| Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| T:00:11:00 | Win2K-f | 71.49.239.84 (EMBARQHSD.NET): EMBARQ CORPORATION, COLUMBUS, GEORGIA, US. (DSL) | n/a | US:microsoft.com US:204.152.184.139:80 | 135 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:00:57:00 | WinXP | 61.20.142.173 (FETNET.NET): FAR EASTONE TELECOMMUNICATION CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | RU:citi-bank.ru RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 41 | 2b9bc1463d NEW | 7978e0f6fb [0] | ASM:Graph | PolyEnE | lines=68 | trace |
| T:02:11:00 | Win2K-f | 118.83.14.251 (HTOJ.J-CNET.JP): JCN-HTMNET, HACHIOJI, TOKYO, JP. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 122 lines | Yeah : 1.3 profile | none | summary tarball | 32 of 36; 34 of 36 | 0b951c2832 NEW; e4ed4df0f0 NEW | 5fe761661a [0]; de471fc380 [0] | ASM:Graph; ASM:Graph | Armadillo; tElock | lines=91; lines=64 embedded dns | trace; trace |
| T:03:13:00 | WinXP | 95.69.208.85 (-): LLC AB UKRAINE, LVIV, L'VIVS'KA OBLAST', UA. (DSL) | n/a | RU:citi-bank.ru RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 39 of 40 | dcf8f48abe NEW | none [none] | none:none | none | none | none |
| T:05:12:00 | WinXP | 24.58.224.244 (RR.COM): ROAD RUNNER HOLDCO LLC, MASSENA, NEW YORK, US. (DSL) | n/a | DE:siliconfireware.ru US:searchportal.information.com US:spi.domainsponsor.com :wpad RU:ebookfinaltrash.ru | 445 | pcap | raw alerts ruleset | http http http http 23 lines | Yeah : 0.8 profile | none | summary tarball | 29 of 29 | df17a625ee NEW | none [0] | none:none | ASPack | lines=298 embedded dns | trace |
| T:06:32:00 | Win2K-f | 173.31.95.14 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, MIDDLETOWN, NEW YORK, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 38 of 40; 38 of 40 | 474acf88e5 NEW; 68f0c14692 NEW | 1f53944b24 [0]; ccc1b24d53 [0] | ASM:Graph; ASM:Graph | tElock; Armadillo | lines=64 embedded dns; lines=91 | trace; trace |
| T:06:33:00 | Win2K-f | 174.6.42.151 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, WINNIPEG, MANITOBA, CA. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 40; 39 of 40 | d38db295c3 NEW; f8f3b0b737 NEW | none [none]; none [none] | none:none; none:none | none; none | none; none | none; none |
| T:07:50:00 | WinXP | 186.141.56.198 (-): . | 213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none [0] | none:none | PolyEnE | lines=68 | trace |
| T:11:12:00 | WinXP | 24.48.130.29 (USA2NET.NET): FLORIDA CABLE INC, US. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 19 lines | Yeah : 1.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:13:18:00 | WinXP | 98.134.202.82 (WINDSTREAM.NET): ALLTEL MIP CUSTOMERS - LITTLE ROCK, WEST MONROE, LOUISIANA, US. (DSL) | n/a | RU:citi-bank.ru RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 41 | 07cd99a10b NEW | f8f0f72da6 [0] | ASM:Graph | PolyEnE | lines=68 | trace |
| T:15:31:00 | Win2K-f | 78.39.40.26 (-): DANESHGAH PAYAM NOOR JAHROM, SHIRAZ, FARS, IR. (DSL) | n/a | US:www.maxmind.com :checkip.dyndns.org US:www.getmyip.org EU:getmyip.co.uk GB:www.vouchercodez.com 208.78.70.70:80 US:67.15.94.80:80 US:75.126.138.202:80 | 445 | pcap | raw alerts ruleset | http 3 lines | Yeah : 0.8 profile | none | summary tarball | 2 of 37 | 223d8089f8 NEW | none [3] | none:none | StarForce | none | trace |
| T:16:16:00 | Win2K-f | 190.220.77.52 (NET.AR): TECHTEL LMDS COMUNICACIONES INTERACTIVAS S.A, LA PLATA, BUENOS AIRES, AR. (DSL) | n/a | US:www.maxmind.com US:www.getmyip.org EU:getmyip.co.uk GB:www.vouchercodez.com :checkip.dyndns.org 208.78.70.70:80 US:67.15.94.80:80 US:75.126.138.202:80 | 445 | pcap | raw alerts ruleset | http 3 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX | lines=174 embedded dns | trace |
| T:16:59:00 | Win2K-f | 175.114.34.171 (-): . | 83.133.119.206:65520 | DE:proxim.ircgalaxy.pl US:microsoft.com CN:ku.installstorm.com US:sendinvest.com US:findhobbits.com :img.ub8.net US:search.toptravellingtips.com US:8.5.1.45:8392 | 135 | pcap | raw alerts ruleset | irc http 389 lines | Yeah : 1.8 profile | none | summary tarball | 14 of 40; 39 of 40; 19 of 40; 15 of 40; 0 of 40; 34 of 36; 6 of 40; 18 of 40; 16 of 40 | 0471add6a2 NEW; 5548da4eba NEW; 59cf8da8e5 NEW; 6201ce74ce NEW; 8787e54f55 NEW; 8de905030e NEW; 9d2d01fcb9 NEW; de2a9fdf78 NEW; f88028c0ed NEW | 9147e6be39 [none]; a917f4b1fb [none]; a9657cb1b5 [none]; e2b9ebd853 [none]; none [none]; f601bdf68b [0]; none [none]; none [none]; none [none] | none:none; none:none; none:none; none:none; none:none; ASM:Graph; none:none; none:none; none:none | none; none; none; none; none; tElock; none; none; none | none; none; none; none; none; lines=125 embedded dns; none; none; none | none; none; none; none; none; trace; none; none; none |
| T:17:15:00 | WinXP | 96.8.242.42 (GVTC.COM): GUADALUPE VALLEY TELEPHONE COOPERATIVE INC, NEW BRAUNFELS, TEXAS, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 76 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; a08f3b74a4 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock; Armadillo | lines=75 embedded dns; lines=90 | trace; trace |
| T:17:27:00 | Win2K-f | 64.130.145.23 (SCRTC.COM): SOUTH CENTRAL RURAL TELEPHONE CO, SAN JOSE, CALIFORNIA, US. (DSL) | 60.190.222.139:65520 | :www.hophealth.com DE:proxim.ircgalaxy.pl CN:av.lometr.pl CN:ku.installstorm.com CA:img.ub8.net CN:test.installstorm.com US:microsoft.com 173.212.249.218:80 CA:74.117.63.90:80 US:8.5.1.45:8392 | 445 | pcap | raw alerts ruleset | http irc 180 lines | Yeah : 1.3 profile | none | summary tarball | 19 of 40; 15 of 40; 33 of 40; 18 of 40 | 59cf8da8e5 NEW; 6201ce74ce NEW; a4d3ff3ac9 NEW; de2a9fdf78 NEW | a9657cb1b5 [none]; e2b9ebd853 [none]; none [none]; none [none] | none:none; none:none; none:none; none:none | none; none; none; none | none; none; none; none | none; none; none; none |
| T:17:28:00 | Win2K-f | 85.21.30.238 (MSECURITY.RU): CORBINA-MORBEZ, MOSCOW, MOSCOW CITY, RU. (100Mbps) | n/a | US:www.maxmind.com EU:getmyip.co.uk GB:www.vouchercodez.com :checkip.dyndns.org US:www.getmyip.org 208.78.70.70:80 US:67.15.94.80:80 US:75.126.138.202:80 | 445 | pcap | raw alerts ruleset | http 3 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX | lines=174 embedded dns | trace |
| T:18:28:00 | Win2K-f | 70.184.102.222 (COX.NET): COX COMMUNICATIONS, PHOENIX, ARIZONA, US. (100Mbps) | n/a | EE:www.starman.ee FI:www.if.ee US:microsoft.com FI:194.215.38.3:80 EE:62.65.192.24:80 EE:62.65.192.25:80 | 135 | pcap | raw alerts ruleset | irc 11 lines | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:20:34:00 | Win2K-f | 24.79.175.157 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, SELKIRK, MANITOBA, CA. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 1002 lines | Yeah : 1.3 profile | none | summary tarball | 16 of 41 | b639738911 NEW | none [3] | none:none | none | none | trace |
| T:21:03:00 | Win2K-f | 24.213.224.238 (RR.COM): ROAD RUNNER HOLDCO LLC, AMSTERDAM, NOORD-HOLLAND, NL. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; a08f3b74a4 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock; Armadillo | lines=75 embedded dns; lines=90 | trace; trace |
| T:21:09:00 | Win2K-f | 113.255.19.188 (HUTCHCITY.COM): HUTCHISON GLOBAL COMMUNICATIONS, HONG KONG, HONG KONG (SAR), HK. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 76 lines | Yeah : 1.3 profile | none | summary tarball | 34 of 41; 33 of 33 | 1cc5b253e9 NEW; 53bfe15e91 NEW | a87d3afae8 [0]; 1473091351 [0] | ASM:Graph; ASM:Graph | tElock; tElock | lines=42; lines=75 embedded dns | trace; trace |
| T:21:34:00 | Win2K-f | 94.76.204.79 (AS29550.NET): BLUECONNEX-INFRA, UK. (100Mbps) | n/a | US:www.maxmind.com US:www.getmyip.org :checkip.dyndns.org EU:getmyip.co.uk GB:www.vouchercodez.com 208.78.70.70:80 US:67.15.94.80:80 US:75.126.138.202:80 | 445 | pcap | raw alerts ruleset | http 3 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX | lines=174 embedded dns | trace |
| T:22:37:00 | Win2K-f | 59.120.228.224 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 52 lines | Yeah : 1.3 profile | none | summary tarball | 0 of 33 | 57ce4acac2 NEW | none [0] | none:none | Armadillo | lines=90 | trace |
| T:23:04:00 | Win2K-f | 94.76.204.79 (AS29550.NET): BLUECONNEX-INFRA, UK. (100Mbps) | n/a | US:www.maxmind.com US:www.getmyip.org EU:getmyip.co.uk GB:www.vouchercodez.com :checkip.dyndns.org DE:131.220.6.26:80 | 445 | pcap | raw alerts ruleset | http 8 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX | lines=174 embedded dns | trace |
| T:23:56:00 | Win2K-f | 69.112.116.104 (OPTONLINE.NET): OPTIMUM ONLINE (CABLEVISION SYSTEMS), BROOKLYN, NEW YORK, US. (100Mbps) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 18 of 35; 0 of 32 | 218ce30f5c NEW; 73f1082158 NEW | none [3]; none [0] | none:none; none:none | none; Armadillo | none; lines=90 | trace; trace |