|
Time |
Victim OS |
Infection Source |
C&C Server |
DNS Lookups & Failed Connects |
Infection Port |
Packet Trace |
Detection Signatures |
Infection Chatter |
BotHunter Analysis |
Behavioral Cluster |
Forensic Logs |
Antivirus Labels |
Packed Malware_Binary |
Unpacked egg.exe |
Unpacked egg.asm |
Packer PEID |
Data Strings |
Syscall Trace |
| T:01:05:00 | WinXP | 67.52.237.4 (RR.COM): ROAD RUNNER HOLDCO LLC, KANSAS CITY, MISSOURI, US. |
n/a | 445 | pcap | raw alerts ruleset |
other 2 lines |
Argh : 0.3 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:01:06:00 | Win2K-f | 24.64.204.112 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, BRITISH COLUMBIA, CA. (DSL) |
n/a | 135 | pcap | raw alerts ruleset |
other 410 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 | 573e0f1183 NEW |
6935c81bb4 [0] | none:none |
ASPack| | none | trace | |
| T:01:29:00 | WinXP | 119.234.137.181 (-): . |
n/a | RU:citi-bank.ru RU:213.219.245.212:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
39 of 41 | 282896b0cf NEW |
12242f4578 [0] | none:none |
PolyEnE| | none | trace |
| T:02:55:00 | WinXP | 86.155.85.227 (BTCENTRALPLUS.COM): BT-CENTRAL-PLUS, UK. |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 15 lines |
Yeah : 1.3 profile |
none | summary tarball |
29 of 29 | 831f4ee0a7 NEW |
none[0] | ASM:Graph |
none|none | lines=61 | trace | |
| T:05:31:00 | WinXP | 77.254.79.53 (COM.PL): NETIA, PL. |
n/a | :moscow-advokat.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
38 of 40 | 4740471483 NEW |
db0cbac4be [0] | none:none |
PolyEnE| | none | trace |
| T:05:42:00 | WinXP | 63.246.122.215 (SPEAKEASY.NET): US. |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 76 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 33 |
53bfe15e91 NEW a08f3b74a4 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:06:39:00 | WinXP | 98.141.9.117 (-): . |
n/a | 135 | pcap | raw alerts ruleset |
other 19 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:07:20:00 | Win2K-f | 66.66.248.184 (RR.COM): ROAD RUNNER HOLDCO LLC, SCHENECTADY, NEW YORK, US. |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 59 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 8 of 33 |
53bfe15e91 NEW b7082104e4 NEW |
1473091351 [0] c5b49e7b82[0] |
ASM:Graph ASM:Graph |
tElock| tElock| |
lines=75 embedded dns lines=41 |
trace trace |
| T:07:31:00 | WinXP | 81.9.189.175 (CM-81-9-189-10.TELECABLE.ES): TELECABLE, OVIEDO, ASTURIAS, ES. (DSL) |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
32 of 32 | b502f83a7c NEW |
28f5be93b0 [0] | none:none |
PolyEnE| | none | trace |
| T:09:19:00 | WinXP | 209.42.184.40 (WISPNET.NET): WISPNET LLC, KENTUCKY, US. |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 3 lines |
Yeah : 1.3 profile |
none | summary tarball |
35 of 36 | b27d73bfcb NEW |
473c6454ce [0] | ASM:Graph |
PolyEnE| | lines=68 | trace |
| T:09:29:00 | WinXP | 173.19.218.248 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
37 of 41 38 of 41 |
692f9bb8df NEW d482a2bec3 NEW |
2bf6f4e9f0 [0] 50a83c6b54[0] |
none:none none:none |
Armadillo| tElock| |
none none |
trace trace |
| T:11:33:00 | WinXP | 72.184.143.254 (RR.COM): ROAD RUNNER HOLDCO LLC, HERNDON, VIRGINIA, US. |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:12:05:00 | WinXP | 74.68.25.33 (RR.COM): ROAD RUNNER HOLDCO LLC, STATEN ISLAND, NEW YORK, US. |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 61 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 8 of 33 |
53bfe15e91 NEW b7082104e4 NEW |
1473091351 [0] c5b49e7b82[0] |
ASM:Graph ASM:Graph |
tElock| tElock| |
lines=75 embedded dns lines=41 |
trace trace |
| T:12:11:00 | Win2K-f | 24.234.68.126 (COX.NET): COX COMMUNICATIONS INC, LAS VEGAS, NEVADA, US. |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 33 |
53bfe15e91 NEW a08f3b74a4 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:12:53:00 | WinXP | 89.111.226.253 (TEOL.NET): TELEKOMSRPSKE, BA. (DIAL) |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 16 lines |
Yeah : 1.3 profile |
none | summary tarball |
37 of 40 | f54691063f NEW |
6039c698cd [0] | ASM:Graph |
none|none | lines=59 | trace | |
| T:13:47:00 | Win2K-f | 98.141.161.39 (-): . |
n/a | 135 | pcap | raw alerts ruleset |
other 22 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:13:52:00 | WinXP | 114.48.134.126 (-): . |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 14 lines |
Yeah : 1.3 profile |
none | summary tarball |
37 of 40 | 5285741560 NEW |
60590b8b67 [0] | ASM:Graph |
none|none | lines=59 | trace | |
| T:14:00:00 | Win2K-f | 130.13.50.70 (QWEST.NET): QWEST BROADBAND SERVICES INC, PHOENIX, ARIZONA, US. |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 16 lines |
Yeah : 1.3 profile |
none | summary tarball |
36 of 41 | 894e794b2b NEW |
aeb41eb7b9 [0] | none:none |
Obsidium| | none | trace | |
| 17:04:00 | WinXP | 130.13.155.22 (QWEST.NET): QWEST BROADBAND SERVICES INC, PHOENIX, ARIZONA, US. |
n/a | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 1.3 profile |
none | summary tarball |
40 of 41 | 3b42f49069 NEW |
f4dc842173 [0] | none:none |
PolyEnE| | none | trace |
| T:17:20:00 | WinXP | 121.121.238.73 (MAXIS.NET.MY): MAXIS COMMUNICATIONS BHD, MY. |
n/a | RU:citi-bank.ru RU:213.219.245.212:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
39 of 41 | ed96c03ca8 NEW |
c0028e9e98 [0] | none:none |
PolyEnE| | none | trace |
| T:17:34:00 | WinXP | 75.49.19.243 (SBCGLOBAL.NET): PPPOX POOL - SE1.WOTNOH, DALLAS, TEXAS, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 33 |
53bfe15e91 NEW a08f3b74a4 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:17:48:00 | Win2K-f | 81.84.237.234 (CPE.NETCABO.PT): TVCABO-PORTUGAL CABLE MODEM NETWORK, PT. |
n/a | 445 | pcap | raw alerts ruleset |
ftp 12 lines |
Yeah : 0.8 profile |
none | summary tarball |
39 of 41 | a614f40eee NEW |
6fc8ab301a [0] | none:none |
Armadillo| | none | trace | |
| T:17:52:00 | Win2K-f | 124.11.66.3 (TFN.NET.TW): TAIWAN FIXED NETWORK CO. LTD, TAIPEI, T'AI-PEI, TW. |
n/a | 445 | pcap | raw alerts ruleset |
ftp 12 lines |
Yeah : 0.8 profile |
none | summary tarball |
38 of 41 | 4e111574b1 NEW |
3218c1a37b [0] | none:none |
Armadillo| | none | trace | |
| T:17:53:00 | WinXP | 189.55.91.45 (BRASILTELECOM.NET.BR): COMITE GESTOR DA INTERNET NO BRASIL, BR. |
n/a | 445 | pcap | raw alerts ruleset |
ftp 10 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:17:56:00 | WinXP | 60.234.102.43 (ORCON.NET.NZ): ORCON INTERNET LTD SUPPORT, AUCKLAND, AUCKLAND, NZ. |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
| T:18:00:00 | Win2K-f | 114.51.143.101 (-): . |
n/a | 445 | pcap | raw alerts ruleset |
ftp 12 lines |
Yeah : 0.8 profile |
none | summary tarball |
39 of 41 | a6a3f9e3eb NEW |
be9f85bc09 [0] | none:none |
Armadillo| | none | trace | |
| T:18:05:00 | WinXP | 61.94.18.133 (TELKOM.NET.ID): PT TELKOM INDONESIA, SURABAYA, JAWA TIMUR (DJAWA TIMUR), ID. |
66.252.13.212:16667 | US:bbs.moiservice.com | 445 | pcap | raw alerts ruleset |
ftp irc 41 lines |
Yeah : 1.3 profile |
none | summary tarball |
34 of 41 | 9f3b1457b6 NEW |
e7124c9b61 [0] | none:none |
Stranik| | none | trace |
| T:18:11:00 | WinXP | 78.235.173.110 (PRESTONAUTO.COM): PROXAD INTERNET SERVICE PROVIDER IN FRANCE, PARIS, ILE-DE-FRANCE, FR. |
n/a | 445 | pcap | raw alerts ruleset |
ftp 12 lines |
Yeah : 0.8 profile |
none | summary tarball |
38 of 41 | 73f43c46b3 NEW |
f5ba941091 [0] | none:none |
Armadillo| | none | trace | |
| T:18:33:00 | Win2K-f | 114.39.77.150 (-): . |
n/a | US:f.unicat.org US:66.252.13.214:9890 |
445 | pcap | raw alerts ruleset |
ftp 14 lines |
Yeah : 0.8 profile |
none | summary tarball |
13 of 31 | e8d4d8cde1 NEW |
none[0] | none:none |
ASProtect| | lines=585 embedded dns |
trace |
| T:18:45:00 | Win2K-f | 67.8.56.42 (RR.COM): ROAD RUNNER HOLDCO LLC, NAPLES, FLORIDA, US. |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:19:00:00 | Win2K-f | 119.234.138.145 (-): . |
n/a | 445 | pcap | raw alerts ruleset |
ftp 12 lines |
Yeah : 0.8 profile |
none | summary tarball |
26 of 41 | 5b98810cf2 NEW |
fbe2a89f62 [0] | none:none |
Stranik| | none | trace | |
| T:19:01:00 | WinXP | 189.33.99.68 (BRASILTELECOM.NET.BR): COMITE GESTOR DA INTERNET NO BRASIL, BR. |
n/a | 445 | pcap | raw alerts ruleset |
ftp 12 lines |
Yeah : 0.8 profile |
none | summary tarball |
39 of 41 | 9621fc8b88 NEW |
a73753125a [0] | none:none |
Armadillo| | none | trace | |
| T:19:15:00 | WinXP | 188.192.152.16 (DAVITA.COM): VARIOUS REGISTRIES, UK. |
66.252.13.214:2081 | US:s.unicat.org | 445 | pcap | raw alerts ruleset |
ftp irc 21 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 | 67ad016b7b NEW |
6b0aa5a41d [0] | none:none |
none|none | none | trace |
| T:19:27:00 | WinXP | 117.20.159.83 (KMTCSIN.COM.SG): STARHUB INTERNET PTE LTD, SG. |
66.252.13.214:2081 | US:s.unicat.org | 445 | pcap | raw alerts ruleset |
ftp irc 21 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 | 93ff5306d2 NEW |
3af74740fd [0] | none:none |
none|none | none | trace |
| T:19:28:00 | WinXP | 189.99.33.156 (-): . |
66.252.13.214:2081 | US:s.unicat.org | 445 | pcap | raw alerts ruleset |
ftp irc 21 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 | f7c3c7dd92 NEW |
39c2017a72 [0] | none:none |
none|none | none | trace |
| T:19:51:00 | Win2K-f | 189.113.236.250 (-): . |
66.252.13.214:2081 | US:s.unicat.org | 445 | pcap | raw alerts ruleset |
ftp irc 21 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 41 | 4685273c70 NEW |
5c2008d8f8 [0] | none:none |
none|none | none | trace |
| T:19:53:00 | Win2K-f | 77.20.103.194 (APEXCOVANTAGE.COM): EU-ZZ, UK. |
n/a | 445 | pcap | raw alerts ruleset |
ftp 12 lines |
Yeah : 0.8 profile |
none | summary tarball |
39 of 41 | 1f2df711be NEW |
39bbc8229d [0] | none:none |
Armadillo| | none | trace | |
| T:20:08:00 | Win2K-f | 61.94.213.171 (TELKOM.NET.ID): PT TELKOM INDONESIA, ID. |
n/a | 445 | pcap | raw alerts ruleset |
ftp 11 lines |
Yeah : 0.8 profile |
none | summary tarball |
27 of 32 | 6c36e19037 NEW |
9a2e60aec3 [0] | none:none |
none|none | none | trace | |
| T:20:10:00 | WinXP | 61.94.189.41 (TELKOM.NET.ID): PT TELKOM INDONESIA, DENPASAR, BALI, ID. |
66.252.13.212:16667 | US:bbs.moiservice.com | 445 | pcap | raw alerts ruleset |
ftp irc 20 lines |
Yeah : 1.3 profile |
none | summary tarball |
37 of 41 | 1b0e5044fc NEW |
e7124c9b61 [0] | none:none |
Stranik| | none | trace |
| T:20:22:00 | WinXP | 173.27.192.242 (-): . |
66.252.13.212:16667 | US:bbs.moiservice.com | 445 | pcap | raw alerts ruleset |
ftp irc 20 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 | 50af345b12 NEW |
899f8749bf [0] | none:none |
Stranik| | none | trace |
| T:20:27:00 | Win2K-f | 189.120.19.16 (-): . |
66.252.13.214:2081 | US:s.unicat.org | 445 | pcap | raw alerts ruleset |
ftp irc 33 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 | fc2bf8d120 NEW |
9224dd16f5 [0] | none:none |
none|none | none | trace |
| T:21:02:00 | WinXP | 123.195.13.166 (ETHOME.COM.TW): TUNG HO MULTIMEDIA CO. LTD, TAIPEI, T'AI-PEI, TW. |
n/a | 445 | pcap | raw alerts ruleset |
ftp 12 lines |
Yeah : 0.8 profile |
none | summary tarball |
39 of 41 | eb4d8f8eaa NEW |
78ac78bccc [0] | none:none |
Armadillo| | none | trace | |
| T:21:12:00 | WinXP | 218.172.54.62 (HINET.NET): CHTD CHUNGHWA TELECOM CO. LTD, TW. |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 40 | 824d6a706e NEW |
a66fd13bcb [0] | none:none |
PolyEnE| | none | trace |
| T:21:16:00 | WinXP | 172.135.173.92 (AOL.COM): AMERICA ONLINE, RESTON, VIRGINIA, US. (DSL) |
n/a | 135 | pcap | raw alerts ruleset |
other 124 lines |
Yeah : 1.3 profile |
none | summary tarball |
36 of 41 | fc79d13f4f NEW |
fc79d13f4f [1] | ASM:Graph |
Armadillo| | lines=82 | trace | |
| T:21:36:00 | Win2K-f | 61.227.129.25 (HINET.NET): DATA COMMUNICATION BUSINESS GROUP CHUNGHWA TELECOM CO. LTD, TW. |
n/a | 445 | pcap | raw alerts ruleset |
ftp 12 lines |
Yeah : 0.8 profile |
none | summary tarball |
33 of 41 | de37f2fc47 NEW |
bac4cc6eec [0] | none:none |
Armadillo| | none | trace | |
| T:21:43:00 | WinXP | 76.75.84.52 (NEXICOM.NET): NEXICOM INC, CA. |
n/a | US:s.unicat.org US:66.252.13.214:2081 |
445 | pcap | raw alerts ruleset |
ftp 14 lines |
Yeah : 0.8 profile |
none | summary tarball |
38 of 41 | 14c1a5ade2 NEW |
9e89cc22d5 [0] | none:none |
none|none | none | trace |
| T:22:01:00 | WinXP | 24.46.153.115 (OPTONLINE.NET): OPTIMUM ONLINE (CABLEVISION SYSTEMS), HARRISON, NEW YORK, US. (100Mbps) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:22:12:00 | WinXP | 114.38.179.248 (-): . |
n/a | 445 | pcap | raw alerts ruleset |
ftp 12 lines |
Yeah : 0.8 profile |
none | summary tarball |
33 of 41 | de37f2fc47 NEW |
bac4cc6eec [0] | none:none |
Armadillo| | none | trace | |
| T:22:19:00 | WinXP | 174.3.47.119 (-): . |
n/a | 135 | pcap | raw alerts ruleset |
other 395 lines |
Yeah : 1.3 profile |
none | summary tarball |
32 of 41 | 1f8405c802 NEW |
16d9ca60c2 [0] | none:none |
ASPack| | none | trace | |
| T:22:34:00 | WinXP | 122.121.158.42 (HINET.NET): CHTD CHUNGHWA TELECOM CO. LTD, TW. |
66.252.13.212:16667 | US:bbs.moiservice.com US:66.252.13.212:16667 |
445 | pcap | raw alerts ruleset |
ftp irc 48 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 40 | 9f5b49bb41 NEW |
e7124c9b61 [0] | none:none |
Stranik| | none | trace |
| 23:00:00 | Win2K-f | 203.99.57.178 (DSL.NET.PK): MICRONET BROADBAND (PVT) LTD, ISLAMABAD, ISLAMABAD, PK. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
http 2 lines |
Argh : 0.3 profile |
none | summary tarball |
none | none | none | none | none | none | none |