| Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| T:10:09:00 | WinXP | 195.174.26.182 (KABLONET.COM.TR): CABLE OPERATOR NETWORK OF TURK TELEKOM, ISTANBUL, ISTANBUL, TR. (DSL) | n/a | EU:siliconfireware.ru US:searchportal.information.com US:spi.domainsponsor.com :wpad :landdev1.lap.internal | 445 | pcap | raw alerts ruleset | http http 11 lines | Yeah : 0.8 profile | none | summary tarball | 28 of 32 | 820d9f6daa NEW | none[4] | none:none | ASPack | none | trace |
| T:10:44:00 | WinXP | 24.195.176.181 (RR.COM): ROAD RUNNER HOLDCO LLC, SARATOGA SPRINGS, NEW YORK, US. | n/a | UA:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 26 of 28 | 7d99b0e910 [Firefox:2996 hits: 12-31 to 05-23] | 7a70e1b592 [0] | ASM:Graph | PolyEnE | lines=68 | trace |
| 12:20:00 | WinXP | 69.183.217.216 (SNET.NET): BRAS11A.MRDNCT, PLANO, TEXAS, US. (DSL) | n/a | | 445 | pcap | raw alerts ruleset | shell ftp 14 lines | Yeah : 0.8 profile | none | summary tarball | 29 of 29 | 831f4ee0a7 [Firefox:610 hits: 07-11 to 05-23] | eb7546c600 [0] | ASM:Graph | none | lines=61 | trace |
| T:12:44:00 | WinXP | 83.95.124.79 (ADSL-DHCP.TELE.DK): TDC-TELEDANMARK-BREDBAANDSADSL-NET, DK. (DSL) | n/a | UA:citi-bank.ru UA:194.54.90.246:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 29 of 29 | 1fcc146d70 [Firefox:234 hits: 05-02 to 05-12] | 258fafe892 [0] | ASM:Graph | PolyEnE | lines=68 | trace |
| 13:03:00 | WinXP | 77.37.132.5 (NCNET.RU): NCN-INFRA, RU. | n/a | UA:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 1.3 profile | none | summary tarball | 30 of 32 | a8aa255ece NEW | none[4] | none:none | PolyEnE | none | trace |
| 13:09:00 | Win2K-f | 77.127.33.194 (INTER.NET.IL): EURONET DIGITAL COMMUNICATIONS, IL. | n/a | | 445 | pcap | raw alerts ruleset | ftp 14 lines | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:13:25:00 | WinXP | 123.200.32.32 (TCN-CATV.NE.JP): TOKYO CABLE NETWORK. INC, TOKYO, TOKYO, JP. | n/a | RU:moscow-advokat.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 25 of 25 | 7f60162c2c [Firefox:1302 hits: 12-31 to 05-23] | 1aad8e4632 [0] | ASM:Graph | PolyEnE | lines=93 embedded dns | trace |
| T:13:47:00 | WinXP | 83.97.195.3 (CM-83-97-128-10.TELECABLE.ES): TELECABLE, GIJON, ASTURIAS, ES. (DSL) | n/a | UA:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 26 of 28 | 7d99b0e910 [Firefox:2996 hits: 12-31 to 05-23] | 7a70e1b592 [0] | ASM:Graph | PolyEnE | lines=68 | trace |
| 13:48:00 | WinXP | 83.97.195.3 (CM-83-97-128-10.TELECABLE.ES): TELECABLE, GIJON, ASTURIAS, ES. (DSL) | 194.54.90.246:80 | UA:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 26 of 28 | 7d99b0e910 [Firefox:2996 hits: 12-31 to 05-23] | 7a70e1b592 [0] | ASM:Graph | PolyEnE | lines=68 | trace |
| T:13:52:00 | WinXP | 69.108.105.162 (PACBELL.NET): IRVNCA INTERNAL, LOS ANGELES, CALIFORNIA, US. (DSL) | n/a | UA:citi-bank.ru UA:194.54.90.246:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 29 of 29 | 3ae357d17b [Firefox:710 hits: 05-01 to 05-20] | 462a7be171 [0] | ASM:Graph | PolyEnE | lines=73 | trace |
| 14:09:00 | WinXP | 91.66.211.166 (SUPERKABEL.DE): KABEL DEUTSCHLAND BREITBAND SERVICE GMBH, DE. | n/a | RU:moscow-advokat.ru RU:194.6.222.11:6667 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 26 of 28 | ca47a36342 [Firefox:22 hits: 05-04 to 02-16] | c3a58f69c6 [0] | ASM:Graph | PolyEnE | lines=89 embedded dns | trace |
| 14:59:00 | WinXP | 200.139.79.78 (STERLINGSTUDENTS.NET): COMITE GESTOR DA INTERNET NO BRASIL, BR. (DSL) | n/a | CN:hail2.dns2go.com | 445 | pcap | raw alerts ruleset | ftp irc 22 lines | Yeah : 0.8 profile | none | summary tarball | 14 of 32 | 5ee4121e1e NEW | none[4] | none:none | Obsidium | none | trace |
| 16:28:00 | WinXP | 76.185.114.229 (RR.COM): ROAD RUNNER HOLDCO LLC, HERNDON, VIRGINIA, US. (100Mbps) | n/a | GB:welcome3.smile.co.uk :wpad DE:siliconfireware.ru US:searchportal.information.com US:spi.domainsponsor.com :landdev1.lap.internal GB:195.92.84.198:80 | 445 | pcap | raw alerts ruleset | http http 6 lines | Yeah : 0.8 profile | none | summary tarball | 29 of 29 | a12cab51ef [Firefox:1027 hits: 05-01 to 05-23] | 40f7f463c4 [0] | ASM:Graph | ASPack | lines=281 embedded dns | trace |
| 20:08:00 | WinXP | 203.70.94.173 (SEED.NET.TW): DIGITAL UNITED INC, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | UA:citi-bank.ru UA:194.54.90.246:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 31 of 33 | bce12aa21f [Firefox: 8 hits: 05-12 to 05-19] | none[4] | none:none | PolyEnE | none | trace |
| T:20:29:00 | WinXP | 72.178.120.212 (RR.COM): ROAD RUNNER HOLDCO LLC, SAN ANTONIO, TEXAS, US. | n/a | UA:citi-bank.ru UA:194.54.90.246:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 29 of 29 | 9543d041a7 [Firefox: 7 hits: 05-16 to 05-12] | 49e3eed5c5 [0] | ASM:Graph | PolyEnE | lines=77 embedded dns | trace |
| T:20:59:00 | WinXP | 66.38.55.235 (DUO-COUNTY.COM): BRANDENBURG TELEPHONE COMPANY, RUSSELL SPRINGS, KENTUCKY, US. | n/a | UA:citi-bank.ru UA:194.54.90.246:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 29 of 29 | a0139d7ad8 [Firefox:433 hits: 05-02 to 05-21] | d9e9662db1 [0] | ASM:Graph | PolyEnE | lines=68 | trace |