Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

02 August 2009
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:01:32:00 Win2K-f 124.180.95.199 (BIGPOND.NET.AU):
TELSTRAINTERNET44,
MELBOURNE, VICTORIA, AU. 61.120.62.28:3305 TH:cx10man.weedns.com 135 pcap raw alerts
ruleset irc
609 lines Yeah : 1.8
profile none summary
tarball 39 of 41 9670a0084c
NEW 4f63fded0b [0] none:none
StarForce| none trace

T:02:22:00 WinXP 210.228.233.129 (ODN.AD.JP):
OPEN DATA NETWORK(JAPAN TELECOM CO. LTD.),
KUMAMOTO, KUMAMOTO, JP. (DIAL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball none c05290bb06
NEW dddfe6a7fe [0] none:none
PolyEnE| none trace

T:02:25:00 WinXP 68.146.21.42 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CALGARY, ALBERTA, CA. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:04:33:00 WinXP 4.131.18.177 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
BEDFORD, OHIO, US. (DIAL) n/a 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:06:11:00 Win2K-f 113.255.28.254 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
59 lines Yeah : 1.3
profile none summary
tarball 33 of 33
8 of 33 53bfe15e91
NEW
b7082104e4
NEW 1473091351 [0]
c5b49e7b82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=75
embedded dns
lines=41 trace
trace

T:06:38:00 Win2K-f 98.141.160.84 (-):
. n/a 135 pcap raw alerts
ruleset other
18 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:07:03:00 WinXP 222.237.228.95 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
113 lines Yeah : 1.3
profile none summary
tarball 41 of 41
6 of 41 5213395833
NEW
9fdf6de4a9
NEW 515eacbc36 [0]
794f9a1087[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:07:05:00 WinXP 24.105.235.246 (SPEAKEASY.NET):
US. n/a :gg.arrancar.org 135 pcap raw alerts
ruleset other
186 lines Yeah : 1.3
profile none summary
tarball 38 of 41 2a3036afb7
NEW 79a17e6e18 [0] none:none
none|none none trace

T:08:45:00 WinXP 70.251.149.19 (SWBELL.NET):
PPPOX POOL - BRAS17 RCSNTX,
FT. WORTH, TEXAS, US. (DIAL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:09:36:00 WinXP 12.48.95.61 (ATT.NET):
AT&T WORLDNET SERVICES,
US. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 40 of 41 316da4c6a8
NEW ba28386df7 [0] none:none
PolyEnE| none trace

T:09:42:00 WinXP 75.43.214.212 (SBCGLOBAL.NET):
PPPOX POOL - BRAS2.LSAN,
LOS ANGELES, CALIFORNIA, US. (DSL) n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
GB:new.egg.com
:wpad 445 pcap raw alerts
ruleset http
http
http
http
48 lines Yeah : 0.8
profile none summary
tarball 29 of 29 a12cab51ef
NEW none[0] none:none
ASPack| lines=281
embedded dns trace

T:11:59:00 WinXP 122.29.167.55 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
JP. n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 29 of 29 831f4ee0a7
NEW none[0] ASM:Graph
none|none lines=61 trace

T:12:10:00 Win2K-f 173.22.152.133 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:12:16:00 WinXP 69.85.123.4 (SPEAKEASY.NET):
US. 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 35 of 35 9716d7995a
NEW c3a5354b6f [0] none:none
PolyEnE| none trace

T:12:41:00 WinXP 63.19.51.77 (UU.NET):
UUNET TECHNOLOGIES INC,
CECILIA, KENTUCKY, US. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 32 of 32 5818023061
NEW none[0] ASM:Graph
PolyEnE| lines=68 trace

T:12:44:00 Win2K-f 173.168.162.148 (-):
. n/a 135 pcap raw alerts
ruleset other
144 lines Yeah : 1.3
profile none summary
tarball 39 of 40 10980f4df2
NEW 1fd3385a95 [0] ASM:Graph
none|none lines=556 trace

T:12:57:00 WinXP 72.251.79.210 (1DIAL.COM):
AD-BASE SYSTEMS INC. (DBA GLOBALPOPS),
PITTSBURGH, PENNSYLVANIA, US. (DIAL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
3 lines Yeah : 1.3
profile none summary
tarball 40 of 41 3b569cd1c6
NEW a81c9e968a [0] none:none
PolyEnE| none trace

T:13:33:00 WinXP 4.190.209.111 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
OMAHA, NEBRASKA, US. (DIAL) n/a EU:siliconfireware.ru
:wpad
DE:212.227.111.29:80
DE:217.11.54.126:80
EU:78.47.200.154:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 29 of 29 df17a625ee
NEW none[0] none:none
ASPack| lines=298
embedded dns trace

T:13:40:00 Win2K-f 71.111.239.212 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
DURHAM, NORTH CAROLINA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:14:27:00 Win2K-f 4.140.204.183 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
WALTHAM, MASSACHUSETTS, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
65 lines Yeah : 1.3
profile none summary
tarball 33 of 33
8 of 33 53bfe15e91
NEW
b7082104e4
NEW 1473091351 [0]
c5b49e7b82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=75
embedded dns
lines=41 trace
trace

T:16:02:00 WinXP 88.161.62.82 (PROXAD.NET):
PROXAD / FREE SAS,
FR. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 511fc83563
NEW 8f20cd5496 [0] none:none
PolyEnE| none trace

T:17:15:00 WinXP 63.19.14.57 (UU.NET):
UUNET TECHNOLOGIES INC,
ST. LOUIS, MISSOURI, US. (DIAL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 32 of 32 5818023061
NEW none[0] ASM:Graph
PolyEnE| lines=68 trace

17:26:00 WinXP 64.188.198.160 (-):
. 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 41 cdf48be687
NEW 5c02f1197b [0] none:none
PolyEnE| none trace

T:18:21:00 WinXP 201.93.32.215 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 40 824d6a706e
NEW a66fd13bcb [0] none:none
PolyEnE| none trace

T:18:42:00 Win2K-f 99.164.48.10 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:18:49:00 Win2K-f 24.80.177.50 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
VANCOUVER, BRITISH COLUMBIA, CA. (DSL) n/a CN:irc.zief.pl
CN:put.ghura.pl
IL:xt67ur.wwlax.com
CN:brenz.pl
IL:bugreport.waverevenue.com
IL:tidwhmep.s4upd.com
IL:rec.bestrevenue.net
:gg.arrancar.org 135 pcap raw alerts
ruleset http
348 lines Yeah : 1.3
profile none summary
tarball 28 of 41
34 of 40
19 of 41 6648e7022b
NEW
a72398081f
NEW
cd88b89d5e
NEW 0ad0f97bcc [0]
3f0ad45d1c[0]
150e365b1e[0] none:none
none:none
none:none
UPX|
tElock|
UPX| none
none
none trace
trace
trace

T:19:07:00 WinXP 124.87.54.132 (OCN.NE.JP):
NTT COMMUNICATIONS CORPORATION,
TOKYO, TOKYO, JP. n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 29 of 29 831f4ee0a7
NEW none[0] ASM:Graph
none|none lines=61 trace

T:19:11:00 Win2K-f 110.50.177.59 (-):
. n/a IL:rec.bestrevenue.net
IL:digi-fast.com
US:b163.bundlext.com
:gg.arrancar.org
74.55.100.8:555 445 pcap raw alerts
ruleset http
http
http
http
185 lines Argh : 0.3
profile none summary
tarball 17 of 38
40 of 41
35 of 41
4 of 41 10b9665cc5
NEW
6ab29263ea
NEW
9fa31ab3b7
NEW
f8ba797fc9
NEW 344f01b03f [0]
32d3ecc26e[0]
9216033ec0[0]
none [3] none:none
none:none
none:none
none:none
StarForce|
StarForce|
StarForce|
tElock| none
none
none
none trace
trace
trace
trace

T:19:32:00 WinXP 74.138.51.180 (INSIGHTBB.COM):
INSIGHT COMMUNICATIONS COMPANY L.P,
LOUISVILLE, KENTUCKY, US. n/a 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:20:02:00 Win2K-f 74.213.204.170 (ETV.NET):
EMERY TELCOM,
ORANGEVILLE, UTAH, US. 61.120.62.28:3305 :cx10man.weedns.com
GB:fx010413.whyI.org
JP:61.120.62.28:3305 135 pcap raw alerts
ruleset irc
702 lines Yeah : 1.8
profile none summary
tarball 28 of 41 b8076e37ae
NEW 52953fed05 [0] none:none
StarForce| none trace

T:21:17:00 WinXP 4.244.87.52 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
TULSA, OKLAHOMA, US. (DIAL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 29 of 29 986b59708d
NEW none[0] none:none
PolyEnE| lines=57 trace

T:21:55:00 WinXP 69.201.143.58 (RR.COM):
ROAD RUNNER HOLDCO LLC,
NEW YORK, NEW YORK, US. n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
RU:www.bbin.ru
RU:www.binbank.ru
:wpad 445 pcap raw alerts
ruleset http
http
http
http
49 lines Yeah : 0.8
profile none summary
tarball 29 of 29 a12cab51ef
NEW none[0] none:none
ASPack| lines=281
embedded dns trace

T:22:47:00 WinXP 173.19.143.3 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:23:04:00 WinXP 61.218.192.234 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
KAOHSIUNG, KAO-HSIUNG, TW. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:23:12:00 Win2K-f 174.3.113.90 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 39 of 41
38 of 41 324d1f619a
NEW
c3d646e84a
NEW 0d98e96b9b [0]
f381434632[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:23:42:00 WinXP 211.203.184.52 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. 221.5.74.39:65520 218.93.205.24:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
CN:put.ghura.pl
CN:brenz.pl
CN:211.95.79.6:80 135 pcap raw alerts
ruleset irc
http
139 lines Yeah : 1.8
profile none summary
tarball 32 of 36
34 of 36 0c3d1ec2df
NEW
8de905030e
NEW c9008e9a12 [0]
f601bdf68b[0] none:none
none:none
Armadillo|
tElock| none
none trace
trace