Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

06 November 2009
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:10:00 Win2K-f 99.164.23.178 (SBCGLOBAL.NET):
RANI PAL LLC,
PLANO, TEXAS, US. (DSL) n/a 135 pcap raw alerts
ruleset other
402 lines Yeah : 1.3
profile none summary
tarball 11 of 36 c4c5a56ffe
NEW 8bef2f9170 [0] none:none
StarForce| none trace

T:01:32:00 WinXP 98.191.202.103 (COX.NET):
COX COMMUNICATIONS,
ATLANTA, GEORGIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball 39 of 40
39 of 40 0f92676ee2
NEW
1fdb02eb48
NEW 0f92676ee2 [1]
43a22a20b7[0] ASM:Graph
none:none
Armadillo|
tElock| lines=82
none trace
trace

T:01:55:00 WinXP 119.230.95.12 (EONET.NE.JP):
K-OPTICOM CORPORATION,
OSAKA, OSAKA, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
16 lines Yeah : 1.3
profile none summary
tarball 38 of 41 7b313206a2
NEW 0c866c8cce [0] none:none
none|none none trace

T:02:39:00 Win2K-f 4.143.86.5 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
CLEVELAND, OHIO, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
112 lines Yeah : 1.3
profile none summary
tarball 37 of 39
37 of 39 166484192b
NEW
2a1e547005
NEW 0c886fcb7b [0]
5c75fa020a[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:03:05:00 WinXP 95.74.20.87 (-):
TELECOM ITALIA MOBILE,
LECCE, PUGLIA, IT. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
4 lines Yeah : 1.3
profile none summary
tarball 39 of 41 912a073945
NEW 7874c7f21e [0] none:none
PolyEnE| none trace

T:03:20:00 WinXP 67.125.140.230 (PACBELL.NET):
AT&T INTERNET SERVICES,
FRESNO, CALIFORNIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:03:32:00 WinXP 41.189.33.233 (10.AVISO.CI):
AFRINIC,
CI. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 29 of 29 f502585714
NEW none[0] none:none
PolyEnE| lines=63 trace

T:05:36:00 WinXP 78.84.213.28 (-):
ADDRESS POOL FOR LTC-HOME CUSTOMERS,
RIGA, RIGA, LV. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 41 aab1b56620
NEW 3b2e1c5b9d [0] none:none
PolyEnE| none trace

T:06:18:00 WinXP 114.48.33.35 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:06:49:00 Win2K-f 4.161.141.201 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
CINCINNATI, OHIO, US. (DSL) n/a 135 pcap raw alerts
ruleset other
150 lines Yeah : 1.3
profile none summary
tarball 38 of 40 bc4da3f959
NEW 343e5dae12 [0] none:none
Armadillo| none trace

T:07:09:00 WinXP 88.130.197.85 (VERSANET.DE):
VERSATEL DEUTSCHLAND,
FLENSBURG, SCHLESWIG-HOLSTEIN, DE. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 31 of 32 741e3b03b3
NEW none[0] none:none
none|none lines=61 trace

T:07:38:00 Win2K-f 98.175.54.156 (COX.NET):
COX COMMUNICATIONS,
OMAHA, NEBRASKA, US. (DSL) n/a :gg.arrancar.org 135 pcap raw alerts
ruleset other
250 lines Yeah : 1.3
profile none summary
tarball 39 of 40 ff9a408451
NEW 259498584e [0] none:none
PolyEnE| none trace

T:08:10:00 WinXP 114.207.150.16 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 218.93.205.30:65520 FR:proxima.ircgalaxy.pl
US:microsoft.com
CN:www.brans.pl
:komojoke.cn
:bfkq.com
:jsactivity.com
EU:sleepatnight.cn
US:search.toptravellingtips.com
:sendfan.com
:www.sendfan.com
US:www.hophealth.com
US:208.43.250.167:80
EU:91.206.201.39:80 135 pcap raw alerts
ruleset irc
http
227 lines Yeah : 1.8
profile none summary
tarball 10 of 40
14 of 40
0 of 39
12 of 39
34 of 36
29 of 32 007aa1a2f9
NEW
5af8d7c1bb
NEW
65145fdd2e
NEW
6601ab80f5
NEW
99b248336f
NEW
9d677c3f70
NEW 396306e500 [0]
2295f54a34[0]
none [4]
ce297abb17[0]
c64bd1a776[0]
77e75ff10f[0] none:none
none:none
none:none
none:none
none:none
none:none
Neolite|
StarForce|
none|none
StarForce|
Armadillo|
tElock| none
none
none
none
none
none trace
trace
trace
trace
trace
trace

T:08:55:00 WinXP 59.120.228.224 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a 135 pcap raw alerts
ruleset other
53 lines Yeah : 1.3
profile none summary
tarball 0 of 33 57ce4acac2
NEW none[0] none:none
Armadillo| lines=90 trace

T:09:18:00 WinXP 78.251.57.90 (PROXAD.NET):
PROXAD INTERNET SERVICE PROVIDER IN FRANCE,
FR. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 38 of 39 f382333425
NEW 6dd116cb89 [0] none:none
PolyEnE| none trace

T:09:59:00 WinXP 113.255.114.127 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 32 of 40
33 of 33 27b17a2724
NEW
53bfe15e91
NEW a1d5ac965b [0]
1473091351[0] none:none
ASM:Graph
tElock|
tElock| none
lines=75
embedded dns trace
trace

T:10:04:00 WinXP 79.162.178.193 (CENTERTEL.PL):
PTK CENTERTEL BROADBAND SERVICES,
WARSAW, WARSZAWA, PL. (DSL) 213.219.245.212:80 218.93.205.30:65520 CN:proxim.ircgalaxy.pl
RU:citi-bank.ru 445 pcap raw alerts
ruleset http
irc
4 lines Yeah : 1.3
profile none summary
tarball 38 of 40 b0a6f20c4a
NEW 393787f8c2 [0] none:none
PolyEnE| none trace

T:11:16:00 WinXP 60.237.130.143 (MESH.AD.JP):
NEC CORPORATION,
KAWASAKI, KANAGAWA, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 29 of 29 831f4ee0a7
NEW none[0] ASM:Graph
none|none lines=61 trace

T:12:48:00 WinXP 64.77.212.13 (MNCABLE.NET):
SJOBERG CABLE,
THIEF RIVER FALLS, MINNESOTA, US. (100Mbps) n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset other
0 lines Yeah : 0.8
profile none summary
tarball 37 of 39 a79d6619a4
NEW ee99188e6d [0] none:none
tElock| none trace

T:13:37:00 WinXP 85.152.136.116 (CM-85-152-138-10.TELECABLE.ES):
TELECABLE,
OVIEDO, ASTURIAS, ES. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 40 of 41 eda3b7766c
NEW 7556343561 [0] none:none
PolyEnE| none trace

T:13:43:00 WinXP 71.102.132.143 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
LOMPOC, CALIFORNIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball 34 of 39
35 of 39 4cbbc9cdc3
NEW
86d4950962
NEW 9b1bced683 [0]
c78e30261c[0] none:none
none:none
Armadillo|
tElock| none
none trace
trace

T:13:53:00 WinXP 58.71.45.90 (PLDT.NET):
IPG,
MANILA, MANILA, PH. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
112 lines Yeah : 1.3
profile none summary
tarball 40 of 41
39 of 41 5403724951
NEW
6494cbd582
NEW 44ee5f83ba [0]
adcb56d0cb[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:14:25:00 WinXP 63.28.103.132 (UU.NET):
UUNET TECHNOLOGIES INC,
FREDERICKSBURG, VIRGINIA, US. (DSL) n/a EU:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
GB:welcome3.smile.co.uk
:wpad
GB:195.92.84.198:80
US:204.13.161.51:80 445 pcap raw alerts
ruleset http
http
http
8 lines Yeah : 0.8
profile none summary
tarball 29 of 29 a12cab51ef
NEW none[0] none:none
ASPack| lines=281
embedded dns trace

T:15:15:00 WinXP 190.2.159.208 (NODE-BE02AD0A.SCARLET.AN):
SCARLET B.V,
PHILIPSBURG, SAINT MAARTEN, AN. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
3 lines Yeah : 0.8
profile none summary
tarball 39 of 41 912a073945
NEW 7874c7f21e [0] none:none
PolyEnE| none trace

15:31:00 WinXP 88.210.112.13 (REV.OPTIMUS.PT):
OPTIMUS PORTUGAL,
LISBON, LISBOA, PT. (DSL) n/a :www.google.com.au
:jbeegvia.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 31 of 32 17028f1eda
NEW none[3] none:none
tElock| none trace

T:17:16:00 Win2K-f 173.17.151.26 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
MILLSBORO, DELAWARE, US. (DSL) n/a 135 pcap raw alerts
ruleset other
18 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:18:12:00 WinXP 71.74.77.50 (RR.COM):
ROAD RUNNER HOLDCO LLC,
COLUMBUS, OHIO, US. (100Mbps) n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 25 of 25 7f60162c2c
NEW none[0] none:none
PolyEnE| lines=93
embedded dns trace

T:19:06:00 WinXP 115.165.81.134 (CATV02.ITSCOM.JP):
ITS COMMUNICATIONS INC,
KAWASAKI, KANAGAWA, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 31 of 32 741e3b03b3
NEW none[0] none:none
none|none lines=61 trace

T:19:39:00 Win2K-f 24.48.129.139 (USA2NET.NET):
FLORIDA CABLE INC,
US. (DSL) n/a 135 pcap raw alerts
ruleset other
18 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:21:25:00 Win2K-f 4.163.114.121 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
GRAND PRAIRIE, TEXAS, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
147 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:21:26:00 WinXP 114.48.108.35 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) n/a 445 pcap raw alerts
ruleset ftp
13 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:23:35:00 WinXP 95.69.48.26 (-):
GPRS COSTUMERS,
FARO, FARO, PT. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 41 50ec88befe
NEW 6654523fa4 [0] none:none
PolyEnE| none trace

T:23:47:00 WinXP 208.126.133.30 (NETINS.NET):
NETINS INC,
MOVILLE, IOWA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:23:49:00 Win2K-f 110.12.73.39 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 218.93.205.30:65520 US:microsoft.com
CN:proxim.ircgalaxy.pl
CN:www.brans.pl
:komojoke.cn
CN:config1007.iwillhavesexygirls.com
CN:maillist.iwillhavesexygirls.com
EU:sleepatnight.cn
FR:193.104.94.11:65520
EU:91.206.201.39:80 135 pcap raw alerts
ruleset irc
http
126 lines Yeah : 1.8
profile none summary
tarball 5 of 39
30 of 33
28 of 33
8 of 40
8 of 40 45f7b431e4
NEW
533d15b5ce
NEW
58c343a8d8
NEW
c1a01c30b7
NEW
ebe63379cf
NEW ca3edde9d5 [0]
c67adf46e2[0]
none [0]
2b31d4081f[0]
a1ce03d5db[0] none:none
ASM:Graph
none:none
none:none
none:none
StarForce|
tElock|
Armadillo|
StarForce|
Armadillo| none
lines=126
embedded dns
lines=91
none
none trace
trace
trace
trace
trace