Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

26 October 2009
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:01:41:00 WinXP 173.23.56.33 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
CRESTWOOD, KENTUCKY, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
83 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:03:05:00 WinXP 95.74.169.237 (-):
TELECOM ITALIA MOBILE,
ROME, LAZIO, IT. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 29 of 29 831f4ee0a7
NEW none[0] ASM:Graph
none|none lines=61 trace

T:03:41:00 WinXP 114.48.245.250 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:05:04:00 WinXP 219.110.147.39 (CATV02.ITSCOM.JP):
ITS COMMUNICATIONS INC,
KAWASAKI, KANAGAWA, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 31 of 32 741e3b03b3
NEW none[0] none:none
none|none lines=61 trace

T:05:55:00 Win2K-f 24.234.71.160 (COX.NET):
COX COMMUNICATIONS INC,
LAS VEGAS, NEVADA, US. (100Mbps) n/a 135 pcap raw alerts
ruleset other
52 lines Yeah : 1.3
profile none summary
tarball 0 of 33 a08f3b74a4
NEW none[0] none:none
Armadillo| lines=90 trace

T:06:30:00 WinXP 187.65.38.247 (VELOXZONE.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 25 of 25 7f60162c2c
NEW none[0] none:none
PolyEnE| lines=93
embedded dns trace

T:09:42:00 WinXP 213.99.72.87 (-):
TELEFONICA MOVILES ESPANA (NCC#2006042768),
MADRID, MADRID, ES. (DSL) n/a 445 pcap raw alerts
ruleset http
6 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

09:49:00 Win2K-f 219.91.111.47 (APOL.COM.TW):
ASIA PACIFIC ONLINE SERVICE INC,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:www.maxmind.com
:checkip.dyndns.org
US:67.15.94.80:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:09:57:00 Win2K-f 219.91.111.47 (APOL.COM.TW):
ASIA PACIFIC ONLINE SERVICE INC,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:www.maxmind.com
US:getmyip.co.uk
US:www.getmyip.org
:checkip.dyndns.org
DE:131.220.6.26:80
US:67.15.94.80:80 445 pcap raw alerts
ruleset http
6 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:11:17:00 WinXP 70.184.219.55 (COX.NET):
COX COMMUNICATIONS,
OMAHA, NEBRASKA, US. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 39 of 41
40 of 41 3b3a6d7615
NEW
b7a694b220
NEW ed7beb96f5 [0]
9f0354af30[0] none:none
none:none
Armadillo|
tElock| none
none trace
trace

T:13:02:00 WinXP 84.224.38.27 (PGSM.HU):
PANNON GSM TELECOMMUNICATIONS INC,
BUDAPEST, BUDAPEST, HU. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 29 of 29 1a2c0e6130
NEW none[0] none:none
none|none lines=60 trace

T:13:18:00 Win2K-f 216.152.5.146 (-):
CITY OF WILSON,
PEA RIDGE, ARKANSAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:13:35:00 WinXP 70.241.89.123 (SWBELL.NET):
AT&T INTERNET SERVICES,
HOUSTON, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:13:40:00 WinXP 87.116.207.121 (TNP.PL):
BROADBAND_SERVICES,
WARSAW, WARSZAWA, PL. (DSL) n/a 445 pcap raw alerts
ruleset http
3 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:15:30:00 WinXP 80.183.123.229 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A. TIN EASY LITE,
RIMINI, EMILIA-ROMAGNA, IT. (DSL) n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
:wpad
US:204.13.161.51:80 445 pcap raw alerts
ruleset http
http
http
7 lines Yeah : 0.8
profile none summary
tarball 41 of 41 6152c54fc2
NEW ccc8b54f0a [0] none:none
ASPack| none trace

T:16:38:00 WinXP 65.45.141.30 (ALGX.NET):
XO COMMUNICATIONS,
ST. PAUL, MINNESOTA, US. (DSL) n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
RU:www.bbin.ru
RU:www.binbank.ru
:wpad 445 pcap raw alerts
ruleset http
http
http
http
37 lines Yeah : 0.8
profile none summary
tarball 29 of 29 a12cab51ef
NEW none[0] none:none
ASPack| lines=281
embedded dns trace

T:17:44:00 WinXP 65.6.132.38 (BELLSOUTH.NET):
BELLSOUTH.NET INC,
ATLANTA, GEORGIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:17:49:00 Win2K-f 63.23.62.59 (UU.NET):
UUNET TECHNOLOGIES INC,
MOUNDSVILLE, WEST VIRGINIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
59 lines Yeah : 1.3
profile none summary
tarball 33 of 33
8 of 33 53bfe15e91
NEW
b7082104e4
NEW 1473091351 [0]
c5b49e7b82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=75
embedded dns
lines=41 trace
trace

T:17:54:00 Win2K-f 70.168.11.126 (COX.NET):
COX COMMUNICATIONS,
PROVIDENCE, RHODE ISLAND, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:18:16:00 WinXP 60.250.190.187 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a 135 pcap raw alerts
ruleset other
1002 lines Yeah : 1.3
profile none summary
tarball 8 of 41 e583aa258a
NEW none[3] none:none
none|none none trace

T:19:36:00 Win2K-f 211.211.72.169 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) n/a CN:proxim.ircgalaxy.pl
US:microsoft.com
CN:218.93.205.30:65520 135 pcap raw alerts
ruleset other
113 lines Yeah : 1.3
profile none summary
tarball 30 of 33
28 of 33 533d15b5ce
NEW
58c343a8d8
NEW c67adf46e2 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=126
embedded dns
lines=91 trace
trace

T:21:09:00 Win2K-f 4.153.254.166 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
ROGERSVILLE, TENNESSEE, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
152 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:22:51:00 WinXP 219.110.195.82 (CATV02.ITSCOM.JP):
ITS COMMUNICATIONS INC,
TOKYO, TOKYO, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 31 of 32 741e3b03b3
NEW none[0] none:none
none|none lines=61 trace

T:23:02:00 WinXP 207.5.155.42 (SUSCOM-MAINE.NET):
GREAT WORKS INTERNET,
BRUNSWICK, MAINE, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
59 lines Yeah : 1.3
profile none summary
tarball 33 of 33
8 of 33 53bfe15e91
NEW
b7082104e4
NEW 1473091351 [0]
c5b49e7b82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=75
embedded dns
lines=41 trace
trace

T:23:21:00 WinXP 110.12.67.88 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 218.93.205.30:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
CN:www.brans.pl
EU:sleepatnight.cn
CN:www.petdoso.com
EU:streq.cn
:horobl.cn
CN:202.97.184.196:81 135 pcap raw alerts
ruleset irc
http
145 lines Yeah : 1.8
profile none summary
tarball 17 of 41
37 of 41
38 of 41
14 of 41
13 of 41 1c5e79f5f4
NEW
598636aa73
NEW
a57ddcdef0
NEW
b715292e04
NEW
f725e57065
NEW none[4]
613af3f9a2[0]
none [4]
569c05a15f[0]
3f11911aa9[0] none:none
none:none
none:none
none:none
none:none
FSG|
Armadillo|
PolyEnE|
PE-PACK|
tElock| none
none
none
none
none trace
trace
trace
trace
trace

T:23:50:00 Win2K-f 4.227.249.146 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
LOVELAND, COLORADO, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
118 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace