Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page


UNCENSORED PAGE



01 December 2009

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes]

Table columns: Time | Victim | OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace
T:01:06:00 WinXP 74.214.47.11 (METROCAST.NET):
METROCAST COMMUNICATIONS,
KING GEORGE, VIRGINIA, US. (100Mbps)
194.109.11.65:6556 :0x80.my-secure.name
NL:0x80.my1x1.com
NL:0x80.martiansong.com
NL:0x80.goingformars.com
135 pcap raw alerts
ruleset
other
117 lines
Yeah : 1.8
profile
none summary
tarball
33 of 33 e30fb27bda
NEW
90ee26f451 [0] ASM:Graph
MEW| lines=185
embedded dns
trace
T:02:02:00 WinXP 203.193.142.243 (SOFT.NET):
SOFTWARE TECHNOLOGY PARKS OF INDIA,
RAURKELA, ORISSA, IN. (DSL)
n/a US:microsoft.com 135 pcap raw alerts
ruleset
other
110 lines
Yeah : 1.3
profile
none summary
tarball
38 of 41
39 of 41
2b47f2f06e
NEW
d02ed5d41f
NEW
none[none]
none [none]
none:none
none:none
none|none
none|none
none
none
none
none
T:02:06:00 Win2K-f 60.249.37.247 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL)
n/a US:microsoft.com 135 pcap raw alerts
ruleset
other
110 lines
Yeah : 1.3
profile
none summary
tarball
34 of 38
35 of 38
38ed850a0e
NEW
b9297745a1
NEW
46990f37cd [0]
4294884d84[0]
ASM:Graph
ASM:Graph
Armadillo|
tElock|
lines=91
lines=64
embedded dns
trace
trace
T:02:24:00 Win2K-f 24.109.47.235 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
SIDNEY, BRITISH COLUMBIA, CA. (DSL)
69.42.218.70:4545 :l33.ko0ppol.biz
US:130.107.190.174:42351
135 pcap raw alerts
ruleset
irc
200 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:02:24:00 Win2K-f 87.121.157.128 (TELECABLENET.COM):
/21 ASSIGNED FOR TELECABLE,
SOFIA, GRAD SOFIYA, BG. (DSL)
69.42.218.70:8585 :a11.je34ke5.net
US:130.107.248.161:23454
135 pcap raw alerts
ruleset
irc
337 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:02:44:00 WinXP 158.195.31.46 (UNIBA.SK):
COMENIUS UNIVERSITY BRATISLAVA,
BRATISLAVA, BRATISLAVA, SK. (DSL)
69.42.218.70:4545 :l33.ko0ppol.biz
US:130.107.182.250:50945
135 pcap raw alerts
ruleset
irc
57 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:02:45:00 WinXP 41.250.112.173 (IAM.NET.MA):
AFRINIC,
CASABLANCA, CASABLANCA, MA. (DSL)
69.42.218.70:8585 :a11.je34ke5.net
US:130.107.128.200:37267
135 pcap raw alerts
ruleset
irc
307 lines
Yeah : 1.8
profile
none summary
tarball
none none none none none none none
T:02:46:00 Win2K-f 189.102.3.115 (VIRTUA.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
SÃO PAULO, SAO PAULO, BR. (DSL)
69.42.218.70:4545 :l33.ko0ppol.biz
US:130.107.129.194:33115
135 pcap raw alerts
ruleset
irc
81 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:02:56:00 WinXP 24.109.59.172 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
SIDNEY, BRITISH COLUMBIA, CA. (DSL)
69.42.218.70:8585 :a11.je34ke5.net
:l33.ko0ppol.biz
US:130.107.128.200:2040
135 pcap raw alerts
ruleset
irc
153 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:02:57:00 Win2K-f 89.139.102.184 (NETVISION.NET.IL):
BROADBAND FOR PT,
TEL AVIV, TEL AVIV, IL. (DSL)
69.42.218.70:8585 :a11.je34ke5.net
US:130.107.189.159:41486
135 pcap raw alerts
ruleset
irc
272 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:03:23:00 WinXP 96.48.158.252 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
SURREY, BRITISH COLUMBIA, CA. (DSL)
n/a   135 pcap raw alerts
ruleset
other
19 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:03:37:00 Win2K-f 77.35.136.92 (SAKHALIN.RU):
OPEN JOINT STOCK COMPANY FAR EAST TELECOMMUNICATIONS COMPANY,
MOSCOW, MOSCOW CITY, RU. (DSL)
n/a   135 pcap raw alerts
ruleset
other
1 line
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:04:06:00 Win2K-f 87.205.80.142 (INETIA.PL):
INTERNETIA,
WARSAW, WARSZAWA, PL. (DSL)
69.42.218.70:8585 :a11.je34ke5.net
US:130.107.189.159:13468
135 pcap raw alerts
ruleset
irc
244 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:04:13:00 Win2K-f 219.96.17.231 (T-COM.NE.JP):
TOKAI CORPORATION,
HADANO, KANAGAWA, JP. (DSL)
69.42.218.70:8585 :a11.je34ke5.net
US:130.107.248.161:53188
135 pcap raw alerts
ruleset
irc
155 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:04:19:00 Win2K-f 88.174.29.38 (PROXAD.NET):
PROXAD / FREE SAS,
PARIS, ILE-DE-FRANCE, FR. (DSL)
69.42.218.70:4545 :l33.ko0ppol.biz
:a11.je34ke5.net
US:130.107.190.174:3643
135 pcap raw alerts
ruleset
irc
435 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:04:38:00 WinXP 201.236.92.83 (STATIC.TIE.CL):
TELEFONICA EMPRESAS,
SANTIAGO, REGION METROPOLITANA, CL. (DSL)
n/a   135 pcap raw alerts
ruleset
other
166 lines
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:04:41:00 WinXP 109.86.155.213 (JWS.COM):
EU-ZZ,
UK. (DSL)
n/a :a11.je34ke5.net
:l33.ko0ppol.biz
69.42.218.70:4545
69.42.218.70:8585
135 pcap raw alerts
ruleset
other
146 lines
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:04:52:00 Win2K-f 95.131.212.196 (-):
COMPUTERS AND PERIPHERALS LTD,
RU. (DSL)
69.42.218.70:4545 :l33.ko0ppol.biz
US:130.107.190.174:42050
135 pcap raw alerts
ruleset
irc
195 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:04:59:00 WinXP 82.235.32.160 (PROXAD.NET):
PROXAD / FREE SAS,
LYON, RHONE-ALPES, FR. (DSL)
69.42.218.70:8585 :a11.je34ke5.net
:l33.ko0ppol.biz
US:130.107.148.147:36216
69.42.218.70:8585
135 pcap raw alerts
ruleset
irc
203 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:05:10:00 Win2K-f 190.182.49.85 (METROTEL.NET.CO):
METROTEL REDES S.A,
BARRANQUILLA, ATLANTICO, CO. (DSL)
n/a :l33.ko0ppol.biz
:a11.je34ke5.net
69.42.218.70:4545
135 pcap raw alerts
ruleset
other
178 lines
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:05:11:00 Win2K-f 77.253.106.206 (INETIA.PL):
INTERNETIA,
WARSAW, WARSZAWA, PL. (DSL)
n/a   135 pcap raw alerts
ruleset
other
1 line
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:05:14:00 WinXP 114.37.31.169 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL)
n/a :l33.ko0ppol.biz
:a11.je34ke5.net
69.42.218.70:4545
69.42.218.70:8585
135 pcap raw alerts
ruleset
other
1 line
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:05:53:00 WinXP 8.15.172.216 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
BURTONSVILLE, MARYLAND, US. (DSL)
69.42.218.70:8585 :a11.je34ke5.net
US:130.107.153.147:20978
135 pcap raw alerts
ruleset
irc
186 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:05:54:00 Win2K-f 115.184.48.130 (PHOTONINFOTECH.COM):
RELIANCE COMMUNICATIONS LTD,
MUMBAI, MAHARASHTRA, IN. (DSL)
n/a :l33.ko0ppol.biz
:a11.je34ke5.net
69.42.218.70:4545
69.42.218.70:8585
135 pcap raw alerts
ruleset
other
1 line
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:06:00:00 WinXP 189.97.234.95 (VIVOZAP.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
SÃO PAULO, SAO PAULO, BR. (DSL)
n/a   135 pcap raw alerts
ruleset
other
1 line
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:06:24:00 Win2K-f 88.184.238.231 (PROXAD.NET):
PROXAD / FREE SAS,
FR. (DSL)
n/a   135 pcap raw alerts
ruleset
other
1 line
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:06:52:00 Win2K-f 92.85.159.174 (-):
SMALL CUSTOMERS,
BUCHAREST, BUCURESTI, RO. (DSL)
n/a   135 pcap raw alerts
ruleset
other
1 line
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:06:55:00 Win2K-f 87.121.30.112 (TELECABLENET.COM):
NETERRA-TELECABLENET2-NET,
SOFIA, GRAD SOFIYA, BG. (DSL)
69.42.218.70:4545 :l33.ko0ppol.biz
US:130.107.199.222:11207
69.42.218.70:4545
135 pcap raw alerts
ruleset
irc
10 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:07:08:00 WinXP 121.246.232.181 (VSNL.NET.IN):
INTERNET SERVICE PROVIDER,
HYDERABAD, ANDHRA PRADESH, IN. (DSL)
69.42.218.70:4545 :a11.je34ke5.net
:l33.ko0ppol.biz
US:130.107.218.150:21920
69.42.218.70:4545
69.42.218.70:8585
135 pcap raw alerts
ruleset
irc
27 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:07:26:00 WinXP 77.106.114.46 (-):
ANO INFORMATION NETWORKS,
MOSCOW, MOSCOW CITY, RU. (DSL)
n/a   135 pcap raw alerts
ruleset
other
1 line
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:07:29:00 Win2K-f 86.38.48.145 (ERDVES.LT):
POINT TO POINT CLIENT NETWORKS,
VILNIUS, VILNIAUS APSKRITIS, LT. (DSL)
n/a :a11.je34ke5.net
:l33.ko0ppol.biz
69.42.218.70:4545
69.42.218.70:8585
135 pcap raw alerts
ruleset
other
1 line
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:07:30:00 Win2K-f 92.84.242.48 (-):
SMALL CUSTOMERS,
BUCHAREST, BUCURESTI, RO. (DSL)
n/a   135 pcap raw alerts
ruleset
other
1 line
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:08:05:00 WinXP 124.123.156.135 (BEAMCABLESYSTEM.IN):
INTERNET TELEPHONY SERVICE PROVIDER,
HYDERABAD, ANDHRA PRADESH, IN. (DSL)
69.42.218.70:4545 :l33.ko0ppol.biz
:a11.je34ke5.net
US:130.107.176.220:25129
69.42.218.70:4545
135 pcap raw alerts
ruleset
irc
216 lines
Yeah : 1.3
profile
none summary
tarball
none none none none none none none
T:08:10:00 Win2K-f 188.16.214.226 (PERMONLINE.RU):
OJSC URALSVYAZINFORM,
MOSCOW, MOSCOW CITY, RU. (DSL)
n/a   135 pcap raw alerts
ruleset
other
2 lines
Yeah : 0.8
profile
none summary
tarball
none none none none none none none