Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

13 September 2009
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:22:00 WinXP 70.64.80.231 (GASOC.COM):
SHAW COMMUNICATIONS INC,
SASKATOON, SASKATCHEWAN, CA. (DSL) 		n/a :gg.arrancar.org 135 pcap raw alerts
ruleset 		other
186 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 f3932b94a6
NEW 		910494cc45 [0] none:none
 none|none none trace
T:00:48:00 Win2K-f 98.141.30.215 (-):
. 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:00:51:00 WinXP 116.59.151.243 (-):
MOBILE BUSINESS GROUP CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 eda3b7766c
NEW 		7556343561 [0] none:none
 PolyEnE| none trace
T:01:44:00 Win2K-f 125.4.6.138 (ZAQ.NE.JP):
HIGASHI-OSAKA CABLE TELEVISION CO. LTD,
OSAKA, OSAKA, JP. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32
33 of 33		 07fabc79ef
NEW
53bfe15e91
NEW 		none[0]
1473091351[0] 		ASM:Graph
ASM:Graph
 Armadillo|
tElock| 		lines=81
lines=75
embedded dns 		trace
trace
T:02:05:00 WinXP 62.120.253.27 (-):
EUNET,
FR. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 eda3b7766c
NEW 		7556343561 [0] none:none
 PolyEnE| none trace
T:03:51:00 WinXP 92.55.102.99 (IKBCC.COM):
EU-ZZ,
UK. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 4ceccaec21
NEW 		6ffedb8be7 [0] none:none
 PolyEnE| none trace
T:04:26:00 WinXP 92.114.242.205 (APEXCOVANTAGE.COM):
EU-ZZ,
UK. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 ebddbaef33
NEW 		246edc390a [0] none:none
 PolyEnE| none trace
T:05:26:00 WinXP 200.100.236.239 (TELESP.NET.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DIAL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
3 lines 		Yeah : 1.3
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:05:46:00 WinXP 217.203.210.175 (-):
TELECOM ITALIA MOBILE,
IT. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 40 74b3d149e8
NEW 		cef0fa2981 [0] none:none
 PolyEnE| none trace
T:06:00:00 WinXP 78.228.171.127 (PRESTONAUTO.COM):
PROXAD INTERNET SERVICE PROVIDER IN FRANCE,
PARIS, ILE-DE-FRANCE, FR. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		36 of 40 9b47736683
NEW 		79ecd1a24c [0] none:none
 none|none none trace
T:07:27:00 Win2K-f 117.197.112.60 (-):
. 		n/a CZ:qtas.net 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		6 of 40 41fba073ee
NEW 		4009c372b6 [0] none:none
 FASM| none trace
T:07:29:00 WinXP 114.137.20.154 (-):
. 		213.219.245.212:80 RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
3 lines 		Yeah : 1.3
profile 		none summary
tarball 		35 of 36 6d30ad4b30
NEW 		723226e19b [0] none:none
 PolyEnE| none trace
T:07:45:00 WinXP 114.48.83.40 (-):
. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		37 of 40 5285741560
NEW 		60590b8b67 [0] ASM:Graph
 none|none lines=59 trace
T:08:15:00 WinXP 85.179.166.148 (ALICEDSL.DE):
HANSENET-ADSL,
DE. (DSL) 		122.160.232.194:13001 IN:chat-shqip.org 445 pcap raw alerts
ruleset 		ftp
irc
58 lines 		Yeah : 1.8
profile 		none summary
tarball 		10 of 33 d2c26e07fd
NEW 		none[4] none:none
 none|none none trace
T:08:34:00 WinXP 114.137.101.25 (-):
. 		n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		25 of 25 7f60162c2c
NEW 		none[0] none:none
 PolyEnE| lines=93
embedded dns 		trace
T:08:40:00 WinXP 66.72.68.82 (AMERITECH.NET):
AT&T INTERNET SERVICES,
BLOOMINGTON, INDIANA, US. (DIAL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		25 of 32 94a5a65226
NEW 		none[4] none:none
 none|none none trace
T:08:45:00 Win2K-f 4.190.80.201 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
DES MOINES, IOWA, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
76 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
8 of 33		 53bfe15e91
NEW
b7082104e4
NEW 		1473091351 [0]
c5b49e7b82[0] 		ASM:Graph
ASM:Graph
 tElock|
tElock| 		lines=75
embedded dns
lines=41 		trace
trace
T:08:50:00 Win2K-f 115.80.2.240 (-):
. 		n/a   135 pcap raw alerts
ruleset 		other
258 lines 		Yeah : 1.3
profile 		none summary
tarball 		10 of 41 251a38aa02
NEW 		none[3] none:none
 none|none none trace
T:09:07:00 WinXP 114.48.24.50 (-):
. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
17 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:09:44:00 WinXP 114.48.152.41 (-):
. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		37 of 40 5285741560
NEW 		60590b8b67 [0] ASM:Graph
 none|none lines=59 trace
T:10:54:00 Win2K-f 92.225.239.200 (APEXCOVANTAGE.COM):
EU-ZZ,
UK. 		n/a CZ:qtas.net 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		6 of 40 41fba073ee
NEW 		4009c372b6 [0] none:none
 FASM| none trace
T:11:17:00 WinXP 118.231.135.167 (-):
. 		n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		33 of 36 d61760f6a1
NEW 		22542b9b5e [0] none:none
 PolyEnE| none trace
T:11:32:00 Win2K-f 58.237.132.254 (-):
THRUNET-INFRA-DAEGU11,
SEOUL, KYONGGI-DO, KR. 		218.93.205.30:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
CN:dl.guarddog2009.com
CN:gidromash.cn
CN:ottopay.cn
US:64.235.53.208:80 		135 pcap raw alerts
ruleset 		irc
http
146 lines 		Yeah : 1.8
profile 		none summary
tarball 		12 of 40
30 of 33
28 of 33
19 of 41		 38e8f258e7
NEW
533d15b5ce
NEW
58c343a8d8
NEW
95ca496b37
NEW 		871a2e904e [0]
c67adf46e2[0]
none [0]
9c39a10179[0] 		none:none
ASM:Graph
none:none
none:none
 none|none
tElock|
Armadillo|
none|none 		none
lines=126
embedded dns
lines=91
none 		trace
trace
trace
trace
T:11:42:00 WinXP 77.54.45.116 (REV.VODAFONE.PT):
GPRS POOLS,
PT. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 40 824d6a706e
NEW 		a66fd13bcb [0] none:none
 PolyEnE| none trace
T:12:07:00 WinXP 84.224.3.220 (PGSM.HU):
PANNON GSM TELECOMMUNICATIONS INC,
BUDAPEST, BUDAPEST, HU. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 1a2c0e6130
NEW 		none[0] none:none
 none|none lines=60 trace
T:12:16:00 WinXP 78.39.216.19 (-):
INFORMATION TECHNOLOGY COMPANY (ITC),
IR. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 708f64b1b7
NEW 		a18ef8ac1f [0] none:none
 PolyEnE| none trace
T:13:22:00 Win2K-f 41.206.134.20 (-):
VODAFONE EGYPT,
EG. 		n/a CZ:qtas.net 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		6 of 40 41fba073ee
NEW 		4009c372b6 [0] none:none
 FASM| none trace
T:13:29:00 WinXP 64.33.132.124 (AIRSTREAMCOMM.NET):
TRI COUNTY TELEPHONE,
WISCONSIN, US. (DIAL) 		n/a   445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:14:18:00 WinXP 189.48.49.34 (BRASILTELECOM.NET.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. 		n/a   445 pcap raw alerts
ruleset 		http
4 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:14:24:00 WinXP 67.212.101.243 (-):
. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 40 824d6a706e
NEW 		a66fd13bcb [0] none:none
 PolyEnE| none trace
T:14:51:00 WinXP 72.64.30.16 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
CHARLESTON, WEST VIRGINIA, US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:14:54:00 WinXP 4.141.86.223 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
LEVERETT, MASSACHUSETTS, US. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
582 lines 		Yeah : 1.3
profile 		none summary
tarball 		28 of 41 b8076e37ae
NEW 		52953fed05 [0] none:none
 StarForce| none trace
T:14:56:00 Win2K-f 211.124.136.86 (ZAQ.NE.JP):
KITAKAWACHI CABLE NET CO LTD,
OSAKA, OSAKA, JP. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
76 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 33
33 of 33		 2e45ae247e
NEW
53bfe15e91
NEW 		36aa8cd03d [0]
1473091351[0] 		none:none
ASM:Graph
 Armadillo|
tElock| 		none
lines=75
embedded dns 		trace
trace
T:15:12:00 WinXP 71.111.202.190 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
DURHAM, NORTH CAROLINA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:15:43:00 WinXP 114.48.3.220 (-):
. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		35 of 37 1987904b12
NEW 		9fd17c99f9 [0] ASM:Graph
 PolyEnE| lines=68 trace
T:17:28:00 WinXP 66.56.168.74 (RR.COM):
ROAD RUNNER HOLDCO LLC,
GREENSBORO, NORTH CAROLINA, US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:17:57:00 Win2K-f 202.157.41.194 (WAKUWAKU-LAND.COM):
KUMAMOTO CABLE NETWORK CORPORATION,
KUMAMOTO, KUMAMOTO, JP. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:18:21:00 WinXP 69.85.112.201 (SPEAKEASY.NET):
US. 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		35 of 35 9716d7995a
NEW 		c3a5354b6f [0] none:none
 PolyEnE| none trace
T:20:08:00 WinXP 4.231.84.128 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
US. (DIAL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		41 of 41 854a629c22
NEW 		b093eb447c [0] none:none
 PolyEnE| none trace
T:20:27:00 Win2K-f 70.60.210.56 (RR.COM):
ROAD RUNNER HOLDCO LLC,
COLUMBIA, SOUTH CAROLINA, US. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:20:30:00 WinXP 82.200.217.34 (DIAL.ONLINE.KZ):
DIAL-UP FOR KAZAKHSTAN ONLINE,
KZ. (DIAL) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 eda3b7766c
NEW 		7556343561 [0] none:none
 PolyEnE| none trace
T:20:57:00 Win2K-f 188.192.24.134 (DAVITA.COM):
VARIOUS REGISTRIES,
UK. 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 1dc6518cdb
NEW 		ada684ff4d [0] none:none
 Armadillo| none trace
T:21:00:00 Win2K-f 61.217.161.58 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. 		66.252.13.214:2081 US:s.unicat.org 445 pcap raw alerts
ruleset 		ftp
irc
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		37 of 41 67a66839f7
NEW 		7b1fc808a3 [0] none:none
 none|none none trace
T:21:02:00 WinXP 89.195.19.5 (-):
ORANGE,
UK. 		66.252.13.212:16667 US:bbs.moiservice.com 135 pcap raw alerts
ruleset 		irc
362 lines 		Yeah : 1.3
profile 		none summary
tarball 		41 of 41 ecdd8be2f9
NEW 		04c2f317fa [0] none:none
 Stranik| none trace
T:21:09:00 WinXP 96.49.141.57 (-):
. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:21:55:00 WinXP 114.37.138.178 (-):
. 		66.252.13.214:2081 US:s.unicat.org 445 pcap raw alerts
ruleset 		ftp
irc
17 lines 		Yeah : 1.3
profile 		none summary
tarball 		37 of 41 8abb75cb76
NEW 		d343494cab [0] none:none
 none|none none trace
T:22:00:00 Win2K-f 92.229.54.217 (APEXCOVANTAGE.COM):
EU-ZZ,
UK. 		n/a   445 pcap raw alerts
ruleset 		ftp
11 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:22:07:00 WinXP 114.42.164.139 (-):
. 		n/a US:s.unicat.org
US:66.252.13.214:2081 		445 pcap raw alerts
ruleset 		ftp
14 lines 		Yeah : 0.8
profile 		none summary
tarball 		37 of 41 5e28e18186
NEW 		aa4463e63f [0] none:none
 none|none none trace
T:22:14:00 WinXP 122.125.63.237 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TW. 		n/a US:s.unicat.org
US:66.252.13.214:2081 		445 pcap raw alerts
ruleset 		ftp
14 lines 		Yeah : 0.8
profile 		none summary
tarball 		37 of 41 67a66839f7
NEW 		7b1fc808a3 [0] none:none
 none|none none trace
T:22:17:00 Win2K-f 91.64.247.67 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
DE. 		n/a US:s.unicat.org
US:66.252.13.214:2081 		445 pcap raw alerts
ruleset 		ftp
14 lines 		Yeah : 0.8
profile 		none summary
tarball 		38 of 41 0b24e62ad9
NEW 		3e473e0302 [0] none:none
 StarForce| none trace
T:23:12:00 Win2K-f 189.121.99.55 (-):
. 		n/a US:s.unicat.org
US:66.252.13.214:2081 		445 pcap raw alerts
ruleset 		ftp
14 lines 		Yeah : 0.8
profile 		none summary
tarball 		38 of 41 e9396f8538
NEW 		ebeffe0338 [0] none:none
 none|none none trace
T:23:59:00 WinXP 119.154.12.185 (-):
. 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 eda3b7766c
NEW 		7556343561 [0] none:none
 PolyEnE| none trace