Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

PUBLIC PAGE

<Click here: to download BotHunter>

30 September 2009
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:29:00 Win2K-f 203.114.106.149 (-):
BAMNETNARONGWITAYAKOMSCHOOL,
BANGKOK, KRUNG THEP, TH. (100Mbps) n/a 135 pcap raw alerts
ruleset other
3 lines Argh : 0.3
profile none summary
tarball none none none none none none none

T:00:59:00 Win2K-f 97.107.33.63 (DCWIS.COM):
ONLINE DOOR COUNTY,
FISH CREEK, WISCONSIN, US. (DSL) n/a 135 pcap raw alerts
ruleset other
18 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:01:58:00 Win2K-f 71.189.119.92 (-):
LINDA LIU,
ONTARIO, CALIFORNIA, US. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:02:02:00 WinXP 70.184.102.222 (COX.NET):
COX COMMUNICATIONS,
PHOENIX, ARIZONA, US. (100Mbps) 218.93.205.30:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
CN:dl.guarddog2009.com
EU:91.212.220.75:65520 135 pcap raw alerts
ruleset irc
http
129 lines Yeah : 1.8
profile none summary
tarball 23 of 41
32 of 36
35 of 36 5d721a4dee
NEW
bea8cb1865
NEW
fac78fde16
NEW 6afc8cafab [0]
154de51a66[0]
882896ab05[0]
882896ab05[0] none:none
ASM:Graph
none:none
UPX|
Armadillo|
tElock| none
lines=91
none trace
trace
trace

T:03:07:00 Win2K-f 97.97.68.230 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CLEARWATER, FLORIDA, US. (DSL) n/a 135 pcap raw alerts
ruleset other
1002 lines Yeah : 1.3
profile none summary
tarball 32 of 41 43b8f21924
NEW none [3] none:none
none|none none trace

04:28:00 Win2K-f 190.48.238.123 (COM.AR):
TELEFONICA DE ARGENTINA,
BUENOS AIRES, BUENOS AIRES, AR. (DSL) n/a US:www.maxmind.com 445 pcap raw alerts
ruleset http
3 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:04:37:00 Win2K-f 190.48.238.123 (COM.AR):
TELEFONICA DE ARGENTINA,
BUENOS AIRES, BUENOS AIRES, AR. (DSL) n/a US:www.maxmind.com
US:www.getmyip.org
:checkip.dyndns.org 445 pcap raw alerts
ruleset http
5 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:06:18:00 WinXP 83.91.165.128 (DSL.TELE.DK):
TDC-TELEDANMARK-BREDBAANDSADSL-NET,
FREDERIKSBERG, FREDERIKSBORG, DK. (DSL) n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 33 of 35 e9fcd6f257
NEW 2e05bc2272 [0] ASM:Graph
PolyEnE| lines=68 trace

T:06:29:00 Win2K-f 95.134.120.168 (UKRTEL.NET):
UKRTELECOM,
KIEV, KYYIV, UA. (DSL) n/a CL:dood.l1qu1d.net
EU:78.155.216.238:6900 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 11 of 41 e6ac88b320
NEW 804cff045b [0] none:none
StarForce| none trace

T:06:29:00 Win2K-f 190.19.87.20 (COM.AR):
CABLEVISION S.A,
BUENOS AIRES, BUENOS AIRES, AR. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 11 of 41 e6ac88b320
NEW 804cff045b [0] none:none
StarForce| none trace

T:06:34:00 WinXP 190.17.36.53 (COM.AR):
CABLEVISION S.A,
BUENOS AIRES, BUENOS AIRES, AR. (DSL) n/a CL:dood.l1qu1d.net
EU:78.155.216.238:6900 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 11 of 41 e6ac88b320
NEW 804cff045b [0] none:none
StarForce| none trace

T:06:43:00 Win2K-f 190.97.134.22 (-):
INGELCOM LTDA,
CO. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 11 of 41 e6ac88b320
NEW 804cff045b [0] none:none
StarForce| none trace

T:06:46:00 Win2K-f 94.143.56.52 (SURGUTTEL.RU):
JSC SURGUTTEL,
MOSCOW, MOSCOW CITY, RU. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 11 of 40 8b9b0a8973
NEW fe51b8774a [0] none:none
StarForce| none trace

T:06:50:00 WinXP 82.254.45.76 (PROXAD.NET):
PROXAD / FREE SAS,
STRASBOURG, ALSACE, FR. (DSL) n/a CL:dood.l1qu1d.net
EU:78.155.216.238:6900 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 11 of 41 e6ac88b320
NEW 804cff045b [0] none:none
StarForce| none trace

T:06:52:00 WinXP 186.18.149.54 (186.IN-ADDR.ARPA):
TELECENTRO S.A. - CLIENTES RESIDENCIALES,
BUENOS AIRES, BUENOS AIRES, AR. (DSL) n/a CL:dood.l1qu1d.net
EU:78.155.216.238:6900 445 pcap raw alerts
ruleset ftp
irc
13 lines Yeah : 0.8
profile none summary
tarball 11 of 41 e6ac88b320
NEW 804cff045b [0] none:none
StarForce| none trace

T:06:56:00 WinXP 190.191.32.203 (NET.AR):
PRIMA S.A,
AR. (DSL) n/a CL:dood.l1qu1d.net
EU:78.155.216.238:6900 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 11 of 41 e6ac88b320
NEW 804cff045b [0] none:none
StarForce| none trace

T:07:03:00 Win2K-f 81.198.33.124 (-):
ADDRESS POOL FOR LTC-HOME CUSTOMERS,
RIGA, RIGA, LV. (DSL) n/a 445 pcap raw alerts
ruleset ftp
10 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:07:10:00 Win2K-f 89.174.76.45 (COM.PL):
OKSYWIE-NET,
GDYNIA, GDANSK, PL. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 11 of 40 8b9b0a8973
NEW fe51b8774a [0] none:none
StarForce| none trace

T:07:16:00 WinXP 92.115.252.58 (HOST-STATIC-92-115-28-10.MOLDTELECOM.MD):
JSC MOLDTELECOM SA,
CHISINAU, CHISINAU, MD. (DSL) n/a CL:dood.l1qu1d.net
EU:78.155.216.238:6900 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 11 of 40 8b9b0a8973
NEW fe51b8774a [0] none:none
StarForce| none trace

T:07:36:00 Win2K-f 94.24.182.143 (IS74.RU):
INTERSVYAZ-2 JSC,
RU. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 11 of 40 8b9b0a8973
NEW fe51b8774a [0] none:none
StarForce| none trace

T:07:41:00 WinXP 67.150.84.112 (MDSG-PACWEST.COM):
PAC-WEST MANAGED MODEM NAS POOL,
NASHVILLE, TENNESSEE, US. (DSL) n/a 445 pcap raw alerts
ruleset other
0 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:08:45:00 WinXP 86.155.80.137 (BTCENTRALPLUS.COM):
BT BROADBAND,
LIVERPOOL, ENGLAND, UK. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 29 of 29 831f4ee0a7
NEW none [0] ASM:Graph
none|none lines=61 trace

T:08:49:00 WinXP 95.104.45.123 (CAUCASUS.NET):
CAUCASUS ONLINE BROADBAND NETWORK,
GE. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 35 of 36 06a5e31b47
NEW 25e6e52787 [0] ASM:Graph
PolyEnE| lines=68 trace

T:09:22:00 Win2K-f 208.126.80.107 (NETINS.NET):
SENECA TELEPHONE COMPANY,
NOEL, MISSOURI, US. (DSL) n/a 135 pcap raw alerts
ruleset other
328 lines Yeah : 1.3
profile none summary
tarball 7 of 41
40 of 41 86f852a05d
NEW
c3966880a2
NEW none[3]
d3198bb3be[0]
d3198bb3be[0] none:none
none:none
none|none
StarForce| none
none trace
trace

T:09:22:00 WinXP 98.190.229.24 (COX.NET):
COX COMMUNICATIONS,
MCPHERSON, KANSAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:09:29:00 Win2K-f 61.219.58.201 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:10:17:00 WinXP 4.238.182.90 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
VINELAND, NEW JERSEY, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
142 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:10:53:00 Win2K-f 110.8.12.88 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 91.212.220.75:65520 218.93.205.30:65520 US:microsoft.com
EU:proxima.ircgalaxy.pl
EU:gidromash.cn
EU:ottopay.cn
:www.petdoso.com
174.36.176.242:81
US:64.235.53.208:80 135 pcap raw alerts
ruleset irc
http
120 lines Yeah : 1.8
profile none summary
tarball 31 of 33
2 of 41
31 of 33
7 of 41 168aab35a3
NEW
428d526489
NEW
667f0c59f3
NEW
c7830331fc
NEW 60b730b97e [0]
none [4]
8fe2be2095[0]
7953649664[0]
7953649664[0] ASM:Graph
none:none
ASM:Graph
none:none
tElock|
PEQuake|
Armadillo|
tElock| lines=120
embedded dns
none
lines=91
none trace
trace
trace
trace

T:11:39:00 WinXP 218.32.102.163 (SDTV.NET.TW):
SAN DA CATV CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
37 of 41 a205366bef
NEW
efaef2451a
NEW 82bbbe4789 [0]
5382f9a037[0]
5382f9a037[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:11:55:00 WinXP 213.192.41.117 (-):
CESKA SIT S.R.O,
PRAGUE, HLAVNI MESTO PRAHA, CZ. (DSL) 78.155.216.238:6900 CL:dood.l1qu1d.net 445 pcap raw alerts
ruleset ftp
irc
34 lines Yeah : 1.3
profile none summary
tarball 8 of 40 b9c3f7747b
NEW 804cff045b [0] none:none
StarForce| none trace

T:13:38:00 Win2K-f 122.146.82.147 (SPARQNET.NET):
NEW CENTRY INFOCOM TECH. CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:14:42:00 WinXP 218.172.208.122 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
KAOHSIUNG, T'AI-WAN, TW. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 34 of 36 f32b37da28
NEW 92283bfcbf [0] none:none
PolyEnE| none trace

T:14:56:00 Win2K-f 99.155.18.139 (SBCGLOBAL.NET):
AT&T INTERNET SERVICES,
PEORIA, ILLINOIS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:15:00:00 WinXP 87.250.55.18 (BVCOM.NET):
AVCOM,
CS. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 32 of 32 b502f83a7c
NEW 28f5be93b0 [0] none:none
PolyEnE| none trace

T:15:22:00 WinXP 63.25.194.58 (UU.NET):
UUNET TECHNOLOGIES INC,
OKLAHOMA CITY, OKLAHOMA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:20:11:00 WinXP 115.165.83.226 (CATV02.ITSCOM.JP):
ITS COMMUNICATIONS INC,
KAWASAKI, KANAGAWA, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 31 of 32 741e3b03b3
NEW none [0] none:none
none|none lines=61 trace

T:20:37:00 WinXP 4.180.102.188 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
SAND SPRINGS, OKLAHOMA, US. (DIAL) n/a 135 pcap raw alerts
ruleset other
1079 lines Yeah : 1.3
profile none summary
tarball 37 of 41 4e6aac204a
NEW dd8a47a468 [0] none:none
PeCompact| none trace

T:21:04:00 Win2K-f 208.125.40.153 (RR.COM):
ROAD RUNNER HOLDCO LLC,
ROCHESTER, NEW YORK, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:21:27:00 Win2K-f 96.49.243.172 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
BURNABY, BRITISH COLUMBIA, CA. (DSL) 92.240.234.164:3305 :cx10man.weedns.com 135 pcap raw alerts
ruleset irc
695 lines Yeah : 1.8
profile none summary
tarball 28 of 41 b8076e37ae
NEW 52953fed05 [0] none:none
StarForce| none trace

T:22:17:00 Win2K-f 71.148.35.37 (SBCGLOBAL.NET):
KASSA KASSA,
PLANO, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace