Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

17 July 2009
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:36:00 WinXP 75.49.12.48 (SBCGLOBAL.NET):
PPPOX POOL - SE1.WOTNOH 101906-1259,
COLUMBUS, OHIO, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:02:06:00 WinXP 86.155.9.168 (BTCENTRALPLUS.COM):
BT-CENTRAL-PLUS,
UK. n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 29 of 29 831f4ee0a7
NEW none[0] ASM:Graph
none|none lines=61 trace

T:02:21:00 WinXP 85.180.228.165 (ALICEDSL.DE):
HANSENET-ADSL,
DE. (DSL) n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball 29 of 29 d42c1cc7c0
NEW none[0] ASM:Graph
PolyEnE| lines=54 trace

T:02:27:00 Win2K-f 130.13.15.171 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. n/a 135 pcap raw alerts
ruleset other
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

02:27:00 WinXP 130.13.15.171 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. n/a 135 pcap raw alerts
ruleset other
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

04:52:00 Win2K-f 115.80.217.200 (-):
. n/a US:www.maxmind.com
US:www.getmyip.org
US:getmyip.co.uk
EU:checkip.dyndns.org
US:65.254.39.170:80
US:67.15.94.80:80
US:75.126.138.202:80
EU:91.198.22.70:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 7 of 37 7587773eea
NEW none[3] none:none
StarForce| none trace

T:04:56:00 Win2K-f 222.236.99.247 (HANANET.NET):
HANARO TELECOM INC,
KR. 218.93.205.24:65520 CN:proxima.ircgalaxy.pl
US:microsoft.com
CN:brenz.pl
CN:lometr.pl 135 pcap raw alerts
ruleset irc
http
148 lines Yeah : 1.8
profile none summary
tarball 19 of 41
8 of 41
40 of 41
40 of 41 176f4e0237
NEW
1e93b61c3f
NEW
80a65838c6
NEW
f82d977dc5
NEW 971b66b4c6 [0]
98d3499a7c[0]
5a961ecaa3[0]
7e2c966516[0] none:none
none:none
none:none
none:none
none|none
Mew|
tElock|
Armadillo| none
none
none
none trace
trace
trace
trace

T:04:58:00 WinXP 98.141.9.167 (-):
. n/a 135 pcap raw alerts
ruleset other
19 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:05:12:00 WinXP 70.250.239.125 (SWBELL.NET):
PPPOX POOL - BRAS17 RCSNTX,
FT. WORTH, TEXAS, US. 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:06:14:00 Win2K-f 61.218.193.218 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:06:17:00 WinXP 67.246.220.245 (-):
. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:07:59:00 WinXP 89.111.226.199 (TEOL.NET):
TELEKOMSRPSKE,
BA. (DIAL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:09:16:00 WinXP 193.169.50.83 (-):
ISTEL,
UK. n/a 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 694802b8ef
NEW 433eb20eb6 [0] none:none
PolyEnE| none trace

T:09:21:00 WinXP 211.59.80.206 (HAEDONGTEK.CO.KR):
THRUNET CO. LTD,
SEOUL, KYONGGI-DO, KR. 218.93.205.24:65520 CN:proxima.ircgalaxy.pl
US:microsoft.com
CN:brenz.pl
CN:211.95.79.6:80 135 pcap raw alerts
ruleset irc
121 lines Yeah : 1.8
profile none summary
tarball 31 of 33
31 of 33 9d571adc3c
NEW
a704164588
NEW 72d7e4054f [0]
6d68e7488e[0] none:none
none:none
Armadillo|
tElock| none
none trace
trace

T:09:50:00 WinXP 91.148.89.3 (WEG.CO.YU):
YU-YUNET,
RS. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 40 824d6a706e
NEW a66fd13bcb [0] none:none
PolyEnE| none trace

T:09:55:00 Win2K-f 96.50.150.171 (-):
. n/a 135 pcap raw alerts
ruleset other
1000 lines Yeah : 1.3
profile none summary
tarball 6 of 40 eb4a6773e7
NEW none[3] none:none
none|none none trace

T:10:12:00 WinXP 93.102.6.93 (APEXCOVANTAGE.COM):
EU-ZZ,
UK. n/a US:www.yahoo.com
US:www.altavista.com
:jbeegvia.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 31 of 32 17028f1eda
NEW none[3] none:none
tElock| none trace

T:11:49:00 WinXP 217.253.211.158 (T-DIALIN.NET):
DEUTSCHE TELEKOM AG,
DE. (DIAL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

13:16:00 Win2K-f 200.249.9.132 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) n/a US:www.maxmind.com
US:getmyip.co.uk
US:www.getmyip.org
:checkip.dyndns.org
US:65.254.39.170:80
US:75.126.138.202:80 445 pcap raw alerts
ruleset http
4 lines Yeah : 0.8
profile none summary
tarball 2 of 37 fcb4920986
NEW none[3] none:none
UPX| none trace

T:13:47:00 Win2K-f 70.60.10.34 (RR.COM):
ROAD RUNNER HOLDCO LLC,
NASHPORT, OHIO, US. n/a 135 pcap raw alerts
ruleset other
18 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:13:54:00 WinXP 71.148.35.37 (SBCGLOBAL.NET):
KASSA KASSA,
PLANO, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:14:23:00 Win2K-f 66.249.173.57 (SPEAKEASY.NET):
US. n/a 135 pcap raw alerts
ruleset other
7 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:14:54:00 Win2K-f 116.125.27.76 (-):
HANARO TELECOM,
SEOUL, KYONGGI-DO, KR. 221.5.74.39:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
CN:brenz.pl
CN:211.95.79.6:80
CN:221.5.74.39:65520 135 pcap raw alerts
ruleset irc
134 lines Yeah : 1.8
profile none summary
tarball 29 of 32
28 of 32 8a75955033
NEW
9276c8b36b
NEW 2bf3e548b9 [0]
none [0] ASM:Graph
ASM:Graph
tElock|
Armadillo| lines=126
embedded dns
lines=81 trace
trace

T:15:03:00 WinXP 186.9.6.255 (-):
. 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 39 of 41 f9b84f422a
NEW b36c48de2f [0] none:none
PolyEnE| none trace

T:15:26:00 Win2K-f 99.178.230.30 (-):
. 218.93.205.24:65520 US:microsoft.com
CN:proxim.ircgalaxy.pl
CN:brenz.pl
CN:211.95.79.6:80 445 pcap raw alerts
ruleset irc
19 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

16:21:00 Win2K-f 190.220.61.73 (-):
. n/a US:www.maxmind.com
US:getmyip.co.uk
US:www.getmyip.org
:checkip.dyndns.org
US:65.254.39.170:80
US:67.15.94.80:80
US:75.126.138.202:80
EU:91.198.22.70:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 dc331fb791
NEW none[3] none:none
UPX| none trace

T:16:33:00 Win2K-f 71.130.22.21 (PACBELL.NET):
WILLIAM MARTINEZ DBA,
PLANO, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:17:13:00 WinXP 70.187.6.37 (COX.NET):
COX COMMUNICATIONS,
OMAHA, NEBRASKA, US. 218.93.205.24:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
CN:brenz.pl
CN:211.95.79.6:80 135 pcap raw alerts
ruleset irc
129 lines Yeah : 1.8
profile none summary
tarball 32 of 36
35 of 36 bea8cb1865
NEW
fac78fde16
NEW 154de51a66 [0]
882896ab05[0] ASM:Graph
none:none
Armadillo|
tElock| lines=91
none trace
trace

T:18:22:00 WinXP 63.21.35.209 (UU.NET):
UUNET TECHNOLOGIES INC,
LOUISVILLE, KENTUCKY, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
134 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

18:34:00 WinXP 118.231.108.177 (-):
. 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 38 of 41 a639a866cf
NEW c7bf122964 [0] none:none
PolyEnE| none trace

T:18:35:00 WinXP 76.216.91.211 (SBCGLOBAL.NET):
PPPOX POOL - BRAS6.STLSMO,
DALLAS, TEXAS, US. 61.120.62.28:3305 :cx10man.weedns.com
GB:fx010413.whyI.org
JP:61.120.62.28:3305 135 pcap raw alerts
ruleset irc
698 lines Yeah : 1.8
profile none summary
tarball 28 of 41 b8076e37ae
NEW 52953fed05 [0] none:none
StarForce| none trace

T:19:22:00 Win2K-f 125.58.122.125 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

19:52:00 Win2K-f 190.254.8.235 (-):
. n/a US:www.maxmind.com
US:getmyip.co.uk
US:www.getmyip.org
US:checkip.dyndns.org
US:65.254.39.170:80
US:67.15.94.80:80
US:75.126.138.202:80
EU:91.198.22.70:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 2 of 37 409ef22885
NEW none[3] none:none
UPX| none trace

T:19:58:00 WinXP 114.48.159.168 (-):
. n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:21:11:00 WinXP 98.140.249.72 (-):
. n/a 135 pcap raw alerts
ruleset other
18 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:22:09:00 WinXP 114.48.195.157 (-):
. n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:22:24:00 Win2K-f 173.25.98.116 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
79 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:23:05:00 WinXP 114.146.82.90 (-):
. n/a 445 pcap raw alerts
ruleset ftp
13 lines Yeah : 0.8
profile none summary
tarball 40 of 41 25c979a843
NEW 3a90fb7e37 [0] none:none
none|none none trace