Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

07 July 2009
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:07:00 WinXP 70.92.242.36 (RR.COM):
ROAD RUNNER HOLDCO LLC,
LANNON, WISCONSIN, US. n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset other
0 lines Yeah : 0.8
profile none summary
tarball 29 of 29 042774a2b7
NEW none[0] none:none
PolyEnE| lines=69
embedded dns trace

T:00:07:00 Win2K-f 4.176.108.108 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
TUCSON, ARIZONA, US. (DIAL) n/a 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:00:43:00 WinXP 71.130.22.21 (PACBELL.NET):
WILLIAM MARTINEZ DBA,
PLANO, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

01:02:00 Win2K-f 118.232.9.93 (-):
. n/a US:www.maxmind.com
US:getmyip.co.uk
:checkip.dyndns.org
US:www.getmyip.org
US:65.254.39.170:80
EU:91.198.22.70:80 445 pcap raw alerts
ruleset http
4 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:03:16:00 WinXP 4.255.54.21 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
VANCOUVER, WASHINGTON, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
109 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

03:21:00 Win2K-f 200.85.59.66 (TELESURF.COM.PY):
TELECEL S.A,
PY. n/a US:www.maxmind.com
US:getmyip.co.uk
US:www.getmyip.org
:checkip.dyndns.org
US:65.254.39.170:80 445 pcap raw alerts
ruleset http
5 lines Yeah : 0.8
profile none summary
tarball 2 of 37 d60e538e72
NEW none[3] none:none
UPX| none trace

T:04:23:00 WinXP 114.48.140.108 (-):
. n/a 445 pcap raw alerts
ruleset ftp
13 lines Yeah : 0.8
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:04:50:00 Win2K-f 70.75.164.181 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CALGARY, ALBERTA, CA. (DSL) n/a 135 pcap raw alerts
ruleset other
1008 lines Yeah : 1.3
profile none summary
tarball 7 of 41 8605c909f4
NEW none[3] none:none
none|none none trace

T:05:25:00 Win2K-f 24.103.188.185 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:06:28:00 WinXP 91.65.196.207 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
DE. n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 25 of 25 7f60162c2c
NEW none[0] none:none
PolyEnE| lines=93
embedded dns trace

T:06:41:00 WinXP 114.48.14.200 (-):
. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 35 of 37 1987904b12
NEW 9fd17c99f9 [0] ASM:Graph
PolyEnE| lines=68 trace

T:07:30:00 WinXP 204.181.141.159 (OXFORDNETWORKS.NET):
OXFORD NETWORKS,
BUCKFIELD, MAINE, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
112 lines Yeah : 1.3
profile none summary
tarball 36 of 41
38 of 41 4d4b7efca2
NEW
539d61fc06
NEW ec83dac222 [0]
c3af874c93[0] none:none
none:none
Armadillo|
tElock| none
none trace
trace

T:09:31:00 WinXP 70.132.142.140 (SWBELL.NET):
PPPOX POOL - RBACK2.HSTNTX,
HOUSTON, TEXAS, US. (DIAL) 67.43.236.66:10324 CA:xx.nadnadzz.info
:zone2tech.info 135 pcap raw alerts
ruleset irc
258 lines Yeah : 1.8
profile none summary
tarball 0 of 40
35 of 41 638b59e5c5
NEW
a4dde6f9e4
NEW none[4]
none [4] none:none
none:none
none|none
none|none none
none trace
trace

T:09:50:00 WinXP 63.27.152.1 (UU.NET):
UUNET TECHNOLOGIES INC,
BOSTON, MASSACHUSETTS, US. n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com 445 pcap raw alerts
ruleset http
http
15 lines Yeah : 0.8
profile none summary
tarball 29 of 29 a12cab51ef
NEW none[0] none:none
ASPack| lines=281
embedded dns trace

T:10:28:00 WinXP 114.48.14.136 (-):
. n/a 445 pcap raw alerts
ruleset ftp
15 lines Argh : 0.3
profile none summary
tarball none none none none none none none

12:07:00 Win2K-f 61.16.155.7 (STATIC-31-155-16-61-PRIMUS-INDIA.NET):
DIRECT INTERNET LTD,
IN. (100Mbps) n/a US:www.maxmind.com
US:getmyip.co.uk
US:checkip.dyndns.org
DE:131.220.6.26:80
US:65.254.39.170:80 445 pcap raw alerts
ruleset http
5 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:12:16:00 Win2K-f 61.16.155.7 (STATIC-31-155-16-61-PRIMUS-INDIA.NET):
DIRECT INTERNET LTD,
IN. (100Mbps) n/a US:www.maxmind.com
US:getmyip.co.uk
US:www.getmyip.org
EU:checkip.dyndns.org 445 pcap raw alerts
ruleset http
7 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:12:25:00 WinXP 74.170.98.228 (BELLSOUTH.NET):
BELLSOUTH.NET INC,
JACKSONVILLE, FLORIDA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
77 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:14:43:00 WinXP 71.120.69.120 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
BLOOMINGTON, ILLINOIS, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:14:55:00 Win2K-f 63.28.44.16 (UU.NET):
UUNET TECHNOLOGIES INC,
CHICAGO, ILLINOIS, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:14:56:00 WinXP 58.236.190.80 (-):
THRUNET-INFRA-INCHEON10,
SEOUL, KYONGGI-DO, KR. 218.93.205.24:65520 CN:proxima.ircgalaxy.pl
US:microsoft.com
CN:put.ghura.pl
CN:brenz.pl
CN:lometr.pl
:onuka.cn
CN:www.upononjob.cn
:horobl.cn
US:mx4.hotmail.com
:a.mx.mail.yahoo.com
US:b.mx.mail.yahoo.com
US:c.mx.mail.yahoo.com
US:d.mx.mail.yahoo.com
US:e.mx.mail.yahoo.com
:f.mx.mail.yahoo.com
US:g.mx.mail.yahoo.com
CN:221.5.74.39:65520
CN:222.186.13.27:80
US:64.191.104.197:25
US:67.19.219.74:80
72.167.37.74:80
EU:91.207.4.138:80 135 pcap raw alerts
ruleset irc
http
152 lines Yeah : 1.8
profile none summary
tarball 18 of 41
15 of 41
none
0 of 41
32 of 40
24 of 40
38 of 40 1772d47c4c
NEW
298243013a
NEW
6a4845ca11
NEW
7b3413b0f1
NEW
a5328320bc
NEW
f1bb8174e3
NEW
ffafd341d9
NEW 8bd43a2dce [0]
b8c969e769[0]
c23d00870b[0]
none [4]
9e7dff694f[0]
ff7d442dd1[0]
294fb27545[0] none:none
none:none
none:none
none:none
none:none
none:none
ASM:Graph
Stranik|
PEQuake|
tElock|
none|none
none|none
none|none
Armadillo| none
none
none
none
none
none
lines=91 trace
trace
trace
trace
trace
trace
trace

15:44:00 Win2K-f 190.55.247.40 (-):
. n/a US:www.maxmind.com
US:www.getmyip.org
:checkip.dyndns.org
US:getmyip.co.uk
US:65.254.39.170:80
US:67.15.94.80:80
EU:91.198.22.70:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 3 of 37 dc331fb791
NEW none[3] none:none
UPX| none trace

T:16:37:00 Win2K-f 24.234.70.169 (COX.NET):
COX COMMUNICATIONS INC,
LAS VEGAS, NEVADA, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:16:38:00 WinXP 121.84.157.2 (EONET.NE.JP):
K-OPTICOM CORPORATION,
JP. n/a 445 pcap raw alerts
ruleset shell
ftp
13 lines Yeah : 0.8
profile none summary
tarball 31 of 32 741e3b03b3
NEW none[0] none:none
none|none lines=61 trace

T:17:14:00 WinXP 68.148.114.234 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
EDMONTON, ALBERTA, CA. (DSL) n/a :gg.arrancar.org
74.55.100.8:555 135 pcap raw alerts
ruleset other
187 lines Yeah : 1.3
profile none summary
tarball 38 of 41 8ef3f9fd36
NEW 1c396012a3 [0] none:none
none|none none trace

T:17:16:00 WinXP 71.112.7.99 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
BOTHELL, WASHINGTON, US. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 38 of 41 2d16d63f91
NEW 27cb26ee14 [0] none:none
PolyEnE| none trace

T:17:24:00 Win2K-f 172.191.19.238 (AOL.COM):
AMERICA ONLINE,
RESTON, VIRGINIA, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
95 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:17:28:00 WinXP 96.10.73.83 (-):
. n/a NL:xx.sqlteam.info
CA:xx.ka3ek.com
:zone2tech.info
NL:83.68.16.6:5190 135 pcap raw alerts
ruleset irc
264 lines Yeah : 1.3
profile none summary
tarball 0 of 40
35 of 41 7982e44208
NEW
a4dde6f9e4
NEW none[4]
none [4] none:none
none:none
none|none
none|none none
none trace
trace

T:18:15:00 Win2K-f 173.19.123.94 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:18:36:00 Win2K-f 4.167.146.154 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
DEER PARK, TEXAS, US. (DIAL) n/a 135 pcap raw alerts
ruleset other
149 lines Yeah : 1.3
profile none summary
tarball 34 of 40 531523673e
NEW e595c5289f [0] none:none
Armadillo| none trace

T:18:58:00 WinXP 65.26.131.236 (RR.COM):
ROAD RUNNER HOLDCO LLC,
KANSAS CITY, KANSAS, US. 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 29 of 29 f502585714
NEW none[0] none:none
PolyEnE| lines=63 trace

T:19:31:00 WinXP 173.28.205.166 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 36 of 41
38 of 40 0a37c30749
NEW
6ca10c692d
NEW 2ef9d219b4 [0]
bb246ba101[0] none:none
none:none
Armadillo|
FSG| none
none trace
trace

21:58:00 Win2K-f 122.127.128.32 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TW. n/a US:www.maxmind.com
:checkip.dyndns.org
US:getmyip.co.uk
US:www.getmyip.org
US:65.254.39.170:80
EU:91.198.22.70:80 445 pcap raw alerts
ruleset http
4 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:22:16:00 Win2K-f 68.146.213.189 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CALGARY, ALBERTA, CA. (DSL) n/a 135 pcap raw alerts
ruleset other
1009 lines Yeah : 1.3
profile none summary
tarball 7 of 40 8af5ea4b9d
NEW none[3] none:none
none|none none trace