Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

07 September 2009
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
00:44:00 Win2K-f 202.60.108.60 (-):
HANOI TELECOM CORPORATION,
HANOI, HA NOI, VN. 		n/a US:www.maxmind.com
US:www.getmyip.org
US:getmyip.co.uk
:checkip.dyndns.org
208.78.70.70:80
US:65.254.39.170:80
US:67.15.94.80:80
US:75.126.138.202:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		3 of 37 d9cb288f31
NEW 		45603a001c [0] ASM:Graph
 UPX| lines=174
embedded dns 		trace
T:00:47:00 WinXP 87.123.149.251 (VERSANET.DE):
VERSATEL DEUTSCHLAND DYNAMIC POOL,
DE. 		n/a   445 pcap raw alerts
ruleset 		shell
4 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:01:24:00 WinXP 87.6.235.46 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A. TIN EASY LITE,
ROME, LAZIO, IT. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		29 of 29 a0139d7ad8
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:02:05:00 WinXP 130.13.209.185 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
4 lines 		Yeah : 1.3
profile 		none summary
tarball 		35 of 35 9716d7995a
NEW 		c3a5354b6f [0] none:none
 PolyEnE| none trace
02:06:00 WinXP 130.13.209.185 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		35 of 35 9716d7995a
NEW 		c3a5354b6f [0] none:none
 PolyEnE| none trace
T:02:14:00 WinXP 62.11.32.65 (DIALUP.TISCALI.IT):
TISCALI ITALIA SPA,
NAPOLI, CAMPANIA, IT. (DIAL) 		n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
:wpad 		445 pcap raw alerts
ruleset 		http
http
http
29 lines 		Yeah : 0.8
profile 		none summary
tarball 		29 of 29 df17a625ee
NEW 		none[0] none:none
 ASPack| lines=298
embedded dns 		trace
T:03:45:00 Win2K-f 4.226.225.59 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
BANDERA, TEXAS, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:04:11:00 WinXP 119.234.14.246 (-):
. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		35 of 36 6b3beaea1a
NEW 		154f174df6 [0] none:none
 PolyEnE| none trace
T:04:25:00 WinXP 203.76.66.181 (KCT.AD.JP):
KURASHIKI CABLE TV CORPORATION,
KURASHIKI, OKAYAMA, JP. 		211.233.45.253:3305 JP:cx10man.weedns.com
:fx010413.whyI.org
FI:gynoman.weedns.com
AR:g.0x20.biz
AR:c010x1.co.cc
:commgr.co.cc
KR:telephone.dd.blueline.be
JP:61.120.62.28:3305 		135 pcap raw alerts
ruleset 		irc
607 lines 		Yeah : 1.8
profile 		none summary
tarball 		40 of 41 5ec55a04a2
NEW 		c77c150cc2 [none] none:none
 StarForce| none none
T:04:49:00 WinXP 208.103.153.103 (CORETEL.NET):
CORETEL AMERICA INC,
ANNAPOLIS, MARYLAND, US. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		41 of 41 72134e4b44
NEW 		28c60e99a7 [0] none:none
 PolyEnE| none trace
T:05:24:00 WinXP 196.208.65.86 (TELKOM-IPNET.CO.ZA):
AFRINIC,
JOHANNESBURG, GAUTENG, ZA. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
76 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
05:37:00 WinXP 208.103.153.103 (CORETEL.NET):
CORETEL AMERICA INC,
ANNAPOLIS, MARYLAND, US. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		41 of 41 72134e4b44
NEW 		28c60e99a7 [0] none:none
 PolyEnE| none trace
T:05:49:00 WinXP 112.203.83.231 (-):
. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 eda3b7766c
NEW 		7556343561 [0] none:none
 PolyEnE| none trace
T:05:55:00 WinXP 219.114.249.114 (ZAQ.NE.JP):
KITAKAWACHI CABLE NET CO LTD,
JP. 		n/a CN:russia.blacktiehsbdcs.com
:jiets.soidudrf.com
:munirah.nagitiriheiwu.net
CN:218.61.22.10:7575 		135 pcap raw alerts
ruleset 		other
256 lines 		Yeah : 1.3
profile 		none summary
tarball 		18 of 32 bec892aaf3
NEW 		b73f3acec5 [0] none:none
 none|none none trace
T:06:54:00 WinXP 71.113.169.64 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
BLOOMINGTON, ILLINOIS, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
10 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:07:33:00 WinXP 71.100.189.222 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
LAKELAND, FLORIDA, US. (DSL) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		39 of 40 5e8ccc4190
NEW 		8d5f86583f [0] none:none
 PolyEnE| none trace
T:07:38:00 WinXP 89.247.162.243 (VERSANET.DE):
VERSATEL NORD-DEUTSCHLAND GMBH,
DE. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		31 of 32 741e3b03b3
NEW 		none[0] none:none
 none|none lines=61 trace
T:09:25:00 WinXP 96.8.226.33 (-):
. 		211.233.45.253:3305 TH:cx10man.weedns.com
JP:fx010413.whyI.org
KR:gynoman.weedns.com
JP:g.0x20.biz
KR:telephone.dd.blueline.be
JP:61.120.62.28:3305 		135 pcap raw alerts
ruleset 		irc
577 lines 		Yeah : 1.8
profile 		none summary
tarball 		23 of 41 a0e262b14d
NEW 		4ae21c0514 [0] none:none
 StarForce| none trace
T:09:39:00 WinXP 151.67.195.127 (38-151.NET24.IT):
IUNET-BNET,
IT. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 470b31abb8
NEW 		c11e97bf10 [none] none:none
 PolyEnE| none none
T:10:06:00 WinXP 61.221.119.126 (HINET.NET):
DATA COMMUNICATION BUSINESS GROUP CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. (100Mbps) 		n/a   135 pcap raw alerts
ruleset 		other
55 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 33 57ce4acac2
NEW 		none[0] none:none
 Armadillo| lines=90 trace
T:10:28:00 WinXP 115.163.153.11 (-):
. 		92.240.234.164:3305 AR:cx10man.weedns.com
FI:fx010413.whyI.org
JP:gynoman.weedns.com
FI:g.0x20.biz
KR:telephone.dd.blueline.be
AR:phonewire.dd.blueline.be
:phonelogin.dd.blueline.be
AR:200.49.145.197:3305
KR:211.233.45.253:3305
JP:61.120.62.28:3305 		135 pcap raw alerts
ruleset 		irc
300 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 40 ecdd08f631
NEW 		ef6f81a949 [none] none:none
 StarForce| none none
T:10:29:00 Win2K-f 85.182.28.203 (ALICEDSL.DE):
HANSENET-ADSL,
OBERHAUSEN, NORDRHEIN-WESTFALEN, DE. 		n/a :munirah.nagitiriheiwu.net
CN:bti.jeiahsdod.net
CN:russia.blacktiehsbdcs.com
CN:218.61.22.10:3240
CN:218.61.22.10:7575 		135 pcap raw alerts
ruleset 		irc
http
323 lines 		Yeah : 0.8
profile 		none summary
tarball 		19 of 41
39 of 41		 205bf6f449
NEW
6aecb7ced9
NEW 		7f52ad5fa7 [0]
38dc6db54c[none] 		none:none
none:none
 StarForce|
Armadillo| 		none
none 		trace
none
T:10:32:00 WinXP 80.171.167.249 (HANSENET.DE):
HANSENET TELEKOMMUNIKATION GMBH,
HAMBURG, HAMBURG, DE. (DSL) 		66.252.13.212:16667 US:bbs.moiservice.com
US:66.252.13.212:16667 		135 pcap raw alerts
ruleset 		irc
491 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 be3fb54933
NEW 		925a4f0e7d [none] none:none
 Stranik| none none
T:10:37:00 WinXP 187.21.204.162 (-):
. 		211.233.45.253:3305 :cx10man.weedns.com
KR:fx010413.whyI.org
TH:gynoman.weedns.com
KR:g.0x20.biz
KR:telephone.dd.blueline.be
JP:61.120.62.28:3305 		135 pcap raw alerts
ruleset 		irc
286 lines 		Yeah : 1.3
profile 		none summary
tarball 		23 of 41 a0e262b14d
NEW 		4ae21c0514 [0] none:none
 StarForce| none trace
T:10:40:00 Win2K-f 85.182.31.224 (ALICEDSL.DE):
HANSENET-ADSL,
DE. 		66.252.13.212:16667 US:bbs.moiservice.com 135 pcap raw alerts
ruleset 		irc
329 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 fb6d6364a1
NEW 		b4686ae9ee [none] none:none
 Stranik| none none
T:10:55:00 Win2K-f 222.233.229.102 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, KYONGGI-DO, KR. 		91.212.220.156:65520 :proxim.ircgalaxy.pl
US:microsoft.com
CN:gidromash.cn
CN:ottopay.cn
US:64.235.53.208:80
EU:91.212.220.156:65520 		135 pcap raw alerts
ruleset 		irc
http
136 lines 		Yeah : 1.8
profile 		none summary
tarball 		29 of 32
28 of 32
8 of 41
4 of 41		 8a75955033
NEW
9276c8b36b
NEW
dedb9bcef0
NEW
e0e77eb455
NEW 		2bf3e548b9 [0]
none [0]
23233d4cd8[0]
8179f271af[none] 		ASM:Graph
ASM:Graph
none:none
none:none
 tElock|
Armadillo|
Xtreme-Pr|
none|none 		lines=126
embedded dns
lines=81
none
none 		trace
trace
trace
none
T:11:15:00 WinXP 24.103.196.250 (-):
. 		67.43.236.67:10324 CA:xx.nadnadzz.info
NL:xx.sqlteam.info
CA:xx.ka3ek.com
:idfc.info
CA:67.43.236.67:10324
NL:83.68.16.6:5190 		135 pcap raw alerts
ruleset 		irc
http
352 lines 		Yeah : 1.8
profile 		none summary
tarball 		29 of 41
32 of 38
37 of 40		 39336e51eb
NEW
524bc0f75c
NEW
a0a15f5ebf
NEW 		3f5ab71d39 [0]
d3e9510bb3[0]
c506c7cc86[0] 		none:none
none:none
none:none
 Neolite|
PENinja S|
Mew| 		none
none
none 		trace
trace
trace
11:21:00 WinXP 151.67.195.127 (38-151.NET24.IT):
IUNET-BNET,
IT. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 40 8b2eaac7de
NEW 		fbbb598b37 [none] none:none
 PolyEnE| none none
T:11:44:00 WinXP 66.67.32.212 (RR.COM):
ROAD RUNNER HOLDCO LLC,
ELLENVILLE, NEW YORK, US. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:12:52:00 WinXP 208.100.241.239 (1DIAL.COM):
AD-BASE SYSTEMS INC. (DBA GLOBALPOPS),
PITTSBURGH, PENNSYLVANIA, US. (DIAL) 		n/a   445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:12:59:00 Win2K-f 98.141.161.39 (-):
. 		n/a   135 pcap raw alerts
ruleset 		other
22 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:13:51:00 Win2K-f 98.141.30.215 (-):
. 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:14:13:00 Win2K-f 69.193.74.22 (-):
. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:15:53:00 WinXP 4.130.131.82 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
UPLAND, CALIFORNIA, US. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
10 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:16:52:00 WinXP 69.232.18.154 (PACBELL.NET):
HI STYLES FASHIONS INC,
PLANO, TEXAS, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
19:03:00 Win2K-f 203.223.173.245 (WOL.NET.PK):
CYBERSOFT TECHNOLOGIES PLC,
PK. 		n/a   445 pcap raw alerts
ruleset 		http
1 line 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:19:20:00 Win2K-f 70.66.68.184 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
NANAIMO, BRITISH COLUMBIA, CA. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
53 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 73f1082158
NEW 		none[0] none:none
 Armadillo| lines=90 trace