Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace |
T:00:41:00 | WinXP | 60.238.151.151 (MESH.AD.JP): NEC CORPORATION, KASHIWA, CHIBA, JP. (DSL) | n/a |  | 445 | pcap | raw alerts ruleset | shell ftp 15 lines | Yeah : 1.3 profile | none | summary tarball | 38 of 41 | b62de46f7d NEW | 1d4ab3c709 [0] | none:none | none|none | none | trace |
T:01:28:00 | WinXP | 78.62.170.13 (ZEBRA.LT): LIETUVOS, KAUNAS, KAUNO APSKRITIS, LT. (DSL) | 92.243.19.221:16667 | :flash.flassicensingservice.net DE:members.lycos.co.uk DE:members.multimania.co.uk DE:www.multimania.co.uk US:ia341313.us.archive.org | 135 | pcap | raw alerts ruleset | lanman shell shell shell irc http 668 lines | Yeah : 1.3 profile | none | summary tarball | none | none | none | none | none | none | none |
T:02:55:00 | Win2K-f | 70.167.84.157 (COX.NET): COX COMMUNICATIONS, MACON, GEORGIA, US. (DSL) | 193.104.94.11:65520 | US:microsoft.com CN:proxim.ircgalaxy.pl EU:pozeml.com CN:down1130.iwillhavesexygirls.com :pozemle.cn CN:www.petdoso.com CN:1130.kfgrtjer.cn :bfkq.com :jsactivity.com US:search.toptravellingtips.com CN:202.97.184.196:81 US:208.43.250.167:80 | 135 | pcap | raw alerts ruleset | irc http 206 lines | Yeah : 1.8 profile | none | summary tarball | 16 of 41 15 of 41 14 of 40 32 of 33 4 of 41 11 of 41 29 of 33 2 of 41 6 of 41 0 of 41 | 371ffb2c8b NEW 68971d761c NEW 7453896856 NEW 87e1117f2a NEW 8e7cffa818 NEW a2ce42b73d NEW b4fe4581c3 NEW c6a1b4a433 NEW d214bd51e4 NEW f8df525f32 NEW | none[none] none [none] none [none] 3ff643aae6[0] none [none] none [none] 599b835896[0] none [none] none [none] none [none] | none:none none:none none:none none:none none:none none:none none:none none:none none:none none:none | none|none none|none none|none tElock| none|none none|none Armadillo| none|none none|none none|none | none none none none none none none none none none | none none none trace none none trace none none none |
T:03:23:00 | Win2K-f | 78.106.178.198 (CORBINA.RU): BROADBAND CUSTOMERS IN MOSCOW, MOSCOW, MOSCOW CITY, RU. (DSL) | 88.198.228.238:65520 | :seekbbs.com CN:proxim.ircgalaxy.pl CN:av.lometr.pl :pozemle.cn EU:pozeml.com CN:down1130.iwillhavesexygirls.com CN:www.petdoso.com :commerceclick.co.uk RU:ya.ru CN:202.97.184.196:81 | 445 | pcap | raw alerts ruleset | http irc http http http 36 lines | Yeah : 1.3 profile | none | summary tarball | 23 of 41 16 of 41 24 of 41 4 of 41 11 of 41 | 357486dae7 NEW 371ffb2c8b NEW 5fd727d3c1 NEW 8e7cffa818 NEW a2ce42b73d NEW | none[none] none [none] none [none] none [none] none [none] | none:none none:none none:none none:none none:none | StarForce| none|none none|none none|none none|none | none none none none none | trace none none none none |
T:04:30:00 | Win2K-f | 70.184.102.222 (COX.NET): COX COMMUNICATIONS, PHOENIX, ARIZONA, US. (100Mbps) | 88.198.228.238:65520 | CN:proxim.ircgalaxy.pl US:microsoft.com EU:pozeml.com :pozemle.cn CN:down1130.iwillhavesexygirls.com CN:www.petdoso.com CN:1130.kfgrtjer.cn :bfkq.com :jsactivity.com :wws.mobiec.net US:search.toptravellingtips.com 173.45.105.218:8392 US:208.43.250.167:80 98.126.9.218:80 | 135 | pcap | raw alerts ruleset | irc http 211 lines | Yeah : 1.8 profile | none | summary tarball | 16 of 41 22 of 41 15 of 41 14 of 40 4 of 41 11 of 41 32 of 36 0 of 41 6 of 41 4 of 41 21 of 41 35 of 36 | 371ffb2c8b NEW 3b7db74080 NEW 68971d761c NEW 7453896856 NEW 8e7cffa818 NEW a2ce42b73d NEW bea8cb1865 NEW bf44b3bd31 NEW d214bd51e4 NEW e0a5795920 NEW eaadfe3615 NEW fac78fde16 NEW | none[none] none [none] none [none] none [none] none [none] none [none] 154de51a66[0] none [none] none [none] none [none] none [none] 882896ab05[0] | none:none none:none none:none none:none none:none none:none ASM:Graph none:none none:none none:none none:none none:none | none|none none|none none|none none|none none|none none|none Armadillo| none|none none|none none|none none|none tElock| | none none none none none none lines=91 none none none none none | none none none none none none trace none none none none trace |
T:04:55:00 | Win2K-f | 78.106.112.176 (CORBINA.RU): BROADBAND CUSTOMERS IN MOSCOW, MOSCOW, MOSCOW CITY, RU. (DSL) | n/a | US:doterroom.com US:as.casalemedia.com :s7.addthis.com :a.collective-media.net US:ad.yieldmanager.com US:209.107.213.25:80 US:64.210.61.7:80 67.228.101.130:80 67.228.101.131:80 | 445 | pcap | raw alerts ruleset | http irc 73 lines | Argh : 0.3 profile | none | summary tarball | 0 of 41 | 8dda87ee7a NEW | none[none] | none:none | none|none | none | none |
T:05:03:00 | Win2K-f | 86.157.118.41 (BTCENTRALPLUS.COM): BT BROADBAND, LONDON, ENGLAND, UK. (DSL) | 218.93.201.51:65520 | GB:www.businesstomb.com CN:proxim.ircgalaxy.pl EU:pozeml.com CN:www.petdoso.com :pozemle.cn CN:down1130.iwillhavesexygirls.com CN:1130.kfgrtjer.cn :wws.mobiec.net GB:212.117.177.140:80 CN:218.93.201.51:65520 98.126.9.218:80 | 445 | pcap | raw alerts ruleset | http irc 19 lines | Yeah : 1.3 profile | none | summary tarball | 16 of 41 22 of 41 15 of 41 14 of 40 4 of 41 11 of 41 6 of 41 | 371ffb2c8b NEW 3b7db74080 NEW 68971d761c NEW 7453896856 NEW 8e7cffa818 NEW a2ce42b73d NEW d214bd51e4 NEW | none[none] none [none] none [none] none [none] none [none] none [none] none [none] | none:none none:none none:none none:none none:none none:none none:none | none|none none|none none|none none|none none|none none|none none|none | none none none none none none none | none none none none none none none |
T:06:00:00 | WinXP | 173.200.73.19 (-): . | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 0 of 33 | 53bfe15e91 NEW a08f3b74a4 NEW | 1473091351 [0] none [0] | ASM:Graph none:none | tElock| Armadillo| | lines=75 embedded dns lines=90 | trace trace |
T:06:28:00 | Win2K-f | 24.108.79.203 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, VICTORIA, BRITISH COLUMBIA, CA. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 226 lines | Yeah : 1.3 profile | none | summary tarball | 38 of 41 38 of 40 | 1d4664020a NEW 57c9e1ed90 NEW | none[none] none [none] | none:none none:none | none|none none|none | none none | none none |
T:08:19:00 | Win2K-f | 211.23.226.98 (-): LIOU-TZUNG-YI-TC, TAIPEI, T'AI-PEI, TW. (100Mbps) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41 37 of 40 | 5d445c59d8 NEW 8a54950abb NEW | 892e12db7b [0] f6b9e43917[0] | none:none none:none | tElock| Armadillo| | none none | trace trace |
T:09:37:00 | WinXP | 196.219.191.229 (TEDATA.NET): GIZA-ZONE-DSL, CAIRO, AL QAHIRAH, EG. (DSL) | n/a | RU:citi-bank.ru RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 3 lines | Yeah : 0.8 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none[0] | none:none | PolyEnE| | lines=68 | trace |
T:11:57:00 | WinXP | 83.29.215.128 (TPNET.PL): NEOSTRADA PLUS, LODZ, LODZKIE, PL. (DSL) | n/a |  | 445 | pcap | raw alerts ruleset | shell ftp 15 lines | Yeah : 1.3 profile | none | summary tarball | 32 of 32 | 03f912899b NEW | none[0] | none:none | none|none | lines=64 | trace |
T:12:57:00 | Win2K-f | 173.29.252.229 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, CHANHASSEN, MINNESOTA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 111 lines | Yeah : 1.3 profile | none | summary tarball | 36 of 41 38 of 40 | 067917e07b NEW d764c1dcb2 NEW | dae35b319c [0] 3d2bc60c5d[0] | none:none none:none | Armadillo| tElock| | none none | trace trace |
T:14:48:00 | Win2K-f | 70.184.208.123 (COX.NET): COX COMMUNICATIONS, COUNCIL BLUFFS, IOWA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41 40 of 41 | 3b3a6d7615 NEW b7a694b220 NEW | ed7beb96f5 [0] 9f0354af30[0] | none:none none:none | Armadillo| tElock| | none none | trace trace |
T:15:19:00 | Win2K-f | 70.183.227.133 (COX.NET): COX COMMUNICATIONS, FT. WALTON BEACH, FLORIDA, US. (DSL) | 88.198.228.238:65520 218.93.201.51:65520 | CN:proxim.ircgalaxy.pl US:microsoft.com | 135 | pcap | raw alerts ruleset | irc 128 lines | Yeah : 1.8 profile | none | summary tarball | 32 of 36 35 of 36 | bea8cb1865 NEW fac78fde16 NEW | 154de51a66 [0] 882896ab05[0] | ASM:Graph none:none | Armadillo| tElock| | lines=91 none | trace trace |
T:17:33:00 | WinXP | 72.64.30.16 (VERIZON.NET): VERIZON INTERNET SERVICES INC, CHARLESTON, WEST VIRGINIA, US. (100Mbps) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 0 of 32 | 53bfe15e91 NEW 73f1082158 NEW | 1473091351 [0] none [0] | ASM:Graph none:none | tElock| Armadillo| | lines=75 embedded dns lines=90 | trace trace |
T:17:45:00 | Win2K-f | 4.191.209.229 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, RUTHERFORDTON, NORTH CAROLINA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 137 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41 39 of 41 | 244046c1e4 NEW 2541334f84 NEW | none[none] none [none] | none:none none:none | none|none none|none | none none | none none |
T:18:18:00 | Win2K-f | 180.65.207.137 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | 218.93.201.51:65520 | DE:proxima.ircgalaxy.pl US:microsoft.com | 135 | pcap | raw alerts ruleset | irc 168 lines | Yeah : 1.8 profile | none | summary tarball | 39 of 41 31 of 33 | ab9c4b5f21 NEW d789c8d157 NEW | 5fe48b2dcc [none] 5f6572479f[0] | none:none none:none | Armadillo| PolyEnE| | none none | trace trace |
T:18:18:00 | Win2K-f | 174.5.180.78 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, CA. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 112 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41 39 of 41 | 15b89b9fda NEW 631bd3e5f4 NEW | none[none] none [none] | none:none none:none | none|none none|none | none none | none none |
T:18:31:00 | Win2K-f | 82.219.224.154 (EXA.NET.UK): EXA NETWORKS LIMITED, UK. (DSL) | n/a | US:www.maxmind.com US:www.getmyip.org :checkip.dyndns.org EU:getmyip.co.uk DE:131.220.6.26:80 208.78.70.70:80 EU:78.40.35.134:80 | 445 | pcap | raw alerts ruleset | http 5 lines | Yeah : 0.8 profile | none | summary tarball | 26 of 38 | c645a73bd2 NEW | none[3] | none:none | tElock| | none | trace |
T:18:32:00 | Win2K-f | 173.168.162.214 (RR.COM): ROAD RUNNER HOLDCO LLC, CLEARWATER, FLORIDA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 5 lines | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none |
T:18:40:00 | Win2K-f | 82.219.224.154 (EXA.NET.UK): EXA NETWORKS LIMITED, UK. (DSL) | n/a | US:www.maxmind.com US:www.getmyip.org EU:getmyip.co.uk GB:www.vouchercodez.com :checkip.dyndns.org DE:131.220.6.26:80 US:67.15.94.80:80 | 445 | pcap | raw alerts ruleset | http 6 lines | Yeah : 0.8 profile | none | summary tarball | 26 of 38 | c645a73bd2 NEW | none[3] | none:none | tElock| | none | trace |
T:18:52:00 | WinXP | 208.126.85.219 (NETINS.NET): NETINS INC, WATERLOO, IOWA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 127 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41 38 of 41 | 29d6cb5bd5 NEW b66131ca73 NEW | none[none] none [none] | none:none none:none | none|none none|none | none none | none none |
T:19:19:00 | WinXP | 68.203.231.189 (RR.COM): ROAD RUNNER HOLDCO LLC, ORANGE, TEXAS, US. (100Mbps) | n/a | RU:citi-bank.ru RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 32 of 32 | b502f83a7c NEW | 28f5be93b0 [0] | none:none | PolyEnE| | none | trace |
T:19:27:00 | WinXP | 76.89.180.13 (RR.COM): ROAD RUNNER HOLDCO LLC, UPLAND, CALIFORNIA, US. (DSL) | 213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 29 of 29 | 3ae357d17b NEW | none[0] | ASM:Graph | PolyEnE| | lines=73 | trace |
T:19:33:00 | WinXP | 76.89.180.13 (RR.COM): ROAD RUNNER HOLDCO LLC, UPLAND, CALIFORNIA, US. (DSL) | n/a | RU:citi-bank.ru RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 29 of 29 | 3ae357d17b NEW | none[0] | ASM:Graph | PolyEnE| | lines=73 | trace |
T:20:35:00 | Win2K-f | 24.213.224.238 (RR.COM): ROAD RUNNER HOLDCO LLC, AMSTERDAM, NOORD-HOLLAND, NL. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 0 of 33 | 53bfe15e91 NEW a08f3b74a4 NEW | 1473091351 [0] none [0] | ASM:Graph none:none | tElock| Armadillo| | lines=75 embedded dns lines=90 | trace trace |
T:20:56:00 | Win2K-f | 4.141.62.151 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, WARRENSBURG, NEW YORK, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 100 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 0 of 33 | 53bfe15e91 NEW a08f3b74a4 NEW | 1473091351 [0] none [0] | ASM:Graph none:none | tElock| Armadillo| | lines=75 embedded dns lines=90 | trace trace |
T:21:49:00 | WinXP | 75.60.240.245 (SBCGLOBAL.NET): AT&T INTERNET SERVICES, COLUMBUS, OHIO, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 0 of 33 | 53bfe15e91 NEW a08f3b74a4 NEW | 1473091351 [0] none [0] | ASM:Graph none:none | tElock| Armadillo| | lines=75 embedded dns lines=90 | trace trace |
T:23:55:00 | Win2K-f | 174.116.82.38 (ROGERS.COM): ROGERS CABLE COMMUNICATIONS INC, ST. JOHN'S, NEWFOUNDLAND AND LABRADOR, CA. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 18 of 35 0 of 33 | 218ce30f5c NEW a08f3b74a4 NEW | none[3] none [0] | none:none none:none | none|none Armadillo| | none lines=90 | trace trace |