|
Time |
Victim OS |
Infection Source |
C&C Server |
DNS Lookups & Failed Connects |
Infection Port |
Packet Trace |
Detection Signatures |
Infection Chatter |
BotHunter Analysis |
Behavioral Cluster |
Forensic Logs |
Antivirus Labels |
Packed Malware_Binary |
Unpacked egg.exe |
Unpacked egg.asm |
Packer PEID |
Data Strings |
Syscall Trace |
| 00:11:00 | WinXP | 83.21.148.134 (TPNET.PL): NEOSTRADA PLUS, POZNAN, WIELKOPOLSKIE, PL. (DSL) |
n/a | RU:citi-bank.ru RU:213.219.245.212:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:02:56:00 | WinXP | 124.241.137.45 (STARCAT.NE.JP): KMN CORPORATION, NAGOYA, AICHI, JP. |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 59 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:03:16:00 | WinXP | 112.68.0.149 (-): . |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 15 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:03:28:00 | WinXP | 116.120.239.76 (-): HANARO TELECOM, SEOUL, KYONGGI-DO, KR. |
218.93.205.24:65520 | CN:proxim.ircgalaxy.pl US:microsoft.com CN:www.zief.pl IL:xt67ur.wwlax.com CN:dretis.cn IL:bugreport.waverevenue.com IL:tidwhmep.s4upd.com IL:rec.bestrevenue.net US:b155.bundlext.com IL:62.90.134.24:80 |
135 | pcap | raw alerts ruleset |
irc http 143 lines |
Yeah : 1.8 profile |
none | summary tarball |
0 of 32 none |
d41d8cd98f NEW e6ae766231 NEW |
none[3] none [3] |
ASM:Graph none:none |
none|none none|none |
lines=0 none |
trace trace |
| T:06:38:00 | WinXP | 24.29.21.73 (RR.COM): ROAD RUNNER HOLDCO LLC, CINCINNATI, OHIO, US. |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:07:02:00 | WinXP | 64.127.45.57 (RTOL.NET): RAMCO TECHNOLOGIES, GRANTSVILLE, WEST VIRGINIA, US. |
n/a | DE:siliconfireware.ru US:searchportal.information.com US:spi.domainsponsor.com RU:www.bbin.ru RU:www.binbank.ru :wpad US:208.73.210.123:80 DE:217.11.54.126:80 EU:78.47.200.154:80 |
445 | pcap | raw alerts ruleset |
http http http http 33 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:07:08:00 | WinXP | 71.127.246.198 (VERIZON.NET): VERIZON INTERNET SERVICES INC, ITHACA, NEW YORK, US. |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
2 of 36 0 of 32 |
9ba1f1416a NEW d41d8cd98f NEW |
none[3] none [3] |
none:none ASM:Graph |
none|none none|none |
none lines=0 |
trace trace |
| T:07:16:00 | WinXP | 79.163.153.80 (-): IDEA, PL. |
213.219.245.212:80 | CN:proxim.ircgalaxy.pl RU:citi-bank.ru CN:221.5.74.39:65520 |
445 | pcap | raw alerts ruleset |
http irc 3 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:07:19:00 | WinXP | 118.218.10.252 (-): . |
221.5.74.39:65520 | CN:proxim.ircgalaxy.pl US:microsoft.com CN:dretis.cn CN:kritq.cn CN:218.93.205.24:65520 |
135 | pcap | raw alerts ruleset |
irc http 164 lines |
Yeah : 1.8 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:07:53:00 | Win2K-f | 65.34.30.26 (RR.COM): ROAD RUNNER HOLDCO LLC, ORLANDO, FLORIDA, US. |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
15 of 36 2 of 36 |
44f6f7826a NEW 9ba1f1416a NEW |
none[3] none [3] |
none:none none:none |
none|none none|none |
none none |
trace trace |
| T:07:58:00 | WinXP | 173.22.151.17 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:08:15:00 | WinXP | 83.27.113.178 (TPNET.PL): NEOSTRADA PLUS, POZNAN, WIELKOPOLSKIE, PL. (DSL) |
n/a | CN:proxima.ircgalaxy.pl :moscow-advokat.ru |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:08:35:00 | Win2K-f | 72.67.206.75 (VERIZON.NET): VERIZON INTERNET SERVICES INC, LOS ANGELES, CALIFORNIA, US. (100Mbps) |
61.120.62.28:3305 | :cx10man.weedns.com TH:fx010413.whyI.org JP:61.120.62.28:3305 |
135 | pcap | raw alerts ruleset |
irc 607 lines |
Yeah : 1.8 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:08:46:00 | WinXP | 88.185.12.102 (PROXAD.NET): PROXAD / FREE SAS, FR. |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:09:07:00 | WinXP | 72.21.142.114 (-): ACETECH USA INC, LIBERTY LAKE, WASHINGTON, US. |
n/a | EU:siliconfireware.ru US:searchportal.information.com US:spi.domainsponsor.com :wpad |
445 | pcap | raw alerts ruleset |
http http http 29 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:11:19:00 | WinXP | 88.28.96.4 (RIMA-TDE.NET): TELEFONICA MOVILES ESPANA (NCC#2007041930), ES. |
n/a | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:14:01:00 | Win2K-f | 98.141.163.84 (-): . |
n/a | 135 | pcap | raw alerts ruleset |
other 18 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:15:15:00 | WinXP | 4.169.116.161 (TECHNIP.US): LEVEL 3 COMMUNICATIONS INC, LOS ANGELES, CALIFORNIA, US. (DIAL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 121 lines |
Yeah : 1.3 profile |
none | summary tarball |
2 of 36 0 of 32 |
9ba1f1416a NEW d41d8cd98f NEW |
none[3] none [3] |
none:none ASM:Graph |
none|none none|none |
none lines=0 |
trace trace |
| T:15:35:00 | WinXP | 24.103.196.250 (-): . |
67.43.236.67:10324 | CA:xx.nadnadzz.info :xx.enterhere.biz NL:xx.sqlteam.info CA:xx.ka3ek.com :nadsamcabran12.com CA:67.43.236.67:10324 NL:83.68.16.6:5190 |
135 | pcap | raw alerts ruleset |
irc http 354 lines |
Yeah : 1.8 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:16:05:00 | WinXP | 114.48.148.178 (-): . |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:16:27:00 | WinXP | 70.44.157.58 (PTD.NET): PENTELEDATA INC. - CABLE, PALMERTON, PENNSYLVANIA, US. |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 3 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:17:07:00 | WinXP | 209.250.50.46 (WISPNET.NET): WISPNET LLC, PADUCAH, KENTUCKY, US. |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:17:33:00 | WinXP | 208.100.224.156 (1DIAL.COM): AD-BASE SYSTEMS INC. (DBA GLOBALPOPS), FOSTERVILLE, TENNESSEE, US. (DIAL) |
n/a | RU:citi-bank.ru RU:213.219.245.212:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:17:37:00 | WinXP | 64.24.140.142 (USLEC.NET): USLEC CORP, IRVING, TEXAS, US. |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 15 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:17:37:00 | WinXP | 71.113.173.236 (VERIZON.NET): VERIZON INTERNET SERVICES INC, BLOOMINGTON, ILLINOIS, US. (DSL) |
n/a | US:gg.arrancar.org US:209.85.51.152:555 |
135 | pcap | raw alerts ruleset |
other 144 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:17:42:00 | Win2K-f | 76.198.233.56 (SBCGLOBAL.NET): PPPOX POOL - BRAS6.STLSMO, ST. LOUIS, MISSOURI, US. (DSL) |
n/a | 135 | pcap | raw alerts ruleset |
other 144 lines |
Yeah : 1.3 profile |
none | summary tarball |
none none |
2e30e230d6 NEW 8c6cf45208 NEW |
none[3] none [3] |
none:none none:none |
none|none none|none |
none none |
trace trace |
|
| T:17:53:00 | WinXP | 12.65.60.133 (PRSERV.NET): AT&T GLOBAL SERVICES, HOLLYWOOD, FLORIDA, US. |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 79 lines |
Yeah : 1.3 profile |
none | summary tarball |
2 of 36 0 of 32 |
ca832de942 NEW d41d8cd98f NEW |
none[3] none [3] |
none:none ASM:Graph |
none|none none|none |
none lines=0 |
trace trace |
| T:17:53:00 | WinXP | 114.48.203.131 (-): . |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 15 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:18:06:00 | Win2K-f | 130.13.36.24 (QWEST.NET): QWEST BROADBAND SERVICES INC, PHOENIX, ARIZONA, US. |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 16 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:18:46:00 | WinXP | 189.24.66.169 (BRASILTELECOM.NET.BR): COMITE GESTOR DA INTERNET NO BRASIL, BR. |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 15 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:19:51:00 | WinXP | 210.202.122.39 (EBTNET.NET): ASIA PACIFIC ON-LINE SERVICES INC, TW. (DSL) |
61.120.62.28:3305 | GB:cx10man.weedns.com AR:fx010413.whyI.org JP:61.120.62.28:3305 |
135 | pcap | raw alerts ruleset |
irc 607 lines |
Yeah : 1.8 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:20:02:00 | WinXP | 130.13.214.16 (QWEST.NET): QWEST BROADBAND SERVICES INC, PHOENIX, ARIZONA, US. |
n/a | RU:citi-bank.ru RU:213.219.245.212:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| 20:27:00 | WinXP | 130.13.214.16 (QWEST.NET): QWEST BROADBAND SERVICES INC, PHOENIX, ARIZONA, US. |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:20:55:00 | WinXP | 24.234.221.225 (COX.NET): COX COMMUNICATIONS INC, LAS VEGAS, NEVADA, US. |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:21:32:00 | Win2K-f | 125.4.241.76 (ZAQ.NE.JP): KITAKAWACHI CABLE NET CO LTD, JP. |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 111 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:21:47:00 | Win2K-f | 116.123.204.133 (-): HANARO TELECOM, SEOUL, KYONGGI-DO, KR. |
221.5.74.39:65520 | CN:proxima.ircgalaxy.pl US:microsoft.com CN:www.zief.pl CN:dretis.cn CN:kritq.cn :onuka.cn |
135 | pcap | raw alerts ruleset |
irc http 126 lines |
Yeah : 1.8 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:22:21:00 | WinXP | 118.218.132.105 (-): . |
218.93.205.24:65520 216.245.213.194:80 | CN:proxima.ircgalaxy.pl US:microsoft.com CN:www.zief.pl CN:dretis.cn CN:kritq.cn :onuka.cn :mxs.mail.ru US:alt4.gmail-smtp-in.l.google.com US:in1.smtp.messagingengine.com US:mail7.digitalwaves.co.nz CN:211.95.79.170:80 |
135 | pcap | raw alerts ruleset |
irc http 125 lines |
Yeah : 1.8 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |