Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

03 August 2009
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:32:00 WinXP 119.228.209.126 (-):
. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 41 7b313206a2
NEW 		0c866c8cce [0] none:none
 none|none none trace
T:02:08:00 Win2K-f 70.166.32.231 (COX.NET):
COX COMMUNICATIONS,
CHULA VISTA, CALIFORNIA, US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:04:00:00 WinXP 211.18.114.29 (DION.NE.JP):
DION (KDDI CORPORATION),
JP. (DIAL) 		n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		25 of 25 7f60162c2c
NEW 		none[0] none:none
 PolyEnE| lines=93
embedded dns 		trace
T:04:54:00 Win2K-f 216.208.242.78 (GROUPTELECOM.NET):
BELL CANADA,
TORONTO, ONTARIO, CA. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
118 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41
37 of 41		 c89b154681
NEW
d2b40c91a1
NEW 		58d02dbffa [0]
fbaa414397[0] 		none:none
none:none
 StarForce|
Armadillo| 		none
none 		trace
trace
T:04:55:00 WinXP 189.6.52.42 (BRASILTELECOM.NET.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. 		n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		25 of 25 7f60162c2c
NEW 		none[0] none:none
 PolyEnE| lines=93
embedded dns 		trace
T:05:03:00 WinXP 66.72.68.112 (AMERITECH.NET):
AT&T INTERNET SERVICES,
BLOOMINGTON, INDIANA, US. (DIAL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 1a2c0e6130
NEW 		none[0] none:none
 none|none lines=60 trace
T:05:35:00 WinXP 4.176.39.206 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
MESA, ARIZONA, US. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
128 lines 		Yeah : 1.3
profile 		none summary
tarball 		37 of 41 a1acc403a2
NEW 		54ef26c2f9 [0] none:none
 Armadillo| none trace
T:06:45:00 WinXP 151.16.210.65 (38-151.NET24.IT):
IUNET-BNET,
IT. (100Mbps) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
14 lines 		Yeah : 1.3
profile 		none summary
tarball 		31 of 32 741e3b03b3
NEW 		none[0] none:none
 none|none lines=61 trace
T:07:33:00 WinXP 121.121.93.38 (MAXIS.NET.MY):
MAXIS COMMUNICATIONS BHD,
MY. 		n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		25 of 25 7f60162c2c
NEW 		none[0] none:none
 PolyEnE| lines=93
embedded dns 		trace
T:07:44:00 WinXP 130.13.163.218 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. 		n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		35 of 35 9716d7995a
NEW 		c3a5354b6f [0] none:none
 PolyEnE| none trace
T:09:48:00 WinXP 199.120.117.102 (SOUTHSLOPE.NET):
SOUTH SLOPE COOPERATIVE TELEPHONE COMPANY,
NORTH LIBERTY, IOWA, US. (DSL) 		n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 534ccf8cdb
NEW 		4473c170f3 [0] none:none
 PolyEnE| none trace
T:09:53:00 WinXP 87.55.74.194 (IP.TELE.DK):
TDC-TELEDANMARK-BREDBAANDSADSL-NET,
DK. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		41 of 41 b26ed6eeac
NEW 		97c1157bf8 [0] none:none
 PolyEnE| none trace
10:11:00 WinXP 76.8.230.228 (TELAPEX.COM):
TELEPAK NETWORKS INC,
JACKSON, MISSISSIPPI, US. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
10:18:00 WinXP 87.55.74.194 (IP.TELE.DK):
TDC-TELEDANMARK-BREDBAANDSADSL-NET,
DK. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		41 of 41 b26ed6eeac
NEW 		97c1157bf8 [0] none:none
 PolyEnE| none trace
T:10:33:00 Win2K-f 113.255.59.150 (-):
. 		n/a   135 pcap raw alerts
ruleset 		other
367 lines 		Yeah : 1.3
profile 		none summary
tarball 		30 of 41 0b32f63dbe
NEW 		none[3] none:none
 none|none none trace
T:11:26:00 Win2K-f 71.113.142.8 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
BLOOMINGTON, ILLINOIS, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
144 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 40 10980f4df2
NEW 		1fd3385a95 [0] ASM:Graph
 none|none lines=556 trace
T:12:00:00 Win2K-f 113.254.168.172 (-):
. 		n/a   135 pcap raw alerts
ruleset 		other
186 lines 		Yeah : 1.3
profile 		none summary
tarball 		41 of 41 e543d59e75
NEW 		c63bbddae0 [0] none:none
 none|none none trace
T:12:06:00 WinXP 98.141.9.117 (-):
. 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:12:44:00 WinXP 92.115.168.45 (APEXCOVANTAGE.COM):
EU-ZZ,
UK. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:14:31:00 WinXP 99.56.196.120 (-):
. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
86 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
3 of 33		 53bfe15e91
NEW
991aba5d77
NEW 		1473091351 [0]
a5df7c748b[0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
none 		trace
trace
T:14:56:00 WinXP 89.111.226.231 (TEOL.NET):
TELEKOMSRPSKE,
BA. (DIAL) 		n/a   445 pcap raw alerts
ruleset 		ftp
13 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:14:59:00 WinXP 96.8.227.146 (-):
. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:15:49:00 WinXP 61.20.173.44 (-):
FAR EASTONE TELECOMMUNICATION CO. LTD,
TW. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		39 of 40 74b3d149e8
NEW 		cef0fa2981 [0] none:none
 PolyEnE| none trace
T:16:20:00 Win2K-f 96.49.243.172 (-):
. 		61.120.62.28:3305 JP:cx10man.weedns.com 135 pcap raw alerts
ruleset 		irc
695 lines 		Yeah : 1.8
profile 		none summary
tarball 		28 of 41 b8076e37ae
NEW 		52953fed05 [0] none:none
 StarForce| none trace
T:16:49:00 Win2K-f 61.218.193.250 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
57ce4acac2
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:17:38:00 WinXP 219.67.173.38 (ODN.AD.JP):
OPEN DATA NETWORK(JAPAN TELECOM CO. LTD.),
JP. (DIAL) 		221.5.74.39:65520 69.162.84.186:80 CN:proxim.ircgalaxy.pl
:onuka.cn
:mxs.mail.ru
US:alt4.gmail-smtp-in.l.google.com
US:in1.smtp.messagingengine.com
US:mail7.digitalwaves.co.nz
CN:put.ghura.pl
US:209.190.85.36:25
216.245.220.146:25
CN:218.93.205.19:80
GB:88.214.192.192:25
GB:88.214.216.6:25 		445 pcap raw alerts
ruleset 		http
irc
22 lines 		Yeah : 1.3
profile 		none summary
tarball 		13 of 41
37 of 39		 5052ee0fa8
NEW
dab4da4e21
NEW 		95113fdfb1 [0]
e63b813015[0] 		none:none
ASM:Graph
 Obsidium|
PolyEnE| 		none
lines=134 		trace
trace
T:18:00:00 Win2K-f 96.52.182.145 (-):
. 		n/a   135 pcap raw alerts
ruleset 		other
1008 lines 		Yeah : 1.3
profile 		none summary
tarball 		15 of 41 770a04a72c
NEW 		none[3] none:none
 none|none none trace
T:18:24:00 WinXP 130.13.45.23 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 945cb548ce
NEW 		9c2350203d [0] none:none
 PolyEnE| none trace
T:21:35:00 WinXP 66.69.86.131 (RR.COM):
ROAD RUNNER HOLDCO LLC,
SAN ANTONIO, TEXAS, US. (100Mbps) 		n/a   445 pcap raw alerts
ruleset 		http
1 line 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:22:03:00 WinXP 130.15.63.51 (QUEENSU.CA):
QUEEN'S UNIVERSITY,
KINGSTON, ONTARIO, CA. 		62.128.152.250:3305 NL:cx10man.weedns.com
AR:fx010413.whyI.org
:gynoman.weedns.com
TH:g.0x20.biz
TH:telephone.dd.blueline.be
GB:phonewire.dd.blueline.be
TH:203.146.251.62:3305
JP:61.120.62.28:3305 		135 pcap raw alerts
ruleset 		shell
ftp
irc
31 lines 		Yeah : 1.8
profile 		none summary
tarball 		28 of 41 b8076e37ae
NEW 		52953fed05 [0] none:none
 StarForce| none trace
T:22:03:00 Win2K-f 130.13.160.154 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. 		217.18.77.190:3305 JP:cx10man.weedns.com 135 pcap raw alerts
ruleset 		shell
ftp
irc
23 lines 		Yeah : 1.8
profile 		none summary
tarball 		28 of 41 b8076e37ae
NEW 		52953fed05 [0] none:none
 StarForce| none trace
T:22:05:00 WinXP 130.13.211.122 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. 		210.166.223.51:3305 TH:cx10man.weedns.com 135 pcap raw alerts
ruleset 		shell
ftp
irc
27 lines 		Yeah : 1.8
profile 		none summary
tarball 		22 of 40 59617f9be3
NEW 		35722f3350 [0] none:none
 StarForce| none trace
T:22:19:00 WinXP 130.13.51.233 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. 		61.120.62.28:3305 :cx10man.weedns.com
:fx010413.whyI.org
JP:61.120.62.28:3305 		135 pcap raw alerts
ruleset 		shell
ftp
shell
irc
34 lines 		Yeah : 1.8
profile 		none summary
tarball 		39 of 41 7e88321f22
NEW 		9477663d4f [0] none:none
 StarForce| none trace
T:22:33:00 Win2K-f 130.13.164.110 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. 		217.18.77.190:3305 GB:cx10man.weedns.com 135 pcap raw alerts
ruleset 		shell
ftp
shell
irc
38 lines 		Yeah : 1.8
profile 		none summary
tarball 		28 of 41 b8076e37ae
NEW 		52953fed05 [0] none:none
 StarForce| none trace
T:22:47:00 WinXP 130.13.210.234 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. 		61.120.62.28:3305 JP:cx10man.weedns.com 135 pcap raw alerts
ruleset 		shell
ftp
irc
23 lines 		Yeah : 1.8
profile 		none summary
tarball 		39 of 41 7e88321f22
NEW 		9477663d4f [0] none:none
 StarForce| none trace