Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page


UNCENSORED PAGE


02 June 2008

All data collection and analyses summarized on this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [Attacker IPs] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap] [Behavioral Clusters] [Binary Digest Log]

[See Country Codes]

Table columns (one infection record per block below): Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace

01:17:00 Win2K-f 61.227.71.206 (HINET.NET):
DATA COMMUNICATION BUSINESS GROUP CHUNGHWA TELECOM CO. LTD,
TW.
209.250.232.240:7000 US:hail.dns2go.com
US:scorti1.dns2go.com
445 pcap raw alerts
ruleset
ftp
irc
24 lines
Yeah : 1.3
profile
none summary
tarball
27 of 32 ffd21f2779
NEW
none[none] none:none
none|none none none

02:32:00 WinXP 59.112.217.35 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW.
n/a   445 pcap raw alerts
ruleset
ftp
14 lines
Argh : 0.3
profile
none summary
tarball
none none none none none none none

04:39:00 WinXP 211.13.71.229 (MESH.AD.JP):
C&C INTERNET SERVICE MESH,
SENDAI, MIYAGI, JP.
n/a RU:moscow-advokat.ru
RU:194.6.222.11:6667
445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
25 of 25 7f60162c2c
[Firefox:1308 hits: 12-31 to 06-01]
1aad8e4632 [0] ASM:Graph
PolyEnE| lines=93
embedded dns
trace

04:53:00 WinXP 78.97.0.211 (ASTRAL.RO):
ASTRAL TELECOM SA,
RO.
n/a CN:hail2.dns2go.com
CN:222.177.11.165:8885
445 pcap raw alerts
ruleset
ftp
15 lines
Yeah : 0.8
profile
none summary
tarball
14 of 32 5ee4121e1e
[Firefox:43 hits: 05-29 to 06-01]
51c1525417 [0] none:none
Obsidium| none trace

T:06:31:00 Win2K-f 190.174.147.219 (-):
.
222.177.11.165:8885 CN:hail2.dns2go.com 445 pcap raw alerts
ruleset
ftp
irc
23 lines
Yeah : 1.3
profile
none summary
tarball
14 of 32 5ee4121e1e
[Firefox:43 hits: 05-29 to 06-01]
51c1525417 [0] none:none
Obsidium| none trace

T:06:41:00 WinXP 41.220.22.71 (TELONE.CO.ZW):
AFRINIC,
ZW.
n/a DE:siliconfireware.ru
US:searchportal.information.com
GB:new.egg.com
:wpad
US:208.73.212.12:80
DE:217.11.54.126:80
445 pcap raw alerts
ruleset
http
http
http
http
26 lines
Yeah : 0.8
profile
none summary
tarball
29 of 29 a12cab51ef
[Firefox:1030 hits: 05-01 to 06-01]
40f7f463c4 [0] ASM:Graph
ASPack| lines=281
embedded dns
trace

07:46:00 Win2K-f 79.140.8.149 (APEXCOVANTAGE.COM):
EU-ZZ,
UK.
n/a CN:hail2.dns2go.com
CN:222.177.11.165:8885
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
14 of 32 5ee4121e1e
[Firefox:43 hits: 05-29 to 06-01]
51c1525417 [0] none:none
Obsidium| none trace

08:38:00 WinXP 170.51.202.147 (COM.AR):
CTI COMPANIA DE TELEFONAS DEL INTERIOR S.A,
AR.
85.114.137.60:65520 DE:proxim.ircgalaxy.pl
UA:citi-bank.ru
UA:194.54.90.246:80
DE:85.114.137.60:65520
445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
30 of 32 a41d9d371e
[Firefox: 3 hits: 04-21 to 05-05]
c2640d398b [0] ASM:Graph
PolyEnE| lines=129 trace

09:13:00 Win2K-f 89.207.67.83 (-):
JOINT STOCK COMPANY SVYAZIST,
RU.
n/a CN:hail2.dns2go.com
CN:222.177.11.165:8885
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
14 of 32 5ee4121e1e
[Firefox:43 hits: 05-29 to 06-01]
51c1525417 [0] none:none
Obsidium| none trace

T:09:20:00 WinXP 92.98.22.224 (APEXCOVANTAGE.COM):
EU-ZZ,
UK.
n/a CN:hail2.dns2go.com
CN:222.177.11.165:8885
445 pcap raw alerts
ruleset
ftp
irc
18 lines
Yeah : 0.8
profile
none summary
tarball
23 of 32 a1a09f9696
NEW
none[none] none:none
none|none none none

T:10:12:00 WinXP 190.188.177.27 (NET.AR):
PRIMA S.A,
AR.
n/a UA:citi-bank.ru
UA:194.54.90.246:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
32 of 32 fb39015df2
NEW
none[4] none:none
PolyEnE| none trace

10:40:00 WinXP 4.88.13.45 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
RICHMOND HILL, GEORGIA, US. (DIAL)
n/a DE:siliconfireware.ru
DE:212.227.111.29:80
DE:217.11.54.126:80
EU:78.47.200.154:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
29 of 29 df17a625ee
[Firefox:452 hits: 05-04 to 06-01]
9bbdd086c5 [0] none:none
ASPack| none trace

T:10:57:00 WinXP 78.96.8.43 (-):
ASTRAL TURDA DOCSIS,
TURDA, CLUJ, RO.
n/a CN:hail2.dns2go.com
CN:222.177.11.165:8885
445 pcap raw alerts
ruleset
ftp
19 lines
Yeah : 0.8
profile
none summary
tarball
14 of 32 5ee4121e1e
[Firefox:43 hits: 05-29 to 06-01]
51c1525417 [0] none:none
Obsidium| none trace

T:11:48:00 Win2K-f 90.145.40.111 (UNET.NL):
UNET,
NL.
n/a DE:flu.flutp.com 445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
none none none none none none none

12:03:00 Win2K-f 94.42.31.139 (-):
.
n/a CN:hail2.dns2go.com
CN:222.177.11.165:8885
445 pcap raw alerts
ruleset
ftp
irc
21 lines
Yeah : 0.8
profile
none summary
tarball
14 of 32 5ee4121e1e
[Firefox:43 hits: 05-29 to 06-01]
51c1525417 [0] none:none
Obsidium| none trace

T:12:14:00 WinXP 196.208.85.161 (TELKOM-IPNET.CO.ZA):
AFRINIC,
DURBAN, KWAZULU-NATAL, ZA.
n/a   135 pcap raw alerts
ruleset
other
8 lines
Argh : 0.3
profile
none summary
tarball
none none none none none none none

T:12:55:00 WinXP 201.212.164.2 (NET.AR):
PRIMA S.A,
BUENOS AIRES, BUENOS AIRES, AR. (DSL)
n/a UA:citi-bank.ru
UA:194.54.90.246:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
31 of 31 af0c4989ca
NEW
none[4] none:none
PolyEnE| none trace

12:56:00 WinXP 201.212.164.2 (NET.AR):
PRIMA S.A,
BUENOS AIRES, BUENOS AIRES, AR. (DSL)
n/a UA:citi-bank.ru
UA:194.54.90.246:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
31 of 31 af0c4989ca
NEW
none[4] none:none
PolyEnE| none trace

T:13:04:00 WinXP 78.2.97.63 (T-COM.HR):
T-COM CROATIA INTERNET NETWORK,
RIJEKA, PRIMORSKO-GORANSKA, HR.
n/a CN:hail2.dns2go.com
CN:222.177.11.165:8885
445 pcap raw alerts
ruleset
ftp
irc
24 lines
Yeah : 0.8
profile
none summary
tarball
15 of 31 6c4c3242ba
[Firefox: 4 hits: 05-31 to 06-01]
47300e90ee [0] none:none
none|none none trace

14:23:00 Win2K-f 79.205.73.92 (T-IPCONNECT.DE):
DEUTSCHE TELEKOM AG,
DE.
n/a CN:hail2.dns2go.com
CN:222.177.11.165:8885
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
14 of 32 5ee4121e1e
[Firefox:43 hits: 05-29 to 06-01]
51c1525417 [0] none:none
Obsidium| none trace

15:24:00 WinXP 72.187.67.114 (RR.COM):
ROAD RUNNER HOLDCO LLC,
ORLANDO, FLORIDA, US.
n/a RU:moscow-advokat.ru 445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
25 of 25 7f60162c2c
[Firefox:1308 hits: 12-31 to 06-01]
1aad8e4632 [0] ASM:Graph
PolyEnE| lines=93
embedded dns
trace

T:15:24:00 WinXP 72.187.67.114 (RR.COM):
ROAD RUNNER HOLDCO LLC,
ORLANDO, FLORIDA, US.
n/a RU:moscow-advokat.ru
RU:194.6.222.11:6667
445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
25 of 25 7f60162c2c
[Firefox:1308 hits: 12-31 to 06-01]
1aad8e4632 [0] ASM:Graph
PolyEnE| lines=93
embedded dns
trace

T:18:57:00 Win2K-f 71.103.130.164 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
DOWNEY, CALIFORNIA, US. (DSL)
84.244.5.183:2345 US:qtas.net
SE:scl.jullope.com
445 pcap raw alerts
ruleset
http
irc
10 lines
Yeah : 1.3
profile
none summary
tarball
3 of 33 1c8163ae44
NEW
none[none] none:none
none|none none none

T:19:18:00 WinXP 72.183.33.27 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CORPUS CHRISTI, TEXAS, US.
n/a EU:siliconfireware.ru
SE:kavkazcenter.com
SE:kavkazcenter.net
FI:kavkazchat.com
US:chechenpress.info
GB:chechenpress.co.uk
:shaheeds.org
:daymohk.info
:chripress.org
DK:marsho.dk
US:www.jamaatshariat.com
US:www.counterdata.com
DE:m1.webstats.motigo.com
FI:imgs2.kavkazcenter.com
GB:www.chechenpress.co.uk
:www.google.com
FI:static.kavkazchat.com
DK:193.201.35.247:80
DE:212.227.111.29:80
DE:217.11.54.126:80
US:67.15.211.9:80
EU:78.47.200.154:80
FI:80.81.183.162:80
445 pcap raw alerts
ruleset
http
140 lines
Yeah : 0.8
profile
none summary
tarball
29 of 29 ab5e47bf8d
[Firefox:46 hits: 05-10 to 06-01]
none[3] none:none
ASPack| none trace

19:28:00 WinXP 66.61.139.32 (RR.COM):
ROAD RUNNER HOLDCO LLC,
COLUMBUS, OHIO, US.
n/a DE:siliconfireware.ru
GB:welcome3.smile.co.uk
:wpad
GB:195.92.84.198:80
DE:212.227.111.29:80
DE:217.11.54.126:80
EU:78.47.200.154:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
29 of 29 a12cab51ef
[Firefox:1030 hits: 05-01 to 06-01]
40f7f463c4 [0] ASM:Graph
ASPack| lines=281
embedded dns
trace

T:21:04:00 Win2K-f 83.103.134.42 (ASTRAL.RO):
ASTRAL-CJ-DOCSIS,
CLUJ-NAPOCA, CLUJ, RO.
n/a CN:hail2.dns2go.com
CN:222.177.11.165:8885
445 pcap raw alerts
ruleset
ftp
20 lines
Yeah : 0.8
profile
none summary
tarball
14 of 32 5ee4121e1e
[Firefox:43 hits: 05-29 to 06-01]
51c1525417 [0] none:none
Obsidium| none trace

T:22:11:00 WinXP 119.17.99.246 (-):
.
85.114.137.60:80 DE:proxim.ircgalaxy.pl
UA:citi-bank.ru
DE:85.114.137.60:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
30 of 32 3f5ec58a6b
[Firefox:24 hits: 04-24 to 05-30]
4a77430a59 [0] ASM:Graph
PolyEnE| lines=70 trace

22:11:00 WinXP 119.17.99.246 (-):
.
85.114.137.60:80 DE:proxim.ircgalaxy.pl
DE:85.114.137.60:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
30 of 32 3f5ec58a6b
[Firefox:24 hits: 04-24 to 05-30]
4a77430a59 [0] ASM:Graph
PolyEnE| lines=70 trace