Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

12 October 2009
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:11:00 WinXP 115.165.83.150 (CATV02.ITSCOM.JP):
ITS COMMUNICATIONS INC,
KAWASAKI, KANAGAWA, JP. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		31 of 32 741e3b03b3
NEW 		none[0] none:none
 none|none lines=61 trace
T:00:16:00 WinXP 124.195.157.177 (CABLENET.NE.JP):
CABLENET SAITAMA CO. LTD,
JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
57ce4acac2
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:00:22:00 WinXP 61.221.250.18 (HINET.NET):
CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
76 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
57ce4acac2
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:01:44:00 WinXP 114.51.52.58 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) 		n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 5da7cd2cd2
NEW 		6bbad49e2b [0] none:none
 PolyEnE| none trace
T:02:22:00 Win2K-f 123.215.35.113 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 		218.93.205.30:65520 EU:proxima.ircgalaxy.pl
US:microsoft.com
EU:gidromash.cn
EU:ottopay.cn
CN:www.petdoso.com
174.36.176.242:81 		135 pcap raw alerts
ruleset 		irc
http
162 lines 		Yeah : 1.8
profile 		none summary
tarball 		17 of 41
7 of 41
40 of 41
31 of 33		 1c5e79f5f4
NEW
c7830331fc
NEW
d5f6c08845
NEW
d789c8d157
NEW 		none[4]
7953649664[0]
4c36611582[0]
5f6572479f[0] 		none:none
none:none
none:none
none:none
 FSG|
tElock|
Armadillo|
PolyEnE| 		none
none
none
none 		trace
trace
trace
trace
T:02:50:00 Win2K-f 41.206.137.62 (NILE-ONLINE.NET):
AFRINIC,
CAIRO, AL QAHIRAH, EG. (DSL) 		n/a CZ:qtas.net
CZ:mi.thelive-photo.com
US:immmsn.info 		445 pcap raw alerts
ruleset 		http
43 lines 		Yeah : 0.8
profile 		none summary
tarball 		18 of 41 516866dfd4
NEW 		7bc41eee73 [0] none:none
 FASM| none trace
T:04:25:00 WinXP 130.67.20.230 (ONLINE.NO):
NORTELE-H,
OSLO, OSLO, NO. (DIAL) 		92.240.234.164:3305   135 pcap raw alerts
ruleset 		shell
ftp
irc
23 lines 		Yeah : 1.8
profile 		none summary
tarball 		none none none none none none none
T:05:05:00 WinXP 219.109.114.204 (CATVNET.NE.JP):
CATV NETWORK SERVICES(STNET INCORPORATED),
TOKYO, TOKYO, JP. (DSL) 		n/a EU:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
:www.proxy-socks.net
:wpad
US:204.13.161.51:80
DE:217.11.54.126:80 		445 pcap raw alerts
ruleset 		http
http
http
7 lines 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 41192f933f
NEW 		ec83ff8fb6 [0] none:none
 ASPack| none trace
T:05:24:00 WinXP 69.109.222.239 (PACBELL.NET):
PLTNCA INTERNAL,
HAYWARD, CALIFORNIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:07:48:00 WinXP 79.162.171.188 (CENTERTEL.PL):
PTK CENTERTEL BROADBAND SERVICES,
WARSAW, WARSZAWA, PL. (DSL) 		213.219.245.212:80 218.93.205.30:65520 CN:proxim.ircgalaxy.pl
RU:citi-bank.ru 		445 pcap raw alerts
ruleset 		http
irc
4 lines 		Yeah : 1.3
profile 		none summary
tarball 		34 of 36 9bb68450cd
NEW 		c2d5ac2315 [0] ASM:Graph
 PolyEnE| lines=73
embedded dns 		trace
T:08:24:00 Win2K-f 124.241.178.182 (STARCAT.NE.JP):
KMN CORPORATION,
NAGOYA, TOKYO, JP. (DSL) 		92.240.234.164:3305 TH:cx10man.weedns.com
JP:fx010413.whyI.org
92.240.234.164:3305 		135 pcap raw alerts
ruleset 		irc
573 lines 		Yeah : 1.8
profile 		none summary
tarball 		39 of 40 70ec5c4b3f
NEW 		f697adabdd [0] none:none
 StarForce| none trace
T:08:32:00 WinXP 63.25.140.230 (UU.NET):
UUNET TECHNOLOGIES INC,
TULSA, OKLAHOMA, US. (DSL) 		n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		25 of 25 7f60162c2c
NEW 		none[0] none:none
 PolyEnE| lines=93
embedded dns 		trace
T:09:10:00 Win2K-f 211.187.180.91 (SONICANT.CO.KR):
THRUNET CO. LTD,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 		218.93.205.30:65520 EU:proxima.ircgalaxy.pl
US:microsoft.com
EU:gidromash.cn
EU:ottopay.cn
CN:www.petdoso.com
GB:www.businesstomb.com 		135 pcap raw alerts
ruleset 		irc
http
111 lines 		Yeah : 1.8
profile 		none summary
tarball 		17 of 41
34 of 36
39 of 41
7 of 41
10 of 41
30 of 33		 1c5e79f5f4
NEW
24e59ab043
NEW
7d040c00c3
NEW
c7830331fc
NEW
cd1ecbc017
NEW
ff2150aa95
NEW 		none[4]
778da26bf3[0]
48830e2b12[0]
7953649664[0]
none [4]
6e55004755[0] 		none:none
none:none
none:none
none:none
none:none
none:none
 FSG|
Armadillo|
FSG|
tElock|
Neolite|
tElock| 		none
none
none
none
none
none 		trace
trace
trace
trace
trace
trace
T:09:22:00 WinXP 96.8.140.109 (GVTC.COM):
GUADALUPE VALLEY TELEPHONE COOPERATIVE INC,
NEW BRAUNFELS, TEXAS, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
09:52:00 WinXP 83.68.65.76 (TNP.PL):
TELENETCENTRUM-NET,
WARSAW, WARSZAWA, PL. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		32 of 32 5818023061
NEW 		none[0] ASM:Graph
 PolyEnE| lines=68 trace
T:10:00:00 Win2K-f 87.185.221.205 (T-DIALIN.NET):
DEUTSCHE TELEKOM AG,
BERLIN, BERLIN, DE. (DIAL) 		218.93.205.30:65520 US:microsoft.com
GB:www.businesstomb.com
EU:proxima.ircgalaxy.pl
EU:gidromash.cn
EU:ottopay.cn
:nenastiya.cn
CN:www.petdoso.com
CN:202.97.184.196:81
GB:212.117.177.140:80
EU:91.212.220.75:65520 		445 pcap raw alerts
ruleset 		http
irc
12 lines 		Yeah : 0.8
profile 		none summary
tarball 		3 of 41
7 of 41		 a62f6fc33b
NEW
c7830331fc
NEW 		020eee55f3 [0]
7953649664[0] 		none:none
none:none
 StarForce|
tElock| 		none
none 		trace
trace
T:10:11:00 WinXP 66.72.68.118 (AMERITECH.NET):
AT&T INTERNET SERVICES,
NASHVILLE, INDIANA, US. (DIAL) 		n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		25 of 25 7f60162c2c
NEW 		none[0] none:none
 PolyEnE| lines=93
embedded dns 		trace
T:10:13:00 Win2K-f 12.69.244.21 (-):
OSAGE CONNECT,
LINN, MISSOURI, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
104 lines 		Yeah : 1.3
profile 		none summary
tarball 		none 018b7b7e27
NEW 		018b7b7e27 [1] ASM:Graph
 Armadillo| lines=83 trace
T:11:00:00 WinXP 66.64.112.237 (EVERESTKC.NET):
EVEREST CONNECTIONS LLC,
LENEXA, KANSAS, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
59 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
8 of 33		 53bfe15e91
NEW
b7082104e4
NEW 		1473091351 [0]
c5b49e7b82[0] 		ASM:Graph
ASM:Graph
 tElock|
tElock| 		lines=75
embedded dns
lines=41 		trace
trace
T:12:49:00 WinXP 93.102.17.244 (REV.OPTIMUS.PT):
OPTIMUS PORTUGAL,
ERICEIRA, LISBOA, PT. (DSL) 		n/a US:www.yahoo.com
US:www.altavista.com
:jbeegvia.ru 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		31 of 32 17028f1eda
NEW 		none[3] none:none
 tElock| none trace
T:12:55:00 WinXP 170.211.224.31 (AR.US):
ARKANSAS PUBLIC SCHOOL COMPUTER NETWORK,
LITTLE ROCK, ARKANSAS, US. (DSL) 		n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
:www.proxy-socks.net
:wpad
US:204.13.161.51:80 		445 pcap raw alerts
ruleset 		http
http
http
7 lines 		Yeah : 0.8
profile 		none summary
tarball 		29 of 29 a12cab51ef
NEW 		none[0] none:none
 ASPack| lines=281
embedded dns 		trace
T:13:27:00 WinXP 95.74.6.193 (-):
TELECOM ITALIA MOBILE,
LECCE, PUGLIA, IT. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
14 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 831f4ee0a7
NEW 		none[0] ASM:Graph
 none|none lines=61 trace
T:13:40:00 Win2K-f 75.191.197.128 (RR.COM):
ROAD RUNNER HOLDCO LLC,
JACKSONVILLE, NORTH CAROLINA, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
387 lines 		Yeah : 1.3
profile 		none summary
tarball 		27 of 41 de2a8e3f8e
NEW 		032d753367 [0] none:none
 PENinja S| none trace
T:14:00:00 WinXP 62.120.84.68 (-):
ETTIHADETISALAT,
RIYADH, AR RIYAD, SA. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		35 of 36 06a5e31b47
NEW 		25e6e52787 [0] ASM:Graph
 PolyEnE| lines=68 trace
T:15:32:00 WinXP 74.65.164.131 (RR.COM):
ROAD RUNNER HOLDCO LLC,
SOUTH PORTLAND, MAINE, US. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:18:32:00 WinXP 76.172.51.180 (RR.COM):
ROAD RUNNER HOLDCO LLC,
TARZANA, CALIFORNIA, US. (DSL) 		n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		25 of 25 7f60162c2c
NEW 		none[0] none:none
 PolyEnE| lines=93
embedded dns 		trace
T:19:11:00 WinXP 4.88.87.28 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
NEW YORK, NEW YORK, US. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:20:00:00 WinXP 67.150.142.140 (MDSG-PACWEST.COM):
PAC-WEST MANAGED MODEM NAS POOL,
SACRAMENTO, CALIFORNIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
170 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41
40 of 41		 0497685f41
NEW
dc8e7fa2cf
NEW 		374b98ab91 [0]
4494f5c1fe[0] 		none:none
none:none
 Armadillo|
tElock| 		none
none 		trace
trace
T:20:16:00 WinXP 70.61.157.34 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CINCINNATI, OHIO, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
20:29:00 WinXP 117.254.124.238 (STERLINGSTUDENTS.NET):
NIB (NATIONAL INTERNET BACKBONE),
NEW DELHI, DELHI, IN. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 aab1b56620
NEW 		3b2e1c5b9d [0] none:none
 PolyEnE| none trace
T:20:31:00 WinXP 4.90.5.205 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
MARSHALL, TEXAS, US. (DIAL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:20:41:00 WinXP 4.163.113.78 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
GRAND PRAIRIE, TEXAS, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
91 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:21:32:00 WinXP 4.231.155.234 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
HUMBLE, TEXAS, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
132 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:22:33:00 WinXP 203.54.167.32 (TMNS.NET.AU):
TELSTRAINTERNET5,
LITHGOW, NEW SOUTH WALES, AU. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
65 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
8 of 33		 53bfe15e91
NEW
b7082104e4
NEW 		1473091351 [0]
c5b49e7b82[0] 		ASM:Graph
ASM:Graph
 tElock|
tElock| 		lines=75
embedded dns
lines=41 		trace
trace
T:23:17:00 WinXP 64.33.132.109 (AIRSTREAMCOMM.NET):
TRI COUNTY TELEPHONE,
WISCONSIN, US. (DIAL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 0cfab99612
NEW 		none[0] ASM:Graph
 PolyEnE| lines=68 trace