Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

02 December 2009
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:09:24:00 WinXP 68.203.227.86 (RR.COM):
ROAD RUNNER HOLDCO LLC,
ORANGE, TEXAS, US. (100Mbps) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 32 of 32 b502f83a7c
NEW 28f5be93b0 [0] none:none
PolyEnE| none trace

T:10:09:00 Win2K-f 24.234.68.126 (COX.NET):
COX COMMUNICATIONS INC,
LAS VEGAS, NEVADA, US. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:10:55:00 WinXP 64.188.216.108 (-):
WINDJAMMER COMMUNICATIONS LLC,
LIBERAL, KANSAS, US. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
13 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:10:55:00 WinXP 109.86.13.138 (JWS.COM):
EU-ZZ,
UK. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 41 81d48d18af
NEW 8b8f52fb93 [0] none:none
PolyEnE| none trace

T:11:10:00 WinXP 186.124.226.244 (-):
. 213.219.245.212:80 RU:citi-bank.ru
DE:kidos-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 39 of 41 c1918274c2
NEW none[none] none:none
none|none none none

T:12:21:00 WinXP 196.219.91.129 (TEDATA.NET):
PPPOE-DSL,
CAIRO, AL QAHIRAH, EG. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:12:45:00 WinXP 70.168.6.215 (COX.NET):
COX COMMUNICATIONS,
WEST WARWICK, RHODE ISLAND, US. (DSL) n/a :gg.arrancar.org 135 pcap raw alerts
ruleset other
357 lines Yeah : 1.3
profile none summary
tarball 39 of 41 74ca348885
NEW 8b0bf5ec45 [0] none:none
none|none none trace

T:15:30:00 WinXP 69.193.74.22 (RR.COM):
ROAD RUNNER HOLDCO LLC,
HERNDON, VIRGINIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:15:58:00 WinXP 114.48.165.245 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
16 lines Yeah : 1.3
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:17:43:00 WinXP 174.7.224.199 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CA. (DSL) n/a 135 pcap raw alerts
ruleset other
593 lines Yeah : 1.3
profile none summary
tarball 40 of 41 1f759e65c9
NEW none[none] none:none
none|none none none

T:17:46:00 WinXP 174.3.75.74 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
TORONTO, ONTARIO, CA. (100Mbps) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 39 of 41 d8040f84d4
NEW none[none] none:none
none|none none none

T:22:16:00 WinXP 69.85.123.4 (ELLIJAY.COM):
ELLIJAY COMMUNITY TELEVISION,
ELLIJAY, GEORGIA, US. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 35 of 35 9716d7995a
NEW c3a5354b6f [0] none:none
PolyEnE| none trace

T:22:37:00 Win2K-f 80.92.180.198 (-):
MIXED-CUSTOMERS,
GE. (DSL) 69.42.218.70:8585 :a11.je34ke5.net
US:130.107.239.200:26846 135 pcap raw alerts
ruleset irc
http
10 lines Yeah : 1.3
profile none summary
tarball 10 of 41 00efdf0ec6
NEW none[none] none:none
none|none none none

T:22:45:00 WinXP 203.91.184.97 (STARCAT.NE.JP):
KMN CORPORATION,
NAGOYA, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:22:45:00 WinXP 209.33.46.124 (CEBRIDGE.NET):
JASONVILLE IN CUSTOMERS,
JASONVILLE, INDIANA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
96 lines Yeah : 1.3
profile none summary
tarball 39 of 40
0 of 33 7d20fe8724
NEW
a08f3b74a4
NEW none[none]
none [0] none:none
none:none
none|none
Armadillo| none
lines=90 none
trace

T:23:05:00 Win2K-f 173.28.203.45 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
CHANHASSEN, MINNESOTA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
39 of 41 10759405e0
NEW
d08e00dfaf
NEW 292d343248 [0]
854c49d8c4[0] none:none
none:none
Armadillo|
tElock| none
none trace
trace