Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

16 June 2008
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:03:19:00 Win2K-f 70.250.104.52 (SWBELL.NET):
MID MISSOURI BROADBAND AND CABLE LLC,
LOOSE CREEK, MISSOURI, US. n/a 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:04:03:00 WinXP 124.102.114.181 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
JP. n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 29 of 29 831f4ee0a7
[Firefox:653 hits: 07-11 to 06-21] eb7546c600 [0] ASM:Graph
none|none lines=61 trace

T:04:48:00 Win2K-f 65.68.44.78 (SWBELL.NET):
AT&T INTERNET SERVICES,
KANSAS CITY, MISSOURI, US. (DSL) n/a 135 pcap raw alerts
ruleset other
108 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:04:49:00 WinXP 221.171.33.163 (MESH.AD.JP):
BIGLOBE-CIDR-BLK,
JP. n/a RU:moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 25 of 25 7f60162c2c
[Firefox:1343 hits: 12-31 to 06-21] 1aad8e4632 [0] ASM:Graph
PolyEnE| lines=93
embedded dns trace

T:06:36:00 Win2K-f 116.127.207.236 (-):
HANARO TELECOM,
SEOUL, KYONGGI-DO, KR. n/a 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:06:54:00 WinXP 124.102.63.17 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
JP. n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 29 of 29 831f4ee0a7
[Firefox:653 hits: 07-11 to 06-21] eb7546c600 [0] ASM:Graph
none|none lines=61 trace

T:07:56:00 Win2K-f 218.54.126.243 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. n/a 135 pcap raw alerts
ruleset other
52 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:08:12:00 WinXP 68.146.201.80 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CALGARY, ALBERTA, CA. (DSL) n/a 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:08:43:00 WinXP 219.248.233.108 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. n/a 135 pcap raw alerts
ruleset other
100 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:09:15:00 Win2K-f 222.234.234.234 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. n/a 135 pcap raw alerts
ruleset other
112 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:09:24:00 Win2K-f 172.192.120.71 (AOL.COM):
AMERICA ONLINE,
RESTON, VIRGINIA, US. (DIAL) n/a 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:09:31:00 WinXP 211.5.26.15 (KDDI.NE.JP):
DION (KDDI CORPORATION),
TOKYO, TOKYO, JP. n/a DE:siliconfireware.ru
US:searchportal.information.com
DE:ebookfinaltrash.ru
:wpad
US:64.215.166.173:80
US:64.215.166.190:80 445 pcap raw alerts
ruleset http
http
http
3 lines Yeah : 0.8
profile none summary
tarball 29 of 29 a12cab51ef
[Firefox:1064 hits: 05-01 to 06-21] 40f7f463c4 [0] ASM:Graph
ASPack| lines=281
embedded dns trace

T:10:17:00 WinXP 118.243.128.200 (-):
. n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 30 of 32 8ae058b2d0
[Firefox: 4 hits: 05-01 to 06-21] e6a9383b75 [0] ASM:Graph
none|none lines=59 trace

T:10:35:00 Win2K-f 172.162.34.211 (AOL.COM):
AMERICA ONLINE,
US. n/a 135 pcap raw alerts
ruleset other
112 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

11:35:00 WinXP 119.72.114.63 (-):
. n/a RU:moscow-advokat.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 25 of 25 7f60162c2c
[Firefox:1343 hits: 12-31 to 06-21] 1aad8e4632 [0] ASM:Graph
PolyEnE| lines=93
embedded dns trace

11:59:00 WinXP 24.59.8.87 (RR.COM):
ROAD RUNNER HOLDCO LLC,
ROME, NEW YORK, US. n/a UA:citi-bank.ru
UA:194.54.90.246:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
[Firefox:3077 hits: 12-31 to 06-21] 7a70e1b592 [0] ASM:Graph
PolyEnE| lines=68 trace

T:12:12:00 WinXP 88.104.159.66 (AS9105.COM):
TISCALI UK LTD,
MANCHESTER, ENGLAND, UK. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 29 of 33 1fa222a7d3
NEW 1fa222a7d3 [1] ASM:Graph
FASM| lines=84 trace

T:12:38:00 Win2K-f 200.82.125.57 (NET.AR):
APOLO -GOLD-TELECOM-PER,
BUENOS AIRES, BUENOS AIRES, AR. n/a US:hail.dns2go.com 445 pcap raw alerts
ruleset ftp
irc
22 lines Yeah : 0.8
profile none summary
tarball 21 of 32 5f78ff609d
[Firefox:1522 hits: 04-27 to 06-18] d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace

T:12:51:00 Win2K-f 172.167.146.149 (AOL.COM):
AMERICA ONLINE,
RESTON, VIRGINIA, US. (DSL) n/a 135 pcap raw alerts
ruleset other
49 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:12:59:00 WinXP 61.222.240.150 (HINET.NET):
DATA COMMUNICATION BUSINESS GROUP CHUNGHWA TELECOM CO. LTD,
KAOHSIUNG, KAO-HSIUNG, TW. n/a 135 pcap raw alerts
ruleset other
112 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:13:16:00 Win2K-f 71.12.20.234 (CHARTER.COM):
CHARTER COMMUNICATIONS,
HICKORY, NORTH CAROLINA, US. n/a 135 pcap raw alerts
ruleset other
112 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:13:51:00 Win2K-f 64.181.117.26 (AUSTINCPAAC.COM):
FIBERNET OF WEST VIRGINIA,
CHARLESTON, WEST VIRGINIA, US. (100Mbps) n/a 135 pcap raw alerts
ruleset other
112 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:14:57:00 Win2K-f 24.86.136.120 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
SURREY, BRITISH COLUMBIA, CA. (DSL) n/a :proxim.ircgalaxy.pl 135 pcap raw alerts
ruleset other
268 lines Yeah : 1.3
profile none summary
tarball 30 of 33 7df41a77e6
NEW none[4] none:none
PolyEnE| none trace

T:15:01:00 WinXP 69.41.137.204 (SEISMICINTERNET.NET):
SEISMIC ENTERPRISES,
KAILUA KONA, HAWAII, US. n/a 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:16:51:00 WinXP 217.184.140.13 (MEDIAWAYS.NET):
VARIOUS ONLINE SERVICES,
HAMBURG, HAMBURG, DE. n/a RU:moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 25 of 25 7f60162c2c
[Firefox:1343 hits: 12-31 to 06-21] 1aad8e4632 [0] ASM:Graph
PolyEnE| lines=93
embedded dns trace

T:17:44:00 Win2K-f 65.86.121.87 (DSL.NET):
ABERCROMBIE SIMMONS & GILLETTE OF VIRGINIA INC,
VIRGINIA BEACH, VIRGINIA, US. (DSL) n/a 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:18:35:00 Win2K-f 121.124.41.217 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. n/a 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:18:40:00 WinXP 67.150.123.231 (MDSG-PACWEST.COM):
PAC-WEST MANAGED MODEM NAS POOL,
LOS ANGELES, CALIFORNIA, US. n/a 445 pcap raw alerts
ruleset ftp
14 lines Yeah : 0.8
profile none summary
tarball 32 of 32 92c8e458d8
[Firefox: 2 hits: 02-24 to 06-16] 4ba645ac3a [0] ASM:Graph
none|none lines=62 trace

T:18:56:00 Win2K-f 58.226.13.97 (HANANET.NET):
HANARO TELECOM INC,
KR. n/a 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:18:57:00 Win2K-f 207.5.244.39 (SUSCOM-MAINE.NET):
GREAT WORKS INTERNET,
BRUNSWICK, MAINE, US. n/a 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:18:59:00 Win2K-f 63.25.222.153 (UU.NET):
UUNET TECHNOLOGIES INC,
LOUISVILLE, KENTUCKY, US. n/a 135 pcap raw alerts
ruleset other
71 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:19:09:00 Win2K-f 99.161.88.140 (-):
. n/a 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:19:20:00 WinXP 66.2.44.25 (ALGX.NET):
XO COMMUNICATIONS,
JERSEY CITY, NEW JERSEY, US. n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 29 of 29 1a2c0e6130
[Firefox:433 hits: 12-31 to 06-21] 048df78048 [0] ASM:Graph
none|none lines=61 trace

T:21:52:00 Win2K-f 116.39.93.81 (-):
LG POWERCOMM,
SEOUL, KYONGGI-DO, KR. n/a 445 pcap raw alerts
ruleset ftp
14 lines Yeah : 0.8
profile none summary
tarball 30 of 33 1952074241
NEW none[4] none:none
none|none none trace

T:22:17:00 Win2K-f 124.10.134.167 (TFN.NET.TW):
TAIWAN FIXED NETWORK CO. LTD,
KAOHSIUNG, KAO-HSIUNG, TW. n/a 445 pcap raw alerts
ruleset ftp
14 lines Yeah : 0.8
profile none summary
tarball 28 of 32 a7e3664263
[Firefox: 2 hits: 05-22 to 06-16] none[4] none:none
none|none none trace

T:23:23:00 Win2K-f 222.239.30.90 (-):
INCHON CABLE TV NAMDONG BROADCAST,
INCHON, KYONGGI-DO, KR. n/a 135 pcap raw alerts
ruleset other
112 lines Yeah : 1.3
profile none summary
tarball none none none none none none none