Where one infection yielded two binaries, the per-binary columns list both values separated by ';'; the Packer PEID column writes its paired result as a/b.

Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace
T:00:37:00 | WinXP | 202.160.42.172 (ESPEED23-10.BRUNET.BN): JABATAN TELEKOM BRUNEI, BANDAR SERI BEGAWAN, BRUNEI AND MUARA, BN. (DSL) | 69.42.218.70:4545 | :l33.ko0ppol.biz US:130.107.181.133:8619 | 135 | pcap | raw alerts ruleset | irc http 175 lines | Yeah : 1.3 profile | none | summary tarball | 10 of 41 | 00efdf0ec6 NEW | none [none] | none:none | none/none | none | none
T:01:34:00 | WinXP | 196.219.91.129 (TEDATA.NET): PPPOE-DSL, CAIRO, AL QAHIRAH, EG. (DSL) | 213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none [0] | none:none | PolyEnE/ | lines=68 | trace
T:02:19:00 | WinXP | 173.22.161.160 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, SPRINGFIELD, MISSOURI, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 113 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41; 39 of 41 | 3bff218b8f NEW; 7eaf7b4470 NEW | b570b734be [0]; 8e0b194526 [0] | none:none; none:none | tElock/; Armadillo/ | none; none | trace; trace
T:02:22:00 | Win2K-f | 68.146.136.164 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, CALGARY, ALBERTA, CA. (DSL) | 92.240.234.164:3305 | :cx10man.weedns.com | 135 | pcap | raw alerts ruleset | irc 608 lines | Yeah : 1.8 profile | none | summary tarball | 39 of 41 | 9ce56f9f19 NEW | 261c9da48f [0] | none:none | StarForce/ | none | trace
T:03:24:00 | Win2K-f | 113.253.10.32 (HUTCHCITY.COM): HUTCHISON GLOBAL COMMUNICATIONS, HONG KONG, HONG KONG (SAR), HK. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 99 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41; 39 of 41 | 05c067661e NEW; c0ffed1019 NEW | none [none]; none [none] | none:none; none:none | none/none; none/none | none; none | none; none
T:03:37:00 | WinXP | 72.64.30.16 (VERIZON.NET): VERIZON INTERNET SERVICES INC, CHARLESTON, WEST VIRGINIA, US. (100Mbps) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 32 | 53bfe15e91 NEW; 73f1082158 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock/; Armadillo/ | lines=75 embedded dns; lines=90 | trace; trace
T:04:05:00 | WinXP | 24.234.68.126 (COX.NET): COX COMMUNICATIONS INC, LAS VEGAS, NEVADA, US. (100Mbps) | n/a | | 135 | pcap | raw alerts ruleset | other 69 lines | Yeah : 1.3 profile | none | summary tarball | 18 of 35; 0 of 33 | 218ce30f5c NEW; a08f3b74a4 NEW | none [3]; none [0] | none:none; none:none | none/none; Armadillo/ | none; lines=90 | trace; trace
T:04:12:00 | Win2K-f | 219.71.189.33 (GIGA.NET.TW): HOSHIN MULTIMEDIA CENTER INC, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 69 lines | Yeah : 1.3 profile | none | summary tarball | 18 of 35; 0 of 33 | 218ce30f5c NEW; 57ce4acac2 NEW | none [3]; none [0] | none:none; none:none | none/none; Armadillo/ | none; lines=90 | trace; trace
T:16:37:00 | Win2K-f | 4.138.200.92 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, CHICOPEE, MASSACHUSETTS, US. (DIAL) | n/a | | 135 | pcap | raw alerts ruleset | other 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:19:18:00 | Win2K-f | 70.184.208.123 (COX.NET): COX COMMUNICATIONS, COUNCIL BLUFFS, IOWA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 117 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41; 40 of 41 | 3b3a6d7615 NEW; b7a694b220 NEW | ed7beb96f5 [0]; 9f0354af30 [0] | none:none; none:none | Armadillo/; tElock/ | none; none | trace; trace
T:19:31:00 | WinXP | 211.20.211.136 (-): TAINAN LI JIN FU YI COMMUNITY, TAINAN, T'AI-WAN, TW. (100Mbps) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 112 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41; 38 of 41 | 3f136c55b3 NEW; ac394d7d5f NEW | f4e18974f3 [0]; c9a79e75f5 [0] | none:none; none:none | tElock/; Armadillo/ | none; none | trace; trace
T:19:36:00 | Win2K-f | 99.155.20.126 (SBCGLOBAL.NET): AT&T INTERNET SERVICES, PEORIA, ILLINOIS, US. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 42 lines | Yeah : 1.3 profile | none | summary tarball | 4 of 41 | bf6d8dad4f NEW | none [none] | none:none | none/none | none | none
T:20:47:00 | Win2K-f | 70.167.81.191 (COX.NET): COX COMMUNICATIONS, WARNER ROBINS, GEORGIA, US. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:22:21:00 | Win2K-f | 222.56.118.53 (HERBALQC.COM): CHINA RAILWAY TELECOMMUNICATIONS CENTER, BEIJING, BEIJING, CN. (DSL) | 69.42.218.70:4545 | :l33.ko0ppol.biz US:130.107.185.224:39417 | 135 | pcap | raw alerts ruleset | irc 10 lines | Yeah : 1.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:22:33:00 | Win2K-f | 66.216.199.118 (NEWNANUTILITIES.ORG): NEWNAN UTILITIES, NEWNAN, GEORGIA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 38 of 41; 38 of 41 | 329832e822 NEW; 33acd5f772 NEW | none [none]; none [none] | none:none; none:none | none/none; none/none | none; none | none; none
T:22:40:00 | Win2K-f | 75.15.177.96 (PACBELL.NET): AT&T INTERNET SERVICES, BAKERSFIELD, CALIFORNIA, US. (100Mbps) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 111 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41; 40 of 41 | 1e12f5145a NEW; f208493e65 NEW | 617af909de [0]; 5100adb4f9 [0] | none:none; none:none | Armadillo/; tElock/ | none; none | trace; trace