Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

20 April 2010
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:06:00 Win2K-f 68.150.216.210 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
SHERWOOD PARK, ALBERTA, CA. (DSL) n/a 135 pcap raw alerts
ruleset other
186 lines Yeah : 1.3
profile none summary
tarball 41 of 41 916752f248
NEW 4e604fc8cb [0] ASM:Graph
none|none lines=546 trace

T:00:39:00 WinXP 110.14.214.164 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 83.133.119.206:65520 DE:proxima.ircgalaxy.pl
US:microsoft.com
CN:ku1.installstorm.com
US:sendinvest.com
US:findhobbits.com
CN:sky.installstorm.com
CN:pic.iwillhavesexygirls.com
US:396d6f87.linkbucks.com
:static.linkbucks.com
:xz.ub9.net
US:rts.sparkstudios.com
:www.google-analytics.com
:vimby.com
US:edge.quantserve.com
:www.vimby.com
US:www.download.windowsupdate.com
US:caf18cd7.linkbucks.com
US:7e30432a.linkbucks.com
:in.7cy.net
US:9c200c62.linkbucks.com
US:30b877c3.linkbucks.com
US:8.5.1.45:8392 135 pcap raw alerts
ruleset irc
http
290 lines Yeah : 1.8
profile none summary
tarball 18 of 40
34 of 40
20 of 40
34 of 36
29 of 32
9 of 41
26 of 41 0ae3ecef22
NEW
72e3100fa7
NEW
8a6b475217
NEW
99b248336f
NEW
9d677c3f70
NEW
c0b0603892
NEW
f0bb9eebff
NEW none[none]
none [none]
none [none]
c64bd1a776[0]
77e75ff10f[0]
none [none]
none [none] none:none
none:none
none:none
ASM:Graph
ASM:Graph
none:none
none:none
none|none
none|none
none|none
Armadillo|
tElock|
none|none
none|none none
none
none
lines=91
lines=120
embedded dns
none
none none
none
none
trace
trace
none
none

T:02:21:00 Win2K-f 113.253.100.222 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) n/a 135 pcap raw alerts
ruleset other
1006 lines Yeah : 1.3
profile none summary
tarball 35 of 41 928338e1d9
NEW none[none] none:none
none|none none none

T:02:46:00 WinXP 114.48.37.21 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:03:41:00 Win2K-f 72.128.22.28 (RR.COM):
ROAD RUNNER HOLDCO LLC,
KANSAS CITY, KANSAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
59 lines Yeah : 1.3
profile none summary
tarball 33 of 33
8 of 33 53bfe15e91
NEW
b7082104e4
NEW 1473091351 [0]
c5b49e7b82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=75
embedded dns
lines=41 trace
trace

04:08:00 Win2K-f 207.182.136.38 (XLHOST.COM):
XLHOST.COM INC,
COLUMBUS, OHIO, US. (100Mbps) n/a US:www.maxmind.com
:checkip.dyndns.org
EU:getmyip.co.uk
US:www.getmyip.org
208.78.70.70:80
US:67.15.94.80:80
US:75.126.138.202:80
EU:78.40.35.134:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

04:10:00 Win2K-f 207.182.136.60 (XLHOST.COM):
XLHOST.COM INC,
COLUMBUS, OHIO, US. (100Mbps) n/a US:www.maxmind.com
:checkip.dyndns.org
EU:getmyip.co.uk
US:www.getmyip.org
208.78.70.70:80
US:67.15.94.80:80
US:75.126.138.202:80
EU:78.40.35.134:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:04:17:00 Win2K-f 207.182.136.38 (XLHOST.COM):
XLHOST.COM INC,
COLUMBUS, OHIO, US. (100Mbps) n/a US:www.maxmind.com
US:www.getmyip.org
EU:getmyip.co.uk
GB:www.vouchercodez.com
:checkip.dyndns.org
DE:131.220.6.26:80
208.78.70.70:80
US:67.15.94.80:80 445 pcap raw alerts
ruleset http
5 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

04:20:00 WinXP 64.188.192.125 (-):
WINDJAMMER COMMUNICATIONS LLC,
BOSTON, MASSACHUSETTS, US. (DSL) n/a RU:citi-bank.ru
:parex-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 40 5e8ccc4190
NEW 8d5f86583f [0] ASM:Graph
PolyEnE| lines=68 trace

T:05:05:00 WinXP 122.229.111.58 (HZ.ZJ.CN):
CHINANET-ZJ ZHONGXIN NODE NETWORK,
BEIJING, BEIJING, CN. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 32 of 32 b502f83a7c
NEW 28f5be93b0 [0] ASM:Graph
PolyEnE| lines=73 trace

05:40:00 Win2K-f 113.253.200.246 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) n/a US:www.maxmind.com
US:www.getmyip.org
EU:getmyip.co.uk
:checkip.dyndns.org
US:67.15.94.80:80
US:75.126.138.202:80
EU:78.40.35.134:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:05:41:00 WinXP 188.129.139.65 (DSL.ONLINE.GE):
GOL GELINK NET,
GE. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 41 fb85113a6e
NEW none[none] none:none
none|none none none

T:05:49:00 Win2K-f 113.253.200.246 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) n/a US:www.maxmind.com
US:www.getmyip.org
:checkip.dyndns.org
EU:getmyip.co.uk
GB:www.vouchercodez.com
208.78.70.70:80
US:67.15.94.80:80 445 pcap raw alerts
ruleset http
4 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

06:34:00 Win2K-f 196.218.254.51 (TEDATA.NET):
OPTION-PACK-DSL,
CAIRO, AL QAHIRAH, EG. (DSL) n/a US:www.maxmind.com
US:www.getmyip.org
:checkip.dyndns.org
US:67.15.94.80:80
US:75.126.138.202:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:06:43:00 Win2K-f 196.218.254.51 (TEDATA.NET):
OPTION-PACK-DSL,
CAIRO, AL QAHIRAH, EG. (DSL) n/a US:www.maxmind.com
EU:getmyip.co.uk
US:www.getmyip.org
:checkip.dyndns.org
208.78.70.70:80
US:67.15.94.80:80
US:75.126.138.202:80
EU:78.40.35.134:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:07:00:00 WinXP 59.120.228.224 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a 135 pcap raw alerts
ruleset other
55 lines Yeah : 1.3
profile none summary
tarball 0 of 33 57ce4acac2
NEW none[0] none:none
Armadillo| lines=90 trace

T:09:25:00 WinXP 70.182.94.31 (COX.NET):
COX COMMUNICATIONS,
OKLAHOMA CITY, OKLAHOMA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:10:03:00 Win2K-f 58.71.45.90 (PLDT.NET):
IPG,
MANILA, MANILA, PH. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
115 lines Yeah : 1.3
profile none summary
tarball 40 of 41
39 of 41 5403724951
NEW
6494cbd582
NEW 44ee5f83ba [0]
adcb56d0cb[0] ASM:Graph
ASM:Graph
tElock|
Armadillo| lines=64
embedded dns
lines=91 trace
trace

T:11:03:00 Win2K-f 122.146.83.24 (SPARQNET.NET):
NEW CENTRY INFOCOM TECH. CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:12:17:00 Win2K-f 69.193.74.22 (RR.COM):
ROAD RUNNER HOLDCO LLC,
HERNDON, VIRGINIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:12:59:00 WinXP 84.94.33.150 (012.NET.IL):
GOLDENLINES-CABLE,
BAT YAM, TEL AVIV, IL. (DSL) n/a 445 pcap raw alerts
ruleset other
0 lines Argh : 0.3
profile none summary
tarball none none none none none none none

T:14:59:00 Win2K-f 24.76.5.147 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
SELKIRK, MANITOBA, CA. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
112 lines Yeah : 1.3
profile none summary
tarball 39 of 42
39 of 42 a1fac31325
NEW
c018e17b5b
NEW 0fd057b5e2 [0]
8caee80d88[0] none:none
none:none
Armadillo|
StarForce| none
none trace
trace

20:32:00 Win2K-f 123.195.13.211 (KBRONET.COM.TW):
TUNG HO MULTIMEDIA CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:www.maxmind.com
US:www.getmyip.org
:checkip.dyndns.org
US:67.15.94.80:80
US:75.126.138.202:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:22:20:00 WinXP 99.8.224.63 (SBCGLOBAL.NET):
AT&T INTERNET SERVICES,
SAN FRANCISCO, CALIFORNIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace