Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

26 July 2009
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:01:08:00 WinXP 195.158.229.78 (-):
EBONE NEW YORK CITY POP,
NEW YORK, NEW YORK, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
127 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 40 21f78789d7
NEW
d764c1dcb2
NEW 5014629ea1 [0]
3d2bc60c5d[0] none:none
none:none
Armadillo|
tElock| none
none trace
trace

T:01:43:00 WinXP 60.248.117.221 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
74 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:02:19:00 Win2K-f 211.212.16.38 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
94 lines Yeah : 1.3
profile none summary
tarball 41 of 41
5 of 41 4e723f03b5
NEW
9a9801a8d3
NEW 5d0041443e [0]
94e2bf1ef1[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:02:20:00 WinXP 4.159.174.4 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
MILWAUKEE, WISCONSIN, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
165 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:04:34:00 WinXP 76.210.226.39 (-):
PPPOX POOL - BRAS1.BUMTTX,
PLANO, TEXAS, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:05:48:00 WinXP 114.48.159.31 (-):
. n/a 445 pcap raw alerts
ruleset ftp
13 lines Yeah : 0.8
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:08:20:00 Win2K-f 98.141.160.199 (-):
. n/a 135 pcap raw alerts
ruleset other
19 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:08:29:00 Win2K-f 218.210.85.174 (SPARQNET.NET):
NEW CENTURY INFOCOMM TECH CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:09:06:00 WinXP 82.246.50.232 (PROXAD.NET):
PROXAD / FREE SAS,
NICE, PROVENCE-ALPES-COTE D'AZUR, FR. n/a RU:citi-bank.ru
:parex-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball 39 of 41 2457886182
NEW 89781b90e7 [0] none:none
PolyEnE| none trace

T:09:16:00 Win2K-f 4.237.237.74 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
NEW YORK, NEW YORK, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:09:21:00 WinXP 88.30.122.29 (RIMA-TDE.NET):
TELEFONICA MOVILES ESPANA (NCC#2007041930),
ES. n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:09:43:00 WinXP 4.251.124.154 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
GERMANTOWN, MARYLAND, US. (DIAL) n/a 135 pcap raw alerts
ruleset other
732 lines Yeah : 1.3
profile none summary
tarball 22 of 40 59617f9be3
NEW 35722f3350 [0] none:none
StarForce| none trace

T:11:20:00 WinXP 62.234.208.56 (WANADOO.NL):
EURONET INTERNET BV,
THE HAGUE, ZUID-HOLLAND, NL. (DIAL) n/a 445 pcap raw alerts
ruleset ftp
13 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:11:53:00 WinXP 61.218.193.250 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

12:29:00 WinXP 99.38.201.228 (-):
. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 31 of 32 1e5df7ba74
NEW none[0] ASM:Graph
PolyEnE| lines=68 trace

T:12:49:00 WinXP 67.9.23.186 (RR.COM):
ROAD RUNNER HOLDCO LLC,
LARGO, FLORIDA, US. n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 25 of 25 7f60162c2c
NEW none[0] none:none
PolyEnE| lines=93
embedded dns trace

T:13:30:00 WinXP 70.252.113.146 (SWBELL.NET):
PPPOX POOL - BRAS3.OKCYOK,
OKLAHOMA CITY, OKLAHOMA, US. (DIAL) n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 25 of 25 7f60162c2c
NEW none[0] none:none
PolyEnE| lines=93
embedded dns trace

T:13:46:00 WinXP 58.127.87.77 (HANANET.NET):
HANARO TELECOM INC,
KR. 218.93.205.24:65520 CN:proxima.ircgalaxy.pl
US:microsoft.com
CN:put.ghura.pl
IL:xt67ur.wwlax.com
IL:bugreport.waverevenue.com
IL:xul93.pubdomainstr.com
CN:dl2.guarddog2009.com
IL:rec.bestrevenue.net
CN:brenz.pl
US:b155.bundlext.com
CN:211.95.79.6:80
IL:62.90.134.29:80 135 pcap raw alerts
ruleset irc
http
120 lines Yeah : 1.8
profile none summary
tarball 7 of 41
14 of 41
28 of 41
none
27 of 41
21 of 41
38 of 40 18dfbbc85b
NEW
637194c253
NEW
6648e7022b
NEW
6a4845ca11
NEW
6f8772fb4c
NEW
a72dde0ecb
NEW
ffafd341d9
NEW 4f6fcecea3 [0]
2d39eb2ce1[0]
0ad0f97bcc[0]
c23d00870b[0]
72c4861af2[0]
495a04ac11[0]
294fb27545[0] none:none
none:none
none:none
none:none
none:none
none:none
ASM:Graph
UPX|
UPX|
UPX|
tElock|
UPX|
UPX|
Armadillo| none
none
none
none
none
none
lines=91 trace
trace
trace
trace
trace
trace
trace

T:14:14:00 WinXP 92.40.58.29 (IKBCC.COM):
EU-ZZ,
UK. n/a RU:citi-bank.ru
EU:kidos-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 511fc83563
NEW 8f20cd5496 [0] none:none
PolyEnE| none trace

T:14:22:00 WinXP 70.168.132.205 (COX.NET):
COX COMMUNICATIONS,
VIENNA, VIRGINIA, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:15:21:00 Win2K-f 61.218.193.218 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:15:39:00 WinXP 119.230.92.15 (-):
. n/a 445 pcap raw alerts
ruleset ftp
13 lines Yeah : 0.8
profile none summary
tarball 38 of 41 7b313206a2
NEW 0c866c8cce [0] none:none
none|none none trace

T:17:15:00 WinXP 216.9.145.92 (-):
NEW CONCEPTS COMMUNICATIONS INC,
LINTON, INDIANA, US. 67.43.236.67:10324 CA:xx.nadnadzz.info
:nadsamcabran12.com 135 pcap raw alerts
ruleset irc
http
581 lines Yeah : 1.8
profile none summary
tarball 25 of 41
32 of 38
27 of 32 47d76e8dce
NEW
524bc0f75c
NEW
d00b0ae77c
NEW 457779e597 [0]
d3e9510bb3[0]
423a668612[0] none:none
none:none
none:none
Neolite|
PENinja S|
Armadillo| none
none
none trace
trace
trace

T:17:52:00 WinXP 99.155.87.188 (-):
. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:18:13:00 WinXP 114.205.186.59 (-):
. 218.93.205.24:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
CN:put.ghura.pl
CN:brenz.pl
CN:211.95.79.6:80 135 pcap raw alerts
ruleset irc
http
138 lines Yeah : 1.8
profile none summary
tarball 7 of 41
30 of 33
28 of 33 18dfbbc85b
NEW
533d15b5ce
NEW
58c343a8d8
NEW 4f6fcecea3 [0]
c67adf46e2[0]
none [0] none:none
ASM:Graph
none:none
UPX|
tElock|
Armadillo| none
lines=126
embedded dns
lines=91 trace
trace
trace

T:21:27:00 Win2K-f 203.91.184.97 (STARCAT.NE.JP):
KMN CORPORATION,
NAGOYA, AICHI, JP. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:22:35:00 WinXP 173.169.65.117 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace