| Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| T:00:07:00 | Win2K-f | 72.66.8.36 (VERIZON.NET): GAIP INC, VIENNA, VIRGINIA, US. (100Mbps) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 32 | 53bfe15e91 NEW; 73f1082158 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock; Armadillo | lines=75 embedded dns; lines=90 | trace; trace |
| T:00:43:00 | WinXP | 121.121.107.49 (MAXIS.NET.MY): MAXIS COMMUNICATIONS BHD, MY. | n/a | :moscow-advokat.ru | 445 | pcap | raw alerts ruleset | other 0 lines | Yeah : 0.8 profile | none | summary tarball | 29 of 29 | 492957db81 NEW | none [0] | ASM:Graph | PolyEnE | lines=69 embedded dns | trace |
| T:01:30:00 | WinXP | 121.121.83.179 (MAXIS.NET.MY): MAXIS COMMUNICATIONS BHD, MY. | n/a | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 39 of 41 | 912a073945 NEW | 7874c7f21e [0] | none:none | PolyEnE | none | trace |
| T:01:32:00 | Win2K-f | 173.28.214.210 (-): . | n/a | US:s.unicat.org; US:66.252.13.214:2081 | 445 | pcap | raw alerts ruleset | ftp 14 lines | Yeah : 0.8 profile | none | summary tarball | 39 of 41 | 2e8703b63a NEW | 570d889860 [0] | none:none | none/none | none | trace |
| T:02:30:00 | WinXP | 151.100.138.20 (IPPOCRATE.UNIROMA1.IT): UNIVERSITA' DEGLI STUDI DI ROMA LA SAPIENZA, ROME, LAZIO, IT. | n/a | RU:citi-bank.ru; RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 41 | 2c31e3c966 NEW | dca1fa0c85 [0] | none:none | PolyEnE | none | trace |
| T:03:19:00 | WinXP | 99.155.29.172 (-): . | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; a08f3b74a4 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock; Armadillo | lines=75 embedded dns; lines=90 | trace; trace |
| T:03:31:00 | WinXP | 121.216.104.144 (BIGPOND.NET.AU): TELSTRAINTERNET45, CANBERRA, AUSTRALIAN CAPITAL TERRITORY, AU. | 92.240.234.164:3305 | JP:cx10man.weedns.com | 135 | pcap | raw alerts ruleset | irc 590 lines | Yeah : 1.8 profile | none | summary tarball | 23 of 41 | a0e262b14d NEW | 4ae21c0514 [0] | none:none | StarForce | none | trace |
| T:03:44:00 | Win2K-f | 216.168.114.248 (FRONTENAC.NET): NORTH FRONTENAC TELEPHONE COMPANY, ONTARIO, CA. (DSL) | n/a | | 445 | pcap | raw alerts ruleset | other 0 lines | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:04:32:00 | Win2K-f | 61.221.250.18 (HINET.NET): DATA COMMUNICATION BUSINESS GROUP CHUNGHWA TELECOM CO. LTD, TW. | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; 57ce4acac2 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock; Armadillo | lines=75 embedded dns; lines=90 | trace; trace |
| T:05:10:00 | WinXP | 116.127.124.36 (-): HANARO TELECOM, SEOUL, KYONGGI-DO, KR. | 91.212.220.75:65520 | CN:proxim.ircgalaxy.pl; US:microsoft.com; CN:gidromash.cn; CN:ottopay.cn; :www.petdoso.com; GB:www.businesstomb.com; US:www.cultural-india.org; NL:kona.kontera.com; CN:www.softwaresdev.com; CN:221.10.254.173:80 | 135 | pcap | raw alerts ruleset | irc http 823 lines | Yeah : 1.8 profile | none | summary tarball | 21 of 41; 21 of 41; 12 of 40; 29 of 32; 26 of 41; 28 of 32 | 1b7635d92c NEW; 2315f33b48 NEW; 38e8f258e7 NEW; 8a75955033 NEW; 8f7d194ec8 NEW; 9276c8b36b NEW | 28cf6965a6 [0]; beaf33437c [0]; 871a2e904e [0]; 2bf3e548b9 [0]; 61110958ea [0]; none [0] | none:none; none:none; none:none; ASM:Graph; none:none; ASM:Graph | MEW; ASProtect; none/none; tElock; ASProtect; Armadillo | none; none; none; lines=126 embedded dns; none; lines=81 | trace; trace; trace; trace; trace; trace |
| T:06:01:00 | WinXP | 65.78.216.23 (WVFIBERNET.NET): FIBERNET, GRANTSVILLE, WEST VIRGINIA, US. | n/a | | 445 | pcap | raw alerts ruleset | shell ftp 15 lines | Yeah : 1.3 profile | none | summary tarball | 31 of 32 | 741e3b03b3 NEW | none [0] | none:none | none/none | lines=61 | trace |
| T:06:23:00 | WinXP | 92.40.163.131 (IKBCC.COM): EU-ZZ, UK. | n/a | | 445 | pcap | raw alerts ruleset | shell ftp 15 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41 | af61613efc NEW | 33bace5770 [0] | none:none | none/none | none | trace |
| T:06:42:00 | WinXP | 86.155.81.79 (BTCENTRALPLUS.COM): BT-CENTRAL-PLUS, UK. | n/a | | 445 | pcap | raw alerts ruleset | shell ftp 15 lines | Yeah : 1.3 profile | none | summary tarball | 29 of 29 | 831f4ee0a7 NEW | none [0] | ASM:Graph | none/none | lines=61 | trace |
T:06:42:00 | WinXP | 86.155.81.79 (BTCENTRALPLUS.COM): BT-CENTRAL-PLUS, UK. |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 15 lines |
Yeah : 1.3 profile |
none | summary tarball |
29 of 29 | 831f4ee0a7 NEW |
none[0] | ASM:Graph |
none|none | lines=61 | trace | |
T:06:47:00 | Win2K-f | 218.48.155.180 (HANANET.NET): HANARO TELECOM INC, KR. |
218.93.205.30:65520 91.212.220.75:65520 | US:microsoft.com CN:proxima.ircgalaxy.pl CN:dl.guarddog2009.com CN:gidromash.cn CN:ottopay.cn :www.petdoso.com CN:streq.cn :horobl.cn CN:211.95.79.170:80 |
135 | pcap | raw alerts ruleset |
irc http 124 lines |
Yeah : 1.8 profile |
none | summary tarball |
31 of 33 21 of 41 12 of 40 4 of 41 31 of 33 19 of 41 |
168aab35a3 NEW 1b7635d92c NEW 38e8f258e7 NEW 5e16714bab NEW 667f0c59f3 NEW 95ca496b37 NEW |
60b730b97e [0] 28cf6965a6[0] 871a2e904e[0] none [4] 8fe2be2095[0] 9c39a10179[0] |
ASM:Graph none:none none:none none:none ASM:Graph none:none |
tElock| MEW| none|none none|none Armadillo| none|none |
lines=120 embedded dns none none none lines=91 none |
trace trace trace trace trace trace |
T:07:23:00 | WinXP | 86.105.216.12 (PANEVO.RO): SC PAN ELECTRO SRL, RO. |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 | ed96c03ca8 NEW |
c0028e9e98 [0] | none:none |
PolyEnE| | none | trace |
T:07:44:00 | WinXP | 124.8.128.131 (TFN.NET.TW): TAIWAN FIXED NETWORK CO. LTD, KAOHSIUNG, KAO-HSIUNG, TW. |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 | ed96c03ca8 NEW |
c0028e9e98 [0] | none:none |
PolyEnE| | none | trace |
| T:08:19:00 | WinXP | 92.114.192.66 (APEXCOVANTAGE.COM): EU-ZZ, UK. | 218.93.205.30:65520 | CN:proxim.ircgalaxy.pl; CN:gidromash.cn; CN:ottopay.cn; :www.petdoso.com; 174.36.176.242:81 | 445 | pcap | raw alerts ruleset | http irc 19 lines | Yeah : 1.3 profile | none | summary tarball | 21 of 41; 12 of 40; 37 of 39 | 1b7635d92c NEW; 38e8f258e7 NEW; dab4da4e21 NEW | 28cf6965a6 [0]; 871a2e904e [0]; e63b813015 [0] | none:none; none:none; ASM:Graph | MEW; none/none; PolyEnE | none; none; lines=134 | trace; trace; trace |
| T:08:48:00 | WinXP | 121.121.163.66 (MAXIS.NET.MY): MAXIS COMMUNICATIONS BHD, MY. | n/a | RU:citi-bank.ru; RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none [0] | none:none | PolyEnE | lines=68 | trace |
| T:09:10:00 | WinXP | 68.225.84.48 (COX.NET): COX COMMUNICATIONS, NEWPORT NEWS, VIRGINIA, US. | 213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 34 of 36 | fcd4bae1af NEW | 0286c9069c [0] | none:none | PolyEnE | none | trace |
| T:09:13:00 | Win2K-f | 59.120.228.224 (HINET.NET): CHTD CHUNGHWA TELECOM CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 53 lines | Yeah : 1.3 profile | none | summary tarball | 0 of 33 | 57ce4acac2 NEW | none [0] | none:none | Armadillo | lines=90 | trace |
| T:10:01:00 | WinXP | 69.85.123.4 (SPEAKEASY.NET): US. | n/a | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 35 of 35 | 9716d7995a NEW | c3a5354b6f [0] | none:none | PolyEnE | none | trace |
| T:10:10:00 | WinXP | 88.130.184.189 (VERSANETONLINE.DE): VERSATEL NORD-DEUTSCHLAND GMBH, DORTMUND, NORDRHEIN-WESTFALEN, DE. | n/a | | 445 | pcap | raw alerts ruleset | shell ftp 14 lines | Yeah : 1.3 profile | none | summary tarball | 31 of 32 | 741e3b03b3 NEW | none [0] | none:none | none/none | lines=61 | trace |
| T:10:36:00 | Win2K-f | 58.71.45.90 (PLDT.NET): IPG, PH. | 200.49.145.197:3305 | TH:cx10man.weedns.com; FI:fx010413.whyI.org; TH:gynoman.weedns.com; FI:g.0x20.biz; 92.240.234.164:3305 | 135 | pcap | raw alerts ruleset | irc 609 lines | Yeah : 1.8 profile | none | summary tarball | 40 of 41 | 3f8fb954df NEW | 3ae32232fb [0] | none:none | StarForce | none | trace |
| T:10:37:00 | WinXP | 200.219.120.206 (STERLINGSTUDENTS.NET): COMITE GESTOR DA INTERNET NO BRASIL, BR. (DSL) | n/a | RU:citi-bank.ru; RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 41 | 694802b8ef NEW | 433eb20eb6 [0] | none:none | PolyEnE | none | trace |
| T:12:00:00 | Win2K-f | 71.79.175.186 (RR.COM): ROAD RUNNER HOLDCO LLC, CANTON, OHIO, US. | n/a | AR:cx10man.weedns.com | 135 | pcap | raw alerts ruleset | irc 694 lines | Yeah : 1.3 profile | none | summary tarball | 28 of 41 | b8076e37ae NEW | 52953fed05 [0] | none:none | StarForce | none | trace |
| T:12:56:00 | WinXP | 78.8.75.64 (NET.PL): DIALOG, WROCLAW, DOLNOSLASKIE, PL. | n/a | :moscow-advokat.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 37 of 40 | d4da7626da NEW | 4fec689aa6 [0] | ASM:Graph | PolyEnE | lines=93 embedded dns | trace |
| T:13:01:00 | WinXP | 74.214.47.11 (METROCAST.NET): GMP CABLE TV, BERWICK, PENNSYLVANIA, US. | 194.109.11.65:6556 | :0x80.my-secure.name; NL:0x80.my1x1.com; NL:0x80.martiansong.com; NL:0x80.goingformars.com; NL:194.109.11.65:6556 | 135 | pcap | raw alerts ruleset | other 123 lines | Yeah : 1.8 profile | none | summary tarball | 33 of 33 | e30fb27bda NEW | 90ee26f451 [0] | ASM:Graph | MEW | lines=185 embedded dns | trace |
| T:13:14:00 | WinXP | 193.248.104.183 (ABO.WANADOO.FR): TELECOM, METZ, NANTERRE, FR. | n/a | | 445 | pcap | raw alerts ruleset | ftp 13 lines | Yeah : 0.8 profile | none | summary tarball | 29 of 29 | 1a2c0e6130 NEW | none [0] | none:none | none/none | lines=60 | trace |
| T:13:26:00 | WinXP | 114.48.19.10 (-): . | n/a | | 445 | pcap | raw alerts ruleset | shell ftp 14 lines | Yeah : 1.3 profile | none | summary tarball | 37 of 40 | 5285741560 NEW | 60590b8b67 [0] | ASM:Graph | none/none | lines=59 | trace |
| T:13:56:00 | WinXP | 200.219.97.158 (STERLINGSTUDENTS.NET): COMITE GESTOR DA INTERNET NO BRASIL, BR. (DSL) | n/a | :moscow-advokat.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 41 | 2f6cc0e618 NEW | f8f316af28 [0] | none:none | PolyEnE | none | trace |
| T:13:58:00 | WinXP | 72.21.131.167 (-): ACETECH USA INC, LIBERTY LAKE, WASHINGTON, US. | n/a | :moscow-advokat.ru | 445 | pcap | raw alerts ruleset | other 0 lines | Yeah : 0.8 profile | none | summary tarball | 29 of 29 | 042774a2b7 NEW | none [0] | none:none | PolyEnE | lines=69 embedded dns | trace |
| T:14:22:00 | WinXP | 130.13.48.131 (QWEST.NET): QWEST BROADBAND SERVICES INC, PHOENIX, ARIZONA, US. | n/a | | 445 | pcap | raw alerts ruleset | shell ftp 16 lines | Yeah : 1.3 profile | none | summary tarball | 36 of 41 | 894e794b2b NEW | aeb41eb7b9 [0] | none:none | Obsidium | none | trace |
| T:14:40:00 | Win2K-f | 70.64.207.200 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, MOOSE JAW, SASKATCHEWAN, CA. (DSL) | n/a | TH:cx10man.weedns.com; JP:fx010413.whyI.org; 92.240.234.164:3305 | 135 | pcap | raw alerts ruleset | irc 606 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41 | c4c3a5fede NEW | 0486bcf632 [0] | none:none | StarForce | none | trace |
| T:15:18:00 | WinXP | 114.48.21.82 (-): . | n/a | | 445 | pcap | raw alerts ruleset | shell ftp 15 lines | Yeah : 1.3 profile | none | summary tarball | 37 of 40 | 5285741560 NEW | 60590b8b67 [0] | ASM:Graph | none/none | lines=59 | trace |
| T:15:19:00 | WinXP | 70.168.133.58 (COX.NET): COX COMMUNICATIONS, ALEXANDRIA, VIRGINIA, US. | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 32 | 53bfe15e91 NEW; 73f1082158 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock; Armadillo | lines=75 embedded dns; lines=90 | trace; trace |
| T:15:28:00 | Win2K-f | 67.10.91.238 (RR.COM): ROAD RUNNER HOLDCO LLC, HOUSTON, TEXAS, US. (100Mbps) | 194.109.11.65:6556 | NL:0x80.online-software.org; NL:0x80.martiansong.com | 135 | pcap | raw alerts ruleset | other 193 lines | Yeah : 1.8 profile | none | summary tarball | 32 of 32 | 15d4d85dc0 NEW | 4c95ae4b3d [0] | ASM:Graph | StarForce | lines=212 embedded dns | trace |
| T:17:02:00 | WinXP | 125.4.6.138 (ZAQ.NE.JP): HIGASHI-OSAKA CABLE TELEVISION CO. LTD, OSAKA, OSAKA, JP. | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 0 of 32; 33 of 33 | 07fabc79ef NEW; 53bfe15e91 NEW | none [0]; 1473091351 [0] | ASM:Graph; ASM:Graph | Armadillo; tElock | lines=81; lines=75 embedded dns | trace; trace |
| T:18:09:00 | Win2K-f | 206.169.115.253 (-): TIME WARNER TELECOM INC, ZIHUATANEJO, GUERRERO, MX. | n/a | AR:cx10man.weedns.com | 135 | pcap | raw alerts ruleset | irc 710 lines | Yeah : 1.3 profile | none | summary tarball | 34 of 41 | deffdf68e8 NEW | 2b011e15ba [0] | none:none | StarForce | none | trace |
| T:18:59:00 | WinXP | 118.87.20.81 (-): . | 67.43.236.67:10324 | CA:xx.nadnadzz.info; :idfc.info; CA:67.43.236.67:10324 | 135 | pcap | raw alerts ruleset | irc http 343 lines | Yeah : 1.8 profile | none | summary tarball | 29 of 41; 32 of 38; 38 of 41 | 39336e51eb NEW; 524bc0f75c NEW; 820b27d4c6 NEW | 3f5ab71d39 [0]; d3e9510bb3 [0]; 1102de0215 [0] | none:none; none:none; none:none | Neolite; PENinja S; Armadillo | none; none; none | trace; trace; trace |
| T:19:41:00 | WinXP | 4.229.198.67 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, US. (DIAL) | 213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none [0] | none:none | PolyEnE | lines=68 | trace |
| T:20:17:00 | Win2K-f | 68.146.210.170 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, CALGARY, ALBERTA, CA. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 48 lines | Yeah : 1.3 profile | none | summary tarball | 12 of 41 | 9afe4b7bf1 NEW | none [3] | none:none | none/none | none | trace |
| T:22:26:00 | WinXP | 203.73.84.7 (SEED.NET.TW): DIGITAL UNITED INC, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 85 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; 57ce4acac2 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock; Armadillo | lines=75 embedded dns; lines=90 | trace; trace |
| T:22:36:00 | Win2K-f | 211.124.136.73 (ZAQ.NE.JP): KITAKAWACHI CABLE NET CO LTD, OSAKA, OSAKA, JP. | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 76 lines | Yeah : 1.3 profile | none | summary tarball | 0 of 33; 33 of 33 | 2e45ae247e NEW; 53bfe15e91 NEW | 36aa8cd03d [0]; 1473091351 [0] | none:none; ASM:Graph | Armadillo; tElock | none; lines=75 embedded dns | trace; trace |