Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

21 October 2009
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:27:00 Win2K-f 98.190.176.19 (COX.NET):
COX COMMUNICATIONS,
OMAHA, NEBRASKA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41
40 of 41		 3b3a6d7615
NEW
b7a694b220
NEW 		ed7beb96f5 [0]
9f0354af30[0] 		none:none
none:none
 Armadillo|
tElock| 		none
none 		trace
trace
T:00:39:00 WinXP 173.28.195.180 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
CHANHASSEN, MINNESOTA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41
38 of 41		 b8f53b4800
NEW
e9ef6d378d
NEW 		4208eb65f3 [0]
72080f1764[0] 		none:none
none:none
 tElock|
Armadillo| 		none
none 		trace
trace
T:02:00:00 WinXP 125.4.5.164 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
OSAKA, OSAKA, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32
33 of 33		 07fabc79ef
NEW
53bfe15e91
NEW 		none[0]
1473091351[0] 		ASM:Graph
ASM:Graph
 Armadillo|
tElock| 		lines=81
lines=75
embedded dns 		trace
trace
T:02:18:00 WinXP 58.121.126.149 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
2 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:02:33:00 WinXP 89.50.40.211 (PPPOOL.DE):
FREENET CITYLINE GMBH,
BERLIN, BERLIN, DE. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
13 lines 		Yeah : 0.8
profile 		none summary
tarball 		31 of 32 741e3b03b3
NEW 		none[0] none:none
 none|none lines=61 trace
T:02:58:00 Win2K-f 174.3.187.130 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CA. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
77 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:03:12:00 Win2K-f 12.77.142.90 (ATT.NET):
AT&T WORLDNET SERVICES,
TAMPA, FLORIDA, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
187 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 73f1082158
NEW 		none[0] none:none
 Armadillo| lines=90 trace
T:03:31:00 Win2K-f 222.233.5.50 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 		91.212.220.75:65520 US:microsoft.com
EU:proxim.ircgalaxy.pl
EU:sleepatnight.cn
CN:www.petdoso.com
CN:202.97.184.196:81 		135 pcap raw alerts
ruleset 		irc
http
137 lines 		Yeah : 1.8
profile 		none summary
tarball 		30 of 33
28 of 33
13 of 41
18 of 41		 533d15b5ce
NEW
58c343a8d8
NEW
f725e57065
NEW
ff88da0c98
NEW 		c67adf46e2 [0]
none [0]
3f11911aa9[0]
3a4805c89d[0] 		ASM:Graph
none:none
none:none
none:none
 tElock|
Armadillo|
tElock|
FSG| 		lines=126
embedded dns
lines=91
none
none 		trace
trace
trace
trace
T:03:53:00 WinXP 60.250.145.103 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
10 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:04:05:00 Win2K-f 207.200.197.163 (QWEST.NET):
NETWORK INNOVATIONS INC,
CHICAGO, ILLINOIS, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
79 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:04:25:00 WinXP 118.141.217.165 (LLOYD-EXCHANGE.LLOYDWISE.CN):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 41 398caf7316
NEW 		6ac15bfbb3 [0] none:none
 PolyEnE| none trace
T:05:02:00 Win2K-f 67.8.56.42 (RR.COM):
ROAD RUNNER HOLDCO LLC,
APOPKA, FLORIDA, US. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:05:47:00 Win2K-f 203.73.84.36 (SEED.NET.TW):
SEEDNET-KAOHSIUNGDP-S,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
57ce4acac2
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:05:56:00 WinXP 87.57.135.211 (DSL.TELE.DK):
TDC-TELEDANMARK-BREDBAANDSADSL-NET,
ÅRHUS, ARHUS, DK. (DSL) 		n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		38 of 40 624d43be60
NEW 		3caff61b75 [0] ASM:Graph
 PolyEnE| lines=68 trace
T:06:20:00 WinXP 119.234.24.82 (-):
SINGTEL MOBILE,
SINGAPORE, SINGAPORE, SG. (DSL) 		91.212.220.75:65520 EU:proxim.ircgalaxy.pl
CN:www.brans.pl
:nenastiya.cn
EU:sleepatnight.cn
:bfkq.com
:jsactivity.com
CN:www.petdoso.com
US:search.toptravellingtips.com
:www.toptravellingtips.com
US:search.articleswave.co.uk
173.45.105.218:8392
CN:202.97.184.196:81
CN:218.93.205.30:65520 		445 pcap raw alerts
ruleset 		http
irc
228 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 41
7 of 41
17 of 41
37 of 39
7 of 41
10 of 41
13 of 41		 0107259495
NEW
18dfbbc85b
NEW
1c5e79f5f4
NEW
9c20944d61
NEW
9cb6b0c63b
NEW
ec42c1334f
NEW
f725e57065
NEW 		none[4]
4f6fcecea3[0]
none [4]
0bf3a9d27b[0]
7edfa9b0f8[0]
d6868cc552[0]
3f11911aa9[0] 		none:none
none:none
none:none
ASM:Graph
none:none
none:none
none:none
 none|none
UPX|
FSG|
PolyEnE|
StarForce|
StarForce|
tElock| 		none
none
none
lines=134
none
none
none 		trace
trace
trace
trace
trace
trace
trace
T:06:22:00 WinXP 76.87.55.181 (RR.COM):
ROAD RUNNER HOLDCO LLC,
LOS ANGELES, CALIFORNIA, US. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 a0139d7ad8
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:06:36:00 WinXP 98.141.30.211 (CAVTEL.NET):
CAVALIER TELEPHONE,
NORFOLK, VIRGINIA, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:06:38:00 WinXP 79.162.177.12 (CENTERTEL.PL):
PTK CENTERTEL BROADBAND SERVICES,
WARSAW, WARSZAWA, PL. (DSL) 		n/a EU:proxim.ircgalaxy.pl
RU:citi-bank.ru
RU:213.219.245.212:80
CN:218.93.205.30:65520 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		34 of 36 9bb68450cd
NEW 		c2d5ac2315 [0] ASM:Graph
 PolyEnE| lines=73
embedded dns 		trace
T:07:48:00 WinXP 114.49.7.184 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
14 lines 		Yeah : 1.3
profile 		none summary
tarball 		37 of 40 5285741560
NEW 		60590b8b67 [0] ASM:Graph
 none|none lines=59 trace
T:08:17:00 Win2K-f 4.233.125.59 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
LOS ANGELES, CALIFORNIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:09:28:00 WinXP 113.255.113.22 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
59 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
8 of 33		 53bfe15e91
NEW
b7082104e4
NEW 		1473091351 [0]
c5b49e7b82[0] 		ASM:Graph
ASM:Graph
 tElock|
tElock| 		lines=75
embedded dns
lines=41 		trace
trace
T:09:47:00 WinXP 65.191.29.221 (RR.COM):
ROAD RUNNER HOLDCO LLC,
FAYETTEVILLE, NORTH CAROLINA, US. (100Mbps) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		29 of 29 d42c1cc7c0
NEW 		none[0] ASM:Graph
 PolyEnE| lines=54 trace
T:11:34:00 WinXP 88.176.231.209 (PROXAD.NET):
PROXAD / FREE SAS,
GRENOBLE, RHONE-ALPES, FR. (DSL) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		41 of 41 72134e4b44
NEW 		28c60e99a7 [0] none:none
 PolyEnE| none trace
T:14:12:00 Win2K-f 196.208.48.201 (DIAL-UP.NET):
AFRINIC,
PIETERMARITZBURG, KWAZULU-NATAL, ZA. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
261 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41
40 of 41		 471baae627
NEW
df9d3ed316
NEW 		ab1997f348 [0]
366478534d[0] 		none:none
none:none
 Armadillo|
tElock| 		none
none 		trace
trace
T:15:25:00 Win2K-f 4.174.146.50 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
DARBY, PENNSYLVANIA, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
5 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:15:35:00 WinXP 219.114.247.45 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
OSAKA, OSAKA, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
112 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41
38 of 40		 024410ad21
NEW
b0cedd71bb
NEW 		96d0267b80 [0]
f6e156bdca[0] 		none:none
none:none
 tElock|
Armadillo| 		none
none 		trace
trace
T:16:50:00 WinXP 62.169.110.232 (REV.OPTIMUS.PT):
OPTIMUS PORTUGAL,
LISBON, LISBOA, PT. (DSL) 		n/a US:www.yahoo.com
:www.google.com.au
:jbeegvia.ru 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		31 of 32 17028f1eda
NEW 		none[3] none:none
 tElock| none trace
T:17:04:00 Win2K-f 118.221.38.157 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 		91.212.220.75:65520 EU:proxim.ircgalaxy.pl
US:microsoft.com
EU:sleepatnight.cn
CN:www.petdoso.com
CN:202.97.184.196:81
EU:91.212.220.75:65520 		135 pcap raw alerts
ruleset 		irc
http
http
http
245 lines 		Yeah : 1.8
profile 		none summary
tarball 		16 of 41
30 of 33
28 of 33
13 of 41		 3e6f5c2878
NEW
533d15b5ce
NEW
58c343a8d8
NEW
f725e57065
NEW 		a14706e352 [0]
c67adf46e2[0]
none [0]
3f11911aa9[0] 		none:none
ASM:Graph
none:none
none:none
 FSG|
tElock|
Armadillo|
tElock| 		none
lines=126
embedded dns
lines=91
none 		trace
trace
trace
trace
T:17:27:00 Win2K-f 58.71.45.90 (PLDT.NET):
IPG,
MANILA, MANILA, PH. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
114 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41
39 of 41		 5403724951
NEW
6494cbd582
NEW 		44ee5f83ba [0]
adcb56d0cb[0] 		none:none
none:none
 tElock|
Armadillo| 		none
none 		trace
trace
T:17:59:00 WinXP 68.203.231.28 (RR.COM):
ROAD RUNNER HOLDCO LLC,
ORANGE, TEXAS, US. (100Mbps) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		32 of 32 b502f83a7c
NEW 		28f5be93b0 [0] none:none
 PolyEnE| none trace
T:18:35:00 WinXP 70.44.157.58 (PTD.NET):
PENTELEDATA INC. - CABLE,
FREELAND, PENNSYLVANIA, US. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		35 of 35 9716d7995a
NEW 		c3a5354b6f [0] none:none
 PolyEnE| none trace
T:19:51:00 Win2K-f 70.117.156.152 (RR.COM):
ROAD RUNNER HOLDCO LLC,
SILSBEE, TEXAS, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:21:31:00 WinXP 66.72.70.42 (AMERITECH.NET):
DIAL POOL - TNT2 BLOOMINGTON,
NASHVILLE, INDIANA, US. (DIAL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
14 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 1a2c0e6130
NEW 		none[0] none:none
 none|none lines=60 trace
T:21:42:00 Win2K-f 70.184.253.14 (COX.NET):
COX COMMUNICATIONS,
TULSA, OKLAHOMA, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:22:06:00 WinXP 72.64.30.16 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
CHARLESTON, WEST VIRGINIA, US. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
76 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:22:13:00 Win2K-f 4.188.128.208 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
DAVIS JUNCTION, ILLINOIS, US. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
3 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none