Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page


UNCENSORED PAGE



19 September 2009

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI),
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace
T:00:19:00 WinXP 113.254.206.55 (-):
.
n/a   135 pcap raw alerts
ruleset
other
1000 lines
Yeah : 1.3
profile
none summary
tarball
16 of 41 416b35a2d1
NEW
none[3] none:none
none|none none trace
T:01:43:00 WinXP 77.54.149.83 (REV.VODAFONE.PT):
VODAFONE TELECEL COMUNICACOES PESSOAIS SA,
PT.
n/a   445 pcap raw alerts
ruleset
shell
ftp
14 lines
Yeah : 1.3
profile
none summary
tarball
29 of 29 1a2c0e6130
NEW
none[0] none:none
none|none lines=60 trace
T:02:35:00 WinXP 58.127.168.64 (HANANET.NET):
HANARO TELECOM INC,
KR.
n/a US:microsoft.com 135 pcap raw alerts
ruleset
other
75 lines
Yeah : 1.3
profile
none summary
tarball
33 of 33
0 of 32
53bfe15e91
NEW
73f1082158
NEW
1473091351 [0]
none [0]
ASM:Graph
none:none
tElock|
Armadillo|
lines=75
embedded dns
lines=90
trace
trace
T:02:45:00 Win2K-f 98.141.30.61 (-):
.
n/a   135 pcap raw alerts
ruleset
other
18 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:03:33:00 WinXP 70.149.47.245 (BELLSOUTH.NET):
BELLSOUTH.NET INC,
WESTON, FLORIDA, US. (DSL)
n/a US:microsoft.com 135 pcap raw alerts
ruleset
other
75 lines
Yeah : 1.3
profile
none summary
tarball
33 of 33
0 of 33
53bfe15e91
NEW
a08f3b74a4
NEW
1473091351 [0]
none [0]
ASM:Graph
none:none
tElock|
Armadillo|
lines=75
embedded dns
lines=90
trace
trace
T:04:20:00 WinXP 114.48.19.160 (-):
.
n/a   445 pcap raw alerts
ruleset
shell
ftp
15 lines
Yeah : 1.3
profile
none summary
tarball
37 of 40 5285741560
NEW
60590b8b67 [0] ASM:Graph
none|none lines=59 trace
T:04:35:00 WinXP 173.29.130.232 (-):
.
n/a US:microsoft.com 135 pcap raw alerts
ruleset
other
110 lines
Yeah : 1.3
profile
none summary
tarball
36 of 41
38 of 40
067917e07b
NEW
d764c1dcb2
NEW
dae35b319c [0]
3d2bc60c5d[0]
none:none
none:none
Armadillo|
tElock|
none
none
trace
trace
T:04:38:00 WinXP 116.126.32.65 (-):
HANARO TELECOM,
SEOUL, KYONGGI-DO, KR.
91.212.220.75:65520 EU:proxima.ircgalaxy.pl
US:microsoft.com
CN:dl.guarddog2009.com
CN:gidromash.cn
CN:ottopay.cn
:www.petdoso.com
174.36.176.242:81
135 pcap raw alerts
ruleset
irc
http
137 lines
Yeah : 1.8
profile
none summary
tarball
21 of 41
12 of 40
34 of 36
29 of 32
1b7635d92c
NEW
38e8f258e7
NEW
99b248336f
NEW
9d677c3f70
NEW
28cf6965a6 [0]
871a2e904e[0]
c64bd1a776[0]
77e75ff10f[0]
none:none
none:none
none:none
none:none
MEW|
none|none
Armadillo|
tElock|
none
none
none
none
trace
trace
trace
trace
T:04:48:00 WinXP 70.64.80.231 (GASOC.COM):
SHAW COMMUNICATIONS INC,
SASKATOON, SASKATCHEWAN, CA. (DSL)
92.240.234.164:3305 :cx10man.weedns.com 135 pcap raw alerts
ruleset
irc
611 lines
Yeah : 1.8
profile
none summary
tarball
40 of 41 433f698638
NEW
4d7d0d3836 [0] none:none
StarForce| none trace
T:05:42:00 WinXP 72.251.90.80 (1DIAL.COM):
AD-BASE SYSTEMS INC. (DBA GLOBALPOPS),
PITTSBURGH, PENNSYLVANIA, US. (DIAL)
n/a US:microsoft.com 135 pcap raw alerts
ruleset
other
75 lines
Yeah : 1.3
profile
none summary
tarball
33 of 33
0 of 33
53bfe15e91
NEW
a08f3b74a4
NEW
1473091351 [0]
none [0]
ASM:Graph
none:none
tElock|
Armadillo|
lines=75
embedded dns
lines=90
trace
trace
T:06:13:00 Win2K-f 70.167.86.15 (COX.NET):
COX COMMUNICATIONS,
ATLANTA, GEORGIA, US.
n/a   135 pcap raw alerts
ruleset
other
1009 lines
Yeah : 1.3
profile
none summary
tarball
30 of 41 0cf68948b6
NEW
none[3] none:none
none|none none trace
T:06:42:00 Win2K-f 83.135.107.84 (VERSANET.DE):
VERSATEL DEUTSCHLAND DYNAMIC POOL,
MARL, NORDRHEIN-WESTFALEN, DE.
n/a CZ:qtas.net 445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
13 of 41 e4612abb50
NEW
a4a4192023 [0] none:none
FASM| none trace
T:07:30:00 Win2K-f 122.55.73.14 (PLDT.NET):
IPG,
PH.
n/a   135 pcap raw alerts
ruleset
other
1003 lines
Yeah : 1.3
profile
none summary
tarball
11 of 41 6dad68529b
NEW
none[3] none:none
ASPack| none trace
T:07:40:00 WinXP 117.254.4.80 (-):
.
213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset
http
3 lines
Yeah : 1.3
profile
none summary
tarball
26 of 28 7d99b0e910
NEW
none[0] none:none
PolyEnE| lines=68 trace
T:08:24:00 WinXP 66.53.80.126 (MDSG-PACWEST.COM):
PAC-WEST MANAGED MODEM NAS POOL,
PHOENIX, ARIZONA, US.
n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
25 of 25 7f60162c2c
NEW
none[0] none:none
PolyEnE| lines=93
embedded dns
trace
T:08:49:00 WinXP 115.81.159.24 (-):
.
n/a   135 pcap raw alerts
ruleset
other
366 lines
Yeah : 1.3
profile
none summary
tarball
40 of 41 ed063b564d
NEW
720b41bd8c [0] none:none
StarForce| none trace
T:09:33:00 WinXP 67.123.204.202 (PACBELL.NET):
RICHARD MULHALL,
SAN FRANCISCO, CALIFORNIA, US. (DSL)
67.43.236.67:10324 NL:xx.sqlteam.info
CA:xx.nadnadzz.info
:idfc.info
NL:83.68.16.6:5190
135 pcap raw alerts
ruleset
irc
http
626 lines
Yeah : 1.8
profile
none summary
tarball
40 of 41
29 of 41
32 of 38
3842e66ff7
NEW
39336e51eb
NEW
524bc0f75c
NEW
fc7c8aaf10 [0]
3f5ab71d39[0]
d3e9510bb3[0]
none:none
none:none
none:none
EXECrypto|
Neolite|
PENinja S|
none
none
none
trace
trace
trace
T:09:59:00 WinXP 79.30.30.63 (SRC.ORG):
TELECOM ITALIA NET,
ROME, LAZIO, IT.
n/a EU:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
RU:www.bbin.ru
RU:www.binbank.ru
:wpad
445 pcap raw alerts
ruleset
http
http
http
http
50 lines
Yeah : 0.8
profile
none summary
tarball
39 of 41 ab46ec2f16
NEW
bc5a7926df [0] none:none
ASPack| none trace
T:10:57:00 WinXP 189.66.253.167 (-):
.
n/a RU:citi-bank.ru
RU:213.219.245.212:80
445 pcap raw alerts
ruleset
http
2 lines
Yeah : 0.8
profile
none summary
tarball
39 of 41 f2a8dafb30
NEW
1d0f660523 [0] none:none
PolyEnE| none trace
T:12:18:00 WinXP 202.107.247.8 (CNINFO.NET):
CHINANET-ZJ QUZHOU NODE NETWORK,
BEIJING, BEIJING, CN.
n/a US:microsoft.com 135 pcap raw alerts
ruleset
other
75 lines
Yeah : 1.3
profile
none summary
tarball
33 of 33
0 of 33
53bfe15e91
NEW
a08f3b74a4
NEW
1473091351 [0]
none [0]
ASM:Graph
none:none
tElock|
Armadillo|
lines=75
embedded dns
lines=90
trace
trace
T:12:46:00 WinXP 217.203.231.130 (-):
TELECOM ITALIA MOBILE,
IT.
n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
39 of 41 ed96c03ca8
NEW
c0028e9e98 [0] none:none
PolyEnE| none trace
T:12:52:00 WinXP 69.207.45.143 (RR.COM):
ROAD RUNNER HOLDCO LLC,
ITHACA, NEW YORK, US.
n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
25 of 25 7f60162c2c
NEW
none[0] none:none
PolyEnE| lines=93
embedded dns
trace
T:12:53:00 WinXP 94.40.41.90 (-):
.
213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset
http
2 lines
Yeah : 1.3
profile
none summary
tarball
26 of 28 7d99b0e910
NEW
none[0] none:none
PolyEnE| lines=68 trace
T:13:46:00 WinXP 87.116.235.226 (TNP.PL):
NETWORK OF INTERNET SERVICE PROVIDER,
PL.
213.219.245.212:80 RU:citi-bank.ru
RU:213.219.245.212:80
445 pcap raw alerts
ruleset
http
3 lines
Yeah : 1.3
profile
none summary
tarball
32 of 32 5818023061
NEW
none[0] ASM:Graph
PolyEnE| lines=68 trace
T:13:50:00 Win2K-f 80.104.117.219 (BUSINESS.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A,
PISTOIA, TOSCANA, IT.
83.68.16.6:5190 67.43.236.67:10324 NL:xx.sqlteam.info
CA:xx.nadnadzz.info
CA:67.43.236.67:10324
135 pcap raw alerts
ruleset
irc
533 lines
Yeah : 1.3
profile
none summary
tarball
35 of 41 a4dde6f9e4
NEW
none[4] none:none
none|none none trace
T:14:12:00 Win2K-f 41.206.135.9 (-):
VODAFONE EGYPT,
EG.
n/a CZ:qtas.net 445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
13 of 41 e4612abb50
NEW
a4a4192023 [0] none:none
FASM| none trace
T:15:40:00 Win2K-f 96.8.251.29 (-):
.
92.240.234.164:3305 TH:cx10man.weedns.com
FI:fx010413.whyI.org
92.240.234.164:3305
135 pcap raw alerts
ruleset
irc
579 lines
Yeah : 1.8
profile
none summary
tarball
27 of 40 cd3b7b4393
NEW
635000bb46 [0] none:none
StarForce| none trace
T:16:46:00 Win2K-f 98.141.163.84 (-):
.
n/a   135 pcap raw alerts
ruleset
other
18 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:17:55:00 Win2K-f 174.3.47.119 (-):
.
n/a   135 pcap raw alerts
ruleset
other
556 lines
Yeah : 1.3
profile
none summary
tarball
41 of 41 9d17d94db1
NEW
9534907764 [0] none:none
Armadillo| none trace
T:18:01:00 WinXP 87.55.74.34 (IP.TELE.DK):
TDC-TELEDANMARK-BREDBAANDSADSL-NET,
DK.
213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset
http
2 lines
Yeah : 1.3
profile
none summary
tarball
41 of 41 b26ed6eeac
NEW
97c1157bf8 [0] none:none
PolyEnE| none trace
T:18:08:00 WinXP 70.168.11.60 (COX.NET):
COX COMMUNICATIONS,
PROVIDENCE, RHODE ISLAND, US.
n/a US:microsoft.com 135 pcap raw alerts
ruleset
other
76 lines
Yeah : 1.3
profile
none summary
tarball
33 of 33
0 of 32
53bfe15e91
NEW
73f1082158
NEW
1473091351 [0]
none [0]
ASM:Graph
none:none
tElock|
Armadillo|
lines=75
embedded dns
lines=90
trace
trace
T:18:33:00 Win2K-f 68.149.46.80 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
EDMONTON, ALBERTA, CA. (DSL)
n/a :teek.ihshsd8.com
:preek.oihduhdd.net
CN:done.blacktiehsbdcs.com
135 pcap raw alerts
ruleset
irc
http
539 lines
Yeah : 1.3
profile
none summary
tarball
23 of 41
40 of 41
3c77533bf6
NEW
4cb946b347
NEW
389c06c67e [0]
1273f26e7a[0]
none:none
none:none
StarForce|
Armadillo|
none
none
trace
trace
T:18:55:00 Win2K-f 65.32.209.114 (RR.COM):
ROAD RUNNER HOLDCO LLC,
TAMPA, FLORIDA, US.
n/a   135 pcap raw alerts
ruleset
other
186 lines
Yeah : 1.3
profile
none summary
tarball
39 of 41 74ca348885
NEW
8b0bf5ec45 [0] none:none
none|none none trace
T:19:13:00 WinXP 114.48.2.69 (-):
.
n/a RU:citi-bank.ru
RU:213.219.245.212:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
40 of 41 449e681a46
NEW
a9ed9b3845 [0] none:none
PolyEnE| none trace
T:20:42:00 WinXP 186.9.149.57 (-):
.
213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset
http
2 lines
Yeah : 1.3
profile
none summary
tarball
40 of 41 eda3b7766c
NEW
7556343561 [0] none:none
PolyEnE| none trace
T:20:51:00 WinXP 4.242.60.203 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
SPOKANE, WASHINGTON, US. (DIAL)
n/a US:microsoft.com 135 pcap raw alerts
ruleset
other
164 lines
Yeah : 1.3
profile
none summary
tarball
35 of 36
3 of 33
126a1d4446
NEW
3ed16ae12d
NEW
31867051da [0]
none [0]
none:none
ASM:Graph
tElock|
Armadillo|
none
lines=81
trace
trace
T:21:18:00 WinXP 75.60.228.41 (SBCGLOBAL.NET):
PPPOX POOL - SE1.WOTNOH,
COLUMBUS, OHIO, US. (DSL)
n/a US:microsoft.com 135 pcap raw alerts
ruleset
other
75 lines
Yeah : 1.3
profile
none summary
tarball
33 of 33
0 of 33
53bfe15e91
NEW
a08f3b74a4
NEW
1473091351 [0]
none [0]
ASM:Graph
none:none
tElock|
Armadillo|
lines=75
embedded dns
lines=90
trace
trace