Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

04 February 2010
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:11:00 WinXP 202.128.66.79 (NETPCI.COM):
STARTEC GLOBAL COMMUNCATIONS GUAM,
AGANA, GUAM, GU. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
187 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 39
38 of 40		 25d536bea8
NEW
38fe0764dc
NEW 		9cffc8f48e [none]
de343dc6d8[none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
T:04:23:00 WinXP 200.80.242.38 (TECHTELNET.NET):
TECHTEL LMDS COMUNICACIONES INTERACTIVAS S.A,
BUENOS AIRES, BUENOS AIRES, AR. (DSL) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 01c4a6b3eb
NEW 		dd524b0259 [0] none:none
 PolyEnE| none trace
T:06:05:00 WinXP 95.106.34.217 (RYAZAN.RU):
RYAZAN BRANCH OF JSC CENTERTELECOM,
RU. (DSL) 		n/a RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 2c31e3c966
NEW 		dca1fa0c85 [0] none:none
 PolyEnE| none trace
T:06:21:00 WinXP 90.188.212.240 (OMSKNET.RU):
OJSC SIBIRTELECOM,
MOSCOW, MOSCOW CITY, RU. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 2b9bc1463d
NEW 		7978e0f6fb [0] none:none
 PolyEnE| none trace
T:06:37:00 Win2K-f 118.87.18.171 (ODWR.J-CNET.JP):
ODAWARA CABLETV INTERNET SERVICE,
ODAWARA, KANAGAWA, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
122 lines 		Yeah : 1.3
profile 		none summary
tarball 		32 of 36
34 of 36		 0b951c2832
NEW
e4ed4df0f0
NEW 		5fe761661a [0]
de471fc380[0] 		none:none
none:none
 Armadillo|
tElock| 		none
none 		trace
trace
06:46:00 WinXP 90.188.212.240 (OMSKNET.RU):
OJSC SIBIRTELECOM,
MOSCOW, MOSCOW CITY, RU. (DSL) 		213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 2b9bc1463d
NEW 		7978e0f6fb [0] none:none
 PolyEnE| none trace
T:06:59:00 Win2K-f 173.20.140.66 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
ALBANY, GEORGIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41
39 of 41		 5e3a9c2d9d
NEW
630308d06b
NEW 		dbc48b815a [0]
847d302e37[0] 		none:none
none:none
 tElock|
Armadillo| 		none
none 		trace
trace
T:07:25:00 WinXP 188.192.49.180 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
DE. (DSL) 		n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
GB:welcome3.smile.co.uk
:wpad
:www.proxy-socks.net
GB:195.92.84.198:80
EU:78.47.200.154:80 		445 pcap raw alerts
ruleset 		http
http
http
27 lines 		Yeah : 0.8
profile 		none summary
tarball 		0 of 40
0 of 39
0 of 39
29 of 29		 7f46c337d0
NEW
a8cfc7b5bb
NEW
c5fa529aa6
NEW
df17a625ee
NEW 		none[none]
none [none]
none [none]
none [0] 		none:none
none:none
none:none
none:none
 none|none
none|none
none|none
ASPack| 		none
none
none
lines=298
embedded dns 		none
none
none
trace
T:07:25:00 Win2K-f 122.146.82.130 (SPARQNET.NET):
NEW CENTRY INFOCOM TECH. CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
77 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:08:10:00 WinXP 98.134.250.68 (WINDSTREAM.NET):
ALLTEL MIP CUSTOMERS - LITTLE ROCK,
OZARK, ARKANSAS, US. (DSL) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 07cd99a10b
NEW 		f8f0f72da6 [0] none:none
 PolyEnE| none trace
T:09:24:00 Win2K-f 98.141.30.67 (CAVTEL.NET):
CAVALIER TELEPHONE,
NORFOLK, VIRGINIA, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:09:33:00 Win2K-f 207.5.161.171 (SUSCOM-MAINE.NET):
GREAT WORKS INTERNET,
BRUNSWICK, MAINE, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
76 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:09:44:00 Win2K-f 63.19.248.211 (UU.NET):
UUNET TECHNOLOGIES INC,
ROANOKE, VIRGINIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
127 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:10:17:00 Win2K-f 113.253.100.200 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
99 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41
38 of 41		 a5ceb6c29d
NEW
adadfc0e1c
NEW 		d64cd9d18b [0]
0f57439d82[0] 		none:none
ASM:Graph
 tElock|
tElock| 		none
lines=64
embedded dns 		trace
trace
T:11:27:00 Win2K-f 24.167.173.199 (RR.COM):
ROAD RUNNER HOLDCO LLC,
WINSTON SALEM, NORTH CAROLINA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:11:47:00 Win2K-f 61.99.41.156 (SONICANT.CO.KR):
THRUNET CO. LTD,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 		218.93.201.51:65520 US:microsoft.com
CN:proxima.ircgalaxy.pl
EU:dhkgpylwrl.com
CN:down0129.iwillhavesexygirls.com
EU:pozeml.com
CN:file0129.iwillhavesexygirls.com
:pozemle.cn
US:bfkq.com
:jsactivity.com
US:mjjia.cn
:braverhotels.com
CN:hotelseas.com
:img.ub8.net
173.45.105.218:8392
US:64.191.44.8:80
98.126.9.219:80 		135 pcap raw alerts
ruleset 		irc
http
239 lines 		Yeah : 1.8
profile 		none summary
tarball 		18 of 40
12 of 38
12 of 39
9 of 40
0 of 40
15 of 39
31 of 33
39 of 41
11 of 41
12 of 39
19 of 40		 081b51ed7e
NEW
1cb8ccc934
NEW
3fdd4f3c45
NEW
50fedbbad0
NEW
59caf4d141
NEW
64e7cb22ad
NEW
6e2eaa0359
NEW
71ece09646
NEW
a2ce42b73d
NEW
b5be173b0a
NEW
d3806af4ed
NEW 		a057cbe22f [none]
3fb6dba4ec[none]
7490cd7fa2[none]
none [none]
none [none]
none [none]
none [4]
5e74a7c1aa[0]
none [none]
none [none]
none [none] 		none:none
none:none
none:none
none:none
none:none
none:none
none:none
none:none
none:none
none:none
none:none
 none|none
none|none
none|none
none|none
none|none
none|none
PolyEnE|
Armadillo|
none|none
none|none
none|none 		none
none
none
none
none
none
none
none
none
none
none 		none
none
none
none
none
none
trace
trace
none
none
none
T:12:04:00 Win2K-f 70.232.75.252 (SBCGLOBAL.NET):
AT&T INTERNET SERVICES,
LITTLE ROCK, ARKANSAS, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:12:10:00 Win2K-f 186.10.23.142 (IMOVIL.ENTELPCS.CL):
ENTEL PCS TELECOMUNICACIONES S.A,
CL. (DSL) 		218.93.201.51:65520 US:microsoft.com
:pictureper.com
:braverhotels.com
CN:hotelseas.com
CN:proxima.ircgalaxy.pl
CN:stashonline.info
CN:av.lometr.pl
CN:down0129.iwillhavesexygirls.com
EU:pozeml.com
CN:file0129.iwillhavesexygirls.com
:pozemle.cn
US:mjjia.cn
:img.ub8.net
174.36.138.68:80
174.36.138.69:80
CN:218.93.201.51:65520
74.86.72.226:80
98.126.9.219:80 		445 pcap raw alerts
ruleset 		irc
http
21 lines 		Yeah : 1.3
profile 		none summary
tarball 		18 of 40
12 of 38
12 of 39
15 of 39
11 of 41
12 of 39
5 of 41
28 of 41		 081b51ed7e
NEW
1cb8ccc934
NEW
3fdd4f3c45
NEW
64e7cb22ad
NEW
a2ce42b73d
NEW
b5be173b0a
NEW
b6cd57d0d4
NEW
c125dd19c3
NEW 		a057cbe22f [none]
3fb6dba4ec[none]
7490cd7fa2[none]
none [none]
none [none]
none [none]
none [none]
none [none] 		none:none
none:none
none:none
none:none
none:none
none:none
none:none
none:none
 none|none
none|none
none|none
none|none
none|none
none|none
none|none
none|none 		none
none
none
none
none
none
none
none 		none
none
none
none
none
none
none
none
T:13:03:00 WinXP 75.12.151.107 (SBCGLOBAL.NET):
AT&T INTERNET SERVICES,
WEST HARTFORD, CONNECTICUT, US. (DSL) 		n/a US:www.altavista.com
:jbeegvia.ru 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		32 of 32 bb7681eca8
NEW 		none[3] none:none
 tElock| none trace
T:13:19:00 WinXP 109.162.65.55 (STERLINGSTUDENTS.NET):
EU-ZZ,
UK. (DSL) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 2b9bc1463d
NEW 		7978e0f6fb [0] none:none
 PolyEnE| none trace
T:13:43:00 Win2K-f 75.37.173.250 (SBCGLOBAL.NET):
JASON LEE,
PLANO, TEXAS, US. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
17:01:00 WinXP 190.209.121.76 (-):
TELMEX CHILE S.A HFC,
CL. (DSL) 		n/a RU:citi-bank.ru
RU:213.219.245.212:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 01c4a6b3eb
NEW 		dd524b0259 [0] none:none
 PolyEnE| none trace
T:17:09:00 Win2K-f 208.82.42.99 (ENERGIZE.NET):
PULASKI ELECTRIC SYSTEM,
PULASKI, TENNESSEE, US. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
17:50:00 Win2K-f 190.50.115.155 (COM.AR):
TELEFONICA DE ARGENTINA,
MAR DEL PLATA, BUENOS AIRES, AR. (DSL) 		n/a US:www.maxmind.com
US:www.getmyip.org
:checkip.dyndns.org
US:67.15.94.80:80
US:75.126.138.202:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		7 of 37 3862324588
NEW 		none[3] none:none
 UPX| none trace
T:19:19:00 Win2K-f 110.12.207.146 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 		218.93.201.51:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
CN:av.lometr.pl
CN:down0129.iwillhavesexygirls.com
EU:pozeml.com
CN:file0129.iwillhavesexygirls.com
US:bfkq.com
:jsactivity.com
:pozemle.cn
US:mjjia.cn
:braverhotels.com
CN:hotelseas.com
:img.ub8.net
:xz.ub9.net
:in.7cy.net
:in1.7cy.net
:taylorclassic.com
173.45.105.218:8392
69.64.155.79:80 		135 pcap raw alerts
ruleset 		irc
http
145 lines 		Yeah : 1.8
profile 		none summary
tarball 		7 of 40
12 of 38
12 of 39
29 of 32
28 of 32
11 of 41
28 of 41
11 of 39
26 of 41
13 of 40		 0b5b28162f
NEW
1cb8ccc934
NEW
3fdd4f3c45
NEW
8a75955033
NEW
9276c8b36b
NEW
a2ce42b73d
NEW
c125dd19c3
NEW
c29fdec720
NEW
dd96e88e03
NEW
e38b22bbb2
NEW 		4ef82ff329 [none]
3fb6dba4ec[none]
7490cd7fa2[none]
2bf3e548b9[0]
none [0]
none [none]
none [none]
none [none]
6f87541765[0]
none [none] 		none:none
none:none
none:none
ASM:Graph
ASM:Graph
none:none
none:none
none:none
none:none
none:none
 none|none
none|none
none|none
tElock|
Armadillo|
none|none
none|none
none|none
StarForce|
none|none 		none
none
none
lines=126
embedded dns
lines=81
none
none
none
none
none 		none
none
none
trace
trace
none
none
none
trace
none
T:19:28:00 Win2K-f 96.252.154.86 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
TAMPA, FLORIDA, US. (DSL) 		n/a :defaultdate.com
US:searchportal.information.com
US:spi.domainsponsor.com
US:ads1.revenue.net
:panther1.cpxinteractive.com
US:adserving.cpxinteractive.com
US:content.yieldmanager.com
:cookex.amp.yahoo.com
US:activex.microsoft.com
US:codecs.microsoft.com
US:caprimotel.net
US:luxuriousresort.net
US:64.120.176.66:8392
US:64.38.232.180:80
74.86.72.226:80 		135 pcap raw alerts
ruleset 		http
irc
72 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:22:24:00 Win2K-f 218.117.136.74 (BBTEC.NET):
JAPAN NATION-WIDE NETWORK OF SOFTBANK BB CORP,
KITAKYUSHU, FUKUOKA, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace