Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

11 August 2009
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

01:45:00 Win2K-f 114.120.170.174 (-):
. n/a US:www.maxmind.com
US:getmyip.co.uk
:checkip.dyndns.org
US:65.254.39.170:80 445 pcap raw alerts
ruleset http
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:01:53:00 Win2K-f 114.120.170.174 (-):
. n/a US:www.maxmind.com
:checkip.dyndns.org 445 pcap raw alerts
ruleset http
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:02:31:00 WinXP 71.68.212.172 (RR.COM):
ROAD RUNNER HOLDCO LLC,
FLORENCE, SOUTH CAROLINA, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 2 of 36
0 of 32 9ba1f1416a
NEW
d41d8cd98f
NEW none[3]
none [3] none:none
ASM:Graph
none|none
none|none none
lines=0 trace
trace

T:02:58:00 WinXP 144.139.91.38 (TMNS.NET.AU):
TELSTRAINTERNET32,
BERWICK, VICTORIA, AU. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
102 lines Yeah : 1.3
profile none summary
tarball 0 of 32 d41d8cd98f
NEW none[3] ASM:Graph
none|none lines=0 trace

T:04:36:00 WinXP 114.48.58.7 (-):
. n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:04:51:00 WinXP 81.131.7.185 (BTOPENWORLD.COM):
BT-WEBPORT,
LONDON, ENGLAND, UK. (DIAL) n/a 445 pcap raw alerts
ruleset ftp
13 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:05:04:00 Win2K-f 222.238.17.184 (-):
HANANET-HIGHBAN-CATHOLICUNIVERSITYOFDAEGU,
KR. 221.5.74.39:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
CN:dretis.cn
CN:kritq.cn
:onuka.cn
US:ns2.msft.net
US:alt2.gmail-smtp-in.l.google.com
US:alt3.gmail-smtp-in.l.google.com
US:alt1.gmail-smtp-in.l.google.com
US:alt4.gmail-smtp-in.l.google.com
CN:222.138.109.99:80 135 pcap raw alerts
ruleset irc
http
250 lines Yeah : 1.8
profile none summary
tarball 0 of 32 d41d8cd98f
NEW none[3] ASM:Graph
none|none lines=0 trace

T:05:12:00 WinXP 220.209.198.71 (INFOWEB.NE.JP):
INFOWEB(FUJITSU LTD.),
TOKYO, TOKYO, JP. (DIAL) n/a 445 pcap raw alerts
ruleset ftp
13 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:05:13:00 Win2K-f 79.76.245.96 (AS9105.COM):
TELINCO,
UK. n/a US:alt4.gmail-smtp-in.l.google.com
US:alt2.gmail-smtp-in.l.google.com
DE:mx-ha01.web.de
US:alt1.gmail-smtp-in.l.google.com
US:alt3.gmail-smtp-in.l.google.com
DE:217.72.192.149:25 445 pcap raw alerts
ruleset irc
41 lines Argh : 0.3
profile none summary
tarball none none none none none none none

T:05:52:00 WinXP 114.48.86.130 (-):
. 67.43.236.67:10324 NL:xx.sqlteam.info
:xx.enterhere.biz
CA:xx.nadnadzz.info
CA:67.43.236.67:10324
NL:83.68.16.6:5190 445 pcap raw alerts
ruleset shell
ftp
16 lines Yeah : 1.8
profile none summary
tarball none none none none none none none

T:06:14:00 WinXP 114.48.99.8 (-):
. n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:06:30:00 Win2K-f 117.197.126.196 (-):
. 82.114.87.50:2345 CZ:qtas.net
CZ:t32.marund.net
US:immmsn.info 445 pcap raw alerts
ruleset http
irc
16 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:06:36:00 Win2K-f 130.13.34.57 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. n/a 445 pcap raw alerts
ruleset shell
ftp
16 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:06:43:00 WinXP 115.165.79.92 (-):
. n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:07:16:00 WinXP 114.48.76.22 (-):
. n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:08:24:00 WinXP 208.105.225.199 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 0 of 32 d41d8cd98f
NEW none[3] ASM:Graph
none|none lines=0 trace

T:08:54:00 WinXP 86.158.188.91 (BTCENTRALPLUS.COM):
BT-CENTRAL-PLUS,
UK. n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:09:46:00 WinXP 81.57.58.69 (PROXAD.NET):
PROXAD / FREE TELECOM,
PARIS, ILE-DE-FRANCE, FR. n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:09:56:00 WinXP 193.250.172.72 (ABO.WANADOO.FR):
WANADOO FRANCE,
PARIS, ILE-DE-FRANCE, FR. n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
:wpad 445 pcap raw alerts
ruleset http
http
http
20 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:10:22:00 WinXP 204.119.23.133 (WNONLINE.NET):
WORLDNET COMMUNICATIONS INC,
VANDALIA, ILLINOIS, US. n/a EU:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
GB:new.egg.com
:wpad 445 pcap raw alerts
ruleset http
http
http
http
52 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:10:50:00 WinXP 130.13.214.16 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. n/a 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:12:17:00 WinXP 118.15.140.97 (-):
. n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:14:22:00 WinXP 71.130.22.21 (PACBELL.NET):
WILLIAM MARTINEZ DBA,
PLANO, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 0 of 32 d41d8cd98f
NEW none[3] ASM:Graph
none|none lines=0 trace

T:14:47:00 WinXP 69.85.123.4 (SPEAKEASY.NET):
US. n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:15:48:00 WinXP 200.219.88.149 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:16:45:00 WinXP 61.218.193.218 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
79 lines Yeah : 1.3
profile none summary
tarball none
0 of 32 c332a74878
NEW
d41d8cd98f
NEW none[3]
none [3] none:none
ASM:Graph
none|none
none|none none
lines=0 trace
trace

T:17:16:00 Win2K-f 67.125.140.230 (PACBELL.NET):
AT&T INTERNET SERVICES,
FRESNO, CALIFORNIA, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 2 of 36
0 of 32 9ba1f1416a
NEW
d41d8cd98f
NEW none[3]
none [3] none:none
ASM:Graph
none|none
none|none none
lines=0 trace
trace

T:17:53:00 WinXP 59.112.167.81 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:18:51:00 WinXP 209.250.50.180 (WISPNET.NET):
WISPNET LLC,
PADUCAH, KENTUCKY, US. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:18:53:00 WinXP 24.175.157.109 (RR.COM):
ROAD RUNNER HOLDCO LLC,
DEATSVILLE, ALABAMA, US. n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:20:49:00 WinXP 76.254.87.81 (PACBELL.NET):
AT&T INTERNET SERVICES,
US. n/a 445 pcap raw alerts
ruleset shell
ftp
16 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:22:19:00 Win2K-f 63.246.120.68 (SPEAKEASY.NET):
US. n/a 135 pcap raw alerts
ruleset other
18 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:22:31:00 Win2K-f 113.255.9.245 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
59 lines Yeah : 1.3
profile none summary
tarball none
0 of 32 42e4b3eb67
NEW
d41d8cd98f
NEW none[3]
none [3] none:none
ASM:Graph
none|none
none|none none
lines=0 trace
trace

T:22:55:00 WinXP 70.184.122.208 (COX.NET):
COX COMMUNICATIONS,
PHOENIX, ARIZONA, US. 218.93.205.24:65520 216.245.213.194:80 CN:proxim.ircgalaxy.pl
US:microsoft.com
CN:www.zief.pl
CN:dretis.cn
CN:kritq.cn
:onuka.cn
:mxs.mail.ru
US:alt4.gmail-smtp-in.l.google.com
US:in1.smtp.messagingengine.com
US:mail7.digitalwaves.co.nz
US:209.190.85.36:25 135 pcap raw alerts
ruleset irc
http
132 lines Yeah : 1.8
profile none summary
tarball 0 of 32 d41d8cd98f
NEW none[3] ASM:Graph
none|none lines=0 trace

T:23:34:00 Win2K-f 219.255.61.196 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. 218.93.205.24:65520 US:microsoft.com
CN:proxim.ircgalaxy.pl
CN:www.zief.pl
CN:dretis.cn
CN:kritq.cn
:onuka.cn
CN:218.93.205.24:65520 135 pcap raw alerts
ruleset irc
http
152 lines Yeah : 1.8
profile none summary
tarball 0 of 32 d41d8cd98f
NEW none[3] ASM:Graph
none|none lines=0 trace