Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

30 January 2010
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:38:00 WinXP 114.51.193.17 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) 		n/a   445 pcap raw alerts
ruleset 		ftp
13 lines 		Yeah : 0.8
profile 		none summary
tarball 		37 of 40 5285741560
NEW 		60590b8b67 [0] ASM:Graph
 none|none lines=59 trace
T:00:53:00 WinXP 59.120.228.224 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
53 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 33 57ce4acac2
NEW 		none[0] none:none
 Armadillo| lines=90 trace
T:01:27:00 Win2K-f 173.22.144.199 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
SPRINGFIELD, MISSOURI, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41
39 of 41		 5e3a9c2d9d
NEW
630308d06b
NEW 		dbc48b815a [0]
847d302e37[0] 		none:none
none:none
 tElock|
Armadillo| 		none
none 		trace
trace
T:02:51:00 Win2K-f 24.213.224.238 (RR.COM):
ROAD RUNNER HOLDCO LLC,
AMSTERDAM, NOORD-HOLLAND, NL. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:04:04:00 WinXP 66.66.252.214 (RR.COM):
ROAD RUNNER HOLDCO LLC,
WATERLOO, NEW YORK, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
60 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
8 of 33		 53bfe15e91
NEW
b7082104e4
NEW 		1473091351 [0]
c5b49e7b82[0] 		ASM:Graph
ASM:Graph
 tElock|
tElock| 		lines=75
embedded dns
lines=41 		trace
trace
T:04:48:00 WinXP 212.171.210.170 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A,
ROME, LAZIO, IT. (DSL) 		n/a EU:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
:wpad
DE:217.11.54.126:80 		445 pcap raw alerts
ruleset 		http
http
14 lines 		Yeah : 0.8
profile 		none summary
tarball 		0 of 41
29 of 29
0 of 41		 47cc92497c
NEW
df17a625ee
NEW
ee0925aa13
NEW 		none[none]
none [0]
none [none] 		none:none
none:none
none:none
 none|none
ASPack|
none|none 		none
lines=298
embedded dns
none 		none
trace
none
T:05:16:00 WinXP 174.6.200.206 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
WINNIPEG, MANITOBA, CA. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
2 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:06:43:00 Win2K-f 204.181.140.250 (SPRINTLINK.NET):
SPRINT,
BETHEL, CONNECTICUT, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		36 of 41
38 of 41		 4d4b7efca2
NEW
539d61fc06
NEW 		ec83dac222 [0]
c3af874c93[0] 		none:none
none:none
 Armadillo|
tElock| 		none
none 		trace
trace
T:07:23:00 Win2K-f 174.5.179.184 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CA. (DSL) 		92.240.234.164:3305 JP:cx10man.weedns.com
:fx010413.whyI.org
JP:gynoman.weedns.com
92.240.234.164:3305 		135 pcap raw alerts
ruleset 		irc
608 lines 		Yeah : 1.8
profile 		none summary
tarball 		38 of 41 6fc4870416
NEW 		none[none] none:none
 none|none none none
T:08:00:00 Win2K-f 4.240.75.11 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
ALBUQUERQUE, NEW MEXICO, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
59 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
8 of 33		 53bfe15e91
NEW
b7082104e4
NEW 		1473091351 [0]
c5b49e7b82[0] 		ASM:Graph
ASM:Graph
 tElock|
tElock| 		lines=75
embedded dns
lines=41 		trace
trace
T:08:10:00 Win2K-f 219.251.193.239 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 		218.93.201.51:65520 US:microsoft.com
DE:proxima.ircgalaxy.pl
CN:down1130.iwillhavesexygirls.com
EU:pozeml.com
:pozemle.cn
CN:210.51.36.215:88
93.174.92.220:80 		135 pcap raw alerts
ruleset 		irc
http
110 lines 		Yeah : 1.8
profile 		none summary
tarball 		31 of 33
0 of 33
11 of 41		 1509c8d024
NEW
a08f3b74a4
NEW
a2ce42b73d
NEW 		3445f2ac2c [4]
none [0]
none [none] 		none:none
none:none
none:none
 tElock|
Armadillo|
none|none 		none
lines=90
none 		trace
trace
none
T:08:38:00 WinXP 71.117.12.122 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
MT. VERNON, WASHINGTON, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
1008 lines 		Yeah : 1.3
profile 		none summary
tarball 		20 of 41 c20138fa2a
NEW 		none[3] none:none
 none|none none trace
T:08:51:00 Win2K-f 125.4.230.254 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
TOKYO, TOKYO, JP. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
1012 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41
14 of 40		 15953b80a1
NEW
def7923243
NEW 		none[none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
T:08:57:00 WinXP 66.53.216.17 (MDSG-PACWEST.COM):
PAC-WEST MANAGED MODEM NAS POOL,
RIVERSIDE, CALIFORNIA, US. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:09:35:00 Win2K-f 123.213.64.150 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 		218.93.201.51:65520 US:microsoft.com
CN:proxim.ircgalaxy.pl
EU:dhkgpylwrl.com
CN:down1130.iwillhavesexygirls.com
CN:config1130.iwillhavesexygirls.com
EU:pozeml.com
:bfkq.com
:jsactivity.com
:pozemle.cn
US:mjjia.cn
CN:218.93.201.51:65520
US:63.134.244.77:80
93.174.92.220:80 		135 pcap raw alerts
ruleset 		irc
http
180 lines 		Yeah : 1.8
profile 		none summary
tarball 		15 of 40
7 of 41
0 of 41
30 of 33
14 of 41
17 of 40
11 of 41
2 of 35		 1c134cba22
NEW
3c3178a810
NEW
4b758576ed
NEW
6ec2a8994b
NEW
9a14c5c8d8
NEW
9c8f000ca4
NEW
a2ce42b73d
NEW
bcf66a38c8
NEW 		none[none]
none [none]
none [none]
398aab9636[0]
none [none]
none [none]
none [none]
570133b348[0] 		none:none
none:none
none:none
none:none
none:none
none:none
none:none
none:none
 none|none
none|none
none|none
tElock|
none|none
none|none
none|none
Armadillo| 		none
none
none
none
none
none
none
none 		none
none
none
trace
none
none
none
trace
T:09:46:00 Win2K-f 79.47.111.52 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA NET,
ENNA, SICILIA, IT. (DSL) 		n/a :search.bestoffersdirectory.com
US:microsoft.com
:search.creativeblackandwhitephotography.com
:search.traveleuropesecrets.com
US:adultgameplayer.com
NL:as.casalemedia.com
:images.ddc.com
:s7.addthis.com
NL:cdn.optmd.com
NL:b.casalemedia.com
US:domdex.com
173.192.19.34:80
173.45.105.218:8392
174.36.138.74:80
204.27.57.154:8392
US:208.70.72.89:80
66.114.48.60:80
74.86.72.226:80 		445 pcap raw alerts
ruleset 		http
41 lines 		Argh : 0.3
profile 		none summary
tarball 		0 of 41 a784ba201a
NEW 		none[none] none:none
 none|none none none
T:11:29:00 Win2K-f 4.224.141.136 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
INDIANAPOLIS, INDIANA, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:13:51:00 WinXP 95.220.56.61 (-):
FAIRLIE HOLDING & FINANCE LIMITED,
MOSCOW, MOSCOW CITY, RU. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 41 4e676e5c6e
NEW 		none[none] none:none
 none|none none none
T:14:45:00 Win2K-f 98.141.162.11 (CAVTEL.NET):
CAVALIER TELEPHONE,
PHILADELPHIA, PENNSYLVANIA, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:15:20:00 Win2K-f 4.177.6.73 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
POWAY, CALIFORNIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
210 lines 		Yeah : 1.3
profile 		none summary
tarball 		37 of 41
36 of 40		 47d3548e36
NEW
d8722af110
NEW 		ab13346633 [0]
ab30a55931[0] 		none:none
none:none
 Armadillo|
tElock| 		none
none 		trace
trace
T:15:45:00 Win2K-f 98.30.117.179 (RR.COM):
ROAD RUNNER HOLDCO LLC,
UPPER SANDUSKY, OHIO, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:16:37:00 WinXP 115.165.9.134 (CATV02.ITSCOM.JP):
ITS COMMUNICATIONS INC,
TOKYO, TOKYO, JP. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:19:28:00 WinXP 4.186.21.226 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
NORTH BERGEN, NEW JERSEY, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
76 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
19:52:00 Win2K-f 94.74.131.171 (-):
A GREAT ISP IN FARS-IRAN,
TEHRAN, ESFAHAN, IR. (100Mbps) 		n/a US:www.maxmind.com
:checkip.dyndns.org
EU:getmyip.co.uk
GB:www.vouchercodez.com
US:www.getmyip.org
DE:131.220.6.26:80
208.78.70.70:80
US:75.126.138.202:80 		445 pcap raw alerts
ruleset 		http
6 lines 		Yeah : 0.8
profile 		none summary
tarball 		3 of 37 d9cb288f31
NEW 		45603a001c [0] ASM:Graph
 UPX| lines=174
embedded dns 		trace
T:20:01:00 Win2K-f 94.74.131.171 (-):
A GREAT ISP IN FARS-IRAN,
TEHRAN, ESFAHAN, IR. (100Mbps) 		n/a US:www.maxmind.com
EU:getmyip.co.uk
GB:www.vouchercodez.com
US:www.getmyip.org
:checkip.dyndns.org
DE:131.220.6.26:80
US:67.15.94.80:80 		445 pcap raw alerts
ruleset 		http
7 lines 		Yeah : 0.8
profile 		none summary
tarball 		3 of 37 d9cb288f31
NEW 		45603a001c [0] ASM:Graph
 UPX| lines=174
embedded dns 		trace
T:21:06:00 Win2K-f 114.203.149.169 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 		88.198.228.238:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
CN:down1130.iwillhavesexygirls.com
DE:88.198.228.238:65520 		135 pcap raw alerts
ruleset 		irc
http
105 lines 		Yeah : 1.8
profile 		none summary
tarball 		15 of 40
30 of 33
2 of 35		 1c134cba22
NEW
6ec2a8994b
NEW
bcf66a38c8
NEW 		none[none]
398aab9636[0]
570133b348[0] 		none:none
none:none
none:none
 none|none
tElock|
Armadillo| 		none
none
none 		none
trace
trace
T:21:15:00 WinXP 59.104.31.106 (SEED.NET.TW):
SEEDNET-TAIPEIDP-S,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		none summary
tarball 		39 of 40 bd81d71c06
NEW 		1993ba73cd [0] none:none
 PolyEnE| none trace
T:21:32:00 WinXP 59.87.48.78 (UCOM.NE.JP):
NTK0015B,
TOKYO, TOKYO, JP. (100Mbps) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
14 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41 8bdf693d7e
NEW 		none[none] none:none
 none|none none none
T:21:53:00 Win2K-f 4.179.167.23 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
SANTA ROSA, CALIFORNIA, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
149 lines 		Yeah : 1.3
profile 		none summary
tarball 		37 of 41
24 of 41		 47d3548e36
NEW
723a579d32
NEW 		ab13346633 [0]
none [none] 		none:none
none:none
 Armadillo|
none|none 		none
none 		trace
none
23:01:00 WinXP 209.42.180.152 (WISPNET.NET):
WISPNET LLC,
LEXINGTON, KENTUCKY, US. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		35 of 36 b27d73bfcb
NEW 		473c6454ce [0] ASM:Graph
 PolyEnE| lines=68 trace
T:23:26:00 WinXP 118.83.14.251 (HTOJ.J-CNET.JP):
JCN-HTMNET,
HACHIOJI, TOKYO, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
123 lines 		Yeah : 1.3
profile 		none summary
tarball 		32 of 36
34 of 36		 0b951c2832
NEW
e4ed4df0f0
NEW 		5fe761661a [0]
de471fc380[0] 		none:none
none:none
 Armadillo|
tElock| 		none
none 		trace
trace
T:23:30:00 Win2K-f 116.81.73.249 (INFOWEB.NE.JP):
INFOWEB(FUJITSU LTD.),
YOKOHAMA, KANAGAWA, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
111 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 41
38 of 41		 59fe417cbe
NEW
99138cad4e
NEW 		none[none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none