| Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| T:01:28:00 | WinXP | 61.58.106.96 (UBBN.NET): UNION BROADBAND NETWORK, TAIPEI, T'AI-PEI, TW. (DSL) | 92.240.234.164:3305 | :cx10man.weedns.com | 135 | pcap | raw alerts ruleset | irc 611 lines | Yeah : 1.8 profile | none | summary tarball | 40 of 41 | f418f57faa NEW | none[none] | none:none | none\|none | none | none |
| T:01:44:00 | Win2K-f | 63.246.122.61 (ALTUSCGI.NET): PRIVATE CABLE ISP SUBSCRIBER (GEORGETOWN SC MARKET), GEORGETOWN, SOUTH CAROLINA, US. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 19 lines | Yeah : 1.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:04:42:00 | Win2K-f | 114.203.149.246 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | 83.133.119.206:65520 | CN:proxim.ircgalaxy.pl US:microsoft.com CN:file0129.iwillhavesexygirls.com EU:pozeml.com US:bfkq.com :jsactivity.com :pozemle.cn EU:img.ub8.net :xz.ub9.net :in.7cy.net 173.45.70.226:80 174.133.57.141:80 DE:83.133.119.206:65520 | 135 | pcap | raw alerts ruleset | irc http 167 lines | Yeah : 1.8 profile | none | summary tarball | 11 of 41; 0 of 41; 29 of 39; 30 of 33; 14 of 41; 16 of 40; 2 of 35; 7 of 41 | 3664ce2ec2 NEW; 42eee319ea NEW; 4691ac4856 NEW; 6ec2a8994b NEW; 74afc61c67 NEW; 941e12f4ee NEW; bcf66a38c8 NEW; dd3a45a19c NEW | none[none]; none[none]; none[none]; 398aab9636[0]; none[none]; none[none]; 570133b348[0]; none[none] | none:none; none:none; none:none; none:none; none:none; none:none; none:none; none:none | none\|none; none\|none; none\|none; tElock\|; none\|none; none\|none; Armadillo\|; none\|none | none; none; none; none; none; none; none; none | none; none; none; trace; none; none; trace; none |
| T:04:51:00 | Win2K-f | 130.67.89.70 (ONLINE.NO): NORTELE-H, HØNEFOSS, BUSKERUD, NO. (DIAL) | n/a | US:capecodluxury.net :www.google-analytics.com US:www.capecodluxury.net NL:streamic.com NL:capecodluxury.net.streamic.com :pagead2.googlesyndication.com US:microsoft.com 174.133.57.141:80 NL:85.17.35.48:80 | 445 | pcap | raw alerts ruleset | http 72 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:06:37:00 | Win2K-f | 194.225.115.82 (-): IRAN POLYMER INSTITUTE, TEHRAN, ESFAHAN, IR. (DSL) | n/a | | 445 | pcap | raw alerts ruleset | http 12 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:06:50:00 | Win2K-f | 201.250.249.87 (COM.AR): TELEFONICA DE ARGENTINA, BUENOS AIRES, BUENOS AIRES, AR. (DSL) | n/a | US:www.maxmind.com EU:getmyip.co.uk :checkip.dyndns.org US:67.15.94.80:80 EU:78.40.35.134:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c[0] | ASM:Graph | UPX\| | lines=174 embedded dns | trace |
| T:07:00:00 | Win2K-f | 201.250.249.87 (COM.AR): TELEFONICA DE ARGENTINA, BUENOS AIRES, BUENOS AIRES, AR. (DSL) | n/a | US:www.maxmind.com EU:getmyip.co.uk GB:www.vouchercodez.com US:www.getmyip.org :checkip.dyndns.org DE:131.220.6.26:80 US:67.15.94.80:80 | 445 | pcap | raw alerts ruleset | http 6 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c[0] | ASM:Graph | UPX\| | lines=174 embedded dns | trace |
| T:07:47:00 | Win2K-f | 216.152.2.100 (-): CITY OF WILSON, PEA RIDGE, ARKANSAS, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 89 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 39 of 41 | 53bfe15e91 NEW; 75e7677265 NEW | 1473091351[0]; 6edbee1ea9[none] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; none | trace; trace |
| T:08:00:00 | WinXP | 190.185.14.212 (NODE-BE0B9E0A.SCARLET.AN): SCARLET B.V, PHILIPSBURG, SAINT MAARTEN, AN. (DSL) | n/a | RU:citi-bank.ru RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 39 of 41 | 912a073945 NEW | 7874c7f21e[0] | none:none | PolyEnE\| | none | trace |
| T:10:48:00 | WinXP | 99.148.197.193 (PACBELL.NET): AT&T INTERNET SERVICES, DAYTON, OHIO, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 76 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; a08f3b74a4 NEW | 1473091351[0]; none[0] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; lines=90 | trace; trace |
| T:15:31:00 | Win2K-f | 122.196.10.57 (ZAQ.NE.JP): J:COM WEST CO. LTD, OSAKA, OSAKA, JP. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 111 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41; 40 of 41 | 71e6f60517 NEW; ab4e3226c4 NEW | none[none]; none[none] | none:none; none:none | none\|none; none\|none | none; none | none; none |
| T:17:22:00 | WinXP | 24.65.35.176 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, LACOMBE, ALBERTA, CA. (DSL) | n/a | RU:citi-bank.ru RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 41 | 0393e25f86 NEW | 51aaf10e18[0] | none:none | PolyEnE\| | none | trace |
| T:17:51:00 | WinXP | 186.9.206.227 (IMOVIL.ENTELPCS.CL): ENTEL PCS TELECOMUNICACIONES S.A, SANTIAGO, REGION METROPOLITANA, CL. (DSL) | n/a | RU:citi-bank.ru RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 41 | 2b9bc1463d NEW | 7978e0f6fb[0] | none:none | PolyEnE\| | none | trace |
| T:18:31:00 | WinXP | 67.244.136.81 (RR.COM): ROAD RUNNER HOLDCO LLC, ROCHESTER, NEW YORK, US. (DSL) | n/a | EU:siliconfireware.ru US:searchportal.information.com US:spi.domainsponsor.com :www.proxy-socks.net :wpad | 445 | pcap | raw alerts ruleset | http http http 29 lines | Yeah : 0.8 profile | none | summary tarball | 29 of 29 | a12cab51ef NEW | none[0] | none:none | ASPack\| | lines=281 embedded dns | trace |
| T:18:53:00 | WinXP | 203.118.238.245 (-): GRAND TAINAN TECHNOLOGY CO.LTD, TAINAN, T'AI-WAN, TW. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 76 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; a08f3b74a4 NEW | 1473091351[0]; none[0] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; lines=90 | trace; trace |
| T:19:39:00 | Win2K-f | 60.249.37.247 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 34 of 38; 35 of 38 | 38ed850a0e NEW; b9297745a1 NEW | 46990f37cd[0]; 4294884d84[0] | ASM:Graph; ASM:Graph | Armadillo\|; tElock\| | lines=91; lines=64 embedded dns | trace; trace |
| T:21:27:00 | WinXP | 70.184.208.123 (COX.NET): COX COMMUNICATIONS, COUNCIL BLUFFS, IOWA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41; 40 of 41 | 3b3a6d7615 NEW; b7a694b220 NEW | ed7beb96f5[0]; 9f0354af30[0] | none:none; none:none | Armadillo\|; tElock\| | none; none | trace; trace |
| T:23:16:00 | Win2K-f | 70.184.108.205 (COX.NET): COX COMMUNICATIONS, MESA, ARIZONA, US. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 18 lines | Yeah : 1.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:23:53:00 | Win2K-f | 59.120.228.224 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 52 lines | Yeah : 1.3 profile | none | summary tarball | 0 of 33 | 57ce4acac2 NEW | none[0] | none:none | Armadillo\| | lines=90 | trace |