Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

24 September 2009
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:20:00 Win2K-f 72.66.8.36 (VERIZON.NET):
GAIP INC,
VIENNA, VIRGINIA, US. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:00:54:00 Win2K-f 96.49.4.72 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
RICHMOND, BRITISH COLUMBIA, CA. (DSL) 		92.240.234.164:3305 FI:cx10man.weedns.com 135 pcap raw alerts
ruleset 		irc
607 lines 		Yeah : 1.8
profile 		none summary
tarball 		39 of 41 616f21b486
NEW 		348063e1c2 [0] none:none
 StarForce| none trace
T:03:33:00 WinXP 218.63.112.213 (163DATA.COM.CN):
CHINANET YUNNAN PROVINCE NETWORK,
BEIJING, BEIJING, CN. (DIAL) 		n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		25 of 25 7f60162c2c
NEW 		none[0] none:none
 PolyEnE| lines=93
embedded dns 		trace
T:04:40:00 WinXP 118.15.6.72 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
YOKOHAMA, KANAGAWA, JP. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 40 d5966f5d2c
NEW 		30f4c38c14 [0] none:none
 none|none none trace
T:06:48:00 Win2K-f 207.5.155.42 (SUSCOM-MAINE.NET):
GREAT WORKS INTERNET,
BRUNSWICK, MAINE, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
59 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
8 of 33		 53bfe15e91
NEW
b7082104e4
NEW 		1473091351 [0]
c5b49e7b82[0] 		ASM:Graph
ASM:Graph
 tElock|
tElock| 		lines=75
embedded dns
lines=41 		trace
trace
T:07:38:00 WinXP 200.226.85.203 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) 		n/a   445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:07:55:00 WinXP 86.155.14.171 (BTOPENWORLD.COM):
BT BROADBAND,
LONDON, ENGLAND, UK. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 831f4ee0a7
NEW 		none[0] ASM:Graph
 none|none lines=61 trace
T:09:59:00 WinXP 63.22.194.52 (UU.NET):
UUNET TECHNOLOGIES INC,
DALLAS, TEXAS, US. (DSL) 		n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		25 of 25 7f60162c2c
NEW 		none[0] none:none
 PolyEnE| lines=93
embedded dns 		trace
T:10:08:00 WinXP 119.234.129.202 (-):
SINGTEL MOBILE,
SINGAPORE, SINGAPORE, SG. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41 3e5008bdc8
NEW 		70b0a4edc9 [0] none:none
 PolyEnE| none trace
T:11:49:00 WinXP 112.110.40.69 (-):
ICL-NET,
IN. (100Mbps) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		41 of 41 b26ed6eeac
NEW 		97c1157bf8 [0] none:none
 PolyEnE| none trace
T:13:04:00 WinXP 220.210.183.177 (2IIJ.NET):
INTERNET INITIATIVE JAPAN INC,
TOKYO, TOKYO, JP. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		31 of 32 741e3b03b3
NEW 		none[0] none:none
 none|none lines=61 trace
T:13:34:00 Win2K-f 172.162.47.183 (AOL.COM):
AMERICA ONLINE,
US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
107 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:15:14:00 WinXP 219.67.173.111 (ODN.AD.JP):
OPEN DATA NETWORK(JAPAN TELECOM CO. LTD.),
TOKYO, TOKYO, JP. (DSL) 		218.93.205.30:65520 CN:proxim.ircgalaxy.pl
CN:gidromash.cn
CN:ottopay.cn
:www.petdoso.com
174.36.176.242:81
CN:218.93.205.30:65520 		445 pcap raw alerts
ruleset 		http
irc
28 lines 		Yeah : 1.3
profile 		none summary
tarball 		7 of 41
37 of 39
15 of 41		 c7830331fc
NEW
dab4da4e21
NEW
f97bcf8374
NEW 		7953649664 [0]
e63b813015[0]
none [4] 		none:none
ASM:Graph
none:none
 tElock|
PolyEnE|
pex| 		none
lines=134
none 		trace
trace
trace
T:16:15:00 WinXP 219.105.123.55 (ADACHI.NE.JP):
CABLE TELEVISION ADACHI CORP,
TOKYO, TOKYO, JP. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
13 lines 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 2cb7fb5674
NEW 		4bf8dcd347 [0] none:none
 none|none none trace
T:16:35:00 Win2K-f 211.20.54.54 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41
38 of 41		 3f136c55b3
NEW
ac394d7d5f
NEW 		f4e18974f3 [0]
c9a79e75f5[0] 		none:none
none:none
 tElock|
Armadillo| 		none
none 		trace
trace
16:38:00 Win2K-f 202.51.195.165 (INFOASIAMEDIA.COM):
PT. SEJAHTERA GLOBALINDO,
JAKARTA, JAKARTA RAYA, ID. (DSL) 		n/a US:www.maxmind.com
US:www.getmyip.org
US:getmyip.co.uk
:checkip.dyndns.org 		445 pcap raw alerts
ruleset 		http
7 lines 		Yeah : 0.8
profile 		none summary
tarball 		3 of 37 dc331fb791
NEW 		none[3] none:none
 UPX| none trace
T:17:02:00 Win2K-f 216.208.194.48 (BELL.CA):
BELL CANADA,
TRENTON, ONTARIO, CA. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
4 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:18:14:00 WinXP 63.246.125.200 (ALTUSCGI.NET):
PRIVATE CABLE ISP SUBSCRIBER (GEORGETOWN SC MARKET),
GEORGETOWN, SOUTH CAROLINA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:19:24:00 Win2K-f 70.184.253.14 (COX.NET):
COX COMMUNICATIONS,
TULSA, OKLAHOMA, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
20:07:00 Win2K-f 201.173.64.69 (INTERCABLE.NET):
TELEVISION INTERNACIONAL S.A. DE C.V,
MONTERREY, NUEVO LEON, MX. (100Mbps) 		n/a US:www.maxmind.com
US:www.getmyip.org
US:getmyip.co.uk
:checkip.dyndns.org
US:65.254.39.170:80
US:67.15.94.80:80
US:75.126.138.202:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		7 of 37 7587773eea
NEW 		none[3] none:none
 StarForce| none trace
T:20:15:00 Win2K-f 201.173.64.69 (INTERCABLE.NET):
TELEVISION INTERNACIONAL S.A. DE C.V,
MONTERREY, NUEVO LEON, MX. (100Mbps) 		n/a US:www.maxmind.com
US:getmyip.co.uk
:checkip.dyndns.org 		445 pcap raw alerts
ruleset 		http
6 lines 		Yeah : 0.8
profile 		none summary
tarball 		7 of 37 7587773eea
NEW 		none[3] none:none
 StarForce| none trace
T:20:17:00 WinXP 66.217.107.159 (MCLEODUSA.NET):
PAETEC COMMUNICATIONS INC,
ORLANDO, FLORIDA, US. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
14 lines 		Yeah : 1.3
profile 		none summary
tarball 		31 of 32 741e3b03b3
NEW 		none[0] none:none
 none|none lines=61 trace
T:20:17:00 WinXP 64.61.221.172 (CPTELECOM.NET):
CP INTERNET,
MINNEAPOLIS, MINNESOTA, US. (DSL) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		33 of 35 e9fcd6f257
NEW 		2e05bc2272 [0] ASM:Graph
 PolyEnE| lines=68 trace
T:20:28:00 WinXP 87.123.175.235 (VERSANET.DE):
VERSATEL DEUTSCHLAND,
MARL, NORDRHEIN-WESTFALEN, DE. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 e7c51ffa22
NEW 		eec31d126a [0] none:none
 Armadillo| none trace
T:20:41:00 WinXP 59.94.243.217 (10/24.BSNL.IN):
NIB (NATIONAL INTERNET BACKBONE),
CHANDIGARH, CHANDIGARH, IN. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
13 lines 		Yeah : 0.8
profile 		none summary
tarball 		36 of 41 5415d3efd3
NEW 		4414fb5b29 [0] none:none
 StarForce| none trace
T:20:48:00 Win2K-f 113.10.95.142 (-):
STARHUB HSDPA SG,
SG. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 d2b1bb8036
NEW 		2567893896 [0] none:none
 Armadillo| none trace
T:21:18:00 Win2K-f 96.49.5.64 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
RICHMOND, BRITISH COLUMBIA, CA. (DSL) 		n/a :xx.nadnadzz.info 135 pcap raw alerts
ruleset 		other
328 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41 fe8a885155
NEW 		69395d4636 [0] none:none
 Mew| none trace
T:21:30:00 WinXP 218.171.54.9 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 		66.252.13.212:16667 US:bbs.moiservice.com
US:66.252.13.212:16667 		445 pcap raw alerts
ruleset 		ftp
irc
21 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 b706f30385
NEW 		e7124c9b61 [0] none:none
 Stranik| none trace
T:21:42:00 Win2K-f 114.51.6.152 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 542da77cf8
NEW 		603982d8b5 [0] none:none
 Armadillo| none trace
T:21:57:00 Win2K-f 88.134.208.137 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
LANDAU, RHEINLAND-PFALZ, DE. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		38 of 41 349442508a
NEW 		0f91fe7eee [0] none:none
 Armadillo| none trace
T:21:58:00 WinXP 119.234.133.249 (-):
SINGTEL MOBILE,
SINGAPORE, SINGAPORE, SG. (DSL) 		66.252.13.212:16667 US:bbs.moiservice.com
US:66.252.13.212:16667 		445 pcap raw alerts
ruleset 		ftp
irc
20 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 41 a9f42d6a01
NEW 		bc448cfb0e [0] none:none
 Stranik| none trace
T:22:13:00 WinXP 114.48.174.152 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) 		66.252.13.212:16667 US:bbs.moiservice.com
US:66.252.13.212:16667 		445 pcap raw alerts
ruleset 		ftp
irc
21 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 e564ed1ae7
NEW 		0b960ccef8 [0] none:none
 Stranik| none trace
T:22:18:00 Win2K-f 114.58.53.65 (YR.COM):
PT. INDOSAT MEGA MEDIA,
JAKARTA, JAKARTA RAYA, ID. (DIAL) 		66.252.13.212:16667 US:bbs.moiservice.com
US:66.252.13.212:16667 		445 pcap raw alerts
ruleset 		ftp
irc
27 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 340f8c11e3
NEW 		f57d7bb94a [0] none:none
 Stranik| none trace
T:22:22:00 WinXP 78.226.242.164 (PROXAD.NET):
PROXAD / FREE SAS,
PARIS, ILE-DE-FRANCE, FR. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 db4ee77c04
NEW 		bf861f894b [0] none:none
 Armadillo| none trace
T:22:27:00 Win2K-f 122.121.213.230 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 20ce1f9dac
NEW 		38a7e9dd10 [0] none:none
 Stranik| none trace
T:22:47:00 Win2K-f 94.21.222.122 (DIGIKABEL.HU):
EGYESULT MAGYAR KABELTELEVIZIO LTD,
BUDAPEST, BUDAPEST, HU. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 41249030df
NEW 		67b606b0cc [0] none:none
 Armadillo| none trace
T:22:53:00 Win2K-f 91.65.120.176 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
BERLIN, BERLIN, DE. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 5b0cd2842d
NEW 		672c29612e [0] none:none
 Armadillo| none trace
T:22:55:00 WinXP 99.164.23.178 (SBCGLOBAL.NET):
RANI PAL LLC,
PLANO, TEXAS, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
262 lines 		Yeah : 1.3
profile 		none summary
tarball 		24 of 41
11 of 36		 b8d2b9da8b
NEW
c4c5a56ffe
NEW 		b8d2b9da8b [1]
8bef2f9170[0] 		ASM:Graph
none:none
 StarForce|
StarForce| 		lines=3
none 		trace
trace
T:23:07:00 Win2K-f 114.51.13.109 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 542da77cf8
NEW 		603982d8b5 [0] none:none
 Armadillo| none trace
T:23:14:00 WinXP 117.254.19.146 (STERLINGSTUDENTS.NET):
NIB (NATIONAL INTERNET BACKBONE),
NEW DELHI, DELHI, IN. (DSL) 		66.252.13.212:16667 US:bbs.moiservice.com
US:66.252.13.212:16667 		445 pcap raw alerts
ruleset 		ftp
irc
24 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 b706f30385
NEW 		e7124c9b61 [0] none:none
 Stranik| none trace
T:23:21:00 Win2K-f 92.82.81.138 (ROMTELECOM.NET):
ROMTELECOM DATA NETWORK,
BUCHAREST, BUCURESTI, RO. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 7d572825b4
NEW 		a10677995e [0] none:none
 StarForce| none trace
T:23:24:00 WinXP 88.134.239.89 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
BEXBACH, SAARLAND, DE. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		38 of 41 ec8151d5d8
NEW 		a8a8cf9a56 [0] none:none
 Armadillo| none trace
T:23:27:00 WinXP 98.141.9.117 (CAVTEL.NET):
CAVALIER TELEPHONE,
VIRGINIA BEACH, VIRGINIA, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:23:43:00 WinXP 92.249.214.40 (DIGIKABEL.HU):
MISKOLC FIBER,
MISKOLC, MISKOLC, HU. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		33 of 41 de37f2fc47
NEW 		bac4cc6eec [0] none:none
 Armadillo| none trace
T:23:45:00 Win2K-f 61.228.151.202 (PRESTONAUTO.COM):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		33 of 41 de37f2fc47
NEW 		bac4cc6eec [0] none:none
 Armadillo| none trace
T:23:47:00 Win2K-f 122.120.10.59 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 b2935311d9
NEW 		eb9fd83c1e [0] none:none
 Armadillo| none trace
T:23:48:00 WinXP 85.64.133.201 (BARAK-ONLINE.NET):
BARAK I.T.C,
TEL AVIV, TEL AVIV, IL. (DSL) 		n/a   445 pcap raw alerts
ruleset 		other
0 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:23:57:00 WinXP 91.65.206.199 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
DE. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 899cdfd678
NEW 		1e70b1a3b7 [0] none:none
 Armadillo| none trace