| Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 02:08:00 | WinXP | 24.163.45.209 (RR.COM): ROAD RUNNER HOLDCO LLC, NORLINA, NORTH CAROLINA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 89 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41 / 33 of 33 | 0732e77441 NEW / 53bfe15e91 NEW | bcdb9d19f0 [0] / 1473091351 [0] | none:none / ASM:Graph | Armadillo\| / tElock\| | none / lines=75 embedded dns | trace / trace |
| 04:19:00 | WinXP | 115.83.104.83 (TAIWANMOBILE.NET): TAIWAN MOBILE CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | EU:citi-bank.ru EU:91.207.7.82:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 39 of 40 | 5e8ccc4190 NEW | 8d5f86583f [0] | ASM:Graph | PolyEnE\| | lines=68 | trace |
| 04:44:00 | WinXP | 115.83.104.83 (TAIWANMOBILE.NET): TAIWAN MOBILE CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | EU:citi-bank.ru EU:91.207.7.82:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 39 of 40 | 5e8ccc4190 NEW | 8d5f86583f [0] | ASM:Graph | PolyEnE\| | lines=68 | trace |
| 07:32:00 | Win2K-f | 24.100.2.52 (NEWWAVECOMM.NET): NEW WAVE COMMUNICATIONS, CORBIN, KENTUCKY, US. (DSL) | n/a | US:microsoft.com US:204.152.184.139:80 | 139 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 41 of 42 | 4717b8d9b7 NEW | none[none] | none:none | none\|none | none | none |
| 07:44:00 | Win2K-f | 24.227.244.5 (RR.COM): ROAD RUNNER HOLDCO LLC, AUSTIN, TEXAS, US. (DSL) | n/a | US:204.152.184.139:80 | 445 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| 08:50:00 | Win2K-f | 98.102.236.6 (RR.COM): ROAD RUNNER HOLDCO LLC, HERNDON, VIRGINIA, US. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 11 lines | Yeah : 1.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| 09:59:00 | Win2K-f | 98.141.163.84 (CAVTEL.NET): CAVALIER TELEPHONE, PHILADELPHIA, PENNSYLVANIA, US. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 18 lines | Yeah : 1.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| 10:56:00 | WinXP | 193.219.117.147 (-): S.C. GLIN SERVICE TURISM SRL, BUCHAREST, BUCURESTI, RO. (DSL) | n/a | EU:citi-bank.ru EU:91.207.7.82:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none[0] | none:none | PolyEnE\| | lines=68 | trace |
| 11:46:00 | Win2K-f | 41.136.220.100 (-) | n/a | US:www.maxmind.com DE:131.220.6.26:80 US:204.152.184.139:80 US:67.15.94.80:80 | 445 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| 12:38:00 | WinXP | 151.82.74.90 (51-151.NET24.IT): IUNET-BNET, IT. (DSL) | n/a | EU:citi-bank.ru EU:91.207.7.82:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 42 of 42 | f867780714 NEW | none[none] | none:none | none\|none | none | none |
| 14:01:00 | WinXP | 186.10.35.223 (IMOVIL.ENTELPCS.CL): ENTEL PCS TELECOMUNICACIONES S.A, CL. (DSL) | n/a | EU:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none[0] | none:none | PolyEnE\| | lines=68 | trace |
| 15:11:00 | Win2K-f | 95.26.0.212 (CORBINA.NET): INVESTELEKTROSVIAZ LTD, RU. (DSL) | n/a | US:www.maxmind.com EU:getmyip.co.uk DE:131.220.6.26:80 US:204.152.184.139:80 US:67.15.94.80:80 EU:78.40.35.134:80 | 445 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| 17:40:00 | WinXP | 121.121.222.160 (MAXIS.NET.MY): MAXIS BROADBAND SDN BHD, KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) | n/a | EU:citi-bank.ru EU:91.207.7.82:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 29 of 29 | 3ae357d17b NEW | none[0] | none:none | PolyEnE\| | lines=73 | trace |
| 17:45:00 | WinXP | 115.80.108.97 (TAIWANMOBILE.NET): TAIWAN MOBILE CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | EU:citi-bank.ru EU:91.207.7.82:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none[0] | none:none | PolyEnE\| | lines=68 | trace |
| 18:30:00 | Win2K-f | 173.45.113.190 (XLHOST.COM): ENET INC, COLUMBUS, OHIO, US. (DSL) | n/a | US:www.maxmind.com EU:getmyip.co.uk GB:www.vouchercodez.com US:www.getmyip.org :checkip.dyndns.org DE:131.220.6.26:80 | 445 | pcap | raw alerts ruleset | http 8 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX\| | lines=174 embedded dns | trace |
| 20:46:00 | Win2K-f | 138.88.63.246 (VERIZON.NET): VERIZON INTERNET SERVICES, WASHINGTON, DISTRICT OF COLUMBIA, US. (DSL) | n/a | US:www.maxmind.com DE:131.220.6.26:80 US:204.152.184.139:80 US:67.15.94.80:80 | 445 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| 21:46:00 | WinXP | 71.108.153.52 (VERIZON.NET): VERIZON INTERNET SERVICES INC, LONG BEACH, CALIFORNIA, US. (DSL) | n/a | | 445 | pcap | raw alerts ruleset | shell ftp 15 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41 | 320195e2d3 NEW | ce4cf37946 [0] | ASM:Graph | none\|none | lines=59 | trace |
| 23:22:00 | WinXP | 99.164.87.46 (SBCGLOBAL.NET): AT&T INTERNET SERVICES, WATERBURY, CONNECTICUT, US. (DSL) | n/a | | 445 | pcap | raw alerts ruleset | shell ftp 15 lines | Yeah : 1.3 profile | none | summary tarball | 29 of 29 | 1a2c0e6130 NEW | none[0] | none:none | none\|none | lines=60 | trace |

Where a cell holds two values separated by " / " (the 02:08:00 record), the infection yielded two captured binaries and each binary-specific column lists one entry per binary. An empty DNS cell means the record lists no lookups or failed connects.