Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page


UNCENSORED PAGE



17 October 2009

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

Table columns: Time, Victim OS, Infection Source, C&C Server, DNS Lookups & Failed Connects, Infection Port, Packet Trace, Detection Signatures, Infection Chatter, BotHunter Analysis, Behavioral Cluster, Forensic Logs, Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace
T:00:11:00 WinXP 219.122.221.126 (EONET.NE.JP):
K-OPTICOM CORPORATION,
NISHINOMIYA, HYOGO, JP. (DSL)
n/a   445 pcap raw alerts
ruleset
shell
ftp
15 lines
Yeah : 1.3
profile
none summary
tarball
40 of 41 2cb7fb5674
NEW
4bf8dcd347 [0] none:none
none|none none trace
T:00:37:00 WinXP 114.48.57.102 (E-MOBILE.NE.JP):
EMOBILE LTD,
YOKOHAMA, KANAGAWA, JP. (DSL)
n/a   445 pcap raw alerts
ruleset
shell
ftp
16 lines
Yeah : 1.3
profile
none summary
tarball
37 of 40 5285741560
NEW
60590b8b67 [0] ASM:Graph
none|none lines=59 trace
T:00:52:00 WinXP 90.137.149.123 (TELE2.HR):
TELE2 INTERNET PROVIDER,
HR. (DSL)
213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset
http
3 lines
Yeah : 1.3
profile
none summary
tarball
41 of 41 b26ed6eeac
NEW
97c1157bf8 [0] none:none
PolyEnE| none trace
T:01:57:00 WinXP 4.188.132.100 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
US. (DSL)
n/a US:microsoft.com 135 pcap raw alerts
ruleset
other
122 lines
Yeah : 1.3
profile
none summary
tarball
33 of 33
8 of 33
53bfe15e91
NEW
b7082104e4
NEW
1473091351 [0]
c5b49e7b82[0]
ASM:Graph
ASM:Graph
tElock|
tElock|
lines=75
embedded dns
lines=41
trace
trace
T:02:52:00 WinXP 87.123.179.152 (VERSANET.DE):
VERSATEL DEUTSCHLAND,
BOCHUM, NORDRHEIN-WESTFALEN, DE. (DSL)
n/a   445 pcap raw alerts
ruleset
shell
ftp
14 lines
Yeah : 1.3
profile
none summary
tarball
40 of 40 00936f5cdf
NEW
0e6320b85a [0] none:none
none|none none trace
T:03:31:00 WinXP 121.84.192.46 (EONET.NE.JP):
K-OPTICOM CORPORATION,
OSAKA, OSAKA, JP. (DSL)
n/a   445 pcap raw alerts
ruleset
shell
ftp
15 lines
Yeah : 1.3
profile
none summary
tarball
40 of 41 2cb7fb5674
NEW
4bf8dcd347 [0] none:none
none|none none trace
T:08:07:00 Win2K-f 75.181.8.197 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CHARLOTTE, NORTH CAROLINA, US. (100Mbps)
n/a US:microsoft.com 135 pcap raw alerts
ruleset
other
110 lines
Yeah : 1.3
profile
none summary
tarball
38 of 41
37 of 41
5c39773b13
NEW
a1acc403a2
NEW
c64405f2e9 [0]
54ef26c2f9[0]
none:none
none:none
tElock|
Armadillo|
none
none
trace
trace
T:08:29:00 WinXP 75.43.208.168 (SBCGLOBAL.NET):
AT&T INTERNET SERVICES,
PASADENA, CALIFORNIA, US. (DSL)
n/a EU:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
GB:new.egg.com
:wpad
US:204.13.161.51:80
445 pcap raw alerts
ruleset
http
http
http
http
30 lines
Yeah : 0.8
profile
none summary
tarball
29 of 29 a12cab51ef
NEW
none[0] none:none
ASPack| lines=281
embedded dns
trace
T:08:50:00 WinXP 110.15.162.60 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL)
218.93.205.30:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
EU:gidromash.cn
:nenastiya.cn
CN:config1007.iwillhavesexygirls.com
:wws.mobiec.net
:xz.ub9.net
CN:maillist.iwillhavesexygirls.com
CN:russia.2288.org
CN:js.users.51.la
CN:icon.ajiang.net
CN:web.51.la
:in.7cy.net
:in1.7cy.net
:www.schooldesires.com
:www.loanablecapital.com
US:media.fastclick.net
US:rd.apmebf.com
:cncheck.com
74.220.220.81:80
EU:91.206.201.39:80
135 pcap raw alerts
ruleset
irc
http
189 lines
Yeah : 1.8
profile
none summary
tarball
18 of 41
30 of 33
12 of 40
31 of 33
26 of 41
405ce10c9b
NEW
87bd0a062f
NEW
b8aeb8dbdf
NEW
c7d6018f97
NEW
dd96e88e03
NEW
9f1a7125b9 [0]
dc70d9623a[0]
443b0a882b[0]
5c1d8bbd5b[0]
6f87541765[0]
none:none
none:none
none:none
none:none
none:none
Armadillo|
Armadillo|
StarForce|
tElock|
StarForce|
none
none
none
none
none
trace
trace
trace
trace
trace
T:09:05:00 Win2K-f 201.28.32.160 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL)
n/a US:www.maxmind.com
:checkip.dyndns.org
US:getmyip.co.uk
US:www.getmyip.org
DE:131.220.6.26:80
208.78.70.70:80
US:65.254.39.170:80
US:75.126.138.202:80
445 pcap raw alerts
ruleset
http
4 lines
Yeah : 0.8
profile
none summary
tarball
3 of 37 d9cb288f31
NEW
45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns
trace
T:09:43:00 WinXP 219.44.12.43 (BBTEC.NET):
SOFTBANK BB CORP,
YOKOHAMA, KANAGAWA, JP. (DSL)
n/a US:microsoft.com 135 pcap raw alerts
ruleset
other
77 lines
Yeah : 1.3
profile
none summary
tarball
33 of 33
0 of 32
53bfe15e91
NEW
73f1082158
NEW
1473091351 [0]
none [0]
ASM:Graph
none:none
tElock|
Armadillo|
lines=75
embedded dns
lines=90
trace
trace
T:09:49:00 Win2K-f 201.28.32.160 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL)
n/a US:www.maxmind.com
US:getmyip.co.uk
US:www.getmyip.org
:checkip.dyndns.org
DE:131.220.6.26:80
US:75.126.138.202:80
445 pcap raw alerts
ruleset
http
6 lines
Yeah : 0.8
profile
none summary
tarball
3 of 37 d9cb288f31
NEW
45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns
trace
T:09:52:00 WinXP 200.39.29.48 (TELEFONICA-DATA.COM.MX):
TELEFÓNICA MÉXICO,
MEXICO, DISTRITO FEDERAL, MX. (DSL)
n/a US:www.yahoo.com
US:www.altavista.com
:jbeegvia.ru
445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
32 of 32 bb7681eca8
NEW
none[3] none:none
tElock| none trace
T:10:37:00 WinXP 200.219.92.216 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL)
n/a RU:citi-bank.ru
RU:213.219.245.212:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
40 of 40 5a9531a716
NEW
fa931579df [0] none:none
PolyEnE| none trace
T:11:20:00 WinXP 190.1.157.195 (METROTEL.NET.CO):
METROTEL REDES S.A,
BARRANQUILLA, ATLANTICO, CO. (DSL)
n/a US:ww5.vspcord.com 445 pcap raw alerts
ruleset
http
2 lines
Yeah : 0.8
profile
none summary
tarball
23 of 41 d4f6a8418f
NEW
1c281beeea [0] none:none
StarForce| none trace
T:11:22:00 Win2K-f 63.17.129.137 (UU.NET):
UUNET TECHNOLOGIES INC,
LAWRENCEVILLE, GEORGIA, US. (DSL)
n/a   135 pcap raw alerts
ruleset
other
168 lines
Yeah : 1.3
profile
none summary
tarball
37 of 41 aa52a1cad3
NEW
822158a84f [0] none:none
Armadillo| none trace
T:11:36:00 WinXP 173.28.223.139 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
CHANHASSEN, MINNESOTA, US. (DSL)
92.240.234.164:3305 FI:cx10man.weedns.com
FI:fx010413.whyI.org
92.240.234.164:3305
135 pcap raw alerts
ruleset
irc
612 lines
Yeah : 1.8
profile
none summary
tarball
39 of 41 2159b61b3b
NEW
cdd2e4c318 [0] none:none
StarForce| none trace
T:12:43:00 Win2K-f 113.253.112.208 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HK. (DSL)
89.149.227.51:2569 :jiets.soidudrf.com
DE:dirty.eiheihre3.com
135 pcap raw alerts
ruleset
irc
http
817 lines
Yeah : 1.8
profile
none summary
tarball
40 of 41
28 of 40
14c118316b
NEW
f28b31493e
NEW
none[4]
e1e1d22148[0]
none:none
none:none
FSG|
PENinja S|
none
none
trace
trace
T:12:52:00 WinXP 4.253.116.19 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
KNOX, INDIANA, US. (DIAL)
n/a RU:citi-bank.ru
RU:213.219.245.212:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
36 of 38 5865b09945
NEW
4d99f4784a [0] none:none
PolyEnE| none trace
T:13:41:00 WinXP 95.75.14.96 (-):
TELECOM ITALIA MOBILE,
IT. (DSL)
n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset
other
0 lines
Yeah : 0.8
profile
none summary
tarball
39 of 41 4e3937b86b
NEW
8ea2fdbfa2 [0] none:none
PolyEnE| none trace
T:14:46:00 WinXP 216.210.223.9 (-):
ADVANCED TELCOM GROUP / DIAL-UP,
SALEM, OREGON, US. (100Mbps)
n/a   135 pcap raw alerts
ruleset
other
145 lines
Yeah : 1.3
profile
none summary
tarball
0 of 33 a08f3b74a4
NEW
none[0] none:none
Armadillo| lines=90 trace
T:16:04:00 Win2K-f 196.2.194.81 (NILE-ONLINE.NET):
AFRINIC,
EG. (DSL)
n/a US:www.maxmind.com
US:getmyip.co.uk
:checkip.dyndns.org
DE:131.220.6.26:80
US:65.254.39.170:80
445 pcap raw alerts
ruleset
http
5 lines
Yeah : 0.8
profile
none summary
tarball
3 of 37 d9cb288f31
NEW
45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns
trace
T:16:21:00 Win2K-f 172.190.208.162 (AOL.COM):
AMERICA ONLINE,
RESTON, VIRGINIA, US. (DIAL)
n/a US:microsoft.com 135 pcap raw alerts
ruleset
other
180 lines
Yeah : 1.3
profile
none summary
tarball
37 of 41
36 of 40
47d3548e36
NEW
d8722af110
NEW
ab13346633 [0]
ab30a55931[0]
none:none
none:none
Armadillo|
tElock|
none
none
trace
trace
T:17:58:00 WinXP 174.1.103.110 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
WINNIPEG, MANITOBA, CA. (DSL)
n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
29 of 29 f502585714
NEW
none[0] none:none
PolyEnE| lines=63 trace
T:19:50:00 WinXP 76.166.164.100 (RR.COM):
ROAD RUNNER HOLDCO LLC,
OXNARD, CALIFORNIA, US. (DSL)
n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
25 of 25 7f60162c2c
NEW
none[0] none:none
PolyEnE| lines=93
embedded dns
trace
T:20:33:00 Win2K-f 114.202.8.90 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL)
91.212.220.75:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
EU:gidromash.cn
:nenastiya.cn
:bfkq.com
:jsactivity.com
US:search.toptravellingtips.com
:www.toptravellingtips.com
173.45.105.218:8392
EU:91.206.201.39:80
135 pcap raw alerts
ruleset
irc
http
394 lines
Yeah : 1.8
profile
none summary
tarball
10 of 41
0 of 41
29 of 32
28 of 32
6 of 41
7 of 41
337b3480eb
NEW
4fd9dd4880
NEW
8a75955033
NEW
9276c8b36b
NEW
ae9b8cab06
NEW
db0b018d16
NEW
1a253ee468 [0]
none [4]
2bf3e548b9[0]
none [0]
ae9b8cab06[1]
9d2b52b268[0]
none:none
none:none
ASM:Graph
ASM:Graph
ASM:Graph
none:none
UPX|
none|none
tElock|
Armadillo|
StarForce|
StarForce|
none
none
lines=126
embedded dns
lines=81
lines=7
none
trace
trace
trace
trace
trace
trace
T:21:00:00 WinXP 71.119.61.108 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
LONG BEACH, CALIFORNIA, US. (DSL)
n/a :moscow-advokat.ru
:gaspode.zanet.org.za
AT:graz.at.eu.undernet.org
SE:ced.dal.net
:lulea.se.eu.undernet.org
NL:diemen.nl.eu.undernet.org
445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
25 of 25 7f60162c2c
NEW
none[0] none:none
PolyEnE| lines=93
embedded dns
trace
T:21:03:00 Win2K-f 84.217.143.45 (GLOCALNET.NET):
GLOCALNET-SE-NET,
GOTHENBURG, VASTRA GOTALAND, SE. (DSL)
218.93.205.30:65520 US:dreamergroup.info
US:search.biduplinks.co.uk
CN:proxim.ircgalaxy.pl
EU:gidromash.cn
CN:dl.guarddog2009.com
:nenastiya.cn
CN:config1007.iwillhavesexygirls.com
:wws.mobiec.net
CN:maillist.iwillhavesexygirls.com
US:xz.ub9.net
CN:russia.2288.org
CN:js.users.51.la
CN:icon.ajiang.net
CN:web2.51.la
:in.7cy.net
EU:91.206.201.39:80
445 pcap raw alerts
ruleset
http
irc
50 lines
Yeah : 1.3
profile
none summary
tarball
18 of 41
15 of 41
12 of 40
26 of 41
405ce10c9b
NEW
83192a6119
NEW
b8aeb8dbdf
NEW
dd96e88e03
NEW
9f1a7125b9 [0]
fdc95e1fab[0]
443b0a882b[0]
6f87541765[0]
none:none
none:none
none:none
none:none
Armadillo|
none|none
StarForce|
StarForce|
none
none
none
none
trace
trace
trace
trace
T:21:31:00 WinXP 121.121.192.67 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL)
n/a RU:citi-bank.ru
RU:213.219.245.212:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
35 of 35 9716d7995a
NEW
c3a5354b6f [0] none:none
PolyEnE| none trace
T:23:29:00 Win2K-f 122.146.253.88 (SPARQNET.NET):
NEW CENTRY INFOCOM TECH. CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL)
n/a US:microsoft.com 135 pcap raw alerts
ruleset
other
110 lines
Yeah : 1.3
profile
none summary
tarball
39 of 41
40 of 41
639ad69965
NEW
78eadbd884
NEW
84c2cecdaf [0]
480abf2e12[0]
none:none
none:none
Armadillo|
tElock|
none
none
trace
trace
T:23:30:00 WinXP 114.48.49.28 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL)
n/a   445 pcap raw alerts
ruleset
shell
ftp
13 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none