Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

04 August 2009
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:27:00 Win2K-f 61.221.226.3 (HINET.NET):
DATA COMMUNICATION BUSINESS GROUP CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
57ce4acac2
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:00:48:00 WinXP 98.141.161.39 (-):
. 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:00:59:00 Win2K-f 74.83.15.14 (-):
. 		n/a   135 pcap raw alerts
ruleset 		other
186 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 c30ebc6937
NEW 		86a59c11cf [0] none:none
 StarForce| none trace
T:01:49:00 Win2K-f 117.197.120.145 (-):
. 		82.114.87.50:2345 CZ:qtas.net
US:immmsn.info
CZ:t32.marund.net
CZ:82.114.87.50:2345 		445 pcap raw alerts
ruleset 		http
irc
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		22 of 41 fa6db4def6
NEW 		2a4509a944 [0] none:none
 ASProtect| none trace
T:02:01:00 WinXP 95.58.11.139 (-):
. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		35 of 35 9716d7995a
NEW 		c3a5354b6f [0] none:none
 PolyEnE| none trace
T:02:55:00 WinXP 217.219.198.32 (-):
NETGOSTAR,
IR. (100Mbps) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		35 of 35 9716d7995a
NEW 		c3a5354b6f [0] none:none
 PolyEnE| none trace
T:03:02:00 WinXP 78.227.216.40 (PRESTONAUTO.COM):
PROXAD INTERNET SERVICE PROVIDER IN FRANCE,
PARIS, ILE-DE-FRANCE, FR. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41 10232cb6f9
NEW 		da3f906792 [0] none:none
 PolyEnE| none trace
T:03:08:00 WinXP 86.155.81.133 (BTCENTRALPLUS.COM):
BT-CENTRAL-PLUS,
UK. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 831f4ee0a7
NEW 		none[0] ASM:Graph
 none|none lines=61 trace
T:03:45:00 WinXP 96.8.219.143 (-):
. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:03:47:00 Win2K-f 4.178.239.160 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
US. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
05:42:00 Win2K-f 62.87.65.242 (AIRTEL.NET):
GLOBAL MOBILE OPERATOR,
BARCELONA, CATALUņA, ES. 		n/a US:www.maxmind.com
US:checkip.dyndns.org 		445 pcap raw alerts
ruleset 		http
4 lines 		Yeah : 0.8
profile 		none summary
tarball 		3 of 37 d9cb288f31
NEW 		45603a001c [0] ASM:Graph
 UPX| lines=174
embedded dns 		trace
T:05:47:00 WinXP 69.85.112.208 (SPEAKEASY.NET):
US. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		35 of 35 9716d7995a
NEW 		c3a5354b6f [0] none:none
 PolyEnE| none trace
T:05:59:00 Win2K-f 118.141.132.52 (-):
. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
59 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
8 of 33		 53bfe15e91
NEW
b7082104e4
NEW 		1473091351 [0]
c5b49e7b82[0] 		ASM:Graph
ASM:Graph
 tElock|
tElock| 		lines=75
embedded dns
lines=41 		trace
trace
T:06:03:00 WinXP 65.78.218.236 (WVFIBERNET.NET):
FIBERNET,
SPENCER, WEST VIRGINIA, US. 		n/a   445 pcap raw alerts
ruleset 		ftp
14 lines 		Yeah : 0.8
profile 		none summary
tarball 		31 of 32 741e3b03b3
NEW 		none[0] none:none
 none|none lines=61 trace
T:06:44:00 WinXP 122.146.252.192 (SPARQNET.NET):
NEW CENTURY INFOCOMM TECH. CO. LTD,
TAIPEI, T'AI-PEI, TW. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
57ce4acac2
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:07:48:00 WinXP 79.163.97.242 (-):
IDEA,
PL. 		n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 119ec42aa0
NEW 		fd3c61c261 [0] none:none
 PolyEnE| none trace
T:07:59:00 WinXP 77.64.185.199 (PRIMACOM.NET):
PRIMACOM,
DE. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none c05290bb06
NEW 		dddfe6a7fe [0] none:none
 PolyEnE| none trace
T:09:39:00 WinXP 113.255.115.105 (-):
. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
77 lines 		Yeah : 1.3
profile 		none summary
tarball 		32 of 40
33 of 33		 27b17a2724
NEW
53bfe15e91
NEW 		a1d5ac965b [0]
1473091351[0] 		none:none
ASM:Graph
 tElock|
tElock| 		none
lines=75
embedded dns 		trace
trace
T:10:33:00 WinXP 83.92.147.52 (ADSL-DHCP.TELE.DK):
TDC-TELEDANMARK-BREDBAANDSADSL-NET,
DK. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 1fcc146d70
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:10:46:00 WinXP 84.183.239.4 (T-DIALIN.NET):
DEUTSCHE TELEKOM AG,
QUEDLINBURG, SACHSEN-ANHALT, DE. (DIAL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
14 lines 		Yeah : 1.3
profile 		none summary
tarball 		31 of 32 741e3b03b3
NEW 		none[0] none:none
 none|none lines=61 trace
T:12:56:00 WinXP 202.216.56.71 (FLETS-A-WEST-1-10.DSN.JP):
DS NETWORKS CO,
JP. 		n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		26 of 28 ca47a36342
NEW 		none[0] ASM:Graph
 PolyEnE| lines=89
embedded dns 		trace
T:13:54:00 WinXP 69.85.112.201 (SPEAKEASY.NET):
US. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		35 of 35 9716d7995a
NEW 		c3a5354b6f [0] none:none
 PolyEnE| none trace
14:34:00 WinXP 130.13.40.65 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
16 lines 		Yeah : 1.3
profile 		none summary
tarball 		36 of 41 894e794b2b
NEW 		aeb41eb7b9 [0] none:none
 Obsidium| none trace
T:15:11:00 WinXP 67.249.225.180 (-):
. 		n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
GB:welcome3.smile.co.uk
:wpad
GB:195.92.84.198:80
US:204.13.161.51:80
EU:78.47.200.154:80 		445 pcap raw alerts
ruleset 		http
http
http
9 lines 		Yeah : 0.8
profile 		none summary
tarball 		29 of 29 a12cab51ef
NEW 		none[0] none:none
 ASPack| lines=281
embedded dns 		trace
T:15:28:00 WinXP 75.181.174.11 (RR.COM):
ROAD RUNNER HOLDCO LLC,
HERNDON, VIRGINIA, US. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 1a2c0e6130
NEW 		none[0] none:none
 none|none lines=60 trace
T:16:40:00 WinXP 122.110.4.63 (-):
. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 36b32ce575
NEW 		f8ed53f9d5 [0] none:none
 PolyEnE| none trace
T:16:51:00 WinXP 66.66.248.227 (RR.COM):
ROAD RUNNER HOLDCO LLC,
SCHENECTADY, NEW YORK, US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
59 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
8 of 33		 53bfe15e91
NEW
b7082104e4
NEW 		1473091351 [0]
c5b49e7b82[0] 		ASM:Graph
ASM:Graph
 tElock|
tElock| 		lines=75
embedded dns
lines=41 		trace
trace
T:17:23:00 WinXP 75.60.216.180 (SBCGLOBAL.NET):
PPPOX POOL - SE1.WOTNOH,
DALLAS, TEXAS, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:17:58:00 WinXP 71.148.35.37 (SBCGLOBAL.NET):
KASSA KASSA,
PLANO, TEXAS, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:18:29:00 Win2K-f 4.225.20.218 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
KOKOMO, INDIANA, US. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
145 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 33 a08f3b74a4
NEW 		none[0] none:none
 Armadillo| lines=90 trace
T:18:35:00 WinXP 115.132.70.46 (-):
. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 b75de11a6a
NEW 		4839076ec1 [0] none:none
 PolyEnE| none trace
18:41:00 Win2K-f 122.120.241.207 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TW. 		n/a US:www.maxmind.com
US:getmyip.co.uk
EU:checkip.dyndns.org
US:www.getmyip.org
US:67.15.94.80:80
EU:91.198.22.70:80 		445 pcap raw alerts
ruleset 		http
6 lines 		Yeah : 0.8
profile 		none summary
tarball 		3 of 37 d9cb288f31
NEW 		45603a001c [0] ASM:Graph
 UPX| lines=174
embedded dns 		trace
T:18:49:00 Win2K-f 122.120.241.207 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TW. 		n/a US:www.maxmind.com
:checkip.dyndns.org 		445 pcap raw alerts
ruleset 		http
4 lines 		Yeah : 0.8
profile 		none summary
tarball 		3 of 37 d9cb288f31
NEW 		45603a001c [0] ASM:Graph
 UPX| lines=174
embedded dns 		trace
T:19:35:00 WinXP 61.221.119.126 (HINET.NET):
DATA COMMUNICATION BUSINESS GROUP CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. (100Mbps) 		n/a   135 pcap raw alerts
ruleset 		other
64 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 33 57ce4acac2
NEW 		none[0] none:none
 Armadillo| lines=90 trace
T:19:54:00 WinXP 67.8.56.42 (RR.COM):
ROAD RUNNER HOLDCO LLC,
NAPLES, FLORIDA, US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
76 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:20:08:00 WinXP 67.67.218.178 (SWBELL.NET):
PPPOX POOL - RBACK7 AUSTTX,
AUSTIN, TEXAS, US. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 1a2c0e6130
NEW 		none[0] none:none
 none|none lines=60 trace
T:20:38:00 WinXP 12.74.52.121 (ATT.NET):
AT&T WORLDNET SERVICES,
LOUISVILLE, KENTUCKY, US. (DIAL) 		n/a DE:siliconfireware.ru
US:searchportal.information.com
GB:new.egg.com
:wpad
US:spi.domainsponsor.com 		445 pcap raw alerts
ruleset 		http
http
http
http
31 lines 		Yeah : 0.8
profile 		none summary
tarball 		29 of 29 a12cab51ef
NEW 		none[0] none:none
 ASPack| lines=281
embedded dns 		trace
T:21:56:00 WinXP 216.215.128.38 (NUVOX.NET):
NUVOX COMMUNICATIONS INC,
GREENSBORO, NORTH CAROLINA, US. 		n/a EU:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
GB:welcome3.smile.co.uk
:wpad
GB:195.92.84.198:80 		445 pcap raw alerts
ruleset 		http
http
http
25 lines 		Yeah : 0.8
profile 		none summary
tarball 		29 of 29 a12cab51ef
NEW 		none[0] none:none
 ASPack| lines=281
embedded dns 		trace
T:22:19:00 WinXP 98.141.160.199 (-):
. 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:22:38:00 WinXP 63.25.86.165 (UU.NET):
UUNET TECHNOLOGIES INC,
US. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 eda3b7766c
NEW 		7556343561 [0] none:none
 PolyEnE| none trace
T:22:38:00 WinXP 122.53.81.60 (PLDT.NET):
IPG,
PH. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
101 lines 		Yeah : 1.3
profile 		none summary
tarball 		35 of 39
36 of 39		 ee4c5c80ea
NEW
f37bd4ab26
NEW 		28944e2541 [0]
c78cfe6339[0] 		ASM:Graph
ASM:Graph
 tElock|
tElock| 		lines=42
lines=64
embedded dns 		trace
trace