Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page


UNCENSORED PAGE


[Click here to download BotHunter]

05 July 2009

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [Attacker IPs] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap] [Behavioral Clusters] [Binary Digest Log]

[See Country Codes]
Columns, one record per infection: Time ; Victim OS ; Infection Source ; C&C Server ; DNS Lookups & Failed Connects ; Infection Port ; Packet Trace ; Detection Signatures ; Infection Chatter ; BotHunter Analysis ; Behavioral Cluster ; Forensic Logs.
Then one line per captured binary: Antivirus Labels ; Packed Malware Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace.

T:01:02:00 ; WinXP ; source: 203.91.165.198 (STARCAT.NE.JP): KMN CORPORATION, NAGOYA, AICHI, JP.
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 59 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 8 of 33 ; packed b7082104e4 NEW ; egg.exe c5b49e7b82 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=41 ; syscalls trace
T:02:11:00 ; Win2K-f ; source: 125.4.25.231 (ZAQ.NE.JP): HIGASHI-OSAKA CABLE TELEVISION CO. LTD, OSAKA, OSAKA, JP.
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 75 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 0 of 32 ; packed 07fabc79ef NEW ; egg.exe none [0] ; egg.asm ASM:Graph ; packer Armadillo| ; strings lines=81 ; syscalls trace
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
T:02:50:00 ; WinXP ; source: 203.196.70.145 (KAGACABLE.NE.JP): KAGA CABLE TELEVISION CO.LTD, JP. (DSL)
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 75 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 32 ; packed 73f1082158 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:03:18:00 ; WinXP ; source: 89.111.226.240 (TEOL.NET): TELEKOMSRPSKE, BA. (DIAL)
  C&C: n/a ; DNS: none ; port: 445 ; chatter: shell, ftp
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 15 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 37 of 40 ; packed f54691063f NEW ; egg.exe 6039c698cd [0] ; egg.asm ASM:Graph ; packer none|none ; strings lines=59 ; syscalls trace
T:04:21:00 ; WinXP ; source: 75.49.6.90 (SBCGLOBAL.NET): PPPOX POOL - SE1.WOTNOH 101906-1259, COLUMBUS, OHIO, US. (DSL)
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 76 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 33 ; packed a08f3b74a4 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:04:42:00 ; Win2K-f ; source: 122.49.244.77 (-)
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 75 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 0 of 32 ; packed 07fabc79ef NEW ; egg.exe none [0] ; egg.asm ASM:Graph ; packer Armadillo| ; strings lines=81 ; syscalls trace
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
T:04:53:00 ; Win2K-f ; source: 114.207.185.130 (-)
  C&C: 218.93.205.24:65520 ; DNS: CN:proxim.ircgalaxy.pl, US:microsoft.com, CN:brenz.pl, CN:lometr.pl, CN:218.93.205.24:65520 ; port: 135 ; chatter: irc, http
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 124 lines, Yeah : 1.8, profile ; cluster: none summary ; forensics: tarball
  binary: AV 18 of 41 ; packed 1772d47c4c NEW ; egg.exe 8bd43a2dce [0] ; egg.asm none:none ; packer Stranik| ; strings none ; syscalls trace
  binary: AV 30 of 33 ; packed 533d15b5ce NEW ; egg.exe c67adf46e2 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=126, embedded dns ; syscalls trace
  binary: AV 28 of 33 ; packed 58c343a8d8 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=91 ; syscalls trace
T:05:11:00 ; Win2K-f ; source: 71.181.168.57 (VERIZON.NET): VERIZON INTERNET SERVICES INC, WILKES BARRE, PENNSYLVANIA, US.
  C&C: 221.5.74.39:65520 ; DNS: CN:proxim.ircgalaxy.pl, CN:put.ghura.pl, CN:brenz.pl, CN:lometr.pl, CN:211.95.79.6:80 ; port: 445 ; chatter: irc, http
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 14 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 18 of 41 ; packed 1772d47c4c NEW ; egg.exe 8bd43a2dce [0] ; egg.asm none:none ; packer Stranik| ; strings none ; syscalls trace
  binary: AV 15 of 41 ; packed 298243013a NEW ; egg.exe b8c969e769 [0] ; egg.asm none:none ; packer PEQuake| ; strings none ; syscalls trace
T:05:44:00 ; Win2K-f ; source: 124.241.176.28 (STARCAT.NE.JP): KMN CORPORATION, NAGOYA, AICHI, JP.
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 120 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 38 of 41 ; packed c7bb39ee2c NEW ; egg.exe 07462a9c7b [0] ; egg.asm none:none ; packer tElock| ; strings none ; syscalls trace
  binary: AV 37 of 41 ; packed f49bcb46ba NEW ; egg.exe ab0f851c9d [0] ; egg.asm none:none ; packer Armadillo| ; strings none ; syscalls trace
T:06:02:00 ; Win2K-f ; source: 4.174.242.19 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, PHILADELPHIA, PENNSYLVANIA, US. (DIAL)
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 211 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 38 of 41 ; packed 5c39773b13 NEW ; egg.exe c64405f2e9 [0] ; egg.asm none:none ; packer tElock| ; strings none ; syscalls trace
  binary: AV 37 of 41 ; packed a1acc403a2 NEW ; egg.exe 54ef26c2f9 [0] ; egg.asm none:none ; packer Armadillo| ; strings none ; syscalls trace
T:06:18:00 ; WinXP ; source: 71.113.167.222 (VERIZON.NET): VERIZON INTERNET SERVICES INC, BLOOMINGTON, ILLINOIS, US. (DSL)
  C&C: n/a ; DNS: :gg.arrancar.org, 74.55.100.8:555 ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 145 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 39 of 40 ; packed 10980f4df2 NEW ; egg.exe 1fd3385a95 [0] ; egg.asm ASM:Graph ; packer none|none ; strings lines=556 ; syscalls trace
T:07:29:00 ; WinXP ; source: 61.215.151.26 (CABLENET.NE.JP): CABLENET SAITAMA CO. LTD, TOKYO, TOKYO, JP. (DSL)
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 76 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 33 ; packed a08f3b74a4 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:07:43:00 ; WinXP ; source: 173.19.210.202 (-)
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 75 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 33 ; packed a08f3b74a4 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:08:11:00 ; WinXP ; source: 61.221.250.18 (HINET.NET): DATA COMMUNICATION BUSINESS GROUP CHUNGHWA TELECOM CO. LTD, TW.
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 75 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 33 ; packed 57ce4acac2 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:10:33:00 ; Win2K-f ; source: 76.244.155.139 (PACBELL.NET): AT&T INTERNET SERVICES, US.
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 75 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 33 ; packed a08f3b74a4 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:10:37:00 ; Win2K-f ; source: 222.233.231.72 (HANANET.NET): HANARO TELECOM INC, SEOUL, KYONGGI-DO, KR.
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 75 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 32 ; packed 73f1082158 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:10:51:00 ; WinXP ; source: 60.248.117.221 (HINET.NET): CHTD CHUNGHWA TELECOM CO. LTD, TAIPEI, T'AI-PEI, TW.
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 75 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 33 ; packed 57ce4acac2 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:11:58:00 ; WinXP ; source: 219.71.166.39 (NVWTV.COM.TW): HOSHIN GIGAMEDIA CENTER INC, TW. (DSL)
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 110 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 38 of 41 ; packed a205366bef NEW ; egg.exe 82bbbe4789 [0] ; egg.asm none:none ; packer tElock| ; strings none ; syscalls trace
  binary: AV 37 of 41 ; packed efaef2451a NEW ; egg.exe 5382f9a037 [0] ; egg.asm none:none ; packer Armadillo| ; strings none ; syscalls trace
T:12:07:00 ; Win2K-f ; source: 190.105.1.59 (-)
  C&C: n/a ; DNS: US:www.maxmind.com, :checkip.dyndns.org, US:www.getmyip.org, US:getmyip.co.uk, US:65.254.39.170:80, US:67.15.94.80:80, US:75.126.138.202:80, EU:91.198.22.70:80 ; port: 445 ; chatter: http
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 1 line, Yeah : 0.8, profile ; cluster: none summary ; forensics: tarball
  binary: AV 8 of 38 ; packed 24ecbc6b15 NEW ; egg.exe none [3] ; egg.asm none:none ; packer StarForce| ; strings none ; syscalls trace
T:12:15:00 ; Win2K-f ; source: 190.105.1.59 (-)
  C&C: n/a ; DNS: US:www.maxmind.com, US:getmyip.co.uk, US:www.getmyip.org, US:checkip.dyndns.org, DE:131.220.6.26:80 ; port: 445 ; chatter: http
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 8 lines, Yeah : 0.8, profile ; cluster: none summary ; forensics: tarball
  binary: AV 7 of 37 ; packed 7587773eea NEW ; egg.exe none [3] ; egg.asm none:none ; packer StarForce| ; strings none ; syscalls trace
T:12:35:00 ; Win2K-f ; source: 4.231.204.163 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, MIAMI, FLORIDA, US. (DIAL)
  C&C: n/a ; DNS: none ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 769 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 9 of 41 ; packed 3c85066a71 NEW ; egg.exe none [3] ; egg.asm none:none ; packer none|none ; strings none ; syscalls trace
T:12:50:00 ; WinXP ; source: 4.181.170.36 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, GROTON, CONNECTICUT, US. (DIAL)
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 110 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 38 of 41 ; packed 9409fca3c1 NEW ; egg.exe 04c1ce33ac [0] ; egg.asm none:none ; packer tElock| ; strings none ; syscalls trace
  binary: AV 34 of 41 ; packed c91bf6b822 NEW ; egg.exe 9e9043d11b [0] ; egg.asm none:none ; packer tElock| ; strings none ; syscalls trace
T:13:04:00 ; Win2K-f ; source: 63.24.95.221 (UU.NET): UUNET TECHNOLOGIES INC, US.
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 86 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 33 ; packed a08f3b74a4 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:13:27:00 ; Win2K-f ; source: 74.215.139.75 (-)
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 75 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 33 ; packed a08f3b74a4 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:14:58:00 ; Win2K-f ; source: 4.226.225.104 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, BANDERA, TEXAS, US. (DIAL)
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 75 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 33 ; packed a08f3b74a4 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:15:17:00 ; WinXP ; source: 151.81.141.213 (38-151.NET24.IT): IUNET-BNET, IT.
  C&C: 213.219.245.212:80 ; DNS: RU:citi-bank.ru ; port: 445 ; chatter: http
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 2 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 39 of 41 ; packed 79797e25e9 NEW ; egg.exe 7cd852ed1d [0] ; egg.asm none:none ; packer PolyEnE| ; strings none ; syscalls trace
T:16:23:00 ; WinXP ; source: 24.103.196.250 (-)
  C&C: n/a ; DNS: CA:xx.ka3ek.com, :zone2tech.info, 67.215.1.206:80 ; port: 135 ; chatter: irc
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 349 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 0 of 41 ; packed 181eec3736 NEW ; egg.exe none [4] ; egg.asm none:none ; packer none|none ; strings none ; syscalls trace
  binary: AV 37 of 40 ; packed a0a15f5ebf NEW ; egg.exe c506c7cc86 [0] ; egg.asm none:none ; packer Mew| ; strings none ; syscalls trace
T:16:51:00 ; WinXP ; source: 201.93.7.165 (STERLINGSTUDENTS.NET): COMITE GESTOR DA INTERNET NO BRASIL, BR. (DSL)
  C&C: 213.219.245.212:80 ; DNS: RU:citi-bank.ru ; port: 445 ; chatter: http
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 2 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 32 of 32 ; packed b502f83a7c NEW ; egg.exe 28f5be93b0 [0] ; egg.asm none:none ; packer PolyEnE| ; strings none ; syscalls trace
T:17:34:00 ; Win2K-f ; source: 124.184.92.98 (BIGPOND.NET.AU): TELSTRAINTERNET44, SYDNEY, NEW SOUTH WALES, AU.
  C&C: 218.93.205.24:65520 ; DNS: US:microsoft.com, CN:proxim.ircgalaxy.pl, EU:dfeuvyoage.net, :cmdmand.info, :inporter.info, CN:brenz.pl, NL:thcway.info, CN:lometr.pl ; port: 135 ; chatter: irc, http, http, http, http, http
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 256 lines, Yeah : 1.8, profile ; cluster: none summary ; forensics: tarball
  binary: AV 18 of 41 ; packed 1772d47c4c NEW ; egg.exe 8bd43a2dce [0] ; egg.asm none:none ; packer Stranik| ; strings none ; syscalls trace
  binary: AV 9 of 41 ; packed 1c3b65d074 NEW ; egg.exe 9b65f560ef [0] ; egg.asm none:none ; packer none|none ; strings none ; syscalls trace
  binary: AV 37 of 41 ; packed 3f23ac55d3 NEW ; egg.exe 304cbcc85d [0] ; egg.asm none:none ; packer Armadillo| ; strings none ; syscalls trace
  binary: AV 9 of 41 ; packed b9edee0b1c NEW ; egg.exe none [4] ; egg.asm none:none ; packer Mew| ; strings none ; syscalls trace
  binary: AV 38 of 41 ; packed cdabb6a7c6 NEW ; egg.exe 6f5a4e5299 [0] ; egg.asm none:none ; packer tElock| ; strings none ; syscalls trace
T:18:26:00 ; Win2K-f ; source: 61.218.193.250 (HINET.NET): CHTD CHUNGHWA TELECOM CO. LTD, TAIPEI, T'AI-PEI, TW.
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 77 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 33 ; packed 57ce4acac2 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:18:27:00 ; Win2K-f ; source: 74.215.139.75 (-)
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 75 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 33 ; packed a08f3b74a4 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:18:29:00 ; WinXP ; source: 69.232.18.154 (PACBELL.NET): HI STYLES FASHIONS INC, PLANO, TEXAS, US. (DSL)
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 76 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 33 ; packed a08f3b74a4 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:18:49:00 ; WinXP ; source: 218.180.150.15 (BBTEC.NET): JAPAN NATION-WIDE NETWORK OF SOFTBANK BB CORP, TOKYO, TOKYO, JP.
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 75 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 33 ; packed a08f3b74a4 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:19:01:00 ; Win2K-f ; source: 24.227.62.42 (RR.COM): ROAD RUNNER HOLDCO LLC, CASSELBERRY, FLORIDA, US.
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 75 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 33 of 33 ; packed 53bfe15e91 NEW ; egg.exe 1473091351 [0] ; egg.asm ASM:Graph ; packer tElock| ; strings lines=75, embedded dns ; syscalls trace
  binary: AV 0 of 33 ; packed a08f3b74a4 NEW ; egg.exe none [0] ; egg.asm none:none ; packer Armadillo| ; strings lines=90 ; syscalls trace
T:19:23:00 ; Win2K-f ; source: 117.61.75.226 (163DATA.COM.CN): CHINANET JIANGSU PROVINCE NETWORK, BEIJING, BEIJING, CN.
  C&C: n/a ; DNS: US:www.maxmind.com, US:getmyip.co.uk, EU:checkip.dyndns.org, US:www.getmyip.org, US:65.254.39.170:80, US:67.15.94.80:80, US:75.126.138.202:80, EU:91.198.22.70:80 ; port: 445 ; chatter: http
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 1 line, Yeah : 0.8, profile ; cluster: none summary ; forensics: tarball
  binary: AV 3 of 37 ; packed d9cb288f31 NEW ; egg.exe 45603a001c [0] ; egg.asm ASM:Graph ; packer UPX| ; strings lines=174, embedded dns ; syscalls trace
T:19:32:00 ; Win2K-f ; source: 117.61.75.226 (163DATA.COM.CN): CHINANET JIANGSU PROVINCE NETWORK, BEIJING, BEIJING, CN.
  C&C: n/a ; DNS: US:www.maxmind.com, US:www.getmyip.org, US:getmyip.co.uk, :checkip.dyndns.org ; port: 445 ; chatter: http
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 7 lines, Yeah : 0.8, profile ; cluster: none summary ; forensics: tarball
  binary: AV 3 of 37 ; packed d9cb288f31 NEW ; egg.exe 45603a001c [0] ; egg.asm ASM:Graph ; packer UPX| ; strings lines=174, embedded dns ; syscalls trace
T:20:26:00 ; WinXP ; source: 139.55.113.181 (ALLTEL.NET): WINDSTREAM COMMUNICATIONS INC, BURNSIDE, KENTUCKY, US.
  C&C: 218.93.205.24:65520, 221.5.74.39:65520 ; DNS: CN:proxim.ircgalaxy.pl, CN:put.ghura.pl, :www.google.com, :er20090515.com, :uprtrishest.com, DK:liesbethmilan.be, CN:brenz.pl, CN:lometr.pl, GB:zz-dns.com ; port: 445 ; chatter: http, irc, http, http
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 47 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 18 of 41 ; packed 1772d47c4c NEW ; egg.exe 8bd43a2dce [0] ; egg.asm none:none ; packer Stranik| ; strings none ; syscalls trace
  binary: AV 30 of 41 ; packed 270610f4f3 NEW ; egg.exe b7030f729c [0] ; egg.asm none:none ; packer none|none ; strings none ; syscalls trace
  binary: AV 17 of 41 ; packed 73baa56112 NEW ; egg.exe fd029b0e1e [0] ; egg.asm none:none ; packer StarForce| ; strings none ; syscalls trace
  binary: AV 35 of 36 ; packed 7fd7475c63 NEW ; egg.exe 8dcf239714 [0] ; egg.asm none:none ; packer PolyEnE| ; strings none ; syscalls trace
  binary: AV 9 of 41 ; packed b9edee0b1c NEW ; egg.exe none [4] ; egg.asm none:none ; packer Mew| ; strings none ; syscalls trace
  binary: AV 26 of 41 ; packed c3642a675a NEW ; egg.exe 64d48f7d93 [0] ; egg.asm none:none ; packer tElock| ; strings none ; syscalls trace
T:21:56:00 ; Win2K-f ; source: 70.183.63.227 (COX.NET): COX COMMUNICATIONS INC, NEWPORT BEACH, CALIFORNIA, US.
  C&C: n/a ; DNS: :imb.f6hbr.in ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 288 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 31 of 36 ; packed d732dd0b4d NEW ; egg.exe 7fdcb7e309 [0] ; egg.asm none:none ; packer StarForce| ; strings none ; syscalls trace
T:23:00:00 ; Win2K-f ; source: 63.246.125.200 (SPEAKEASY.NET): US.
  C&C: n/a ; DNS: none ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 18 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: none (all seven binary columns empty)
T:23:09:00 ; Win2K-f ; source: 125.4.241.203 (ZAQ.NE.JP): KITAKAWACHI CABLE NET CO LTD, JP.
  C&C: n/a ; DNS: US:microsoft.com ; port: 135 ; chatter: other
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 111 lines, Yeah : 1.3, profile ; cluster: none summary ; forensics: tarball
  binary: AV 38 of 41 ; packed 98d2778fd6 NEW ; egg.exe 9feea491cb [0] ; egg.asm none:none ; packer tElock| ; strings none ; syscalls trace
  binary: AV 37 of 41 ; packed f676f3bf5b NEW ; egg.exe 0fba495fc4 [0] ; egg.asm none:none ; packer Armadillo| ; strings none ; syscalls trace
T:23:22:00 ; WinXP ; source: 67.52.25.21 (RR.COM): ROAD RUNNER HOLDCO LLC, RACINE, WISCONSIN, US.
  C&C: n/a ; DNS: none ; port: 445 ; chatter: http
  trace: pcap raw ; signatures: alerts ruleset ; BotHunter: 1 line, Yeah : 0.8, profile ; cluster: none summary ; forensics: tarball
  binary: none (all seven binary columns empty)
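Added example, not code from the Cyber-TA page or from BotHunter: a small Python parser that pulls the network and binary indicators out of infection records like the ones on this page and summarises antivirus coverage per packer. Its input is a constructed rendering of three of this page's records; the field values (source IPs, C&C endpoints, lookups with their country-code prefixes, digests, "N of M" antivirus counts, PEiD labels) are the page's, while the line layout ("T:" header, one "C&C:" line, one "binary:" line per captured sample) and every function name are the example's own.

```python
"""Extract indicators from Cyber-TA daily-summary infection records.

Added example; not code from the Cyber-TA page or from BotHunter.
SAMPLE is a constructed, compact rendering of three records from the
5 July 2009 page: the field values are copied from the page, the
one-block-per-record layout is this script's own input format.
"""
import re
from collections import defaultdict

SAMPLE = """\
T:04:53:00 ; Win2K-f ; source: 114.207.185.130 (-)
  C&C: 218.93.205.24:65520 ; DNS: CN:proxim.ircgalaxy.pl, US:microsoft.com, CN:brenz.pl, CN:lometr.pl, CN:218.93.205.24:65520 ; port: 135 ; chatter: irc, http
  binary: AV 18 of 41 ; packed 1772d47c4c NEW ; egg.exe 8bd43a2dce [0] ; packer Stranik|
  binary: AV 30 of 33 ; packed 533d15b5ce NEW ; egg.exe c67adf46e2 [0] ; packer tElock|
  binary: AV 28 of 33 ; packed 58c343a8d8 NEW ; egg.exe none [0] ; packer Armadillo|
T:12:07:00 ; Win2K-f ; source: 190.105.1.59 (-)
  C&C: n/a ; DNS: US:www.maxmind.com, :checkip.dyndns.org, US:65.254.39.170:80 ; port: 445 ; chatter: http
  binary: AV 8 of 38 ; packed 24ecbc6b15 NEW ; egg.exe none [3] ; packer StarForce|
T:15:17:00 ; WinXP ; source: 151.81.141.213 (38-151.NET24.IT): IUNET-BNET, IT.
  C&C: 213.219.245.212:80 ; DNS: RU:citi-bank.ru ; port: 445 ; chatter: http
  binary: AV 39 of 41 ; packed 79797e25e9 NEW ; egg.exe 7cd852ed1d [0] ; packer PolyEnE|
"""

HEAD = re.compile(r"T:(\S+) ; (\S+) ; source: (\S+)")
IPPORT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")
DIGEST = re.compile(r"[0-9a-f]{10}|none")   # page digests are 10 hex chars, or 'none'


def _fields(body, sep):
    """'k<sep>v ; k<sep>v' -> {k: v}; split on the first separator only,
    so values may themselves contain ':' or spaces."""
    return dict(part.strip().split(sep, 1) for part in body.split(" ; "))


def split_cc(entry):
    """'CN:brenz.pl' -> ('CN', 'brenz.pl'); ':checkip.dyndns.org' -> ('', ...).
    A bare 'ip:port' such as '74.55.100.8:555' has no country code: keep it whole."""
    cc, sep, rest = entry.partition(":")
    if sep and (cc == "" or re.fullmatch(r"[A-Z]{2}", cc)):
        return cc, rest
    return "", entry


def parse_records(text):
    """One dict per 'T:' record; extra fields on a line are kept out of the way."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("T:"):
            t, os_, src = HEAD.match(line).groups()
            cur = {"time": t, "os": os_, "source": src,
                   "cnc": [], "dns": [], "port": None, "binaries": []}
            records.append(cur)
        elif line.startswith("C&C:"):
            f = _fields(line, ": ")
            cur["cnc"] = [c for c in f["C&C"].split(", ") if c != "n/a"]
            cur["dns"] = [] if f["DNS"] == "none" else [split_cc(e) for e in f["DNS"].split(", ")]
            cur["port"] = int(f["port"])
        elif line.startswith("binary:"):
            f = _fields(line[len("binary: "):], " ")
            hits, total = (int(n) for n in f["AV"].split(" of "))
            unpacked = DIGEST.match(f["egg.exe"]).group()
            cur["binaries"].append({
                "packed": f["packed"].split()[0],
                "unpacked": None if unpacked == "none" else unpacked,
                "av_hits": hits, "av_total": total,
                "packer": f["packer"].split("|")[0],   # PEiD column reads 'name|' or 'none|none'
            })
    return records


def indicators(records):
    """Deduplicated network indicators: C&C endpoints, other ip:port targets from
    the failed-connect column, and hostnames tagged with their country code."""
    cnc, ipports, hosts = set(), set(), set()
    for r in records:
        cnc.update(r["cnc"])
        for cc, target in r["dns"]:
            if IPPORT.match(target):
                ipports.add(target)
            else:
                hosts.add((cc, target))
    return {"cnc": cnc, "ipport": ipports - cnc, "host": hosts}


def av_by_packer(records):
    """Per PEiD packer label: number of captured binaries and their mean
    antivirus detection ratio (hits / engines), rounded to two places."""
    ratios = defaultdict(list)
    for r in records:
        for b in r["binaries"]:
            ratios[b["packer"]].append(b["av_hits"] / b["av_total"])
    return {p: (len(v), round(sum(v) / len(v), 2)) for p, v in ratios.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for kind, values in indicators(recs).items():
        print(kind, sorted(values))
    print(av_by_packer(recs))
```

An ip:port that the page lists both as the C&C server and in the lookups column (218.93.205.24:65520 in the first record) is reported once, under cnc; an empty country code, as in ":checkip.dyndns.org", is kept as the page's own convention for a lookup with no code recorded.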