Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace |
T:00:18:00 | Win2K-f | 211.245.103.182 (SONICANT.CO.KR): THRUNET CO. LTD, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) |
193.104.94.11:65520 | US:microsoft.com CN:proxim.ircgalaxy.pl CN:dl.guarddog2009.com EU:colopin.cn FR:193.104.94.11:65520 |
135 | pcap | raw alerts ruleset |
irc http 140 lines |
Yeah : 1.8 profile |
none | summary tarball |
29 of 41 15 of 41 29 of 32 28 of 32 |
785e86954f NEW 83192a6119 NEW 8a75955033 NEW 9276c8b36b NEW |
c6edee8e8b [0] fdc95e1fab[0] 2bf3e548b9[0] none [0] |
none:none none:none ASM:Graph ASM:Graph |
PeStubOEP| none|none tElock| Armadillo| |
none none lines=126 embedded dns lines=81 |
trace trace trace trace |
T:02:10:00 | Win2K-f | 172.164.211.123 (AOL.COM): AMERICA ONLINE, US. (DIAL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 90 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
T:03:30:00 | WinXP | 110.9.234.154 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 113 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 41 5 of 41 |
14f47ffd1e NEW 50437008d9 NEW |
90bf4b99ff [0] c1b09ac5d7[0] |
none:none none:none |
tElock| Armadillo| |
none none |
trace trace |
T:03:41:00 | Win2K-f | 70.60.117.169 (RR.COM): ROAD RUNNER HOLDCO LLC, CHARLOTTE, NORTH CAROLINA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 5 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
T:03:46:00 | WinXP | 91.67.10.238 (SUPERKABEL.DE): KABEL-DEUTSCHLAND-CUSTOMER-SERVICES, BERLIN, BERLIN, DE. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 15 lines |
Yeah : 1.3 profile |
none | summary tarball |
29 of 29 | 1a2c0e6130 NEW |
none[0] | none:none |
none|none | lines=60 | trace | |
T:05:07:00 | Win2K-f | 207.5.161.171 (SUSCOM-MAINE.NET): GREAT WORKS INTERNET, BRUNSWICK, MAINE, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
T:05:36:00 | WinXP | 78.251.245.90 (PROXAD.NET): PROXAD INTERNET SERVICE PROVIDER IN FRANCE, FR. (DSL) |
n/a | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
39 of 41 | 912a073945 NEW |
7874c7f21e [0] | none:none |
PolyEnE| | none | trace |
T:05:50:00 | WinXP | 83.97.246.3 (CM-93-156-61-10.TELECABLE.ES): TELECABLE, BARCELONA, CATALONIA, ES. (DSL) |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
32 of 32 | b502f83a7c NEW |
28f5be93b0 [0] | none:none |
PolyEnE| | none | trace |
T:06:36:00 | Win2K-f | 125.4.6.206 (ZAQ.NE.JP): J:COM WEST CO. LTD, OSAKA, OSAKA, JP. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 33 of 33 |
07fabc79ef NEW 53bfe15e91 NEW |
none[0] 1473091351[0] |
ASM:Graph ASM:Graph |
Armadillo| tElock| |
lines=81 lines=75 embedded dns |
trace trace |
T:06:57:00 | WinXP | 121.121.204.94 (MAXIS.NET.MY): MAXIS BROADBAND SDN BHD, KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) |
n/a | :moscow-advokat.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
38 of 41 | 4d429bb27b NEW |
none[none] | none:none |
none|none | none | none |
T:07:48:00 | WinXP | 96.10.90.82 (RR.COM): ROAD RUNNER HOLDCO LLC, RALEIGH, NORTH CAROLINA, US. (DSL) |
n/a | 135 | pcap | raw alerts ruleset |
other 605 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 | b2c6d4a8bb NEW |
none[none] | none:none |
none|none | none | none | |
T:07:54:00 | WinXP | 117.254.246.228 (STERLINGSTUDENTS.NET): NIB (NATIONAL INTERNET BACKBONE), NEW DELHI, DELHI, IN. (DSL) |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 3 lines |
Yeah : 1.3 profile |
none | summary tarball |
35 of 35 | 9716d7995a NEW |
c3a5354b6f [0] | none:none |
PolyEnE| | none | trace |
T:08:16:00 | WinXP | 69.193.74.22 (RR.COM): ROAD RUNNER HOLDCO LLC, HERNDON, VIRGINIA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
T:08:39:00 | Win2K-f | 65.191.118.171 (RR.COM): ROAD RUNNER HOLDCO LLC, FAYETTEVILLE, NORTH CAROLINA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 33 33 of 33 |
4c3df24b32 NEW 53bfe15e91 NEW |
none[0] 1473091351[0] |
ASM:Graph ASM:Graph |
Armadillo| tElock| |
lines=81 lines=75 embedded dns |
trace trace |
T:09:19:00 | WinXP | 4.161.167.247 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, LEWISVILLE, TEXAS, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 116 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 38 of 41 |
02674c9a56 NEW 25eae40389 NEW |
0da2cae967 [0] 1e0aae0aeb[0] |
none:none none:none |
tElock| Armadillo| |
none none |
trace trace |
T:09:23:00 | WinXP | 83.29.217.138 (TPNET.PL): NEOSTRADA PLUS, LODZ, LODZKIE, PL. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 15 lines |
Yeah : 1.3 profile |
none | summary tarball |
32 of 32 | 03f912899b NEW |
none[0] | none:none |
none|none | lines=64 | trace | |
T:09:52:00 | Win2K-f | 173.19.214.222 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, IOWA CITY, IOWA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 41 39 of 41 |
5e3a9c2d9d NEW 630308d06b NEW |
dbc48b815a [0] 847d302e37[0] |
none:none none:none |
tElock| Armadillo| |
none none |
trace trace |
T:10:06:00 | WinXP | 114.48.43.91 (E-MOBILE.NE.JP): EMOBILE LTD, YOKOHAMA, KANAGAWA, JP. (DSL) |
n/a | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
40 of 41 | 07cd99a10b NEW |
none[none] | none:none |
none|none | none | none |
T:10:29:00 | WinXP | 88.161.40.7 (PROXAD.NET): PROXAD / FREE SAS, PARIS, ILE-DE-FRANCE, FR. (DSL) |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 | 61ab3a71eb NEW |
none[none] | none:none |
none|none | none | none |
T:11:15:00 | WinXP | 190.156.223.78 (CABLE.NET.CO): TV CABLE S.A, SANTAFÉ DE BOGOTÁ, DISTRITO ESPECIAL, CO. (DSL) |
n/a | RU:citi-bank.ru RU:213.219.245.212:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
39 of 41 | d53d2baf56 NEW |
none[none] | none:none |
none|none | none | none |
T:11:40:00 | Win2K-f | 4.183.140.55 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, WINTER HAVEN, FLORIDA, US. (DSL) |
n/a | 135 | pcap | raw alerts ruleset |
other 150 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 40 | 555fe42b9d NEW |
none[none] | none:none |
none|none | none | none | |
T:11:54:00 | WinXP | 188.192.47.113 (SUPERKABEL.DE): KABEL-DEUTSCHLAND-CUSTOMER-SERVICES, DE. (DSL) |
n/a | DE:siliconfireware.ru US:searchportal.information.com US:spi.domainsponsor.com :wpad RU:www.bbin.ru RU:195.200.213.54:80 |
445 | pcap | raw alerts ruleset |
http http http http 20 lines |
Yeah : 0.8 profile |
none | summary tarball |
29 of 29 | df17a625ee NEW |
none[0] | none:none |
ASPack| | lines=298 embedded dns |
trace |
T:12:37:00 | WinXP | 4.138.35.31 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, NORTH CAROLINA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 111 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 39 of 41 |
a37cd9a568 NEW e3e0aa4c3c NEW |
none[none] none [none] |
none:none none:none |
none|none none|none |
none none |
none none |
T:13:13:00 | Win2K-f | 24.234.68.126 (COX.NET): COX COMMUNICATIONS INC, LAS VEGAS, NEVADA, US. (100Mbps) |
n/a | FI:194.215.38.3:80 EE:62.65.192.24:80 |
135 | pcap | raw alerts ruleset |
other 5 lines |
Argh : 0.3 profile |
none | summary tarball |
none | none | none | none | none | none | none |
T:13:26:00 | Win2K-f | 4.227.254.141 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, BROOMFIELD, COLORADO, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 109 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 33 |
53bfe15e91 NEW a08f3b74a4 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
T:17:05:00 | WinXP | 74.65.164.131 (RR.COM): ROAD RUNNER HOLDCO LLC, SOUTH PORTLAND, MAINE, US. (DSL) |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
T:17:10:00 | WinXP | 89.204.230.186 (O2.IE): O2 IRELAND MOBILE PHONE OPERATOR, DUBLIN, DUBLIN, IE. (DSL) |
n/a | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 1.3 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
T:17:19:00 | WinXP | 24.209.253.99 (RR.COM): ROAD RUNNER HOLDCO LLC, CINCINNATI, OHIO, US. (100Mbps) |
n/a | RU:citi-bank.ru RU:213.219.245.212:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
29 of 29 | 3ae357d17b NEW |
none[0] | ASM:Graph |
PolyEnE| | lines=73 | trace |
T:18:16:00 | Win2K-f | 203.91.160.116 (STARCAT.NE.JP): KMN CORPORATION, NAGOYA, TOKYO, JP. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 59 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 8 of 33 |
53bfe15e91 NEW b7082104e4 NEW |
1473091351 [0] c5b49e7b82[0] |
ASM:Graph ASM:Graph |
tElock| tElock| |
lines=75 embedded dns lines=41 |
trace trace |
T:18:21:00 | WinXP | 114.32.140.186 (HINET.NET): CHTD CHUNGHWA TELECOM CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) |
193.104.94.11:65520 218.93.205.30:65520 | CN:proxim.ircgalaxy.pl CN:dl.guarddog2009.com :komojoke.cn CN:config1007.iwillhavesexygirls.com CN:maillist.iwillhavesexygirls.com EU:colopin.cn CN:russia.2288.org CN:www.petdoso.com CN:www.brans.pl :bfkq.com :jsactivity.com CN:202.97.184.196:81 CN:218.93.205.19:80 CN:222.73.204.229:88 EU:91.206.201.39:80 |
445 | pcap | raw alerts ruleset |
shell ftp irc http 58 lines |
Yeah : 1.8 profile |
none | summary tarball |
17 of 41 6 of 41 29 of 41 38 of 40 11 of 41 15 of 41 12 of 41 14 of 41 |
1c5e79f5f4 NEW 37795a29d0 NEW 785e86954f NEW 7bc8d57d8c NEW 821accf421 NEW 83192a6119 NEW b950c2f278 NEW f91ada07e0 NEW |
none[4] none [none] c6edee8e8b[0] be025ab204[0] none [none] fdc95e1fab[0] none [none] none [none] |
none:none none:none none:none none:none none:none none:none none:none none:none |
FSG| none|none PeStubOEP| none|none none|none none|none none|none none|none |
none none none none none none none none |
trace none trace trace none trace none none |
T:18:30:00 | WinXP | 74.65.164.131 (RR.COM): ROAD RUNNER HOLDCO LLC, SOUTH PORTLAND, MAINE, US. (DSL) |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
T:19:05:00 | WinXP | 114.48.200.56 (E-MOBILE.NE.JP): EMOBILE LTD, TOKYO, TOKYO, JP. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 16 lines |
Yeah : 1.3 profile |
none | summary tarball |
37 of 40 | 5285741560 NEW |
60590b8b67 [0] | ASM:Graph |
none|none | lines=59 | trace | |
T:19:15:00 | WinXP | 66.216.199.118 (NEWNANUTILITIES.ORG): NEWNAN UTILITIES, NEWNAN, GEORGIA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 41 38 of 41 |
329832e822 NEW 33acd5f772 NEW |
none[none] none [none] |
none:none none:none |
none|none none|none |
none none |
none none |
T:20:10:00 | Win2K-f | 70.167.81.191 (COX.NET): COX COMMUNICATIONS, WARNER ROBINS, GEORGIA, US. (DSL) |
218.93.205.30:65520 | CN:proxim.ircgalaxy.pl US:microsoft.com CN:dl.guarddog2009.com EU:colopin.cn CN:www.petdoso.com CN:202.97.184.196:81 |
135 | pcap | raw alerts ruleset |
irc http 141 lines |
Yeah : 1.8 profile |
none | summary tarball |
17 of 41 29 of 41 15 of 41 32 of 33 29 of 33 |
1c5e79f5f4 NEW 785e86954f NEW 83192a6119 NEW 87e1117f2a NEW b4fe4581c3 NEW |
none[4] c6edee8e8b[0] fdc95e1fab[0] 3ff643aae6[0] 599b835896[0] |
none:none none:none none:none none:none none:none |
FSG| PeStubOEP| none|none tElock| Armadillo| |
none none none none none |
trace trace trace trace trace |
T:20:54:00 | WinXP | 60.56.72.118 (EONET.NE.JP): K-OPTICOM CORPORATION, ASHIYA, HYOGO, JP. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 15 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 40 | 8ab0fb88b8 NEW |
968cc91789 [0] | none:none |
none|none | none | trace | |
T:22:31:00 | Win2K-f | 202.212.240.101 (-): PHILLIPS MURRAY, TOKYO, TOKYO, JP. (100Mbps) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 79 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 33 |
53bfe15e91 NEW a08f3b74a4 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |