| Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| T:00:51:00 | Win2K-f | 180.66.210.80 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | 60.190.222.139:65520 | DE:proxima.ircgalaxy.pl US:microsoft.com CN:file0129.iwillhavesexygirls.com EU:pozeml.com CN:122.224.6.48:88 CN:60.190.222.139:65520 | 135 | pcap | raw alerts ruleset | irc 100 lines | Yeah : 1.8 profile | none | summary tarball | 34 of 36 / 29 of 32 | 99b248336f NEW / 9d677c3f70 NEW | c64bd1a776 [0] / 77e75ff10f [0] | ASM:Graph / ASM:Graph | Armadillo\| / tElock\| | lines=91 / lines=120 embedded dns | trace / trace |
| T:00:54:00 | WinXP | 64.175.160.91 (PACBELL.NET): AT&T INTERNET SERVICES, CARLSBAD, CALIFORNIA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 76 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 / 0 of 33 | 53bfe15e91 NEW / a08f3b74a4 NEW | 1473091351 [0] / none [0] | ASM:Graph / none:none | tElock\| / Armadillo\| | lines=75 embedded dns / lines=90 | trace / trace |
| T:01:17:00 | WinXP | 121.84.162.42 (EONET.NE.JP): K-OPTICOM CORPORATION, OSAKA, OSAKA, JP. (DSL) | n/a | | 445 | pcap | raw alerts ruleset | shell ftp 15 lines | Yeah : 1.3 profile | none | summary tarball | 31 of 32 | 741e3b03b3 NEW | none [0] | none:none | none\|none | lines=61 | trace |
| T:03:18:00 | Win2K-f | 114.37.54.174 (HINET.NET): CHTD CHUNGHWA TELECOM CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | US:www.maxmind.com :checkip.dyndns.org US:www.getmyip.org EU:getmyip.co.uk 208.78.70.70:80 US:67.15.94.80:80 EU:78.40.35.134:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX\| | lines=174 embedded dns | trace |
| T:05:11:00 | Win2K-f | 125.4.213.212 (ZAQ.NE.JP): J:COM WEST CO. LTD, TOKYO, TOKYO, JP. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 89 lines | Yeah : 1.3 profile | none | summary tarball | 37 of 41 / 33 of 33 | 2b9840a764 NEW / 53bfe15e91 NEW | a7dbe16bd8 [0] / 1473091351 [0] | ASM:Graph / ASM:Graph | Armadillo\| / tElock\| | lines=91 / lines=75 embedded dns | trace / trace |
| T:06:14:00 | Win2K-f | 180.66.118.44 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | 60.190.222.139:65520 | CN:proxim.ircgalaxy.pl US:microsoft.com CN:60.190.222.139:65520 DE:83.133.119.206:65520 | 135 | pcap | raw alerts ruleset | irc 62 lines | Yeah : 1.8 profile | none | summary tarball | 30 of 33 | 533d15b5ce NEW | c67adf46e2 [0] | ASM:Graph | tElock\| | lines=126 embedded dns | trace |
| T:06:34:00 | Win2K-f | 72.11.34.84 (NORTHSTATE.NET): NORTH STATE TELEPHONE CO, HIGH POINT, NORTH CAROLINA, US. (DSL) | 83.133.119.206:65520 | CN:proxim.ircgalaxy.pl US:microsoft.com CN:60.190.222.139:65520 DE:83.133.119.206:65520 | 135 | pcap | raw alerts ruleset | irc 2 lines | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:08:53:00 | WinXP | 120.138.157.45 (STARCAT.NE.JP): KMN CORPORATION, TOKYO, TOKYO, JP. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41 / 40 of 41 | 6a1dc43309 NEW / 94e49d5627 NEW | 522dace6c1 [0] / 777259292a [0] | ASM:Graph / ASM:Graph | Armadillo\| / tElock\| | lines=91 / lines=64 embedded dns | trace / trace |
| T:10:09:00 | Win2K-f | 207.5.121.144 (MICROLNK.COM): MICROLNK LLC, OMAHA, NEBRASKA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 / 0 of 32 | 53bfe15e91 NEW / 73f1082158 NEW | 1473091351 [0] / none [0] | ASM:Graph / none:none | tElock\| / Armadillo\| | lines=75 embedded dns / lines=90 | trace / trace |
| T:10:43:00 | WinXP | 109.87.7.148 (JWS.COM): EU-ZZ, UK. (DSL) | n/a | RU:citi-bank.ru RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none [0] | none:none | PolyEnE\| | lines=68 | trace |
| T:15:47:00 | Win2K-f | 113.252.100.140 (HUTCHCITY.COM): HUTCHISON GLOBAL COMMUNICATIONS, HONG KONG, HONG KONG (SAR), HK. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 59 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 / 8 of 33 | 53bfe15e91 NEW / b7082104e4 NEW | 1473091351 [0] / c5b49e7b82 [0] | ASM:Graph / ASM:Graph | tElock\| / tElock\| | lines=75 embedded dns / lines=41 | trace / trace |
| T:17:40:00 | Win2K-f | 70.60.198.57 (RR.COM): ROAD RUNNER HOLDCO LLC, MONROE, NORTH CAROLINA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 76 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 / 0 of 32 | 53bfe15e91 NEW / 73f1082158 NEW | 1473091351 [0] / none [0] | ASM:Graph / none:none | tElock\| / Armadillo\| | lines=75 embedded dns / lines=90 | trace / trace |
| T:18:35:00 | Win2K-f | 70.167.73.214 (COX.NET): COX COMMUNICATIONS, OCEANSIDE, CALIFORNIA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 / 0 of 32 | 53bfe15e91 NEW / 73f1082158 NEW | 1473091351 [0] / none [0] | ASM:Graph / none:none | tElock\| / Armadillo\| | lines=75 embedded dns / lines=90 | trace / trace |
| T:18:40:00 | WinXP | 173.29.137.135 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, CHANHASSEN, MINNESOTA, US. (DSL) | n/a | | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 41 | ea88964f78 NEW | e07a1b38de [0] | ASM:Graph | PolyEnE\| | lines=76 | trace |
| T:19:03:00 | WinXP | 4.138.67.184 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, ATLANTA, GEORGIA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 262 lines | Yeah : 1.3 profile | none | summary tarball | 41 of 42 / 41 of 42 | ae3f96a182 NEW / e5d99f07b7 NEW | none [none] / none [none] | none:none / none:none | none\|none / none\|none | none / none | none / none |
| T:19:32:00 | WinXP | 173.168.247.41 (RR.COM): ROAD RUNNER HOLDCO LLC, BRADENTON, FLORIDA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 111 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41 / 41 of 42 | 2ee433d1ff NEW / ded6d201af NEW | none [none] / none [none] | none:none / none:none | none\|none / none\|none | none / none | none / none |
| T:19:52:00 | Win2K-f | 96.49.141.62 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, WINNIPEG, MANITOBA, CA. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 / 0 of 33 | 53bfe15e91 NEW / a08f3b74a4 NEW | 1473091351 [0] / none [0] | ASM:Graph / none:none | tElock\| / Armadillo\| | lines=75 embedded dns / lines=90 | trace / trace |
| T:20:16:00 | Win2K-f | 96.10.90.90 (RR.COM): ROAD RUNNER HOLDCO LLC, RALEIGH, NORTH CAROLINA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41 / 39 of 41 | 53aa804019 NEW / 95ddd4a823 NEW | 29c6cdbf45 [0] / 9e78315a6d [0] | ASM:Graph / ASM:Graph | tElock\| / Armadillo\| | lines=64 embedded dns / lines=91 | trace / trace |
| T:20:41:00 | Win2K-f | 216.209.243.73 (BELL.CA): DRYDEN MUNICIPAL TELEPHONE, QUEBEC, QUEBEC, CA. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 183 lines | Yeah : 1.3 profile | none | summary tarball | 41 of 42 / 41 of 42 | 88bb6c64ff NEW / 9a72e1c8a7 NEW | none [none] / none [none] | none:none / none:none | none\|none / none\|none | none / none | none / none |
| T:22:32:00 | Win2K-f | 211.74.204.254 (SEED.NET.TW): SEEDNET-KAOHSIUNGDP-S, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 / 0 of 33 | 53bfe15e91 NEW / 57ce4acac2 NEW | 1473091351 [0] / none [0] | ASM:Graph / none:none | tElock\| / Armadillo\| | lines=75 embedded dns / lines=90 | trace / trace |