Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

16 August 2009
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
00:20:00 Win2K-f 85.139.142.162 (CPE.NETCABO.PT):
TVCABO-PORTUGAL CABLE MODEM NETWORK,
PT. 		n/a :grkhoods.com
US:tlktkhyd.org
:znwmyqendq.net
:dprknwsl.info
NL:holerj.info
:foltslpzmvp.net
US:metayxn.info
US:alfoyk.org
:xstmopef.com
:wfsjufa.com
US:hyqxnpc.info
:yinbcp.net
US:gnqbbbcrz.org
:nnhqz.biz
:nnqzhqon.net
:icvsik.biz
:kkmqxetp.net
US:pnunjusu.info
:fskxspqo.info
:qmwvgysd.biz
US:naulflfweli.org
US:fcyiybt.org
:bjytrofi.net
:odzydpbixpb.net
:wlimmajlfmj.biz
:zkrimrt.org
:nctnskyt.biz
US:daozah.org
US:yfasccmiol.info
US:mfgxb.org
:dzmpixxaam.com
:andcwfuvn.net
US:htymdbddqal.org
:dxhmlqpbmu.net
:cnkjksbgyuf.biz
NL:ukbgwiai.info
:wpecyx.net
:otwaz.com
US:qmylymvm.org
:nfyifhra.net
US:rqwlqord.info
:tlzbjytye.net
US:usyukflxola.org
US:pxakyl.info
US:hxgvbnykbl.info
US:hakol.com
:mmamewust.com
:giqfqahvpkr.com
:spdqgjlcul.org
:jvievbqlada.net
NL:txvhdr.info
:cacrsz.biz
US:mrvbgu.org
:wrbdh.com
US:xbqtdeakc.org
:zwysgnodz.net
:hpzoh.biz
US:dmqdiefg.info
:hkiwvrskbv.biz
:yggesqnwtk.biz
:uazowv.info
:rteyrkvx.net
NL:whmjk.org
US:minir.info
:qqwlhhp.net
:hsczbabol.com
:vxqsjmue.net
:jqmzjzdivgm.com
US:hlnqncpxuhs.info
:sopkvkapo.biz
US:204.152.184.92:80
US:74.208.64.145:80 		445 pcap raw alerts
ruleset 		http
3 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:00:34:00 WinXP 112.70.49.28 (-):
. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 831f4ee0a7
NEW 		none[0] ASM:Graph
 none|none lines=61 trace
T:01:49:00 WinXP 213.102.109.245 (TELE2.DE):
TELE2 GERMANY GMBH,
KIEL, SCHLESWIG-HOLSTEIN, DE. 		n/a   445 pcap raw alerts
ruleset 		ftp
13 lines 		Yeah : 0.8
profile 		none summary
tarball 		29 of 29 1a2c0e6130
NEW 		none[0] none:none
 none|none lines=60 trace
T:02:05:00 WinXP 71.112.121.67 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
BOTHELL, WASHINGTON, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
362 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 fe709c411f
NEW 		e3268e428e [0] none:none
 none|none none trace
T:02:16:00 WinXP 63.151.109.189 (SONIC.COM):
ST OF TX - GEUS,
ASHLAND, OREGON, US. 		n/a   445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:02:49:00 Win2K-f 74.214.47.11 (METROCAST.NET):
GMP CABLE TV,
BERWICK, PENNSYLVANIA, US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:02:55:00 WinXP 220.209.254.75 (INFOWEB.NE.JP):
INFOWEB(FUJITSU LTD.),
TOKYO, TOKYO, JP. (DIAL) 		n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:03:50:00 WinXP 85.135.22.222 (-):
CUSTOMER NO. 18576407 NETWORK,
CZ. (100Mbps) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		41 of 41 7dc86ba500
NEW 		99d9912e51 [0] none:none
 PolyEnE| none trace
03:57:00 Win2K-f 92.228.223.229 (APEXCOVANTAGE.COM):
EU-ZZ,
UK. 		n/a US:trafficconverter.biz
NL:www.ask.com
US:igjpfjlo.info
:kgvsyfy.info
NL:dprknwsl.info
:bjytrofi.net
:ehgmwjimjq.com
NL:ipafcvnldtd.info
:irfzyojx.net
:hpzoh.biz
:coukukmv.net
:jvievbqlada.net
:gdippldouai.biz
:hwodli.net
US:tiwvoovf.info
:isxzuwyz.info
:wlilwcptqg.net
:rpwqss.net
:icvsik.biz
US:hakol.com
:yggesqnwtk.biz
NL:zkrimrt.org
:pnunjusu.info
:hkiwvrskbv.biz
:nfyifhra.net
US:mfgxb.org
:hnkjqv.biz
:ozzythtv.info
:xduhri.com
NL:yecryfagzh.org
US:dmqdiefg.info
US:rxdslrqjibe.org
US:pxakyl.info
:wsknmk.net
:jgjwcirop.biz
:wpecyx.net
US:mrvbgu.org
:qpgysouda.info
US:usiigfkzfza.info
:kgmonrsp.com
:wfsjufa.com
US:yfasccmiol.info
US:204.152.184.92:80
US:74.208.64.145:80 		445 pcap raw alerts
ruleset 		http
4 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:04:18:00 Win2K-f 70.183.63.227 (COX.NET):
COX COMMUNICATIONS INC,
NEWPORT BEACH, CALIFORNIA, US. 		n/a :imb.f6hbr.in 135 pcap raw alerts
ruleset 		other
288 lines 		Yeah : 1.3
profile 		none summary
tarball 		31 of 36 d732dd0b4d
NEW 		7fdcb7e309 [0] none:none
 StarForce| none trace
T:04:26:00 WinXP 222.234.215.213 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. 		221.5.74.39:65520 :proxim.ircgalaxy.pl
US:microsoft.com
CN:dretis.cn
CN:211.95.79.170:80
CN:221.5.74.39:65520 		135 pcap raw alerts
ruleset 		irc
131 lines 		Yeah : 1.8
profile 		none summary
tarball 		29 of 32
28 of 32		 8a75955033
NEW
9276c8b36b
NEW 		2bf3e548b9 [0]
none [0] 		ASM:Graph
ASM:Graph
 tElock|
Armadillo| 		lines=126
embedded dns
lines=81 		trace
trace
T:05:19:00 WinXP 114.48.18.216 (-):
. 		n/a   445 pcap raw alerts
ruleset 		ftp
13 lines 		Yeah : 0.8
profile 		none summary
tarball 		37 of 40 5285741560
NEW 		60590b8b67 [0] ASM:Graph
 none|none lines=59 trace
T:06:16:00 WinXP 112.202.41.205 (-):
. 		n/a   445 pcap raw alerts
ruleset 		other
0 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:08:33:00 Win2K-f 4.166.225.206 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
MARRERO, LOUISIANA, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
136 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 41
34 of 41		 9409fca3c1
NEW
c91bf6b822
NEW 		04c1ce33ac [0]
9e9043d11b[0] 		none:none
none:none
 tElock|
tElock| 		none
none 		trace
trace
T:08:59:00 WinXP 203.91.168.214 (STARCAT.NE.JP):
KMN CORPORATION,
NAGOYA, AICHI, JP. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
59 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
8 of 33		 53bfe15e91
NEW
b7082104e4
NEW 		1473091351 [0]
c5b49e7b82[0] 		ASM:Graph
ASM:Graph
 tElock|
tElock| 		lines=75
embedded dns
lines=41 		trace
trace
T:10:03:00 Win2K-f 70.183.170.207 (COX.NET):
COX COMMUNICATIONS,
STAFFORD SPRINGS, CONNECTICUT, US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 41
40 of 41		 e1b108bd6d
NEW
fddbf094c8
NEW 		fc828d3918 [0]
fe255f78e8[0] 		none:none
none:none
 Armadillo|
tElock| 		none
none 		trace
trace
T:10:28:00 WinXP 81.57.58.69 (PROXAD.NET):
PROXAD / FREE TELECOM,
PARIS, ILE-DE-FRANCE, FR. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 7f38ca84af
NEW 		89991cf07f [0] none:none
 PolyEnE| none trace
T:11:22:00 WinXP 41.202.172.201 (-):
. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 7f38ca84af
NEW 		89991cf07f [0] none:none
 PolyEnE| none trace
T:11:25:00 WinXP 71.127.246.30 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
ITHACA, NEW YORK, US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:14:48:00 WinXP 4.226.225.69 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
BANDERA, TEXAS, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:15:06:00 WinXP 130.13.155.22 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		41 of 41 b062182bb1
NEW 		1fb7e59bf8 [0] none:none
 PolyEnE| none trace
T:15:15:00 WinXP 119.230.67.175 (-):
. 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		38 of 41 7b313206a2
NEW 		0c866c8cce [0] none:none
 none|none none trace
T:16:07:00 Win2K-f 4.171.81.220 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
US. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
4 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:16:17:00 WinXP 93.102.40.125 (APEXCOVANTAGE.COM):
EU-ZZ,
UK. 		n/a US:www.yahoo.com
:jbeegvia.ru
US:www.worldbank.org
NL:www.viruslist.com
:yoiayoi.ru
:wcqahzhzn.ru
:iirpryry.ru
:rihafvu.ru
:wpad
:ryryodokm.ru
:uvjiis.ru
:gwvwka.ru
:jqsbnyzkp.ru
:pvygdo.ru
:fxkyagpnw.ru
:knclvdz.ru
:trsqeigw.ru
:odokeqy.ru
:kelmpsjp.ru
:edjiesp.ru
:vllcdvv.ru
:nuksdln.ru
:tmmeno.ru
:zoxdgqx.ru
:pwvbfz.ru
:nuzbcp.ru
:bqpuqt.ru
:crime-research.ru
:okskyyn.ru
:pnlkria.ru
:kargai.ru
RU:prodexteam.net
RU:alfabank.ru
:kfwfceki.ru
:nhuwxyuw.ru
:udluzuq.ru 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		none summary
tarball 		31 of 32 17028f1eda
NEW 		none[3] none:none
 tElock| none trace
T:16:18:00 WinXP 81.57.58.69 (PROXAD.NET):
PROXAD / FREE TELECOM,
PARIS, ILE-DE-FRANCE, FR. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41 7f38ca84af
NEW 		89991cf07f [0] none:none
 PolyEnE| none trace
T:17:44:00 Win2K-f 98.124.86.240 (-):
. 		61.120.62.28:3305 :cx10man.weedns.com
JP:fx010413.whyI.org
JP:61.120.62.28:3305 		135 pcap raw alerts
ruleset 		irc
695 lines 		Yeah : 1.8
profile 		none summary
tarball 		28 of 41 b8076e37ae
NEW 		52953fed05 [0] none:none
 StarForce| none trace
T:18:31:00 WinXP 89.111.226.182 (TEOL.NET):
TELEKOMSRPSKE,
BA. (DIAL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		37 of 40 f54691063f
NEW 		6039c698cd [0] ASM:Graph
 none|none lines=59 trace
T:18:41:00 WinXP 98.121.70.16 (-):
. 		n/a   135 pcap raw alerts
ruleset 		other
65 lines 		Yeah : 1.3
profile 		none summary
tarball 		3 of 33 3ed16ae12d
NEW 		none[0] ASM:Graph
 Armadillo| lines=81 trace
T:19:03:00 WinXP 130.13.180.75 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		35 of 35 9716d7995a
NEW 		c3a5354b6f [0] none:none
 PolyEnE| none trace
T:19:35:00 Win2K-f 4.180.102.147 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
TULSA, OKLAHOMA, US. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
5 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:19:53:00 WinXP 64.85.223.246 (SOCKET.NET):
SOCKET INTERNET SERVICES CORPORATION,
US. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 3ae357d17b
NEW 		none[0] ASM:Graph
 PolyEnE| lines=73 trace
T:21:13:00 Win2K-f 4.177.18.91 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
SAN DIEGO, CALIFORNIA, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
111 lines 		Yeah : 1.3
profile 		none summary
tarball 		37 of 41
36 of 40		 47d3548e36
NEW
d8722af110
NEW 		ab13346633 [0]
ab30a55931[0] 		none:none
none:none
 Armadillo|
tElock| 		none
none 		trace
trace
T:22:26:00 WinXP 119.230.94.113 (-):
. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 41 7b313206a2
NEW 		0c866c8cce [0] none:none
 none|none none trace
T:22:39:00 Win2K-f 208.105.225.199 (-):
. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:23:09:00 WinXP 113.252.140.227 (-):
. 		n/a   135 pcap raw alerts
ruleset 		other
988 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 14c118316b
NEW 		none[4] none:none
 FSG| none trace