Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

06 July 2009
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

00:16:00 Win2K-f 119.77.203.193 (-):
. n/a US:www.maxmind.com
:checkip.dyndns.org
US:getmyip.co.uk
US:www.getmyip.org
US:65.254.39.170:80
US:67.15.94.80:80
US:75.126.138.202:80
EU:91.198.22.70:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:00:51:00 Win2K-f 218.55.122.239 (PANELPOWER.NET):
HANARO TELECOM CO,
SEOUL, KYONGGI-DO, KR. (100Mbps) 221.5.74.39:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
EU:dfeuvyoage.net
CN:brenz.pl
:cmdmand.info
:inporter.info
NL:thcway.info
CN:lometr.pl 135 pcap raw alerts
ruleset irc
http
http
http
http
http
154 lines Yeah : 1.8
profile none summary
tarball 18 of 41
9 of 41
31 of 33
9 of 41
29 of 33 1772d47c4c
NEW
1c3b65d074
NEW
ae0d40ac58
NEW
b9edee0b1c
NEW
fc0aa80688
NEW 8bd43a2dce [0]
9b65f560ef[0]
none [4]
none [4]
dd55b8dcc3[0] none:none
none:none
none:none
none:none
none:none
Stranik|
none|none
tElock|
Mew|
Armadillo| none
none
none
none
none trace
trace
trace
trace
trace

T:01:51:00 WinXP 4.130.196.97 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
CORPUS CHRISTI, TEXAS, US. (DIAL) n/a 135 pcap raw alerts
ruleset other
541 lines Yeah : 1.3
profile none summary
tarball 37 of 40 b9bf706959
NEW 800e16f299 [0] none:none
PeCompact| none trace

T:02:02:00 WinXP 121.121.14.208 (MAXIS.NET.MY):
MAXIS COMMUNICATIONS BHD,
MY. n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball 38 of 40 cdbb312d0a
NEW 8050e5ba3e [0] none:none
PolyEnE| none trace

T:03:50:00 WinXP 86.154.239.43 (BTCENTRALPLUS.COM):
BT-CENTRAL-PLUS,
SWANSEA, WALES, UK. n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 29 of 29 831f4ee0a7
NEW none[0] ASM:Graph
none|none lines=61 trace

05:20:00 Win2K-f 62.87.65.243 (AIRTEL.NET):
GLOBAL MOBILE OPERATOR,
BARCELONA, CATALUñA, ES. n/a US:www.maxmind.com
US:www.getmyip.org
:checkip.dyndns.org
US:getmyip.co.uk
US:65.254.39.170:80
US:67.15.94.80:80
US:75.126.138.202:80
EU:91.198.22.70:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:05:31:00 WinXP 122.55.173.215 (PLDT.NET):
IPG,
PH. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 41 80286858d3
NEW 183f8250c9 [0] none:none
PolyEnE| none trace

T:06:14:00 Win2K-f 118.87.20.65 (-):
. 61.120.62.28:3305 TH:cx10man.weedns.com
GB:fx010413.whyI.org
JP:61.120.62.28:3305 135 pcap raw alerts
ruleset irc
603 lines Yeah : 1.8
profile none summary
tarball 36 of 39 f5114d3371
NEW 330af0d74b [0] none:none
StarForce| none trace

T:06:24:00 WinXP 203.73.84.108 (SEED.NET.TW):
DIGITAL UNITED INC,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:07:25:00 WinXP 79.163.104.193 (-):
IDEA,
PL. 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 35 of 36 06a5e31b47
NEW 25e6e52787 [0] ASM:Graph
PolyEnE| lines=68 trace

T:08:47:00 WinXP 24.44.62.229 (OPTONLINE.NET):
OPTIMUM ONLINE (CABLEVISION SYSTEMS),
STRATFORD, CONNECTICUT, US. 194.109.11.65:6556 NL:0x80.online-software.org 135 pcap raw alerts
ruleset other
271 lines Yeah : 1.8
profile none summary
tarball 32 of 32 15d4d85dc0
NEW 4c95ae4b3d [0] ASM:Graph
StarForce| lines=212
embedded dns trace

T:08:59:00 Win2K-f 74.170.98.228 (BELLSOUTH.NET):
BELLSOUTH.NET INC,
JACKSONVILLE, FLORIDA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:10:43:00 WinXP 96.8.220.143 (-):
. n/a 135 pcap raw alerts
ruleset other
11 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:11:08:00 WinXP 114.48.15.85 (-):
. n/a 445 pcap raw alerts
ruleset shell
ftp
16 lines Yeah : 1.3
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:11:43:00 Win2K-f 120.138.130.207 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
79 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:12:05:00 WinXP 173.21.231.50 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:14:33:00 WinXP 84.140.191.3 (T-IPCONNECT.DE):
DEUTSCHE TELEKOM AG,
HAMBURG, HAMBURG, DE. n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 32 of 32 03f912899b
NEW none[0] none:none
none|none lines=64 trace

T:14:48:00 Win2K-f 24.193.40.42 (RR.COM):
ROAD RUNNER HOLDCO LLC,
NEW YORK, NEW YORK, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:15:09:00 WinXP 69.12.235.190 (BEIGECOUGAR.COM):
SONIC.NET INC,
TRACY, CALIFORNIA, US. n/a KR:cx10man.weedns.com 135 pcap raw alerts
ruleset irc
572 lines Yeah : 1.3
profile none summary
tarball 39 of 40 70ec5c4b3f
NEW f697adabdd [0] none:none
StarForce| none trace

T:16:44:00 WinXP 76.83.49.177 (RR.COM):
ROAD RUNNER HOLDCO LLC,
HERNDON, VIRGINIA, US. n/a DE:siliconfireware.ru
US:searchportal.information.com
:www.proxy-socks.net
:wpad
US:spi.domainsponsor.com
US:208.73.210.123:80 445 pcap raw alerts
ruleset http
http
http
16 lines Yeah : 0.8
profile none summary
tarball 29 of 29 0ada72d805
NEW none[0] ASM:Graph
ASPack| lines=281
embedded dns trace

T:17:13:00 Win2K-f 61.218.193.218 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
85 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:17:53:00 WinXP 97.76.30.138 (-):
. n/a 135 pcap raw alerts
ruleset other
1002 lines Yeah : 1.3
profile none summary
tarball 6 of 40 3778afa522
NEW none[3] none:none
none|none none trace

T:19:29:00 Win2K-f 4.238.91.174 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
PROVIDENCE, RHODE ISLAND, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
66 lines Yeah : 1.3
profile none summary
tarball 33 of 33
8 of 33 53bfe15e91
NEW
b7082104e4
NEW 1473091351 [0]
c5b49e7b82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=75
embedded dns
lines=41 trace
trace

19:50:00 Win2K-f 190.51.191.177 (COM.AR):
TELEFONICA DE ARGENTINA,
BUENOS AIRES, BUENOS AIRES, AR. n/a US:www.maxmind.com
US:www.getmyip.org
US:checkip.dyndns.org
US:getmyip.co.uk
US:65.254.39.170:80
US:67.15.94.80:80
US:75.126.138.202:80
EU:91.198.22.70:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 7 of 37 7587773eea
NEW none[3] none:none
StarForce| none trace

T:20:10:00 Win2K-f 174.6.21.151 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:21:22:00 WinXP 174.6.57.96 (-):
. n/a 135 pcap raw alerts
ruleset other
1007 lines Yeah : 1.3
profile none summary
tarball 33 of 40 0cd916efaf
NEW none[3] none:none
none|none none trace

T:22:34:00 Win2K-f 4.191.42.207 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
152 lines Yeah : 1.3
profile none summary
tarball 38 of 41
37 of 41 7461f4b99e
NEW
f9e3a69cf4
NEW de5ff2b862 [0]
b40853b435[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:22:43:00 WinXP 61.218.193.250 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
77 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:23:14:00 WinXP 59.103.63.132 (-):
. n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 40 824d6a706e
NEW a66fd13bcb [0] none:none
PolyEnE| none trace