174.3.134.150 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
TORONTO, ONTARIO, CA. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:11:43:00 WinXP 174.3.26.44 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CA. (DSL) n/a 135 pcap raw alerts
ruleset other
433 lines Yeah : 1.3
profile none summary
tarball 39 of 41 dba6cd1d33
NEW ac7cd6d443 [0] none:none
ASPack| none trace

12:32:00 Win2K-f 190.4.207.243 (E-CORPNET.ORG):
TELEFONICA MOVIL DE CHILE S.A,
SANTIAGO, REGION METROPOLITANA, CL. (DSL) n/a US:www.maxmind.com
:checkip.dyndns.org
DE:131.220.6.26:80 445 pcap raw alerts
ruleset http
5 lines Yeah : 0.8
profile none summary
tarball 2 of 37 d60e538e72
NEW none [3] none:none
UPX| none trace

T:12:58:00 WinXP 189.24.65.80 (VELOXZONE.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
BELO HORIZONTE, MINAS GERAIS, BR. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 31 of 32 741e3b03b3
NEW none [0] none:none
none|none lines=61 trace

T:14:13:00 Win2K-f 61.67.124.3 (TW-AIRNET.NET):
CHWBN-NET,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
115 lines Yeah : 1.3
profile none summary
tarball 31 of 36
33 of 36 02fc26757d
NEW
9f5880bc0f
NEW c6e29542be [0]
58b1c7ef40[0]
58b1c7ef40[0] none:none
none:none
Armadillo|
StarForce| none
none trace
trace

T:14:57:00 Win2K-f 77.20.5.66 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
BREMERHAVEN, BREMEN, DE. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 39 of 41 29e407e21a
NEW c91b492a8b [0] none:none
Armadillo| none trace

T:14:58:00 WinXP 114.38.15.154 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 36 of 41 0dc5e34053
NEW 320071fd7b [0] none:none
Armadillo| none trace

T:14:58:00 WinXP 88.134.74.80 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
BERLIN, BERLIN, DE. (DSL) 66.252.13.212:16667 US:bbs.moiservice.com
US:66.252.13.212:16667 445 pcap raw alerts
ruleset ftp
irc
32 lines Yeah : 1.3
profile none summary
tarball 38 of 41 dc4dbc2bf7
NEW 33ecef1cca [0] none:none
Stranik| none trace

T:15:00:00 WinXP 173.28.214.210 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
CHANHASSEN, MINNESOTA, US. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 38 of 41 f9288312b5
NEW bfdbe01a07 [0] none:none
Armadillo| none trace

T:15:09:00 Win2K-f 189.18.118.233 (VELOXZONE.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
SãO PAULO, SAO PAULO, BR. (DSL) n/a 445 pcap raw alerts
ruleset ftp
9 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:15:20:00 WinXP 83.135.71.114 (VERSANET.DE):
VERSATEL DEUTSCHLAND,
DORTMUND, NORDRHEIN-WESTFALEN, DE. (DSL) 66.252.13.212:16667 US:bbs.moiservice.com
US:66.252.13.212:16667 445 pcap raw alerts
ruleset ftp
irc
31 lines Yeah : 1.3
profile none summary
tarball 40 of 41 7c153bb816
NEW 3e38bd1d25 [0] none:none
Stranik| none trace

T:15:20:00 Win2K-f 188.193.245.133 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
DE. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 33 of 41 de37f2fc47
NEW bac4cc6eec [0] none:none
Armadillo| none trace

T:15:32:00 Win2K-f 81.84.181.166 (CPE.NETCABO.PT):
TVCABO-PORTUGAL CABLE MODEM NETWORK,
LISBON, LISBOA, PT. (DSL) n/a 445 pcap raw alerts
ruleset other
0 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:15:34:00 WinXP 78.226.226.14 (PROXAD.NET):
PROXAD / FREE SAS,
PARIS, ILE-DE-FRANCE, FR. (DSL) 66.252.13.212:16667 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 1.3
profile none summary
tarball 39 of 41 1f69f4e905
NEW bf861f894b [0] none:none
Armadillo| none trace

T:15:39:00 WinXP 91.67.158.131 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
BAYREUTH, BAYERN, DE. (DSL) n/a 445 pcap raw alerts
ruleset ftp
10 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:15:47:00 Win2K-f 78.227.212.184 (PROXAD.NET):
PROXAD / FREE SAS,
TOULOUSE, MIDI-PYRENEES, FR. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 39 of 41 6a9ddd72bb
NEW 940af3d988 [0] none:none
Armadillo| none trace

T:15:49:00 WinXP 173.29.130.232 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
CHANHASSEN, MINNESOTA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 36 of 41
38 of 40 067917e07b
NEW
d764c1dcb2
NEW dae35b319c [0]
3d2bc60c5d[0]
3d2bc60c5d[0] none:none
none:none
Armadillo|
tElock| none
none trace
trace

T:15:55:00 WinXP 85.138.36.96 (CPE.NETCABO.PT):
TVCABO-PORTUGAL CABLE MODEM NETWORK,
FARO, FARO, PT. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none [0] none:none
PolyEnE| lines=68 trace

T:16:07:00 Win2K-f 70.182.165.141 (COX.NET):
COX COMMUNICATIONS,
FAYETTEVILLE, ARKANSAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:16:17:00 WinXP 63.28.51.232 (UU.NET):
UUNET TECHNOLOGIES INC,
FREDERICKSBURG, VIRGINIA, US. (DSL) n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
RU:www.bbin.ru
:wpad
RU:www.binbank.ru
GB:welcome3.smile.co.uk
DE:212.227.111.29:80
DE:217.11.54.126:80
EU:78.47.200.154:80 445 pcap raw alerts
ruleset http
http
http
26 lines Yeah : 0.8
profile none summary
tarball 29 of 29 a12cab51ef
NEW none [0] none:none
ASPack| lines=281
embedded dns trace

T:16:19:00 WinXP 190.209.40.215 (-):
TELMEX CHILE S.A HFC,
SANTIAGO, REGION METROPOLITANA, CL. (DSL) n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 dcc4d7f9bb
NEW f63727b2f4 [0] none:none
PolyEnE| none trace

T:16:23:00 Win2K-f 85.138.209.94 (CPE.NETCABO.PT):
TVCABO-PORTUGAL CABLE MODEM NETWORK,
FARO, FARO, PT. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 39 of 41 a9c5179d74
NEW 48e0c7e36a [0] none:none
Armadillo| none trace

T:16:49:00 Win2K-f 188.192.189.26 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
DE. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 39 of 41 94716a73b0
NEW 6b5fdc79fd [0] none:none
Armadillo| none trace

T:16:57:00 WinXP 92.226.94.4 (ALICEDSL.DE):
HANSENET-ADSL,
HAMBURG, HAMBURG, DE. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 39 of 41 5d643abe90
NEW 888af3572a [0] none:none
Armadillo| none trace

T:16:57:00 Win2K-f 212.117.11.92 (INTURBO.LT):
INTURBO BROADBAND NETWORK,
LT. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 40 of 41 fedffe273e
NEW 1f577beaa8 [0] none:none
Stranik| none trace

T:17:01:00 WinXP 72.21.131.167 (MINDSPRING.COM):
EARTHLINK INC,
TORRANCE, CALIFORNIA, US. (DSL) n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset other
0 lines Yeah : 0.8
profile none summary
tarball 29 of 29 042774a2b7
NEW none [0] none:none
PolyEnE| lines=69
embedded dns trace

T:17:09:00 WinXP 218.167.56.68 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 33 of 41 de37f2fc47
NEW bac4cc6eec [0] none:none
Armadillo| none trace

T:17:14:00 WinXP 87.97.214.29 (PL.EKK.BG):
EKK CATV PLOVDIV,
PLOVDIV, PLOVDIV, BG. (DSL) n/a 445 pcap raw alerts
ruleset other
0 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:17:17:00 WinXP 77.23.165.249 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
BERLIN, BERLIN, DE. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 39 of 41 9fdc9cf56c
NEW 7915c81794 [0] none:none
Armadillo| none trace

T:17:30:00 Win2K-f 70.65.149.89 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
LETHBRIDGE, ALBERTA, CA. (DSL) n/a 135 pcap raw alerts
ruleset other
419 lines Yeah : 1.3
profile none summary
tarball 40 of 41 78cfa70905
NEW c17d8c800f [0] none:none
PENinja S| none trace

T:18:15:00 WinXP 122.121.209.253 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 33 of 41 b0c46107a6
NEW bac4cc6eec [0] none:none
Armadillo| none trace

T:18:36:00 Win2K-f 88.134.74.80 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
BERLIN, BERLIN, DE. (DSL) 66.252.13.212:16667 US:bbs.moiservice.com 445 pcap raw alerts
ruleset ftp
irc
36 lines Yeah : 1.3
profile none summary
tarball 38 of 41 dc4dbc2bf7
NEW 33ecef1cca [0] none:none
Stranik| none trace

T:18:51:00 WinXP 118.169.136.164 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 33 of 41 de37f2fc47
NEW bac4cc6eec [0] none:none
Armadillo| none trace

T:19:03:00 WinXP 118.87.20.81 (ODWR.J-CNET.JP):
ODAWARA CABLETV INTERNET SERVICE,
ODAWARA, KANAGAWA, JP. (DSL) 67.43.236.66:8080 72.10.172.211:8080 CA:xx.ka3ek.com
:idfc.info
CA:67.43.226.242:8080
CA:67.43.236.66:8080 135 pcap raw alerts
ruleset irc
http
344 lines Yeah : 1.8
profile none summary
tarball 29 of 41
32 of 38
38 of 41 39336e51eb
NEW
524bc0f75c
NEW
820b27d4c6
NEW 3f5ab71d39 [0]
d3e9510bb3[0]
1102de0215[0]
1102de0215[0] none:none
none:none
none:none
Neolite|
PENinja S|
Armadillo| none
none
none trace
trace
trace

T:20:10:00 WinXP 172.165.117.213 (AOL.COM):
AMERICA ONLINE,
US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
121 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:21:01:00 WinXP 66.66.248.184 (RR.COM):
ROAD RUNNER HOLDCO LLC,
WATERLOO, NEW YORK, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
60 lines Yeah : 1.3
profile none summary
tarball 33 of 33
8 of 33 53bfe15e91
NEW
b7082104e4
NEW 1473091351 [0]
c5b49e7b82[0]
c5b49e7b82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=75
embedded dns
lines=41 trace
trace

21:42:00 WinXP 200.219.76.216 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball 39 of 41 f2a8dafb30
NEW 1d0f660523 [0] none:none
PolyEnE| none trace

T:22:28:00 Win2K-f 96.13.114.48 (WINDSTREAM.NET):
ALLTEL MIP CUSTOMERS - ATLANTA,
THOMASVILLE, GEORGIA, US. (DSL) n/a 135 pcap raw alerts
ruleset other
814 lines Yeah : 1.3
profile none summary
tarball 30 of 40 8f0bb9144b
NEW 7583fe4738 [0] none:none
Armadillo| none trace

T:23:45:00 WinXP 112.203.118.72 (PLDT.NET):
IPG,
LAS PINAS CITY, MANILA, PH. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 41 eda3b7766c
NEW 7556343561 [0] none:none
PolyEnE| none trace

T:23:51:00 WinXP 70.60.184.47 (RR.COM):
ROAD RUNNER HOLDCO LLC,
MEMPHIS, TENNESSEE, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 18 of 35
0 of 32 218ce30f5c
NEW
73f1082158
NEW none [3]
none [0] none:none
none:none
none|none
Armadillo| none
lines=90 trace
trace