Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page


UNCENSORED PAGE



26 January 2010

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Infection records for 26 January 2010, one record per observed infection.

Record layout:
  Line 1: Time | Victim OS | Infection Source
  Line 2: C&C Server; DNS Lookups & Failed Connects; Infection Port; Packet Trace; Detection Signatures; Infection Chatter; BotHunter Analysis; Behavioral Cluster; Forensic Logs
  Following lines: one per captured binary, with Antivirus Labels; Packed Malware_Binary; Unpacked egg.exe; Unpacked egg.asm; Packer PEID; Data Strings; Syscall Trace

T:00:36:00 | Win2K-f | 58.236.48.206 (-): THRUNET-INFRA-INCHEON03, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 78 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 3 of 41; Packed Malware_Binary 8b41cb7a41 NEW; Unpacked egg.exe ef18d720f3 [0]; Unpacked egg.asm none:none; Packer PEID Armadillo|; Data Strings none; Syscall Trace trace
  Binary 2: Antivirus Labels 33 of 33; Packed Malware_Binary 97fef473b9 NEW; Unpacked egg.exe ff4e7d6992 [0]; Unpacked egg.asm none:none; Packer PEID tElock|; Data Strings none; Syscall Trace trace

T:00:47:00 | WinXP | 4.244.84.211 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, OKLAHOMA CITY, OKLAHOMA, US. (DIAL)
  C&C Server: n/a; DNS Lookups & Failed Connects: (blank); Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 4 lines; BotHunter Analysis: Yeah : 0.8 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binaries: none (all binary fields none)

T:01:09:00 | WinXP | 71.111.233.113 (VERIZON.NET): VERIZON INTERNET SERVICES INC, DURHAM, NORTH CAROLINA, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 75 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 33 of 33; Packed Malware_Binary 53bfe15e91 NEW; Unpacked egg.exe 1473091351 [0]; Unpacked egg.asm ASM:Graph; Packer PEID tElock|; Data Strings lines=75 embedded dns; Syscall Trace trace
  Binary 2: Antivirus Labels 0 of 33; Packed Malware_Binary a08f3b74a4 NEW; Unpacked egg.exe none [0]; Unpacked egg.asm none:none; Packer PEID Armadillo|; Data Strings lines=90; Syscall Trace trace

T:01:32:00 | Win2K-f | 122.146.225.147 (SPARQNET.NET): NEW CENTRY INFOCOM TECH. CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 75 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 33 of 33; Packed Malware_Binary 53bfe15e91 NEW; Unpacked egg.exe 1473091351 [0]; Unpacked egg.asm ASM:Graph; Packer PEID tElock|; Data Strings lines=75 embedded dns; Syscall Trace trace
  Binary 2: Antivirus Labels 0 of 33; Packed Malware_Binary 57ce4acac2 NEW; Unpacked egg.exe none [0]; Unpacked egg.asm none:none; Packer PEID Armadillo|; Data Strings lines=90; Syscall Trace trace

T:02:32:00 | WinXP | 114.48.84.247 (E-MOBILE.NE.JP): EMOBILE LTD, TOKYO, TOKYO, JP. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: (blank); Infection Port: 445; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: shell ftp 14 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 37 of 40; Packed Malware_Binary 5285741560 NEW; Unpacked egg.exe 60590b8b67 [0]; Unpacked egg.asm ASM:Graph; Packer PEID none|none; Data Strings lines=59; Syscall Trace trace

T:02:44:00 | Win2K-f | 208.126.119.218 (NETINS.NET): SENECA TELEPHONE COMPANY, SPENCER, IOWA, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 110 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 38 of 41; Packed Malware_Binary 894fd1afc2 NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none
  Binary 2: Antivirus Labels 38 of 41; Packed Malware_Binary b945587654 NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none

T:03:40:00 | WinXP | 174.116.42.11 (ROGERS.COM): ROGERS CABLE COMMUNICATIONS INC, ST. JOHN'S, NEWFOUNDLAND AND LABRADOR, CA. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 75 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 33 of 33; Packed Malware_Binary 53bfe15e91 NEW; Unpacked egg.exe 1473091351 [0]; Unpacked egg.asm ASM:Graph; Packer PEID tElock|; Data Strings lines=75 embedded dns; Syscall Trace trace
  Binary 2: Antivirus Labels 0 of 33; Packed Malware_Binary a08f3b74a4 NEW; Unpacked egg.exe none [0]; Unpacked egg.asm none:none; Packer PEID Armadillo|; Data Strings lines=90; Syscall Trace trace

T:05:29:00 | Win2K-f | 98.175.192.195 (COX.NET): COX COMMUNICATIONS, OMAHA, NEBRASKA, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 75 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 33 of 33; Packed Malware_Binary 53bfe15e91 NEW; Unpacked egg.exe 1473091351 [0]; Unpacked egg.asm ASM:Graph; Packer PEID tElock|; Data Strings lines=75 embedded dns; Syscall Trace trace
  Binary 2: Antivirus Labels 0 of 32; Packed Malware_Binary 73f1082158 NEW; Unpacked egg.exe none [0]; Unpacked egg.asm none:none; Packer PEID Armadillo|; Data Strings lines=90; Syscall Trace trace

T:06:18:00 | Win2K-f | 98.141.163.84 (CAVTEL.NET): CAVALIER TELEPHONE, PHILADELPHIA, PENNSYLVANIA, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: (blank); Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 18 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binaries: none (all binary fields none)

T:06:27:00 | Win2K-f | 174.3.12.5 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, CA. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 116 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 37 of 41; Packed Malware_Binary 3655e31f7f NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none
  Binary 2: Antivirus Labels 38 of 41; Packed Malware_Binary 66806feda7 NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none

T:07:26:00 | Win2K-f | 61.221.237.252 (-): HUNG REN SHIN IE CO. LTD. PINGTUNG BRANCH COMPANY, TAIPEI, T'AI-PEI, TW. (100Mbps)
  C&C Server: n/a; DNS Lookups & Failed Connects: (blank); Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 1002 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 17 of 41; Packed Malware_Binary e1693609f9 NEW; Unpacked egg.exe none [3]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace trace

T:07:33:00 | WinXP | 95.246.171.210 (BUSINESS.TELECOMITALIA.IT): TELECOM ITALIA WIRELINE SERVICES, ROME, LAZIO, IT. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: (blank); Infection Port: 445; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: shell ftp 14 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 29 of 29; Packed Malware_Binary 831f4ee0a7 NEW; Unpacked egg.exe none [0]; Unpacked egg.asm ASM:Graph; Packer PEID none|none; Data Strings lines=61; Syscall Trace trace

T:08:21:00 | Win2K-f | 109.78.190.52 (JWS.COM): EU-ZZ, UK. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 110 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 37 of 41; Packed Malware_Binary 5c5491c1f7 NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none
  Binary 2: Antivirus Labels 36 of 41; Packed Malware_Binary ace13b964a NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none

T:08:30:00 | Win2K-f | 98.93.108.57 (BELLSOUTH.NET): BELLSOUTH.NET INC, ATLANTA, GEORGIA, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 75 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 33 of 33; Packed Malware_Binary 53bfe15e91 NEW; Unpacked egg.exe 1473091351 [0]; Unpacked egg.asm ASM:Graph; Packer PEID tElock|; Data Strings lines=75 embedded dns; Syscall Trace trace
  Binary 2: Antivirus Labels 0 of 32; Packed Malware_Binary 73f1082158 NEW; Unpacked egg.exe none [0]; Unpacked egg.asm none:none; Packer PEID Armadillo|; Data Strings lines=90; Syscall Trace trace

T:09:03:00 | Win2K-f | 60.191.11.61 (-): CHUN'AN QIANDAOHU JINSEN WOOD MACHINING FACTORY, BEIJING, BEIJING, CN. (100Mbps)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:www.maxmind.com, :checkip.dyndns.org, EU:getmyip.co.uk, US:www.getmyip.org, DE:131.220.6.26:80, 208.78.70.70:80, US:75.126.138.202:80, EU:78.40.35.134:80; Infection Port: 445; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: http 4 lines; BotHunter Analysis: Yeah : 0.8 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 3 of 37; Packed Malware_Binary d9cb288f31 NEW; Unpacked egg.exe 45603a001c [0]; Unpacked egg.asm ASM:Graph; Packer PEID UPX|; Data Strings lines=174 embedded dns; Syscall Trace trace

T:09:36:00 | Win2K-f | 174.1.81.145 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, VANCOUVER, BRITISH COLUMBIA, CA. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 110 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 37 of 41; Packed Malware_Binary 3655e31f7f NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none
  Binary 2: Antivirus Labels 38 of 41; Packed Malware_Binary 66806feda7 NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none

T:12:40:00 | WinXP | 207.5.221.252 (SUSCOM-MAINE.NET): GREAT WORKS INTERNET, BRUNSWICK, MAINE, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:gg.arrancar.org, US:72.20.40.25:555; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 186 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 38 of 41; Packed Malware_Binary 52329ed7a7 NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none

T:13:31:00 | Win2K-f | 116.6.14.242 (163DATA.COM.CN): CHINANET GUANGDONG PROVINCE NETWORK, GUANGZHOU, GUANGDONG, CN. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:www.maxmind.com, :checkip.dyndns.org, US:67.15.94.80:80; Infection Port: 445; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: http 2 lines; BotHunter Analysis: Yeah : 0.8 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 3 of 37; Packed Malware_Binary d9cb288f31 NEW; Unpacked egg.exe 45603a001c [0]; Unpacked egg.asm ASM:Graph; Packer PEID UPX|; Data Strings lines=174 embedded dns; Syscall Trace trace

T:14:54:00 | Win2K-f | 174.116.110.246 (ROGERS.COM): ROGERS CABLE COMMUNICATIONS INC, ST. JOHN'S, NEWFOUNDLAND AND LABRADOR, CA. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 110 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 39 of 41; Packed Malware_Binary 4a20cb6ed5 NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none
  Binary 2: Antivirus Labels 39 of 41; Packed Malware_Binary 5847631037 NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none

T:15:14:00 | Win2K-f | 174.79.242.206 (COX.NET): COX COMMUNICATIONS, ATLANTA, GEORGIA, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 120 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 36 of 39; Packed Malware_Binary 7d7ce6a41b NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none
  Binary 2: Antivirus Labels 39 of 41; Packed Malware_Binary a6318e903b NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none

T:15:18:00 | Win2K-f | 69.193.78.147 (RR.COM): ROAD RUNNER HOLDCO LLC, HERNDON, VIRGINIA, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 75 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 33 of 33; Packed Malware_Binary 53bfe15e91 NEW; Unpacked egg.exe 1473091351 [0]; Unpacked egg.asm ASM:Graph; Packer PEID tElock|; Data Strings lines=75 embedded dns; Syscall Trace trace
  Binary 2: Antivirus Labels 0 of 33; Packed Malware_Binary a08f3b74a4 NEW; Unpacked egg.exe none [0]; Unpacked egg.asm none:none; Packer PEID Armadillo|; Data Strings lines=90; Syscall Trace trace

T:15:53:00 | WinXP | 96.15.230.16 (-): ALLTEL SIP CUSTOMERS - LITTLE ROCK, WEST MONROE, LOUISIANA, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: RU:citi-bank.ru, RU:213.219.245.212:80; Infection Port: 445; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: http 2 lines; BotHunter Analysis: Yeah : 0.8 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 40 of 41; Packed Malware_Binary 07cd99a10b NEW; Unpacked egg.exe f8f0f72da6 [0]; Unpacked egg.asm none:none; Packer PEID PolyEnE|; Data Strings none; Syscall Trace trace

T:16:17:00 | Win2K-f | 116.6.14.242 (163DATA.COM.CN): CHINANET GUANGDONG PROVINCE NETWORK, GUANGZHOU, GUANGDONG, CN. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:www.maxmind.com, :checkip.dyndns.org, DE:131.220.6.26:80; Infection Port: 445; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: http 5 lines; BotHunter Analysis: Yeah : 0.8 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 3 of 37; Packed Malware_Binary d9cb288f31 NEW; Unpacked egg.exe 45603a001c [0]; Unpacked egg.asm ASM:Graph; Packer PEID UPX|; Data Strings lines=174 embedded dns; Syscall Trace trace

T:18:25:00 | Win2K-f | 99.147.65.80 (SBCGLOBAL.NET): AT&T INTERNET SERVICES, HOUSTON, TEXAS, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 59 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 33 of 33; Packed Malware_Binary 53bfe15e91 NEW; Unpacked egg.exe 1473091351 [0]; Unpacked egg.asm ASM:Graph; Packer PEID tElock|; Data Strings lines=75 embedded dns; Syscall Trace trace
  Binary 2: Antivirus Labels 8 of 33; Packed Malware_Binary b7082104e4 NEW; Unpacked egg.exe c5b49e7b82 [0]; Unpacked egg.asm ASM:Graph; Packer PEID tElock|; Data Strings lines=41; Syscall Trace trace

T:18:55:00 | WinXP | 4.177.18.62 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, SAN DIEGO, CALIFORNIA, US. (DIAL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 245 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 37 of 41; Packed Malware_Binary 47d3548e36 NEW; Unpacked egg.exe ab13346633 [0]; Unpacked egg.asm none:none; Packer PEID Armadillo|; Data Strings none; Syscall Trace trace
  Binary 2: Antivirus Labels 36 of 40; Packed Malware_Binary d8722af110 NEW; Unpacked egg.exe ab30a55931 [0]; Unpacked egg.asm none:none; Packer PEID tElock|; Data Strings none; Syscall Trace trace

T:19:29:00 | Win2K-f | 24.106.128.202 (RR.COM): ROAD RUNNER HOLDCO LLC, CUYAHOGA FALLS, OHIO, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: (blank); Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 10 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binaries: none (all binary fields none)

T:19:53:00 | WinXP | 98.124.93.145 (HOMESC.COM): HOME TELEPHONE COMPANY INC, MONCKS CORNER, SOUTH CAROLINA, US. (100Mbps)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:www.yahoo.com, :www.google.com.au, :jbeegvia.ru; Infection Port: 445; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: http 1 line; BotHunter Analysis: Yeah : 0.8 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 31 of 32; Packed Malware_Binary 17028f1eda NEW; Unpacked egg.exe none [3]; Unpacked egg.asm none:none; Packer PEID tElock|; Data Strings none; Syscall Trace trace

T:20:27:00 | Win2K-f | 122.87.205.169 (JWS.COM): CHINA TIETONG TELECOMMUNICATIONS CORPORATION, BEIJING, BEIJING, CN. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:www.maxmind.com, :checkip.dyndns.org, US:www.getmyip.org, EU:getmyip.co.uk, GB:www.vouchercodez.com, DE:131.220.6.26:80, 208.78.70.70:80, US:75.126.138.202:80, GB:80.82.121.239:80; Infection Port: 445; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: http 5 lines; BotHunter Analysis: Yeah : 0.8 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 3 of 37; Packed Malware_Binary d9cb288f31 NEW; Unpacked egg.exe 45603a001c [0]; Unpacked egg.asm ASM:Graph; Packer PEID UPX|; Data Strings lines=174 embedded dns; Syscall Trace trace

T:20:49:00 | WinXP | 59.121.47.126 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL)
  C&C Server: 213.219.245.212:80; DNS Lookups & Failed Connects: RU:citi-bank.ru; Infection Port: 445; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: http 2 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 40 of 41; Packed Malware_Binary 5cf77dd9c4 NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none

T:21:03:00 | Win2K-f | 61.215.130.117 (CABLENET.NE.JP): CABLENET SAITAMA CO. LTD, TOKYO, TOKYO, JP. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 111 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 38 of 41; Packed Malware_Binary 10eebdc28e NEW; Unpacked egg.exe e2ca2da35d [none]; Unpacked egg.asm none:none; Packer PEID Armadillo|; Data Strings none; Syscall Trace trace
  Binary 2: Antivirus Labels 38 of 41; Packed Malware_Binary 761a66b891 NEW; Unpacked egg.exe b469dac5dc [none]; Unpacked egg.asm none:none; Packer PEID tElock|; Data Strings none; Syscall Trace trace

T:22:08:00 | Win2K-f | 71.111.237.193 (VERIZON.NET): VERIZON INTERNET SERVICES INC, DURHAM, NORTH CAROLINA, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 75 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 33 of 33; Packed Malware_Binary 53bfe15e91 NEW; Unpacked egg.exe 1473091351 [0]; Unpacked egg.asm ASM:Graph; Packer PEID tElock|; Data Strings lines=75 embedded dns; Syscall Trace trace
  Binary 2: Antivirus Labels 0 of 33; Packed Malware_Binary a08f3b74a4 NEW; Unpacked egg.exe none [0]; Unpacked egg.asm none:none; Packer PEID Armadillo|; Data Strings lines=90; Syscall Trace trace

T:22:22:00 | WinXP | 174.101.96.163 (RR.COM): ROAD RUNNER HOLDCO LLC, HERNDON, VIRGINIA, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 111 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 30 of 33; Packed Malware_Binary 3cd7958258 NEW; Unpacked egg.exe none [4]; Unpacked egg.asm none:none; Packer PEID tElock|; Data Strings none; Syscall Trace trace
  Binary 2: Antivirus Labels 28 of 32; Packed Malware_Binary 41efedf70f NEW; Unpacked egg.exe 41efedf70f [1]; Unpacked egg.asm ASM:Graph; Packer PEID Armadillo|; Data Strings lines=82; Syscall Trace trace

T:22:28:00 | Win2K-f | 72.0.189.59 (BENDBROADBAND.COM): BEND CABLE COMMUNICATIONS LLC, BEND, OREGON, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 110 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 38 of 41; Packed Malware_Binary 42a5385ed4 NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none
  Binary 2: Antivirus Labels 38 of 41; Packed Malware_Binary f287d03196 NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none

T:22:49:00 | Win2K-f | 70.182.68.7 (COX.NET): COX COMMUNICATIONS, NORMAN, OKLAHOMA, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 110 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 39 of 41; Packed Malware_Binary 3b3a6d7615 NEW; Unpacked egg.exe ed7beb96f5 [0]; Unpacked egg.asm none:none; Packer PEID Armadillo|; Data Strings none; Syscall Trace trace
  Binary 2: Antivirus Labels 40 of 41; Packed Malware_Binary b7a694b220 NEW; Unpacked egg.exe 9f0354af30 [0]; Unpacked egg.asm none:none; Packer PEID tElock|; Data Strings none; Syscall Trace trace

T:22:51:00 | Win2K-f | 216.152.2.100 (-): CITY OF WILSON, PEA RIDGE, ARKANSAS, US. (DSL)
  C&C Server: n/a; DNS Lookups & Failed Connects: US:microsoft.com; Infection Port: 135; Packet Trace: pcap raw; Detection Signatures: alerts ruleset; Infection Chatter: other 89 lines; BotHunter Analysis: Yeah : 1.3 profile; Behavioral Cluster: none summary; Forensic Logs: tarball
  Binary 1: Antivirus Labels 33 of 33; Packed Malware_Binary 53bfe15e91 NEW; Unpacked egg.exe 1473091351 [0]; Unpacked egg.asm ASM:Graph; Packer PEID tElock|; Data Strings lines=75 embedded dns; Syscall Trace trace
  Binary 2: Antivirus Labels 39 of 41; Packed Malware_Binary 75e7677265 NEW; Unpacked egg.exe none [none]; Unpacked egg.asm none:none; Packer PEID none|none; Data Strings none; Syscall Trace none