Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

28 September 2009
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:41:00 Win2K-f 70.167.73.201 (COX.NET):
COX COMMUNICATIONS,
OCEANSIDE, CALIFORNIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:02:11:00 WinXP 218.163.44.249 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 fc21e133bb
NEW 6731b98370 [0] none:none
PolyEnE| none trace

T:03:18:00 WinXP 85.177.251.236 (ALICEDSL.DE):
HANSENET-ADSL,
HAMBURG, HAMBURG, DE. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 39 of 41 d1f309e51c
NEW c903a7971c [0] none:none
Armadillo| none trace

T:03:30:00 Win2K-f 96.8.204.191 (GVTC.COM):
GUADALUPE VALLEY TELEPHONE COOPERATIVE INC,
NEW BRAUNFELS, TEXAS, US. (DSL) n/a 135 pcap raw alerts
ruleset other
10 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:03:38:00 Win2K-f 74.215.65.114 (FUSE.NET):
FUSE INTERNET ACCESS,
HAMILTON, OHIO, US. (DSL) n/a 135 pcap raw alerts
ruleset other
186 lines Yeah : 1.3
profile none summary
tarball 39 of 41 4baf02c545
NEW b5ff98d951 [0] none:none
none|none none trace

T:03:56:00 WinXP 63.27.184.250 (UU.NET):
UUNET TECHNOLOGIES INC,
US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
79 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:04:08:00 Win2K-f 4.231.2.152 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
JACKSON, MISSISSIPPI, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
87 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:04:24:00 WinXP 70.60.102.105 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CHARLOTTE, NORTH CAROLINA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:04:31:00 WinXP 78.228.219.27 (PROXAD.NET):
PROXAD / FREE SAS,
PARIS, ILE-DE-FRANCE, FR. (DSL) n/a 445 pcap raw alerts
ruleset shell
2 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:05:21:00 WinXP 92.114.192.36 (HOST-STATIC-92-115-28-10.MOLDTELECOM.MD):
JSC MOLDTELECOM SA,
CHISINAU, CHISINAU, MD. (DSL) 218.93.205.30:65520 EU:proxim.ircgalaxy.pl
:nenastiya.cn
CN:dl.guarddog2009.com
:www.petdoso.com
174.36.176.242:81
CN:218.93.205.30:65520 445 pcap raw alerts
ruleset http
irc
19 lines Yeah : 1.3
profile none summary
tarball 2 of 41
23 of 41
37 of 39
11 of 41 428d526489
NEW
5d721a4dee
NEW
dab4da4e21
NEW
f57343412f
NEW none[4]
6afc8cafab[0]
e63b813015[0]
none [4] none:none
none:none
ASM:Graph
none:none
PEQuake|
UPX|
PolyEnE|
StarForce| none
none
lines=134
none trace
trace
trace
trace

T:05:48:00 WinXP 81.9.191.91 (CM-81-9-237-10.TELECABLE.ES):
TELECABLE,
OVIEDO, ASTURIAS, ES. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 32 of 32 b502f83a7c
NEW 28f5be93b0 [0] none:none
PolyEnE| none trace

T:06:07:00 Win2K-f 203.91.165.198 (STARCAT.NE.JP):
KMN CORPORATION,
NAGOYA, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
59 lines Yeah : 1.3
profile none summary
tarball 33 of 33
8 of 33 53bfe15e91
NEW
b7082104e4
NEW 1473091351 [0]
c5b49e7b82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=75
embedded dns
lines=41 trace
trace

T:06:17:00 Win2K-f 211.202.71.198 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 91.212.220.75:65520 US:microsoft.com
EU:proxim.ircgalaxy.pl
:www.petdoso.com
174.36.176.242:81 135 pcap raw alerts
ruleset irc
http
125 lines Yeah : 1.8
profile none summary
tarball 2 of 41
30 of 33
28 of 33 428d526489
NEW
533d15b5ce
NEW
58c343a8d8
NEW none[4]
c67adf46e2[0]
none [0] none:none
ASM:Graph
none:none
PEQuake|
tElock|
Armadillo| none
lines=126
embedded dns
lines=91 trace
trace
trace

T:06:31:00 Win2K-f 190.176.199.9 (COM.AR):
TELEFONICA DE ARGENTINA,
BUENOS AIRES, BUENOS AIRES, AR. (DSL) 218.93.205.30:65520 91.212.220.75:65520 EU:proxim.ircgalaxy.pl
:nenastiya.cn
:www.petdoso.com
CN:dl.guarddog2009.com
174.36.176.242:81 445 pcap raw alerts
ruleset irc
http
18 lines Yeah : 1.3
profile none summary
tarball 2 of 41
23 of 41
11 of 41 428d526489
NEW
5d721a4dee
NEW
f57343412f
NEW none[4]
6afc8cafab[0]
none [4] none:none
none:none
none:none
PEQuake|
UPX|
StarForce| none
none
none trace
trace
trace

T:07:17:00 Win2K-f 114.205.194.148 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 91.212.220.75:65520 US:microsoft.com
EU:proxim.ircgalaxy.pl
EU:91.212.220.75:65520 135 pcap raw alerts
ruleset irc
132 lines Yeah : 1.8
profile none summary
tarball 30 of 33
28 of 33 533d15b5ce
NEW
58c343a8d8
NEW c67adf46e2 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=126
embedded dns
lines=91 trace
trace

T:09:17:00 Win2K-f 61.220.144.103 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
82 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:10:20:00 WinXP 66.133.222.10 (MINDSPRING.COM):
EARTHLINK INC,
TORRANCE, CALIFORNIA, US. (DSL) n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
:wpad
RU:www.bbin.ru
RU:www.binbank.ru 445 pcap raw alerts
ruleset http
http
http
http
47 lines Yeah : 0.8
profile none summary
tarball 29 of 29 df17a625ee
NEW none[0] none:none
ASPack| lines=298
embedded dns trace

T:11:42:00 WinXP 4.191.64.251 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
DEER PARK, TEXAS, US. (DIAL) n/a 135 pcap raw alerts
ruleset other
18 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:14:02:00 Win2K-f 65.191.116.144 (RR.COM):
ROAD RUNNER HOLDCO LLC,
FAYETTEVILLE, NORTH CAROLINA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 0 of 33
33 of 33 4c3df24b32
NEW
53bfe15e91
NEW none[0]
1473091351[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=81
lines=75
embedded dns trace
trace

T:14:14:00 Win2K-f 196.208.70.105 (TELKOMADSL.CO.ZA):
AFRINIC,
ROODEPOORT, GAUTENG, ZA. (DSL) n/a 135 pcap raw alerts
ruleset other
247 lines Yeah : 1.3
profile none summary
tarball 40 of 41
39 of 41 1bc51bf964
NEW
e33c8e30b9
NEW 4ab7eeaf6c [0]
95caa6a57d[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:14:28:00 WinXP 65.26.121.145 (RR.COM):
ROAD RUNNER HOLDCO LLC,
MISSION, KANSAS, US. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 29 of 29 d6df3972a0
NEW none[0] ASM:Graph
PolyEnE| lines=65 trace

T:15:28:00 Win2K-f 61.218.193.250 (HINET.NET):
CHUNGHWA TELECOM CO. LTD. DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
85 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:15:30:00 WinXP 122.212.195.144 (UCOM.NE.JP):
G-TK0086N,
TOKYO, TOKYO, JP. (100Mbps) n/a NL:proxim.ntkrnlpa.info
NL:83.68.16.30:80 445 pcap raw alerts
ruleset shell
ftp
irc
18 lines Yeah : 1.3
profile none summary
tarball 40 of 41 09245a76fe
NEW 4767a61119 [0] none:none
none|none none trace

T:16:21:00 Win2K-f 173.20.140.66 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
ALBANY, GEORGIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 40 of 41
39 of 41 5e3a9c2d9d
NEW
630308d06b
NEW dbc48b815a [0]
847d302e37[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:17:07:00 Win2K-f 67.8.56.42 (RR.COM):
ROAD RUNNER HOLDCO LLC,
APOPKA, FLORIDA, US. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:17:27:00 WinXP 114.48.54.90 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:17:39:00 WinXP 114.48.10.32 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:19:02:00 Win2K-f 4.177.18.193 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
SAN DIEGO, CALIFORNIA, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 37 of 41
36 of 40 47d3548e36
NEW
d8722af110
NEW ab13346633 [0]
ab30a55931[0] none:none
none:none
Armadillo|
tElock| none
none trace
trace

T:19:27:00 WinXP 172.131.11.213 (AOL.COM):
AMERICA ONLINE,
RESTON, VIRGINIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

19:36:00 WinXP 123.165.39.140 (163DATA.COM.CN):
CHINANET HEILONGJIANG PROVINCE NETWORK,
HARBIN, HEILONGJIANG, CN. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 4d4b114a18
NEW 2414a15ebd [0] none:none
PolyEnE| none trace

T:20:26:00 Win2K-f 208.105.225.199 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CINCINNATI, OHIO, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
83 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

20:46:00 WinXP 68.203.225.144 (RR.COM):
ROAD RUNNER HOLDCO LLC,
ORANGE, TEXAS, US. (100Mbps) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 32 of 32 b502f83a7c
NEW 28f5be93b0 [0] none:none
PolyEnE| none trace

T:20:47:00 WinXP 209.250.50.157 (WISPNET.NET):
WISPNET LLC,
WINCHESTER, KENTUCKY, US. (DSL) 213.219.245.212:80 RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
3 lines Yeah : 1.3
profile none summary
tarball 36 of 38 5865b09945
NEW 4d99f4784a [0] none:none
PolyEnE| none trace

T:21:07:00 Win2K-f 218.32.97.21 (SDTV.NET.TW):
SAN DA CATV CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a 135 pcap raw alerts
ruleset other
4 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:22:03:00 WinXP 67.212.106.122 (CFU.NET):
CEDAR FALLS UTILITIES,
CEDAR FALLS, IOWA, US. (DSL) n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 40 824d6a706e
NEW a66fd13bcb [0] none:none
PolyEnE| none trace

T:22:23:00 WinXP 203.73.84.56 (SEED.NET.TW):
SEEDNET-KAOHSIUNGDP-S,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:22:49:00 WinXP 114.48.142.228 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:23:17:00 Win2K-f 173.23.56.33 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
CRESTWOOD, KENTUCKY, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace