BotHunter daily infection log. Each infection occupied one 19-column row in the original (Time, Victim OS, Infection Source, C&C Server, DNS Lookups & Failed Connects, Infection Port, Packet Trace, Detection Signatures, Infection Chatter, BotHunter Analysis, Behavioral Cluster, Forensic Logs, Antivirus Labels, Packed Malware_Binary, Unpacked egg.exe, Unpacked egg.asm, Packer PEID, Data Strings, Syscall Trace), with the last seven columns repeated once per binary captured from that host. The rows are rebuilt below as two tables keyed on Time and source IP.

Three link columns read the same on every infection row and are left out of the first table: Packet Trace (pcap), Detection Signatures (raw alerts, ruleset) and Forensic Logs (summary tarball). An empty DNS Lookups & Failed Connects cell means the row listed no lookups; n/a in C&C Server means no C&C connection was recorded for that host.

The second table has one row per captured binary; the four hosts for which the original shows none in every binary column (T:04:48:00, T:15:32:00, T:16:34:00, T:22:36:00) have no row there. Its Syscall Trace column read trace on every row and is left out, and Packer PEID, written as name| or none|none in the original, is reduced to the packer name.

Infections

Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Infection Chatter | BotHunter Analysis | Behavioral Cluster
T:00:07:00 | WinXP | 83.97.246.3 (CM-93-156-61-10.TELECABLE.ES): TELECABLE, BARCELONA, CATALONIA, ES. (DSL) | 213.219.245.212:80 | RU:citi-bank.ru | 445 | http 2 lines | Yeah : 1.3 profile | none
T:00:19:00 | Win2K-f | 110.14.205.41 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | 218.93.205.30:65520 | US:microsoft.com CN:proxim.ircgalaxy.pl CN:dl.guarddog2009.com :komojoke.cn EU:colopin.cn CN:config1007.iwillhavesexygirls.com CN:maillist.iwillhavesexygirls.com CN:218.93.205.30:65520 EU:91.206.201.39:80 | 135 | irc http 136 lines | Yeah : 1.8 profile | none
T:00:35:00 | Win2K-f | 91.63.70.197 (T-IPCONNECT.DE): DEUTSCHE TELEKOM AG, BERLIN, BERLIN, DE. (DSL) | 193.104.94.11:65520 | CN:proxim.ircgalaxy.pl CN:www.brans.pl CN:dl.guarddog2009.com :komojoke.cn CN:config1007.iwillhavesexygirls.com CN:maillist.iwillhavesexygirls.com EU:colopin.cn EU:91.206.201.39:80 | 445 | irc http 17 lines | Yeah : 1.3 profile | none
T:03:25:00 | WinXP | 87.122.245.26 (VERSANET.DE): VERSATEL DEUTSCHLAND, BOCHUM, NORDRHEIN-WESTFALEN, DE. (DSL) | n/a | | 445 | shell ftp 14 lines | Yeah : 1.3 profile | none
T:04:23:00 | Win2K-f | 114.206.24.52 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | 218.93.205.30:65520 | CN:proxim.ircgalaxy.pl US:microsoft.com :komojoke.cn :bfkq.com :jsactivity.com CN:dl.guarddog2009.com US:search.toptravellingtips.com EU:colopin.cn CN:www.petdoso.com CN:202.97.184.196:81 | 135 | irc http 213 lines | Yeah : 1.8 profile | none
T:04:24:00 | WinXP | 219.96.39.142 (THN.NE.JP): TOKAI CORPORATION, NUMAZU, SHIZUOKA, JP. (DSL) | n/a | US:microsoft.com | 135 | other 99 lines | Yeah : 1.3 profile | none
T:04:34:00 | Win2K-f | 76.211.85.50 (SBCGLOBAL.NET): AT&T INTERNET SERVICES, ST. LOUIS, MISSOURI, US. (DSL) | 218.93.205.30:65520 | :seekadvance.com GB:www.businesstomb.com :parkingeducation.com GB:www.thefreewebsitedirectory.co.uk :parkems.com US:search.biduplinks.co.uk | 445 | irc http 175 lines | Yeah : 1.3 profile | none
T:04:39:00 | WinXP | 92.247.208.92 (SPNET.NET): SPNET, BG. (DSL) | 193.104.94.11:65520 | CN:proxim.ircgalaxy.pl CN:www.brans.pl EU:colopin.cn CN:www.petdoso.com EU:streq.cn :horobl.cn | 445 | http irc 27 lines | Yeah : 1.3 profile | none
T:04:48:00 | Win2K-f | 64.231.45.200 (BELL.CA): BELL CANADA, TORONTO, ONTARIO, CA. (DSL) | n/a | :pictureor.com :setprogram.com :searchdaybed.com US:microsoft.com :search.easyaupair.com GB:www.easyaupair.com 173.45.105.218:8392 204.27.57.154:8392 GB:217.174.250.217:80 | 135 | http irc 272 lines | Argh : 0.3 profile | none
T:04:59:00 | Win2K-f | 201.29.80.88 (STERLINGSTUDENTS.NET): COMITE GESTOR DA INTERNET NO BRASIL, BR. (DSL) | n/a | :picturemin.com :jsactivity.com :www.setdisney.com US:asctivaste.info US:microsoft.com :www.google-analytics.com US:images.goldkey.com US:adserver.adtechus.com US:aka-cdn-ns.adtechus.com 173.45.105.218:8392 GB:212.117.177.140:80 | 135 | http 161 lines | Argh : 0.3 profile | none
T:05:10:00 | Win2K-f | 85.58.31.74 (DYNAMIC.ORANGE.ES): ADDRESSES IP FOR HOME CLIENTS, BARCELONA, CATALONIA, ES. (DSL) | 218.93.205.30:65520 | US:afflatus.info US:images.goldkey.com US:adserver.adtechus.com US:aka-cdn-ns.adtechus.com GB:www.businesstomb.com CN:proxim.ircgalaxy.pl CN:www.brans.pl CN:dl.guarddog2009.com :komojoke.cn CN:config1007.iwillhavesexygirls.com EU:colopin.cn CN:maillist.iwillhavesexygirls.com 204.27.57.154:8392 | 445 | http irc 54 lines | Yeah : 1.3 profile | none
T:05:49:00 | WinXP | 220.216.34.194 (TNC.NE.JP): TOKAI CORPORATION, TOKYO, TOKYO, JP. (DSL) | n/a | | 135 | other 592 lines | Yeah : 1.3 profile | none
T:06:14:00 | WinXP | 85.152.138.232 (CM-85-152-138-10.TELECABLE.ES): TELECABLE, OVIEDO, ASTURIAS, ES. (DSL) | n/a | RU:citi-bank.ru | 445 | http 1 line | Yeah : 0.8 profile | none
T:06:29:00 | WinXP | 130.13.147.207 (QWEST.NET): QWEST BROADBAND SERVICES INC, PHOENIX, ARIZONA, US. (DSL) | 213.219.245.212:80 | RU:citi-bank.ru | 445 | http 2 lines | Yeah : 1.3 profile | none
T:06:30:00 | WinXP | 121.121.140.235 (MAXIS.NET.MY): MAXIS BROADBAND SDN BHD, KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) | 213.219.245.212:80 | RU:citi-bank.ru | 445 | http 2 lines | Yeah : 1.3 profile | none
T:07:27:00 | WinXP | 70.184.216.231 (COX.NET): COX COMMUNICATIONS, OMAHA, NEBRASKA, US. (100Mbps) | n/a | US:microsoft.com | 135 | other 110 lines | Yeah : 1.3 profile | none
T:07:46:00 | WinXP | 98.101.106.156 (RR.COM): ROAD RUNNER HOLDCO LLC, HERNDON, VIRGINIA, US. (DSL) | n/a | RU:citi-bank.ru RU:213.219.245.212:80 | 445 | http 2 lines | Yeah : 0.8 profile | none
T:08:58:00 | WinXP | 186.9.169.122 (IMOVIL.ENTELPCS.CL): ENTEL PCS TELECOMUNICACIONES S.A, SANTIAGO, REGION METROPOLITANA, CL. (DSL) | n/a | RU:citi-bank.ru RU:213.219.245.212:80 | 445 | http 1 line | Yeah : 0.8 profile | none
T:09:40:00 | Win2K-f | 4.188.135.35 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, BELVIDERE, ILLINOIS, US. (DSL) | n/a | US:microsoft.com | 135 | other 78 lines | Yeah : 1.3 profile | none
T:11:26:00 | WinXP | 93.189.74.93 (-): JSC CELLULAR COMMUNICATIONS OF BASHKORTOSTAN, RU. (DSL) | n/a | EU:siliconfireware.ru US:searchportal.information.com US:spi.domainsponsor.com :wpad US:204.13.161.51:80 | 445 | http http http 7 lines | Yeah : 0.8 profile | none
T:12:32:00 | WinXP | 67.242.137.246 (RR.COM): ROAD RUNNER HOLDCO LLC, WELLSVILLE, NEW YORK, US. (DSL) | n/a | | 445 | shell ftp 14 lines | Yeah : 1.3 profile | none
T:13:05:00 | Win2K-f | 58.121.192.206 (HANANET.NET): HANARO TELECOM INC, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | n/a | US:microsoft.com | 135 | other 113 lines | Yeah : 1.3 profile | none
T:14:44:00 | Win2K-f | 61.218.193.250 (HINET.NET): CHUNGHWA TELECOM CO. LTD. DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (100Mbps) | n/a | US:microsoft.com | 135 | other 75 lines | Yeah : 1.3 profile | none
T:15:32:00 | Win2K-f | 66.241.171.121 (HUNTEL.NET): HUNTEL.NET, BLAIR, NEBRASKA, US. (DSL) | n/a | | 135 | other 19 lines | Yeah : 1.3 profile | none
T:16:34:00 | WinXP | 98.141.163.84 (CAVTEL.NET): CAVALIER TELEPHONE, PHILADELPHIA, PENNSYLVANIA, US. (DSL) | n/a | | 135 | other 18 lines | Yeah : 1.3 profile | none
T:17:26:00 | WinXP | 98.149.207.56 (RR.COM): ROAD RUNNER HOLDCO LLC, BAKERSFIELD, CALIFORNIA, US. (DSL) | n/a | :moscow-advokat.ru | 445 | http 1 line | Yeah : 0.8 profile | none
T:18:04:00 | WinXP | 76.177.110.99 (RR.COM): ROAD RUNNER HOLDCO LLC, WINCHESTER, KENTUCKY, US. (DSL) | n/a | | 445 | shell ftp 15 lines | Yeah : 1.3 profile | none
T:20:33:00 | Win2K-f | 68.148.240.127 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, EDMONTON, ALBERTA, CA. (DSL) | 92.240.234.164:3305 | AR:cx10man.weedns.com | 135 | irc 696 lines | Yeah : 1.8 profile | none
T:20:35:00 | WinXP | 71.116.212.170 (VERIZON.NET): VERIZON INTERNET SERVICES INC, LOS ANGELES, CALIFORNIA, US. (DSL) | n/a | US:microsoft.com | 135 | other 75 lines | Yeah : 1.3 profile | none
T:21:47:00 | WinXP | 211.245.103.182 (SONICANT.CO.KR): THRUNET CO. LTD, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | 193.104.94.11:65520 | CN:proxim.ircgalaxy.pl US:microsoft.com CN:www.brans.pl :komojoke.cn CN:config1007.iwillhavesexygirls.com CN:maillist.iwillhavesexygirls.com | 135 | irc http 144 lines | Yeah : 1.8 profile | none
T:21:53:00 | Win2K-f | 172.129.220.240 (AOL.COM): AMERICA ONLINE, RESTON, VIRGINIA, US. (DSL) | n/a | US:microsoft.com | 135 | other 140 lines | Yeah : 1.3 profile | none
T:22:19:00 | Win2K-f | 211.208.192.210 (HANANET.NET): HANARO TELECOM INC, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | n/a | US:microsoft.com | 135 | other 113 lines | Yeah : 1.3 profile | none
T:22:36:00 | WinXP | 67.55.182.123 (NETINS.NET): SULLY TELEPHONE ASSOCIATION, DES MOINES, IOWA, US. (DSL) | n/a | | 135 | other 18 lines | Yeah : 1.3 profile | none

Captured binaries

Time | Source IP | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings
T:00:07:00 | 83.97.246.3 | 32 of 32 | b502f83a7c NEW | 28f5be93b0 [0] | none:none | PolyEnE | none
T:00:19:00 | 110.14.205.41 | 23 of 41 | 3580d8b30c NEW | 9d6755a0ed [0] | none:none | Armadillo | none
T:00:19:00 | 110.14.205.41 | 5 of 41 | 54fedc66c1 NEW | 09a641355b [0] | none:none | StarForce | none
T:00:19:00 | 110.14.205.41 | 37 of 41 | 598636aa73 NEW | 613af3f9a2 [0] | none:none | Armadillo | none
T:00:19:00 | 110.14.205.41 | 15 of 41 | 83192a6119 NEW | fdc95e1fab [0] | none:none | none | none
T:00:19:00 | 110.14.205.41 | 38 of 41 | a57ddcdef0 NEW | none [4] | none:none | PolyEnE | none
T:00:35:00 | 91.63.70.197 | 23 of 41 | 3580d8b30c NEW | 9d6755a0ed [0] | none:none | Armadillo | none
T:00:35:00 | 91.63.70.197 | 5 of 41 | 54fedc66c1 NEW | 09a641355b [0] | none:none | StarForce | none
T:00:35:00 | 91.63.70.197 | 15 of 41 | 83192a6119 NEW | fdc95e1fab [0] | none:none | none | none
T:00:35:00 | 91.63.70.197 | 10 of 41 | b65cbfbc73 NEW | 25e284e2e5 [0] | none:none | StarForce | none
T:03:25:00 | 87.122.245.26 | 40 of 41 | 360349d884 NEW | 2f06bfa2ce [0] | none:none | none | none
T:04:23:00 | 114.206.24.52 | 17 of 41 | 1c5e79f5f4 NEW | none [4] | none:none | FSG | none
T:04:23:00 | 114.206.24.52 | 15 of 41 | 1fb2d22a72 NEW | 5521dc25e0 [0] | none:none | Neolite | none
T:04:23:00 | 114.206.24.52 | 30 of 33 | 6ec2a8994b NEW | 398aab9636 [0] | none:none | tElock | none
T:04:23:00 | 114.206.24.52 | 29 of 41 | 785e86954f NEW | c6edee8e8b [0] | none:none | PeStubOEP | none
T:04:23:00 | 114.206.24.52 | 29 of 41 | 9354673997 NEW | 60e874b776 [0] | none:none | none | none
T:04:23:00 | 114.206.24.52 | 0 of 41 | af694434d0 NEW | none [4] | none:none | none | none
T:04:23:00 | 114.206.24.52 | 2 of 35 | bcf66a38c8 NEW | 570133b348 [0] | none:none | Armadillo | none
T:04:23:00 | 114.206.24.52 | 13 of 41 | bd9617b7ed NEW | 084006c169 [0] | none:none | StarForce | none
T:04:24:00 | 219.96.39.142 | 40 of 41 | 2f859b417d NEW | 6228335a99 [0] | none:none | tElock | none
T:04:24:00 | 219.96.39.142 | 40 of 41 | f8b6f00e25 NEW | 61b9e19319 [0] | none:none | tElock | none
T:04:34:00 | 76.211.85.50 | 17 of 41 | 1c5e79f5f4 NEW | none [4] | none:none | FSG | none
T:04:34:00 | 76.211.85.50 | 15 of 41 | 1fb2d22a72 NEW | 5521dc25e0 [0] | none:none | Neolite | none
T:04:34:00 | 76.211.85.50 | 18 of 41 | 618ccd63ab NEW | f9cc5adff4 [0] | none:none | FSG | none
T:04:34:00 | 76.211.85.50 | 29 of 41 | 785e86954f NEW | c6edee8e8b [0] | none:none | PeStubOEP | none
T:04:34:00 | 76.211.85.50 | 15 of 41 | a0e59e4658 NEW | none [4] | none:none | Obsidium | none
T:04:34:00 | 76.211.85.50 | 40 of 41 | db8b1ad1b7 NEW | 00b341ed46 [0] | none:none | ASProtect | none
T:04:39:00 | 92.247.208.92 | 40 of 41 | 0db52c5b7e NEW | abf142b6d2 [0] | none:none | PolyEnE | none
T:04:39:00 | 92.247.208.92 | 17 of 41 | 1c5e79f5f4 NEW | none [4] | none:none | FSG | none
T:04:39:00 | 92.247.208.92 | 29 of 41 | 785e86954f NEW | c6edee8e8b [0] | none:none | PeStubOEP | none
T:04:39:00 | 92.247.208.92 | 3 of 41 | 8ad7f49981 NEW | eaacfaa7cc [0] | none:none | StarForce | none
T:04:39:00 | 92.247.208.92 | 15 of 41 | a0e59e4658 NEW | none [4] | none:none | Obsidium | none
T:04:39:00 | 92.247.208.92 | 40 of 41 | db8b1ad1b7 NEW | 00b341ed46 [0] | none:none | ASProtect | none
T:04:59:00 | 201.29.80.88 | 0 of 41 | 3cda08154d NEW | none [4] | none:none | none | none
T:05:10:00 | 85.58.31.74 | 23 of 41 | 3580d8b30c NEW | 9d6755a0ed [0] | none:none | Armadillo | none
T:05:10:00 | 85.58.31.74 | 5 of 41 | 54fedc66c1 NEW | 09a641355b [0] | none:none | StarForce | none
T:05:10:00 | 85.58.31.74 | 29 of 41 | 785e86954f NEW | c6edee8e8b [0] | none:none | PeStubOEP | none
T:05:10:00 | 85.58.31.74 | 3 of 41 | 8ad7f49981 NEW | eaacfaa7cc [0] | none:none | StarForce | none
T:05:10:00 | 85.58.31.74 | 29 of 41 | 9354673997 NEW | 60e874b776 [0] | none:none | none | none
T:05:49:00 | 220.216.34.194 | 40 of 41 | 0ace068c68 NEW | 0ace621749 [0] | none:none | StarForce | none
T:06:14:00 | 85.152.138.232 | 40 of 41 | eda3b7766c NEW | 7556343561 [0] | none:none | PolyEnE | none
T:06:29:00 | 130.13.147.207 | 39 of 41 | 912a073945 NEW | 7874c7f21e [0] | none:none | PolyEnE | none
T:06:30:00 | 121.121.140.235 | 39 of 41 | 912a073945 NEW | 7874c7f21e [0] | none:none | PolyEnE | none
T:07:27:00 | 70.184.216.231 | 39 of 41 | 3b3a6d7615 NEW | ed7beb96f5 [0] | none:none | Armadillo | none
T:07:27:00 | 70.184.216.231 | 40 of 41 | b7a694b220 NEW | 9f0354af30 [0] | none:none | tElock | none
T:07:46:00 | 98.101.106.156 | 26 of 28 | 7d99b0e910 NEW | none [0] | none:none | PolyEnE | lines=68
T:08:58:00 | 186.9.169.122 | 40 of 41 | 631d81b2cc NEW | 9732e5594a [0] | none:none | PolyEnE | none
T:09:40:00 | 4.188.135.35 | 33 of 33 | 53bfe15e91 NEW | 1473091351 [0] | ASM:Graph | tElock | lines=75 embedded dns
T:09:40:00 | 4.188.135.35 | 8 of 33 | b7082104e4 NEW | c5b49e7b82 [0] | ASM:Graph | tElock | lines=41
T:11:26:00 | 93.189.74.93 | 29 of 29 | df17a625ee NEW | none [0] | none:none | ASPack | lines=298 embedded dns
T:12:32:00 | 67.242.137.246 | 31 of 32 | 741e3b03b3 NEW | none [0] | none:none | none | lines=61
T:13:05:00 | 58.121.192.206 | 41 of 41 | 5213395833 NEW | 515eacbc36 [0] | none:none | tElock | none
T:13:05:00 | 58.121.192.206 | 6 of 41 | 9fdf6de4a9 NEW | 794f9a1087 [0] | none:none | Armadillo | none
T:14:44:00 | 61.218.193.250 | 33 of 33 | 53bfe15e91 NEW | 1473091351 [0] | ASM:Graph | tElock | lines=75 embedded dns
T:14:44:00 | 61.218.193.250 | 0 of 33 | 57ce4acac2 NEW | none [0] | none:none | Armadillo | lines=90
T:17:26:00 | 98.149.207.56 | 25 of 25 | 7f60162c2c NEW | none [0] | none:none | PolyEnE | lines=93 embedded dns
T:18:04:00 | 76.177.110.99 | 29 of 29 | 1a2c0e6130 NEW | none [0] | none:none | none | lines=60
T:20:33:00 | 68.148.240.127 | 34 of 41 | deffdf68e8 NEW | 2b011e15ba [0] | none:none | StarForce | none
T:20:35:00 | 71.116.212.170 | 33 of 33 | 53bfe15e91 NEW | 1473091351 [0] | ASM:Graph | tElock | lines=75 embedded dns
T:20:35:00 | 71.116.212.170 | 0 of 33 | a08f3b74a4 NEW | none [0] | none:none | Armadillo | lines=90
T:21:47:00 | 211.245.103.182 | 10 of 41 | 2fa130feec NEW | 8a06db2aef [0] | none:none | Armadillo | none
T:21:47:00 | 211.245.103.182 | 7 of 41 | 85c00cc118 NEW | none [3] | none:none | StarForce | none
T:21:47:00 | 211.245.103.182 | 29 of 32 | 8a75955033 NEW | 2bf3e548b9 [0] | ASM:Graph | tElock | lines=126 embedded dns
T:21:47:00 | 211.245.103.182 | 3 of 41 | 8ad7f49981 NEW | eaacfaa7cc [0] | none:none | StarForce | none
T:21:47:00 | 211.245.103.182 | 28 of 32 | 9276c8b36b NEW | none [0] | ASM:Graph | Armadillo | lines=81
T:21:53:00 | 172.129.220.240 | 33 of 33 | 53bfe15e91 NEW | 1473091351 [0] | ASM:Graph | tElock | lines=75 embedded dns
T:21:53:00 | 172.129.220.240 | 0 of 32 | 73f1082158 NEW | none [0] | none:none | Armadillo | lines=90
T:22:19:00 | 211.208.192.210 | 41 of 41 | 5213395833 NEW | 515eacbc36 [0] | none:none | tElock | none
T:22:19:00 | 211.208.192.210 | 6 of 41 | 9fdf6de4a9 NEW | 794f9a1087 [0] | none:none | Armadillo | none