|
Time |
Victim OS |
Infection Source |
C&C Server |
DNS Lookups & Failed Connects |
Infection Port |
Packet Trace |
Detection Signatures |
Infection Chatter |
BotHunter Analysis |
Behavioral Cluster |
Forensic Logs |
Antivirus Labels |
Packed Malware_Binary |
Unpacked egg.exe |
Unpacked egg.asm |
Packer PEID |
Data Strings |
Syscall Trace |
| T:02:18:00 | WinXP | 208.125.168.66 (RR.COM): ROAD RUNNER HOLDCO LLC, CLIFTON PARK, NEW YORK, US. (DSL) |
n/a | EE:www.starman.ee FI:194.215.38.3:80 EE:195.50.195.10:443 |
135 | pcap | raw alerts ruleset |
http 19 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:03:21:00 | WinXP | 174.6.152.4 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, VANCOUVER, BRITISH COLUMBIA, CA. (DSL) |
n/a | 135 | pcap | raw alerts ruleset |
other 1008 lines |
Yeah : 1.3 profile |
none | summary tarball |
20 of 41 | c20138fa2a NEW |
none[3] | none:none |
none|none | none | trace | |
| T:04:22:00 | Win2K-f | 24.79.194.150 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, WINNIPEG, MANITOBA, CA. (DSL) |
n/a | 135 | pcap | raw alerts ruleset |
other 124 lines |
Yeah : 1.3 profile |
none | summary tarball |
36 of 41 38 of 41 |
34cbe7a593 NEW 3e83a2d4d7 NEW |
d38cb78003 [0] b97fd63d29[0] |
ASM:Graph ASM:Graph |
Armadillo| tElock| |
lines=91 lines=64 embedded dns |
trace trace |
|
| T:04:25:00 | WinXP | 115.165.80.12 (CATV02.ITSCOM.JP): ITS COMMUNICATIONS INC, KAWASAKI, KANAGAWA, JP. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 15 lines |
Yeah : 1.3 profile |
none | summary tarball |
31 of 32 | 741e3b03b3 NEW |
none[0] | none:none |
none|none | lines=61 | trace | |
| T:07:54:00 | WinXP | 149.149.122.129 (ASKNOW.COM): TENNESSEE TECHNOLOGICAL UNIVERSITY, COOKEVILLE, TENNESSEE, US. (DSL) |
n/a | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 1.3 profile |
none | summary tarball |
32 of 32 | d1377a8b90 NEW |
ad56da3672 [0] | ASM:Graph |
PolyEnE| | lines=68 | trace |
| 12:14:00 | Win2K-f | 113.253.214.133 (HUTCHCITY.COM): HUTCHISON GLOBAL COMMUNICATIONS, HONG KONG, HONG KONG (SAR), HK. (DSL) |
n/a | US:www.maxmind.com EU:getmyip.co.uk GB:www.vouchercodez.com US:www.getmyip.org :checkip.dyndns.org DE:131.220.6.26:80 |
445 | pcap | raw alerts ruleset |
http 8 lines |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | d9cb288f31 NEW |
45603a001c [0] | ASM:Graph |
UPX| | lines=174 embedded dns |
trace |
| T:15:01:00 | Win2K-f | 113.253.214.133 (HUTCHCITY.COM): HUTCHISON GLOBAL COMMUNICATIONS, HONG KONG, HONG KONG (SAR), HK. (DSL) |
n/a | US:www.maxmind.com EU:getmyip.co.uk GB:www.vouchercodez.com US:www.getmyip.org :checkip.dyndns.org DE:131.220.6.26:80 |
445 | pcap | raw alerts ruleset |
http 8 lines |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | d9cb288f31 NEW |
45603a001c [0] | ASM:Graph |
UPX| | lines=174 embedded dns |
trace |
| T:16:22:00 | WinXP | 122.124.57.163 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | EE:www.starman.ee EE:195.50.195.10:443 |
135 | pcap | raw alerts ruleset |
http 13 lines |
Argh : 0.3 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:17:29:00 | WinXP | 71.109.210.27 (VERIZON.NET): VERIZON INTERNET SERVICES INC, LONG BEACH, CALIFORNIA, US. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 14 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 41 | 320195e2d3 NEW |
ce4cf37946 [0] | ASM:Graph |
none|none | lines=59 | trace | |
| T:18:45:00 | WinXP | 96.14.60.236 (WINDSTREAM.NET): ALLTEL MIP CUSTOMERS - PHOENIX, MESA, ARIZONA, US. (DSL) |
n/a | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 1.3 profile |
none | summary tarball |
41 of 41 | 0029be99d7 NEW |
none[none] | none:none |
none|none | none | none |
| T:19:18:00 | WinXP | 96.14.60.236 (WINDSTREAM.NET): ALLTEL MIP CUSTOMERS - PHOENIX, MESA, ARIZONA, US. (DSL) |
213.219.245.212:80 | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
41 of 41 | 0029be99d7 NEW |
none[none] | none:none |
none|none | none | none |
| T:19:47:00 | WinXP | 4.152.246.6 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, ASHEVILLE, NORTH CAROLINA, US. (DIAL) |
n/a | DE:siliconfireware.ru US:searchportal.information.com US:spi.domainsponsor.com RU:www.bbin.ru RU:www.binbank.ru :wpad RU:ebookfinaltrash.ru US:www.bankofmadura.com |
445 | pcap | raw alerts ruleset |
http http http http 49 lines |
Yeah : 0.8 profile |
none | summary tarball |
29 of 29 | a12cab51ef NEW |
none[0] | none:none |
ASPack| | lines=281 embedded dns |
trace |
| T:21:57:00 | WinXP | 188.129.139.65 (DSL.ONLINE.GE): GOL GELINK NET, GE. (DSL) |
n/a | RU:citi-bank.ru RU:213.219.245.212:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
41 of 41 | fb85113a6e NEW |
none[none] | none:none |
none|none | none | none |
| T:22:06:00 | Win2K-f | 122.146.252.192 (SPARQNET.NET): NEW CENTRY INFOCOM TECH. CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| 22:11:00 | WinXP | 188.129.139.65 (DSL.ONLINE.GE): GOL GELINK NET, GE. (DSL) |
n/a | RU:citi-bank.ru RU:213.219.245.212:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
41 of 41 | fb85113a6e NEW |
none[none] | none:none |
none|none | none | none |
| 22:22:00 | Win2K-f | 203.70.219.150 (SEED.NET.TW): SEEDNET-TAINANDP-S, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | US:www.maxmind.com US:www.getmyip.org :checkip.dyndns.org US:67.15.94.80:80 US:75.126.138.202:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | d9cb288f31 NEW |
45603a001c [0] | ASM:Graph |
UPX| | lines=174 embedded dns |
trace |