Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

29 January 2010
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:01:38:00 Win2K-f 175.113.129.130 (-):
. 88.198.228.238:65520 US:microsoft.com
DE:proxima.ircgalaxy.pl
DE:88.198.228.238:65520 135 pcap raw alerts
ruleset irc
142 lines Yeah : 1.8
profile none summary
tarball 39 of 41
31 of 33 ab9c4b5f21
NEW
d789c8d157
NEW 5fe48b2dcc [none]
5f6572479f[0] none:none
none:none
Armadillo|
PolyEnE| none
none trace
trace

T:02:36:00 Win2K-f 220.216.32.106 (TNC.NE.JP):
TOKAI CORPORATION,
TOKYO, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
99 lines Yeah : 1.3
profile none summary
tarball 39 of 40
40 of 41 6a6aaa5b73
NEW
8bde6dd126
NEW 63889c9976 [0]
885c68f500[0] none:none
none:none
tElock|
tElock| none
none trace
trace

T:02:53:00 Win2K-f 173.20.140.222 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
ALBANY, GEORGIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 37 of 41
38 of 41 692f9bb8df
NEW
d482a2bec3
NEW 2bf6f4e9f0 [0]
50a83c6b54[0] none:none
none:none
Armadillo|
tElock| none
none trace
trace

T:02:57:00 Win2K-f 4.191.51.49 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
PORTLAND, OREGON, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
118 lines Yeah : 1.3
profile none summary
tarball 38 of 41
37 of 41 5c39773b13
NEW
a1acc403a2
NEW c64405f2e9 [0]
54ef26c2f9[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:03:56:00 Win2K-f 60.249.37.247 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 34 of 38
35 of 38 38ed850a0e
NEW
b9297745a1
NEW 46990f37cd [0]
4294884d84[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:07:46:00 WinXP 95.220.41.177 (-):
FAIRLIE HOLDING & FINANCE LIMITED,
MOSCOW, MOSCOW CITY, RU. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 29 of 29 831f4ee0a7
NEW none[0] ASM:Graph
none|none lines=61 trace

T:08:25:00 WinXP 173.27.245.182 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
STREAMWOOD, ILLINOIS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 40
38 of 40 474acf88e5
NEW
68f0c14692
NEW 1f53944b24 [0]
ccc1b24d53[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:09:05:00 Win2K-f 113.252.29.144 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HK. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
59 lines Yeah : 1.3
profile none summary
tarball 33 of 33
8 of 33 53bfe15e91
NEW
b7082104e4
NEW 1473091351 [0]
c5b49e7b82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=75
embedded dns
lines=41 trace
trace

T:09:29:00 WinXP 69.193.74.22 (RR.COM):
ROAD RUNNER HOLDCO LLC,
HERNDON, VIRGINIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:10:18:00 WinXP 216.168.109.0 (NEXICOM.NET):
NEXICOM INC,
PETERBOROUGH, ONTARIO, CA. (DIAL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
3 lines Yeah : 0.8
profile none summary
tarball 40 of 41 2b9bc1463d
NEW 7978e0f6fb [none] none:none
PolyEnE| none trace

T:11:16:00 WinXP 81.198.38.197 (-):
ADDRESS POOL FOR LTC-HOME CUSTOMERS,
RIGA, RIGA, LV. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 aab1b56620
NEW 3b2e1c5b9d [0] none:none
PolyEnE| none trace

T:11:35:00 WinXP 114.48.25.0 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 07cd99a10b
NEW f8f0f72da6 [0] none:none
PolyEnE| none trace

T:11:45:00 Win2K-f 220.216.41.93 (TNC.NE.JP):
TOKAI CORPORATION,
TOKYO, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
99 lines Yeah : 1.3
profile none summary
tarball 39 of 40
40 of 41 6a6aaa5b73
NEW
8bde6dd126
NEW 63889c9976 [0]
885c68f500[0] none:none
none:none
tElock|
tElock| none
none trace
trace

T:12:48:00 Win2K-f 61.221.237.252 (-):
HUNG REN SHIN IE CO. LTD. PINGTUNG BRANCH COMPANY,
TAIPEI, T'AI-PEI, TW. (100Mbps) n/a 135 pcap raw alerts
ruleset other
1002 lines Yeah : 1.3
profile none summary
tarball 17 of 41 e1693609f9
NEW none[3] none:none
none|none none trace

T:13:31:00 Win2K-f 122.146.81.28 (SPARQNET.NET):
NEW CENTRY INFOCOM TECH. CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:14:19:00 Win2K-f 125.4.248.242 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
TOKYO, TOKYO, JP. (DSL) n/a 135 pcap raw alerts
ruleset other
1009 lines Yeah : 1.3
profile none summary
tarball 39 of 41
14 of 40 15953b80a1
NEW
def7923243
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:14:36:00 WinXP 72.0.176.121 (BENDBROADBAND.COM):
BEND CABLE COMMUNICATIONS LLC,
REDMOND, OREGON, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 42a5385ed4
NEW
f287d03196
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:14:51:00 Win2K-f 71.115.83.147 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
ELKHART, INDIANA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

17:10:00 Win2K-f 173.45.80.133 (XLHOST.COM):
XLHOST.COM INC,
COLUMBUS, OHIO, US. (100Mbps) n/a US:www.maxmind.com
:checkip.dyndns.org
EU:getmyip.co.uk
US:www.getmyip.org
208.78.70.70:80
US:67.15.94.80:80
US:75.126.138.202:80
EU:78.40.35.134:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 dc331fb791
NEW none[3] none:none
UPX| none trace

T:17:16:00 Win2K-f 173.45.80.133 (XLHOST.COM):
XLHOST.COM INC,
COLUMBUS, OHIO, US. (100Mbps) n/a US:www.maxmind.com
:checkip.dyndns.org
US:www.getmyip.org
EU:getmyip.co.uk
208.78.70.70:80
US:67.15.94.80:80
US:75.126.138.202:80
EU:78.40.35.134:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 dc331fb791
NEW none[3] none:none
UPX| none trace

17:26:00 Win2K-f 203.111.28.4 (ATWWW.COM):
SYNCHROMEDIA,
SYDNEY, NEW SOUTH WALES, AU. (100Mbps) n/a US:www.maxmind.com
US:www.getmyip.org
:checkip.dyndns.org
EU:getmyip.co.uk
208.78.70.70:80
US:67.15.94.80:80
US:75.126.138.202:80
EU:78.40.35.134:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:17:36:00 Win2K-f 203.111.28.4 (ATWWW.COM):
SYNCHROMEDIA,
SYDNEY, NEW SOUTH WALES, AU. (100Mbps) n/a US:www.maxmind.com
:checkip.dyndns.org
US:www.getmyip.org
EU:getmyip.co.uk
208.78.70.70:80
US:67.15.94.80:80
US:75.126.138.202:80
EU:78.40.35.134:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:18:21:00 Win2K-f 116.127.164.246 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 193.104.94.11:65520 DE:proxima.ircgalaxy.pl
US:microsoft.com
CN:down1130.iwillhavesexygirls.com
EU:pozeml.com
:pozemle.cn
CN:config1130.iwillhavesexygirls.com
:bfkq.com
:jsactivity.com
US:mjjia.cn
:braverhotels.com
CN:hotelseas.com
US:search.toptravellingtips.com
CN:210.51.36.215:88
US:66.96.221.101:80
93.174.92.220:80 135 pcap raw alerts
ruleset irc
http
192 lines Yeah : 1.8
profile none summary
tarball 15 of 40
13 of 41
6 of 40
0 of 41
34 of 36
14 of 41
29 of 32
11 of 41 1c134cba22
NEW
3e6e748549
NEW
4a17b6831b
NEW
82a6b21cae
NEW
99b248336f
NEW
9a14c5c8d8
NEW
9d677c3f70
NEW
a2ce42b73d
NEW none[none]
none [none]
none [none]
none [none]
c64bd1a776[0]
none [none]
77e75ff10f[0]
none [none] none:none
none:none
none:none
none:none
none:none
none:none
none:none
none:none
none|none
none|none
none|none
none|none
Armadillo|
none|none
tElock|
none|none none
none
none
none
none
none
none
none none
none
none
none
trace
none
trace
none

T:19:31:00 WinXP 98.141.9.117 (CAVTEL.NET):
CAVALIER TELEPHONE,
VIRGINIA BEACH, VIRGINIA, US. (DSL) n/a 135 pcap raw alerts
ruleset other
19 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:20:12:00 Win2K-f 72.64.30.16 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
CHARLESTON, WEST VIRGINIA, US. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

20:57:00 Win2K-f 218.22.106.14 (CNDATA.COM):
CHINANET ANHUI PROVINCE NETWORK,
HEFEI, ANHUI, CN. (DSL) n/a US:www.maxmind.com
:checkip.dyndns.org
US:www.getmyip.org
EU:getmyip.co.uk
208.78.70.70:80
US:67.15.94.80:80
US:75.126.138.202:80
EU:78.40.35.134:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:21:07:00 Win2K-f 218.22.106.14 (CNDATA.COM):
CHINANET ANHUI PROVINCE NETWORK,
HEFEI, ANHUI, CN. (DSL) n/a US:www.maxmind.com
:checkip.dyndns.org
EU:getmyip.co.uk
US:www.getmyip.org
208.78.70.70:80
US:67.15.94.80:80
US:75.126.138.202:80
EU:78.40.35.134:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:22:08:00 Win2K-f 60.249.37.106 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 34 of 38
35 of 38 38ed850a0e
NEW
b9297745a1
NEW 46990f37cd [0]
4294884d84[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

23:09:00 Win2K-f 173.18.91.110 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
CORALVILLE, IOWA, US. (DSL) n/a US:www.maxmind.com
:checkip.dyndns.org
US:www.getmyip.org
EU:getmyip.co.uk
208.78.70.70:80
US:67.15.94.80:80
EU:78.40.35.134:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace