Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

21 November 2009
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:25:00 WinXP 83.92.147.214 (DSL.TELE.DK):
TDC-TELEDANMARK-BREDBAANDSADSL-NET,
COPENHAGEN, KOBENHAVN, DK. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 1fcc146d70
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:00:27:00 WinXP 63.246.122.215 (ALTUSCGI.NET):
PRIVATE CABLE ISP SUBSCRIBER (GEORGETOWN SC MARKET),
GEORGETOWN, SOUTH CAROLINA, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:00:27:00 Win2K-f 211.120.156.219 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
TOKYO, TOKYO, JP. (DSL) 		n/a EE:www.starman.ee
FI:194.215.38.3:80
EE:62.65.192.24:80 		135 pcap raw alerts
ruleset 		other
0 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:00:33:00 WinXP 68.192.32.204 (OPTONLINE.NET):
OPTIMUM ONLINE (CABLEVISION SYSTEMS),
BAYONNE, NEW JERSEY, US. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:01:52:00 WinXP 220.219.3.18 (INFOWEB.NE.JP):
INFOWEB(FUJITSU LTD.),
TOKYO, TOKYO, JP. (DIAL) 		n/a   445 pcap raw alerts
ruleset 		ftp
13 lines 		Yeah : 0.8
profile 		none summary
tarball 		31 of 32 741e3b03b3
NEW 		none[0] none:none
 none|none lines=61 trace
T:02:12:00 WinXP 130.67.33.178 (ONLINE.NO):
NORTELE-H,
OSLO, OSLO, NO. (DIAL) 		212.54.2.171:3305 JP:cx10man.weedns.com
:fx010413.whyI.org
FI:gynoman.weedns.com
TH:g.0x20.biz
TH:c010x1.co.cc
AR:commgr.co.cc
FI:telephone.dd.blueline.be
RU:89.208.33.88:3305
92.240.234.164:3305 		445 pcap raw alerts
ruleset 		shell
ftp
irc
23 lines 		Yeah : 1.8
profile 		none summary
tarball 		22 of 41 75af48afe4
NEW 		7a25f9e3cf [0] none:none
 StarForce| none trace
T:02:44:00 Win2K-f 203.73.84.69 (SEED.NET.TW):
SEEDNET-KAOHSIUNGDP-S,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
57ce4acac2
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:02:51:00 WinXP 78.92.161.185 (T-ONLINE.HU):
T-ONLINE CATV CLIENT POOL,
BUDAPEST, BUDAPEST, HU. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 01c4a6b3eb
NEW 		dd524b0259 [0] none:none
 PolyEnE| none trace
T:02:59:00 WinXP 71.130.22.21 (PACBELL.NET):
WILLIAM MARTINEZ DBA,
PLANO, TEXAS, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
76 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:03:57:00 WinXP 77.23.71.48 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
BAYREUTH, BAYERN, DE. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		31 of 32 741e3b03b3
NEW 		none[0] none:none
 none|none lines=61 trace
T:04:22:00 WinXP 95.74.20.45 (-):
TELECOM ITALIA MOBILE,
LECCE, PUGLIA, IT. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:04:33:00 WinXP 83.29.204.81 (TPNET.PL):
NEOSTRADA PLUS,
LODZ, LODZKIE, PL. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		32 of 32 03f912899b
NEW 		none[0] none:none
 none|none lines=64 trace
T:04:52:00 Win2K-f 207.5.161.171 (SUSCOM-MAINE.NET):
GREAT WORKS INTERNET,
BRUNSWICK, MAINE, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:05:01:00 WinXP 121.121.13.44 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		38 of 40 cdbb312d0a
NEW 		8050e5ba3e [0] none:none
 PolyEnE| none trace
T:07:11:00 Win2K-f 173.28.209.195 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
CHANHASSEN, MINNESOTA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 40
38 of 40		 474acf88e5
NEW
68f0c14692
NEW 		1f53944b24 [0]
ccc1b24d53[0] 		none:none
none:none
 tElock|
Armadillo| 		none
none 		trace
trace
T:08:20:00 Win2K-f 203.90.78.131 (AKAMAITECHNOLOGIES.COM):
HCL INFINET LIMITED,
IN. (100Mbps) 		200.49.145.197:3305 TH:cx10man.weedns.com
RU:fx010413.whyI.org
JP:gynoman.weedns.com
AR:c010x1.co.cc
:commgr.co.cc
AR:g.0x20.biz
FI:telephone.dd.blueline.be
AR:phonewire.dd.blueline.be
FI:212.54.2.171:3305
RU:89.208.33.88:3305
92.240.234.164:3305 		135 pcap raw alerts
ruleset 		irc
574 lines 		Yeah : 1.8
profile 		none summary
tarball 		39 of 40 70ec5c4b3f
NEW 		f697adabdd [0] none:none
 StarForce| none trace
T:08:56:00 WinXP 125.58.94.139 (STARCAT.NE.JP):
KMN CORPORATION,
NAGOYA, TOKYO, JP. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
1017 lines 		Yeah : 1.3
profile 		none summary
tarball 		12 of 41 c4ea67cbf4
NEW 		none[none] none:none
 none|none none none
T:10:12:00 WinXP 219.70.60.149 (GIGA.NET.TW):
HOSHIN MULTIMEDIA CENTER INC,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
57ce4acac2
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:10:56:00 WinXP 96.234.78.203 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
LIVINGSTON, NEW JERSEY, US. (DSL) 		92.240.234.164:3305 AR:cx10man.weedns.com 135 pcap raw alerts
ruleset 		irc
700 lines 		Yeah : 1.8
profile 		none summary
tarball 		28 of 41 b8076e37ae
NEW 		52953fed05 [0] none:none
 StarForce| none trace
T:10:56:00 WinXP 71.196.219.143 (COMCAST.NET):
COMCAST CABLE COMMUNICATIONS IP SERVICES,
DENVER, COLORADO, US. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		32 of 32 5818023061
NEW 		none[0] ASM:Graph
 PolyEnE| lines=68 trace
T:11:52:00 WinXP 98.141.17.158 (CAVTEL.NET):
CAVALIER TELEPHONE,
HAMPTON, VIRGINIA, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:12:06:00 Win2K-f 94.3.213.150 (SKY.COM):
SKY BROADBAND,
ELGIN, SCOTLAND, UK. (DSL) 		n/a EE:www.starman.ee
US:microsoft.com
FI:194.215.38.3:80
EE:62.65.192.24:80 		445 pcap raw alerts
ruleset 		other
0 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:12:42:00 WinXP 190.185.18.38 (NODE-BE0B9E0A.SCARLET.AN):
SCARLET B.V,
WILLEMSTAD, CURACAO, AN. (DSL) 		n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 912a073945
NEW 		7874c7f21e [0] none:none
 PolyEnE| none trace
T:13:02:00 WinXP 190.174.98.139 (COM.AR):
TELEFONICA DE ARGENTINA,
BUENOS AIRES, BUENOS AIRES, AR. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
14 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 1a2c0e6130
NEW 		none[0] none:none
 none|none lines=60 trace
T:13:39:00 WinXP 72.66.8.36 (VERIZON.NET):
GAIP INC,
VIENNA, VIRGINIA, US. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:13:49:00 WinXP 201.69.98.27 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) 		193.104.94.11:65520 FR:proxim.ircgalaxy.pl
CN:www.brans.pl
EU:colopin.cn
:komojoke.cn
CN:www.petdoso.com
CN:202.97.184.196:81 		445 pcap raw alerts
ruleset 		http
irc
16 lines 		Yeah : 1.3
profile 		none summary
tarball 		10 of 41
17 of 41
29 of 41
6 of 41
39 of 41		 10d7bf9665
NEW
1c5e79f5f4
NEW
785e86954f
NEW
e878f3306f
NEW
ef60e90596
NEW 		none[none]
none [4]
c6edee8e8b[0]
none [none]
none [none] 		none:none
none:none
none:none
none:none
none:none
 none|none
FSG|
PeStubOEP|
none|none
none|none 		none
none
none
none
none 		none
trace
trace
none
none
T:14:14:00 WinXP 64.33.132.6 (AIRSTREAMCOMM.NET):
TRI COUNTY TELEPHONE,
WISCONSIN, US. (DIAL) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 0cfab99612
NEW 		none[0] ASM:Graph
 PolyEnE| lines=68 trace
T:14:35:00 WinXP 70.167.73.201 (COX.NET):
COX COMMUNICATIONS,
OCEANSIDE, CALIFORNIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:14:44:00 Win2K-f 67.125.140.230 (PACBELL.NET):
AT&T INTERNET SERVICES,
FRESNO, CALIFORNIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:15:15:00 WinXP 186.9.174.72 (IMOVIL.ENTELPCS.CL):
ENTEL PCS TELECOMUNICACIONES S.A,
SANTIAGO, REGION METROPOLITANA, CL. (DSL) 		n/a :moscow-advokat.ru
:lia.zanet.net 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		none summary
tarball 		25 of 25 7f60162c2c
NEW 		none[0] none:none
 PolyEnE| lines=93
embedded dns 		trace
T:15:24:00 WinXP 88.28.245.138 (RIMA-TDE.NET):
TELEFONICA MOVILES ESPANA (NCC#2007041930),
MADRID, MADRID, ES. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41 79636fd2b5
NEW 		none[none] none:none
 none|none none none
T:15:59:00 Win2K-f 4.177.18.134 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
SAN DIEGO, CALIFORNIA, US. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
141 lines 		Yeah : 1.3
profile 		none summary
tarball 		37 of 41 47d3548e36
NEW 		ab13346633 [0] none:none
 Armadillo| none trace
T:16:31:00 WinXP 72.225.235.143 (RR.COM):
ROAD RUNNER HOLDCO LLC,
NEW YORK, NEW YORK, US. (100Mbps) 		n/a :moscow-advokat.ru
SE:viking.dal.net
SE:coins.dal.net
SE:vancouver.dal.net
SE:ced.dal.net
:gaspode.zanet.org.za 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		none summary
tarball 		25 of 25 7f60162c2c
NEW 		none[0] none:none
 PolyEnE| lines=93
embedded dns 		trace
T:16:46:00 WinXP 71.79.6.12 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CINCINNATI, OHIO, US. (DSL) 		n/a EU:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
GB:new.egg.com
:wpad 		445 pcap raw alerts
ruleset 		http
http
http
http
42 lines 		Yeah : 0.8
profile 		none summary
tarball 		29 of 29 a12cab51ef
NEW 		none[0] none:none
 ASPack| lines=281
embedded dns 		trace
T:16:52:00 WinXP 63.17.2.234 (UU.NET):
UUNET TECHNOLOGIES INC,
CHEHALIS, WASHINGTON, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:17:06:00 WinXP 98.30.117.179 (RR.COM):
ROAD RUNNER HOLDCO LLC,
UPPER SANDUSKY, OHIO, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
79 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:17:39:00 Win2K-f 202.45.170.4 (CCNET-AI.NE.JP):
COMMUNITY NETWORK CENTER INC,
TOYOKAWA, AICHI, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32
33 of 33		 07fabc79ef
NEW
53bfe15e91
NEW 		none[0]
1473091351[0] 		ASM:Graph
ASM:Graph
 Armadillo|
tElock| 		lines=81
lines=75
embedded dns 		trace
trace
T:18:08:00 WinXP 124.66.254.101 (FCH.NE.JP):
FUREAI CHANNEL INC,
HIROSHIMA, HIROSHIMA, JP. (DSL) 		n/a US:www.altavista.com
US:www.yahoo.com
:jbeegvia.ru 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		31 of 32 17028f1eda
NEW 		none[3] none:none
 tElock| none trace