Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page


UNCENSORED PAGE



13 June 2008

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [Attacker IPs] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap] [Behavioral Clusters] [Binary Digest Log]

[See Country Codes]
Table columns (one record per infection below; the extracted table did not preserve the Victim column separately, so the value following the time is shown as Victim/OS):
Time ; Victim ; OS ; Infection Source ; C&C Server ; DNS Lookups & Failed Connects ; Infection Port ; Packet Trace ; Detection Signatures ; Infection Chatter ; BotHunter Analysis ; Behavioral Cluster ; Forensic Logs ; Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace
T:00:05:00  Victim/OS: Win2K-f
  Infection Source: 168.215.246.7 (TWTELECOM.NET): MILAM CAPITAL PARTNERS, SAN ANTONIO, TEXAS, US. (100Mbps)
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 445 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: ftp (14 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels: 20 of 32 ; Packed Malware_Binary: 131351dd21 [Firefox: 3 hits: 05-22 to 06-01]
  Unpacked egg.exe: none[4] ; Unpacked egg.asm: none:none ; Packer PEID: none|none ; Data Strings: none ; Syscall Trace: trace
T:00:23:00  Victim/OS: Win2K-f
  Infection Source: 122.122.34.177 (HINET.NET): CHTD CHUNGHWA TELECOM CO. LTD, TW.
  C&C Server: 69.42.216.90:9890 ; DNS Lookups & Failed Connects: :f.unicat.org, 69.42.216.90:9890
  Infection Port: 445 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: ftp (15 lines)
  BotHunter Analysis: Yeah : 1.3, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels: 13 of 31 ; Packed Malware_Binary: e8d4d8cde1 [Firefox:290 hits: 03-31 to 06-12]
  Unpacked egg.exe: fda109a6fd [0] ; Unpacked egg.asm: ASM:Graph ; Packer PEID: ASProtect| ; Data Strings: lines=583, embedded dns ; Syscall Trace: trace
T:00:25:00  Victim/OS: Win2K-f
  Infection Source: 208.83.219.142 (-): .
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (103 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace: none
T:00:38:00  Victim/OS: WinXP
  Infection Source: 72.130.255.248 (RR.COM): ROAD RUNNER HOLDCO LLC, HONOLULU, HAWAII, US.
  C&C Server: n/a ; DNS Lookups & Failed Connects: DE:siliconfireware.ru, RU:www.bbin.ru, RU:www.binbank.ru, :wpad, DE:212.227.111.29:80, DE:217.11.54.126:80, EU:78.47.200.154:80
  Infection Port: 445 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: http, http, http (47 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels: 29 of 29 ; Packed Malware_Binary: df17a625ee [Firefox:463 hits: 05-04 to 06-11]
  Unpacked egg.exe: 9bbdd086c5 [0] ; Unpacked egg.asm: ASM:Graph ; Packer PEID: ASPack| ; Data Strings: lines=186, embedded dns ; Syscall Trace: trace
T:02:16:00  Victim/OS: Win2K-f
  Infection Source: 208.105.80.24 (RR.COM): ROAD RUNNER HOLDCO LLC, HERNDON, VIRGINIA, US.
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (112 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace: none
T:03:30:00  Victim/OS: WinXP
  Infection Source: 62.11.32.26 (DIALUP.TISCALI.IT): TISCALI ITALIA SPA, NAPOLI, CAMPANIA, IT. (DIAL)
  C&C Server: n/a ; DNS Lookups & Failed Connects: DE:siliconfireware.ru, :wpad, GB:new.egg.com, DE:212.227.111.29:80, DE:217.11.54.126:80, GB:217.145.225.22:80, EU:78.47.200.154:80
  Infection Port: 445 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: http (1 line)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels: 29 of 29 ; Packed Malware_Binary: df17a625ee [Firefox:463 hits: 05-04 to 06-11]
  Unpacked egg.exe: 9bbdd086c5 [0] ; Unpacked egg.asm: ASM:Graph ; Packer PEID: ASPack| ; Data Strings: lines=186, embedded dns ; Syscall Trace: trace
T:03:58:00  Victim/OS: Win2K-f
  Infection Source: 219.255.188.183 (HANANET.NET): HANARO TELECOM INC, SEOUL, KYONGGI-DO, KR.
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (95 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace: none
T:04:08:00  Victim/OS: Win2K-f
  Infection Source: 71.108.103.113 (VERIZON.NET): VERIZON INTERNET SERVICES INC, LANCASTER, CALIFORNIA, US. (DSL)
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (112 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace: none
T:04:19:00  Victim/OS: WinXP
  Infection Source: 66.50.174.16 (PRTC.NET): PUERTO RICO TELEPHONE COMPANY, SAN JUAN, PUERTO RICO, PR.
  C&C Server: n/a ; DNS Lookups & Failed Connects: UA:citi-bank.ru, UA:194.54.90.246:80
  Infection Port: 445 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: http (1 line)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels: 26 of 28 ; Packed Malware_Binary: 7d99b0e910 [Firefox:3046 hits: 12-31 to 06-12]
  Unpacked egg.exe: 7a70e1b592 [0] ; Unpacked egg.asm: ASM:Graph ; Packer PEID: PolyEnE| ; Data Strings: lines=68 ; Syscall Trace: trace
T:05:30:00  Victim/OS: WinXP
  Infection Source: 24.173.43.175 (RR.COM): ROAD RUNNER HOLDCO LLC, CORPUS CHRISTI, TEXAS, US.
  C&C Server: n/a ; DNS Lookups & Failed Connects: UA:citi-bank.ru, UA:194.54.90.246:80
  Infection Port: 445 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: http (1 line)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels: 26 of 28 ; Packed Malware_Binary: 7d99b0e910 [Firefox:3046 hits: 12-31 to 06-12]
  Unpacked egg.exe: 7a70e1b592 [0] ; Unpacked egg.asm: ASM:Graph ; Packer PEID: PolyEnE| ; Data Strings: lines=68 ; Syscall Trace: trace
T:06:17:00  Victim/OS: WinXP
  Infection Source: 69.23.111.59 (RR.COM): ROAD RUNNER HOLDCO LLC, GREEN BAY, WISCONSIN, US.
  C&C Server: n/a ; DNS Lookups & Failed Connects: UA:citi-bank.ru, UA:194.54.90.246:80
  Infection Port: 445 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: http (1 line)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels: 26 of 28 ; Packed Malware_Binary: 7d99b0e910 [Firefox:3046 hits: 12-31 to 06-12]
  Unpacked egg.exe: 7a70e1b592 [0] ; Unpacked egg.asm: ASM:Graph ; Packer PEID: PolyEnE| ; Data Strings: lines=68 ; Syscall Trace: trace
T:10:17:00  Victim/OS: WinXP
  Infection Source: 85.101.139.65 (TTNET.NET.TR): TURKTELEKOM, ISTANBUL, ISTANBUL, TR.
  C&C Server: n/a ; DNS Lookups & Failed Connects: UA:citi-bank.ru, UA:194.54.90.246:80
  Infection Port: 445 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: http (2 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels: 26 of 28 ; Packed Malware_Binary: 7d99b0e910 [Firefox:3046 hits: 12-31 to 06-12]
  Unpacked egg.exe: 7a70e1b592 [0] ; Unpacked egg.asm: ASM:Graph ; Packer PEID: PolyEnE| ; Data Strings: lines=68 ; Syscall Trace: trace
T:10:19:00  Victim/OS: WinXP
  Infection Source: 130.13.43.121 (QWEST.NET): QWEST BROADBAND SERVICES INC, PHOENIX, ARIZONA, US.
  C&C Server: 198.106.206.242:6915 ; DNS Lookups & Failed Connects: :proxim.ircgalaxy.pl, US:ircn3t.cjb.net
  Infection Port: 445 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: shell, ftp, irc (55 lines)
  BotHunter Analysis: Yeah : 1.3, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels: 29 of 32 ; Packed Malware_Binary: 355281ab68 NEW
  Unpacked egg.exe: none[4] ; Unpacked egg.asm: none:none ; Packer PEID: StarForce| ; Data Strings: none ; Syscall Trace: trace
T:11:15:00  Victim/OS: Win2K-f
  Infection Source: 130.13.111.78 (QWEST.NET): QWEST BROADBAND SERVICES INC, PHOENIX, ARIZONA, US.
  C&C Server: n/a ; DNS Lookups & Failed Connects: :proxim.ircgalaxy.pl, US:ircn3t.cjb.net, US:198.106.206.242:6915
  Infection Port: 445 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: shell, ftp (16 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels: 29 of 32 ; Packed Malware_Binary: 151d9e39e7 NEW
  Unpacked egg.exe: none[4] ; Unpacked egg.asm: none:none ; Packer PEID: StarForce| ; Data Strings: none ; Syscall Trace: trace
T:13:50:00  Victim/OS: Win2K-f
  Infection Source: 130.13.22.95 (QWEST.NET): QWEST BROADBAND SERVICES INC, PHOENIX, ARIZONA, US.
  C&C Server: n/a ; DNS Lookups & Failed Connects: :proxim.ircgalaxy.pl, US:ircn3t.cjb.net, US:198.106.206.242:6915
  Infection Port: 445 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: shell, ftp (16 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels: 29 of 32 ; Packed Malware_Binary: c5d407807f NEW
  Unpacked egg.exe: none[4] ; Unpacked egg.asm: none:none ; Packer PEID: StarForce| ; Data Strings: none ; Syscall Trace: trace
T:14:10:00  Victim/OS: Win2K-f
  Infection Source: 24.77.203.206 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, KELOWNA, BRITISH COLUMBIA, CA. (DSL)
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (111 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace: none
T:14:16:00  Victim/OS: Win2K-f
  Infection Source: 70.182.92.66 (COX.NET): COX COMMUNICATIONS, TULSA, OKLAHOMA, US.
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (112 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace: none
T:14:28:00  Victim/OS: WinXP
  Infection Source: 125.215.205.184 (IMSBIZ.COM): PCCW BUSINESS INTERNET ACCESS, HONG KONG, HONG KONG (SAR), HK. (100Mbps)
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (111 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace: none
T:14:52:00  Victim/OS: Win2K-f
  Infection Source: 66.57.186.196 (RR.COM): ROAD RUNNER HOLDCO LLC, LEXINGTON, SOUTH CAROLINA, US.
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (112 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace: none
T:15:21:00  Victim/OS: WinXP
  Infection Source: 202.3.152.139 (202.RCCTV.JP): RIVER CITY CABLETV CO.LTD, KARACHI, SINDH, PK.
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (111 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace: none
T:15:34:00  Victim/OS: Win2K-f
  Infection Source: 24.66.164.116 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, DUNCAN, BRITISH COLUMBIA, CA. (DSL)
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (54 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace: none
T:15:47:00  Victim/OS: WinXP
  Infection Source: 207.5.161.83 (SUSCOM-MAINE.NET): GREAT WORKS INTERNET, BRUNSWICK, MAINE, US.
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (112 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace: none
T:16:02:00  Victim/OS: WinXP
  Infection Source: 4.233.194.98 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, NEW HAMPSHIRE, US. (DIAL)
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 445 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: shell, ftp (15 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels: 32 of 32 ; Packed Malware_Binary: 03f912899b [Firefox:10 hits: 12-14 to 06-11]
  Unpacked egg.exe: 83893bd25d [0] ; Unpacked egg.asm: ASM:Graph ; Packer PEID: none|none ; Data Strings: lines=65 ; Syscall Trace: trace
T:16:14:00  Victim/OS: WinXP
  Infection Source: 70.168.9.104 (COX.NET): COX COMMUNICATIONS, PAWTUCKET, RHODE ISLAND, US.
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (111 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace: none
T:16:58:00  Victim/OS: Win2K-f
  Infection Source: 204.212.10.214 (-): AAFES/BARRACKS, HERNDON, VIRGINIA, US.
  C&C Server: 67.43.236.98:10324 ; DNS Lookups & Failed Connects: CA:xx.nadnadzz.info, CA:nadsam0.info, US:130.107.152.5:37834
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: irc, http (400 lines)
  BotHunter Analysis: Yeah : 1.3, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Five binaries captured; one line each, in the order Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace:
    28 of 32 ; 26149a0768 NEW ; none[4] ; none:none ; Gleam| ; none ; trace
    13 of 32 ; 2c11ff8e99 NEW ; none [4] ; none:none ; none|none ; none ; trace
    10 of 32 ; 55435efbce NEW ; 55435efbce[1] ; ASM:Graph ; FSG| ; lines=12 ; trace
    12 of 32 ; 700888fcd9 NEW ; none [4] ; none:none ; Mew| ; none ; trace
    19 of 32 ; 797863ab19 NEW ; none [4] ; none:none ; Mew| ; none ; trace
T:19:17:00  Victim/OS: WinXP
  Infection Source: 61.228.211.172 (HINET.NET): CHTD CHUNGHWA TELECOM CO. LTD, TAIPEI, T'AI-PEI, TW.
  C&C Server: n/a ; DNS Lookups & Failed Connects: RU:moscow-advokat.ru
  Infection Port: 445 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: http (1 line)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels: 25 of 25 ; Packed Malware_Binary: 7f60162c2c [Firefox:1331 hits: 12-31 to 06-12]
  Unpacked egg.exe: 1aad8e4632 [0] ; Unpacked egg.asm: ASM:Graph ; Packer PEID: PolyEnE| ; Data Strings: lines=93, embedded dns ; Syscall Trace: trace
T:20:13:00  Victim/OS: Win2K-f
  Infection Source: 71.115.80.131 (VERIZON.NET): VERIZON INTERNET SERVICES INC, ELKHART, INDIANA, US. (DSL)
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (111 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace: none
T:21:11:00  Victim/OS: Win2K-f
  Infection Source: 130.13.159.41 (QWEST.NET): QWEST BROADBAND SERVICES INC, PHOENIX, ARIZONA, US.
  C&C Server: n/a ; DNS Lookups & Failed Connects: :proxim.ircgalaxy.pl, US:ircn3t.cjb.net, US:198.106.206.242:6915
  Infection Port: 445 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: shell, ftp (16 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels: 29 of 32 ; Packed Malware_Binary: 8fba02579a NEW
  Unpacked egg.exe: none[4] ; Unpacked egg.asm: none:none ; Packer PEID: StarForce| ; Data Strings: none ; Syscall Trace: trace
T:22:49:00  Victim/OS: Win2K-f
  Infection Source: 122.147.99.126 (SPARQNET.NET): NEW CENTURY INFOCOMM TECH. CO. LTD, TAIPEI, T'AI-PEI, TW.
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (111 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace: none
T:23:12:00  Victim/OS: Win2K-f
  Infection Source: 61.37.147.200 (BORA.NET): DACOM CORP, SEOUL, KYONGGI-DO, KR. (100Mbps)
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (112 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace: none
T:23:34:00  Victim/OS: Win2K-f
  Infection Source: 210.211.255.186 (VSNL.NET.IN): VIDESH SANCHAR NIGAM LTD - INDIA, IN.
  C&C Server: n/a ; DNS Lookups & Failed Connects: (blank)
  Infection Port: 135 ; Packet Trace: pcap ; Detection Signatures: raw alerts, ruleset
  Infection Chatter: other (347 lines)
  BotHunter Analysis: Yeah : 0.8, profile ; Behavioral Cluster: none ; Forensic Logs: summary, tarball
  Antivirus Labels: 12 of 32 ; Packed Malware_Binary: e5bc9c0cbf NEW
  Unpacked egg.exe: none[4] ; Unpacked egg.asm: none:none ; Packer PEID: Gleam| ; Data Strings: none ; Syscall Trace: trace