Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page


UNCENSORED PAGE



16 December 2009

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Columns of the infection table (one record per infection; a record with several captured binaries lists one binary line per capture):
  Time; Victim OS; Infection Source; C&C Server; DNS Lookups & Failed Connects; Infection Port; Packet Trace; Detection Signatures; Infection Chatter; BotHunter Analysis; Behavioral Cluster; Forensic Logs; Antivirus Labels; Packed Malware_Binary; Unpacked egg.exe; Unpacked egg.asm; Packer PEID; Data Strings; Syscall Trace
T:00:21:00  Victim OS: WinXP
  Infection Source: 98.141.30.160 (CAVTEL.NET): CAVALIER TELEPHONE, NORFOLK, VIRGINIA, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: (none listed)
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 19 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    none ; none ; none ; none ; none ; none ; none

T:00:34:00  Victim OS: Win2K-f
  Infection Source: 68.146.136.164 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, CALGARY, ALBERTA, CA. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: (none listed)
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 600 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    39 of 41 ; 9ce56f9f19 NEW ; 261c9da48f [0] ; none:none ; StarForce| ; none ; trace

T:00:36:00  Victim OS: Win2K-f
  Infection Source: 4.227.106.140 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, CLEVELAND, TEXAS, US. (DIAL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 75 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    33 of 33 ; 53bfe15e91 NEW ; 1473091351 [0] ; ASM:Graph ; tElock| ; lines=75 embedded dns ; trace
    0 of 33 ; a08f3b74a4 NEW ; none [0] ; none:none ; Armadillo| ; lines=90 ; trace

T:00:54:00  Victim OS: Win2K-f
  Infection Source: 110.93.96.231 (CABLENET.NE.JP): CABLENET SAITAMA CO. LTD, JP. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 110 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    39 of 41 ; 5bbb57c115 NEW ; none[none] ; none:none ; none|none ; none ; none
    39 of 41 ; 75ac189d9e NEW ; none [none] ; none:none ; none|none ; none ; none
T:01:23:00  Victim OS: Win2K-f
  Infection Source: 112.202.110.111 (PLDT.NET): IPG, CEBU, CEBU CITY, PH. (DIAL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 110 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    39 of 41 ; c61051c222 NEW ; none[none] ; none:none ; none|none ; none ; none
    39 of 41 ; ce01cf521a NEW ; none [none] ; none:none ; none|none ; none ; none

T:01:32:00  Victim OS: Win2K-f
  Infection Source: 174.1.78.82 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, VANCOUVER, BRITISH COLUMBIA, CA. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 110 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    39 of 41 ; 3c979c9a50 NEW ; none[none] ; none:none ; none|none ; none ; none
    39 of 41 ; 66dfbc4cc3 NEW ; none [none] ; none:none ; none|none ; none ; none

T:02:31:00  Victim OS: WinXP
  Infection Source: 218.113.72.54 (BBTEC.NET): JAPAN NATION-WIDE NETWORK OF SOFTBANK BB CORP, NAGASAKI, NAGASAKI, JP. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 75 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    33 of 33 ; 53bfe15e91 NEW ; 1473091351 [0] ; ASM:Graph ; tElock| ; lines=75 embedded dns ; trace
    0 of 33 ; a08f3b74a4 NEW ; none [0] ; none:none ; Armadillo| ; lines=90 ; trace

T:02:49:00  Victim OS: WinXP
  Infection Source: 12.64.54.28 (PRSERV.NET): AT&T GLOBAL SERVICES, CHICAGO, ILLINOIS, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:www.altavista.com, :jbeegvia.ru
  Infection Port: 445 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: http, 1 line | BotHunter Analysis: Yeah : 0.8, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    31 of 32 ; 17028f1eda NEW ; none[3] ; none:none ; tElock| ; none ; trace
T:02:54:00  Victim OS: Win2K-f
  Infection Source: 110.9.234.154 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 113 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    40 of 41 ; 14f47ffd1e NEW ; 90bf4b99ff [0] ; none:none ; tElock| ; none ; trace
    5 of 41 ; 50437008d9 NEW ; c1b09ac5d7[0] ; none:none ; Armadillo| ; none ; trace

T:04:02:00  Victim OS: WinXP
  Infection Source: 98.175.167.93 (COX.NET): COX COMMUNICATIONS, FREDERICKSBURG, VIRGINIA, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 75 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    33 of 33 ; 53bfe15e91 NEW ; 1473091351 [0] ; ASM:Graph ; tElock| ; lines=75 embedded dns ; trace
    0 of 32 ; 73f1082158 NEW ; none [0] ; none:none ; Armadillo| ; lines=90 ; trace

T:04:37:00  Victim OS: Win2K-f
  Infection Source: 67.221.102.156 (NTELOS.NET): NTELOS SPRINGWOOD ADSL #, CHARLOTTESVILLE, VIRGINIA, US. (100Mbps)
  C&C Server: 92.240.234.164:3305
  DNS Lookups & Failed Connects: AR:cx10man.weedns.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: irc, 967 lines | BotHunter Analysis: Yeah : 1.8, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    31 of 41 ; cc88f4f016 NEW ; 3d17903825 [0] ; none:none ; StarForce| ; none ; trace

T:04:40:00  Victim OS: Win2K-f
  Infection Source: 207.5.161.171 (SUSCOM-MAINE.NET): GREAT WORKS INTERNET, BRUNSWICK, MAINE, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 75 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    33 of 33 ; 53bfe15e91 NEW ; 1473091351 [0] ; ASM:Graph ; tElock| ; lines=75 embedded dns ; trace
    0 of 32 ; 73f1082158 NEW ; none [0] ; none:none ; Armadillo| ; lines=90 ; trace
T:05:15:00  Victim OS: Win2K-f
  Infection Source: 72.190.123.99 (RR.COM): ROAD RUNNER HOLDCO LLC, DALLAS, TEXAS, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 75 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    33 of 33 ; 53bfe15e91 NEW ; 1473091351 [0] ; ASM:Graph ; tElock| ; lines=75 embedded dns ; trace
    0 of 32 ; 73f1082158 NEW ; none [0] ; none:none ; Armadillo| ; lines=90 ; trace

T:08:45:00  Victim OS: Win2K-f
  Infection Source: 218.54.126.206 (HANANET.NET): HANARO TELECOM INC, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 75 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    0 of 33 ; 4c3df24b32 NEW ; none[0] ; ASM:Graph ; Armadillo| ; lines=81 ; trace
    33 of 33 ; 53bfe15e91 NEW ; 1473091351[0] ; ASM:Graph ; tElock| ; lines=75 embedded dns ; trace

08:51:00  Victim OS: Win2K-f
  Infection Source: 200.125.123.153 (200.IN-ADDR.ARPA): TELECENTRO S.A. - CLIENTES RESIDENCIALES, BUENOS AIRES, BUENOS AIRES, AR. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:yahoo.com, DE:proxim.ircgalaxy.pl, US:204.152.184.139:80, DE:88.198.228.238:65520
  Infection Port: 445 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: http, 21 lines | BotHunter Analysis: Argh : 0.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    none ; none ; none ; none ; none ; none ; none

10:12:00  Victim OS: Win2K-f
  Infection Source: 94.50.101.157 (PERMONLINE.RU): DYNAMIC DISTRIBUTION IP'S FOR BROADBAND SERVICES, MOSCOW, MOSCOW CITY, RU. (DSL)
  C&C Server: 88.198.228.238:65520
  DNS Lookups & Failed Connects: US:msn.com, US:cnn.com, DE:proxim.ircgalaxy.pl, CN:webspot1.co.cc, FR:193.104.94.11:65520, US:204.152.184.139:80, CN:218.93.205.19:80
  Infection Port: 445 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: irc, 25 lines | BotHunter Analysis: Yeah : 0.8, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    none ; none ; none ; none ; none ; none ; none
T:11:05:00  Victim OS: Win2K-f
  Infection Source: 208.126.133.196 (NETINS.NET): NETINS INC, MOVILLE, IOWA, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 75 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    33 of 33 ; 53bfe15e91 NEW ; 1473091351 [0] ; ASM:Graph ; tElock| ; lines=75 embedded dns ; trace
    0 of 32 ; 73f1082158 NEW ; none [0] ; none:none ; Armadillo| ; lines=90 ; trace

T:12:42:00  Victim OS: WinXP
  Infection Source: 190.137.125.105 (NET.AR): APOLO -GOLD-TELECOM-PER, AR. (DSL)
  C&C Server: 213.219.245.212:80
  DNS Lookups & Failed Connects: RU:citi-bank.ru
  Infection Port: 445 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: http, 2 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    39 of 41 ; c1918274c2 NEW ; c71803882e [none] ; none:none ; PolyEnE| ; none ; trace

T:12:58:00  Victim OS: WinXP
  Infection Source: 218.55.4.151 (-): HANANET-LLINE-GNGNETWORKS2, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 76 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    0 of 33 ; 4c3df24b32 NEW ; none[0] ; ASM:Graph ; Armadillo| ; lines=81 ; trace
    33 of 33 ; 53bfe15e91 NEW ; 1473091351[0] ; ASM:Graph ; tElock| ; lines=75 embedded dns ; trace

T:13:05:00  Victim OS: Win2K-f
  Infection Source: 173.19.210.242 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, IOWA CITY, IOWA, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 110 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    37 of 41 ; 692f9bb8df NEW ; 2bf6f4e9f0 [0] ; none:none ; Armadillo| ; none ; trace
    38 of 41 ; d482a2bec3 NEW ; 50a83c6b54[0] ; none:none ; tElock| ; none ; trace
T:13:14:00  Victim OS: Win2K-f
  Infection Source: 76.192.154.236 (SBCGLOBAL.NET): AT&T INTERNET SERVICES, COLUMBUS, OHIO, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 75 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    33 of 33 ; 53bfe15e91 NEW ; 1473091351 [0] ; ASM:Graph ; tElock| ; lines=75 embedded dns ; trace
    0 of 33 ; a08f3b74a4 NEW ; none [0] ; none:none ; Armadillo| ; lines=90 ; trace

T:14:09:00  Victim OS: WinXP
  Infection Source: 72.64.30.16 (VERIZON.NET): VERIZON INTERNET SERVICES INC, CHARLESTON, WEST VIRGINIA, US. (100Mbps)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 75 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    33 of 33 ; 53bfe15e91 NEW ; 1473091351 [0] ; ASM:Graph ; tElock| ; lines=75 embedded dns ; trace
    0 of 32 ; 73f1082158 NEW ; none [0] ; none:none ; Armadillo| ; lines=90 ; trace

T:15:24:00  Victim OS: WinXP
  Infection Source: 12.64.228.112 (PRSERV.NET): AT&T GLOBAL SERVICES, DALLAS, TEXAS, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: (none listed)
  Infection Port: 445 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 0 lines | BotHunter Analysis: Yeah : 0.8, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    none ; none ; none ; none ; none ; none ; none

16:36:00  Victim OS: Win2K-f
  Infection Source: 59.93.73.248 (10/24.BSNL.IN): NIB (NATIONAL INTERNET BACKBONE), HYDERABAD, ANDHRA PRADESH, IN. (DSL)
  C&C Server: 218.93.205.30:65520
  DNS Lookups & Failed Connects: :google.com, DE:proxim.ircgalaxy.pl, CN:q.kfgrtjer.cn, FR:193.104.94.11:65520, US:204.152.184.139:80, CN:210.51.36.215:88
  Infection Port: 445 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: irc, 28 lines | BotHunter Analysis: Yeah : 0.8, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    none ; none ; none ; none ; none ; none ; none
T:16:45:00  Victim OS: WinXP
  Infection Source: 208.126.203.153 (NETINS.NET): NETINS INC, DES MOINES, IOWA, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 110 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    38 of 41 ; 5445ad910a NEW ; none[none] ; none:none ; none|none ; none ; none
    38 of 41 ; b8b0605f6a NEW ; none [none] ; none:none ; none|none ; none ; none

16:46:00  Victim OS: WinXP
  Infection Source: 71.72.179.59 (RR.COM): ROAD RUNNER HOLDCO LLC, SIDNEY, OHIO, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: RU:citi-bank.ru
  Infection Port: 445 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: http, 1 line | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    29 of 29 ; 986b59708d NEW ; none[0] ; none:none ; PolyEnE| ; lines=57 ; trace

T:17:06:00  Victim OS: WinXP
  Infection Source: 208.126.79.216 (NETINS.NET): NETINS INC, ORANGE CITY, IOWA, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 170 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    33 of 33 ; 53bfe15e91 NEW ; 1473091351 [0] ; ASM:Graph ; tElock| ; lines=75 embedded dns ; trace
    0 of 32 ; 73f1082158 NEW ; none [0] ; none:none ; Armadillo| ; lines=90 ; trace

T:17:52:00  Victim OS: Win2K-f
  Infection Source: 75.184.33.163 (RR.COM): ROAD RUNNER HOLDCO LLC, WATSONVILLE, CALIFORNIA, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 75 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    0 of 33 ; 4c3df24b32 NEW ; none[0] ; ASM:Graph ; Armadillo| ; lines=81 ; trace
    33 of 33 ; 53bfe15e91 NEW ; 1473091351[0] ; ASM:Graph ; tElock| ; lines=75 embedded dns ; trace
T:18:27:00  Victim OS: Win2K-f
  Infection Source: 4.174.254.100 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, PHILADELPHIA, PENNSYLVANIA, US. (DIAL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 119 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    33 of 33 ; 53bfe15e91 NEW ; 1473091351 [0] ; ASM:Graph ; tElock| ; lines=75 embedded dns ; trace
    0 of 32 ; 73f1082158 NEW ; none [0] ; none:none ; Armadillo| ; lines=90 ; trace

T:19:05:00  Victim OS: Win2K-f
  Infection Source: 71.113.168.178 (VERIZON.NET): VERIZON INTERNET SERVICES INC, BLOOMINGTON, ILLINOIS, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 75 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    33 of 33 ; 53bfe15e91 NEW ; 1473091351 [0] ; ASM:Graph ; tElock| ; lines=75 embedded dns ; trace
    0 of 33 ; a08f3b74a4 NEW ; none [0] ; none:none ; Armadillo| ; lines=90 ; trace

T:19:28:00  Victim OS: Win2K-f
  Infection Source: 207.5.194.120 (SUSCOM-MAINE.NET): GREAT WORKS INTERNET, BRUNSWICK, MAINE, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 59 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    33 of 33 ; 53bfe15e91 NEW ; 1473091351 [0] ; ASM:Graph ; tElock| ; lines=75 embedded dns ; trace
    8 of 33 ; b7082104e4 NEW ; c5b49e7b82[0] ; ASM:Graph ; tElock| ; lines=41 ; trace
T:20:23:00  Victim OS: Win2K-f
  Infection Source: 222.237.21.207 (HANANET.NET): HANARO TELECOM INC, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL)
  C&C Server: 218.93.205.30:65520
  DNS Lookups & Failed Connects: DE:proxim.ircgalaxy.pl, CN:q.kfgrtjer.cn, CN:www.liagand.cn, EU:colopin.cn, CN:www.petdoso.com, :bfkq.com, :jsactivity.com, US:search.toptravellingtips.com, :www.toptravellingtips.com, US:search.articleswave.co.uk, :www.articleswave.co.uk, 173.45.105.218:8392
  Infection Port: 139 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: irc, http, 275 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    1 of 41 ; 0e7d0ef178 NEW ; none[none] ; none:none ; none|none ; none ; none
    19 of 41 ; 3a688c3ae6 NEW ; none [none] ; none:none ; none|none ; none ; none
    15 of 40 ; 9e16465986 NEW ; none [none] ; none:none ; none|none ; none ; none
    38 of 41 ; e354dadffa NEW ; none [none] ; none:none ; none|none ; none ; none
    6 of 41 ; e5772d7d3f NEW ; none [none] ; none:none ; none|none ; none ; none
    0 of 41 ; ed5e672f3b NEW ; none [none] ; none:none ; none|none ; none ; none
    18 of 41 ; f22223e96e NEW ; none [none] ; none:none ; none|none ; none ; none
T:23:11:00  Victim OS: Win2K-f
  Infection Source: 60.249.37.106 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 110 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    34 of 38 ; 38ed850a0e NEW ; 46990f37cd [0] ; ASM:Graph ; Armadillo| ; lines=91 ; trace
    35 of 38 ; b9297745a1 NEW ; 4294884d84[0] ; ASM:Graph ; tElock| ; lines=64 embedded dns ; trace

23:24:00  Victim OS: Win2K-f
  Infection Source: 211.232.98.39 (NEXG.NET): KRNIC, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com, FI:194.215.38.3:80, EE:195.50.195.10:443, EE:62.65.192.24:80
  Infection Port: 445 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 1 line | BotHunter Analysis: Argh : 0.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    none ; none ; none ; none ; none ; none ; none

T:23:25:00  Victim OS: Win2K-f
  Infection Source: 204.181.129.45 (UNINETS.NET): OXFORD COUNTY TELEPHONE SERVICE / THE PHONE STORE/MEGALINK, UNITY, MAINE, US. (DSL)
  C&C Server: n/a
  DNS Lookups & Failed Connects: US:microsoft.com
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: other, 110 lines | BotHunter Analysis: Yeah : 1.3, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    36 of 41 ; 4d4b7efca2 NEW ; ec83dac222 [0] ; none:none ; Armadillo| ; none ; trace
    38 of 41 ; 539d61fc06 NEW ; c3af874c93[0] ; none:none ; tElock| ; none ; trace

T:23:34:00  Victim OS: Win2K-f
  Infection Source: 110.11.209.45 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL)
  C&C Server: 218.93.205.30:65520
  DNS Lookups & Failed Connects: CN:proxima.ircgalaxy.pl, US:microsoft.com, CN:q.kfgrtjer.cn, CN:www.liagand.cn, CA:maxdomzhit.com, EU:colopin.cn, CN:www.petdoso.com, CN:202.97.184.196:81, CA:209.172.57.51:80, CN:210.51.36.215:88, CN:61.235.117.71:80
  Infection Port: 135 | Packet Trace: pcap | Detection Signatures: raw alerts, ruleset
  Infection Chatter: irc, http, 110 lines | BotHunter Analysis: Yeah : 1.8, profile
  Behavioral Cluster: none, summary | Forensic Logs: tarball
  Binaries (Antivirus Labels ; Packed Malware_Binary ; Unpacked egg.exe ; Unpacked egg.asm ; Packer PEID ; Data Strings ; Syscall Trace):
    31 of 33 ; 168aab35a3 NEW ; 60b730b97e [0] ; ASM:Graph ; tElock| ; lines=120 embedded dns ; trace
    0 of 33 ; 4c3df24b32 NEW ; none [0] ; ASM:Graph ; Armadillo| ; lines=81 ; trace
    19 of 40 ; c4829f5171 NEW ; none [none] ; none:none ; none|none ; none ; none
    6 of 41 ; e5772d7d3f NEW ; none [none] ; none:none ; none|none ; none ; none