Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

20 August 2009
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:33:00 Win2K-f 72.67.206.75 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
LOS ANGELES, CALIFORNIA, US. (100Mbps) n/a 135 pcap raw alerts
ruleset other
1008 lines Yeah : 1.3
profile none summary
tarball 14 of 41 9311f44e4c
NEW none[3] none:none
pex| none trace

T:00:34:00 WinXP 83.21.155.132 (TPNET.PL):
NEOSTRADA PLUS,
POZNAN, WIELKOPOLSKIE, PL. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:01:58:00 WinXP 62.63.208.127 (TYFON.SE):
TYFON SVENSKA AB,
SE. n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset other
0 lines Yeah : 0.8
profile none summary
tarball 29 of 29 d175bad0e6
NEW none[0] ASM:Graph
tElock| lines=81
embedded dns trace

T:02:14:00 WinXP 212.171.218.237 (POOL212171.INTERBUSINESS.IT):
TELECOM ITALIA S.P.A,
IT. n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 25 of 25 7f60162c2c
NEW none[0] none:none
PolyEnE| lines=93
embedded dns trace

T:02:49:00 WinXP 79.162.164.241 (-):
IDEA,
PL. n/a :proxim.ircgalaxy.pl
RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 34 of 36 9bb68450cd
NEW c2d5ac2315 [0] ASM:Graph
PolyEnE| lines=73
embedded dns trace

T:02:55:00 WinXP 93.146.52.247 (APEXCOVANTAGE.COM):
EU-ZZ,
UK. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:03:26:00 WinXP 220.156.133.180 (BMOBILE.NE.JP):
JAPAN COMMUNICATION INC,
JP. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 f608196406
NEW ed2f2b7c91 [0] none:none
PolyEnE| none trace

T:05:41:00 WinXP 200.209.164.251 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 39 of 41 0505ea7e51
NEW 6fde8a0b6c [0] none:none
PolyEnE| none trace

T:05:58:00 Win2K-f 113.252.76.228 (-):
. n/a 135 pcap raw alerts
ruleset other
4 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

06:25:00 Win2K-f 59.104.202.203 (SEED.NET.TW):
DIGITAL UNITED I,
TAIPEI, T'AI-PEI, TW. (DSL) n/a 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:06:43:00 WinXP 203.73.84.192 (SEED.NET.TW):
DIGITAL UNITED INC,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:07:03:00 WinXP 65.191.70.237 (RR.COM):
ROAD RUNNER HOLDCO LLC,
FAYETTEVILLE, NORTH CAROLINA, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 0 of 33
33 of 33 4c3df24b32
NEW
53bfe15e91
NEW none[0]
1473091351[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=81
lines=75
embedded dns trace
trace

T:07:17:00 WinXP 173.19.142.38 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:07:26:00 Win2K-f 68.207.156.161 (RR.COM):
ROAD RUNNER HOLDCO LLC,
BRADENTON, FLORIDA, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:07:37:00 Win2K-f 218.220.156.238 (ZAQ.NE.JP):
HIGASHI-OSAKA CABLE TELEVISION CO. LTD,
OSAKA, OSAKA, JP. n/a 135 pcap raw alerts
ruleset other
272 lines Yeah : 1.3
profile none summary
tarball 37 of 41 361f33c5c4
NEW 67879d1538 [0] none:none
PolyEnE| none trace

T:08:10:00 Win2K-f 110.13.57.100 (-):
. 218.93.205.23:65520 :proxim.ircgalaxy.pl
US:microsoft.com
:dretis.cn
CN:211.95.79.170:80 135 pcap raw alerts
ruleset irc
133 lines Yeah : 1.8
profile none summary
tarball 29 of 32
28 of 32 8a75955033
NEW
9276c8b36b
NEW 2bf3e548b9 [0]
none [0] ASM:Graph
ASM:Graph
tElock|
Armadillo| lines=126
embedded dns
lines=81 trace
trace

T:08:48:00 Win2K-f 125.58.87.23 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
6 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

09:02:00 WinXP 189.99.62.95 (-):
. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 c3be1629e5
NEW 5b893564fb [0] none:none
PolyEnE| none trace

T:09:58:00 Win2K-f 210.169.132.115 (ANTHNET.CO.JP):
CORE CREATE SYSTEM CO. LTD,
JP. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:10:06:00 WinXP 85.132.5.169 (AZ-IX.NET):
PROVIDER LOCAL REGISTRY,
BAKU, ABSERON, AZ. 218.93.205.23:65520 :proxim.ircgalaxy.pl
:dretis.cn
CN:211.95.79.170:80 445 pcap raw alerts
ruleset http
irc
4 lines Yeah : 1.3
profile none summary
tarball 39 of 41 4c72619e84
NEW 74dc3462fc [0] none:none
PolyEnE| none trace

T:11:19:00 WinXP 207.5.236.176 (SUSCOM-MAINE.NET):
GREAT WORKS INTERNET,
BRUNSWICK, MAINE, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:11:35:00 WinXP 114.48.14.27 (-):
. n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:11:47:00 WinXP 24.33.87.72 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CINCINNATI, OHIO, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
130 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:12:01:00 WinXP 69.85.123.4 (SPEAKEASY.NET):
US. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 35 of 35 9716d7995a
NEW c3a5354b6f [0] none:none
PolyEnE| none trace

T:12:07:00 Win2K-f 24.87.20.244 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
VANCOUVER, BRITISH COLUMBIA, CA. n/a :irc.zief.pl
:proxim.ircgalaxy.pl
:dretis.cn
:onuka.cn
US:client155.faster-hosting.com
:groups.yahoo.com
US:us.js2.yimg.com
:l.yimg.com
US:us.i1.yimg.com
US:ads.yimg.com
:ad.yieldmanager.com
US:us.bcast1.yimg.com
US:128.241.217.10:80
CN:211.95.79.170:80
US:66.94.242.24:80 135 pcap raw alerts
ruleset http
http
http
http
http
http
http
715 lines Yeah : 1.3
profile none summary
tarball 17 of 41
6 of 41
34 of 40 36b2aae01e
NEW
7802bc7536
NEW
a72398081f
NEW a4b7eefc40 [0]
6f28f8355a[0]
3f0ad45d1c[0] none:none
none:none
none:none
StarForce|
Mew|
tElock| none
none
none trace
trace
trace

T:12:16:00 Win2K-f 92.6.196.53 (-):
CARPHONE WAREHOUSE BROADBAND SERVICES,
UK. n/a :edit.yahoo.com
US:a248.e.akamai.net
:rtb.pclick.yahoo.com
US:login.yahoo.com 445 pcap raw alerts
ruleset http
10 lines Argh : 0.3
profile none summary
tarball none none none none none none none

13:36:00 WinXP 24.105.219.43 (MHCABLE.COM):
MID-HUDSON CABLEVISION INC. (CATSKILL),
HUDSON, NEW YORK, US. (DSL) 218.93.205.23:65520 :proxim.ircgalaxy.pl
:dretis.cn 445 pcap raw alerts
ruleset http
irc
19 lines Yeah : 1.3
profile none summary
tarball 35 of 36 04ed4d2967
NEW e8aa304d1c [0] none:none
PolyEnE| none trace

T:13:45:00 WinXP 79.132.204.62 (APEXCOVANTAGE.COM):
EU-ZZ,
UK. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 14302579d2
NEW 2d61d0464e [0] none:none
PolyEnE| none trace

T:14:16:00 WinXP 187.20.246.75 (-):
. n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 2f6cc0e618
NEW f8f316af28 [0] none:none
PolyEnE| none trace

T:15:52:00 WinXP 74.75.26.41 (RR.COM):
ROAD RUNNER HOLDCO LLC,
PITTSFIELD, MASSACHUSETTS, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 0 of 33
33 of 33 4c3df24b32
NEW
53bfe15e91
NEW none[0]
1473091351[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=81
lines=75
embedded dns trace
trace

T:16:01:00 WinXP 71.148.35.37 (SBCGLOBAL.NET):
KASSA KASSA,
PLANO, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:16:08:00 Win2K-f 24.164.58.226 (RR.COM):
ROAD RUNNER HOLDCO LLC,
LAKELAND, FLORIDA, US. n/a 135 pcap raw alerts
ruleset other
11 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:17:51:00 WinXP 69.85.97.150 (ELLIJAY.COM):
ELLIJAY COMMUNITY TELEVISION,
BLUE RIDGE, GEORGIA, US. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 35 of 35 9716d7995a
NEW c3a5354b6f [0] none:none
PolyEnE| none trace

T:17:54:00 Win2K-f 98.141.160.199 (-):
. n/a 135 pcap raw alerts
ruleset other
19 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:17:58:00 Win2K-f 24.26.123.12 (RR.COM):
ROAD RUNNER HOLDCO LLC,
MELBOURNE, FLORIDA, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
6 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:18:04:00 WinXP 71.70.233.173 (RR.COM):
ROAD RUNNER HOLDCO LLC,
RALEIGH, NORTH CAROLINA, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:18:16:00 WinXP 173.20.140.66 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 40 of 41
39 of 41 5e3a9c2d9d
NEW
630308d06b
NEW dbc48b815a [0]
847d302e37[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:18:33:00 WinXP 203.118.238.245 (-):
GRAND TAINAN TECHNOLOGY CO.LTD,
TAINAN, KAO-HSIUNG, TW. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:18:59:00 Win2K-f 211.20.222.150 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TW. 61.120.62.28:3305 TH:cx10man.weedns.com 135 pcap raw alerts
ruleset irc
695 lines Yeah : 1.8
profile none summary
tarball 28 of 41 b8076e37ae
NEW 52953fed05 [0] none:none
StarForce| none trace

T:19:34:00 WinXP 121.121.146.74 (MAXIS.NET.MY):
MAXIS COMMUNICATIONS BHD,
MY. n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 eda3b7766c
NEW 7556343561 [0] none:none
PolyEnE| none trace

T:19:35:00 Win2K-f 4.234.0.25 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
MIAMI, FLORIDA, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:20:30:00 Win2K-f 172.192.44.128 (AOL.COM):
AMERICA ONLINE,
RESTON, VIRGINIA, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:20:54:00 Win2K-f 24.234.205.141 (COX.NET):
COX COMMUNICATIONS INC,
LAS VEGAS, NEVADA, US. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:21:23:00 Win2K-f 4.177.18.9 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
SAN DIEGO, CALIFORNIA, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:22:52:00 Win2K-f 71.102.163.22 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
LOS ANGELES, CALIFORNIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

23:35:00 Win2K-f 124.66.160.131 (-):
PT ANTAR MITRA PRAKARSA,
JAKARTA, JAKARTA RAYA (DJAKARTA RAYA), ID. n/a US:www.maxmind.com
US:www.getmyip.org
US:getmyip.co.uk
:checkip.dyndns.org
US:65.254.39.170:80
US:67.15.94.80:80
US:75.126.138.202:80 445 pcap raw alerts
ruleset http
3 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace