Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

09 August 2009
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:05:00 WinXP 96.51.69.235 (-):
. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:00:51:00 Win2K-f 203.91.181.12 (STARCAT.NE.JP):
KMN CORPORATION,
NAGOYA, AICHI, JP. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:01:03:00 WinXP 63.246.121.100 (SPEAKEASY.NET):
US. 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:01:22:00 WinXP 193.250.173.245 (ABO.WANADOO.FR):
FRANCE TELECOM,
FR. 		n/a EU:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
:wpad
US:204.13.161.51:80
US:208.73.210.123:80 		445 pcap raw alerts
ruleset 		http
http
http
27 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:02:13:00 WinXP 119.234.36.188 (-):
. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:02:22:00 WinXP 80.98.99.118 (BROADBAND.HU):
UPC MAGYARORSZAG KFT,
BUDAPEST, BUDAPEST, HU. 		n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:03:40:00 Win2K-f 74.213.204.170 (ETV.NET):
EMERY TELCOM,
ORANGEVILLE, UTAH, US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		2 of 36
0 of 32		 9ba1f1416a
NEW
d41d8cd98f
NEW 		none[3]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		trace
trace
T:03:40:00 WinXP 60.35.134.93 (PLALA.OR.JP):
PLALA NETWORKS INC,
JP. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:03:50:00 Win2K-f 202.107.247.8 (CNINFO.NET):
CHINANET-ZJ QUZHOU NODE NETWORK,
BEIJING, BEIJING, CN. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		2 of 36
0 of 32		 9ba1f1416a
NEW
d41d8cd98f
NEW 		none[3]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		trace
trace
T:03:50:00 WinXP 117.254.18.235 (-):
. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:04:33:00 Win2K-f 98.124.84.233 (-):
. 		203.146.251.62:3305 :cx10man.weedns.com
GB:fx010413.whyI.org
TH:gynoman.weedns.com
JP:g.0x20.biz
TH:telephone.dd.blueline.be
JP:61.120.62.28:3305 		135 pcap raw alerts
ruleset 		irc
695 lines 		Yeah : 1.8
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:05:34:00 WinXP 67.246.221.80 (-):
. 		n/a   445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:05:37:00 WinXP 63.246.125.200 (SPEAKEASY.NET):
US. 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:06:06:00 WinXP 64.130.169.218 (SCRTC.COM):
SOUTH CENTRAL RURAL TELEPHONE CO,
SAN JOSE, CALIFORNIA, US. (DSL) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:06:52:00 WinXP 81.57.58.69 (PROXAD.NET):
PROXAD / FREE TELECOM,
PARIS, ILE-DE-FRANCE, FR. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:07:13:00 WinXP 77.23.116.135 (APEXCOVANTAGE.COM):
EU-ZZ,
UK. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
14 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:07:19:00 WinXP 195.252.86.199 (BEOTEL.NET):
BEOTELNET-ISPMODEMI,
CS. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
07:20:00 WinXP 200.219.73.8 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
3 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:07:49:00 WinXP 110.15.110.122 (-):
. 		218.93.205.24:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
CN:dretis.cn
CN:211.95.79.170:80 		135 pcap raw alerts
ruleset 		irc
131 lines 		Yeah : 1.8
profile 		none summary
tarball 		none
none		 3dcf5dead2
NEW
e6ae766231
NEW 		none[3]
none [3] 		none:none
none:none
 none|none
none|none 		none
none 		trace
trace
T:08:38:00 WinXP 80.218.15.54 (HISPEED.CH):
CABLECOMMAIN-NET,
ZURICH, ZURICH, CH. 		n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:10:41:00 WinXP 67.150.83.37 (MDSG-PACWEST.COM):
PAC-WEST MANAGED MODEM NAS POOL,
LOS ANGELES, CALIFORNIA, US. 		n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:11:16:00 Win2K-f 96.8.212.162 (-):
. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
76 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:11:33:00 WinXP 63.246.121.100 (SPEAKEASY.NET):
US. 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:12:21:00 WinXP 93.102.44.142 (APEXCOVANTAGE.COM):
EU-ZZ,
UK. 		n/a US:www.yahoo.com
:jbeegvia.ru 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:12:38:00 Win2K-f 4.156.96.188 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
BOSTON, MASSACHUSETTS, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
112 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:12:39:00 WinXP 24.234.68.126 (COX.NET):
COX COMMUNICATIONS INC,
LAS VEGAS, NEVADA, US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:13:16:00 WinXP 83.21.155.63 (TPNET.PL):
NEOSTRADA PLUS,
POZNAN, WIELKOPOLSKIE, PL. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:14:35:00 WinXP 172.164.5.109 (AOL.COM):
AMERICA ONLINE,
US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
155 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:15:19:00 WinXP 88.210.65.173 (REV.OPTIMUS.PT):
OPTIMUS PORTUGAL,
LISBON, LISBOA, PT. (DSL) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:15:22:00 WinXP 88.130.218.112 (VERSANETONLINE.DE):
VERSATEL NORD-DEUTSCHLAND GMBH,
DORTMUND, NORDRHEIN-WESTFALEN, DE. 		n/a   445 pcap raw alerts
ruleset 		ftp
14 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:15:26:00 WinXP 122.16.219.7 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
JP. 		n/a   445 pcap raw alerts
ruleset 		ftp
13 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:15:38:00 Win2K-f 4.227.199.209 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
ELBERT, COLORADO, US. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
6 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:15:59:00 WinXP 114.48.33.186 (-):
. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:16:45:00 Win2K-f 75.179.184.106 (RR.COM):
ROAD RUNNER HOLDCO LLC,
COLUMBUS, OHIO, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
114 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:17:31:00 Win2K-f 75.105.134.44 (WILDBLUE.NET):
WILDBLUE COMMUNICATIONS INC,
ENGLEWOOD, COLORADO, US. 		n/a   135 pcap raw alerts
ruleset 		other
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
17:55:00 Win2K-f 112.202.7.112 (-):
. 		n/a US:www.maxmind.com
EU:checkip.dyndns.org
US:getmyip.co.uk
US:www.getmyip.org
DE:131.220.6.26:80
US:65.254.39.170:80
EU:91.198.22.70:80 		445 pcap raw alerts
ruleset 		http
5 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:18:04:00 Win2K-f 112.202.7.112 (-):
. 		n/a US:www.maxmind.com
:checkip.dyndns.org 		445 pcap raw alerts
ruleset 		http
4 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:19:45:00 WinXP 67.125.140.230 (PACBELL.NET):
AT&T INTERNET SERVICES,
FRESNO, CALIFORNIA, US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
76 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:20:17:00 Win2K-f 4.242.177.31 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
PORTLAND, OREGON, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
240 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:20:28:00 WinXP 173.25.98.116 (-):
. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:20:33:00 Win2K-f 173.22.151.17 (-):
. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:20:36:00 WinXP 4.166.225.108 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
MARRERO, LOUISIANA, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
151 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:22:06:00 Win2K-f 98.121.81.223 (-):
. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:22:33:00 WinXP 63.25.188.40 (UU.NET):
UUNET TECHNOLOGIES INC,
NEWARK, NEW JERSEY, US. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
3 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:22:44:00 WinXP 58.236.167.90 (-):
THRUNET-INFRA-INCHEON10,
SEOUL, KYONGGI-DO, KR. 		218.93.205.24:65520 CN:proxima.ircgalaxy.pl
US:microsoft.com
CN:dretis.cn
CN:211.95.79.170:80 		135 pcap raw alerts
ruleset 		irc
115 lines 		Yeah : 1.8
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:23:19:00 WinXP 71.77.208.118 (RR.COM):
ROAD RUNNER HOLDCO LLC,
JACKSONVILLE, NORTH CAROLINA, US. 		n/a   135 pcap raw alerts
ruleset 		other
55 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:23:22:00 WinXP 211.205.188.74 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. 		218.93.205.24:65520 CN:proxima.ircgalaxy.pl
US:microsoft.com
CN:dretis.cn
CN:kritq.cn 		135 pcap raw alerts
ruleset 		irc
http
159 lines 		Yeah : 1.8
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:23:37:00 WinXP 66.81.170.137 (O1.COM):
O1 DIALUP SERVICES,
SACRAMENTO, CALIFORNIA, US. (DIAL) 		n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
:www.proxy-socks.net
:wpad 		445 pcap raw alerts
ruleset 		http
http
http
25 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none