Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

28 April 2010
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:41:00 WinXP 67.86.28.154 (OPTONLINE.NET):
OPTIMUM ONLINE (CABLEVISION SYSTEMS),
NEW CANAAN, CONNECTICUT, US. (DSL) 		n/a  
FI:194.215.38.3:80
EE:195.50.195.10:443 		135 pcap raw alerts
ruleset 		other
0 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:01:21:00 Win2K-f 118.217.167.54 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 		60.190.222.139:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
MD:ad.ghura.pl
CN:ku1.installstorm.com
CN:down.installstorm.com
CN:pic.iwillhavesexygirls.com
CN:sky.installstorm.com
:in.7cy.net
CN:js.users.51.la
:in1.7cy.net
NL:kitchencutlery.ws
CN:icon.ajiang.net
CN:web1.51.la
US:72.232.247.106:80
MD:89.187.34.4:80 		135 pcap raw alerts
ruleset 		irc
http
271 lines 		Yeah : 1.8
profile 		none summary
tarball 		18 of 41
16 of 41
26 of 41
39 of 41
38 of 40
11 of 41
20 of 41		 21a46d6783
NEW
3fd152d24a
NEW
572a54e12a
NEW
5f62cd8acb
NEW
c9d70eb4bf
NEW
c9e89abb7b
NEW
eec5415b10
NEW 		none[none]
none [none]
none [none]
030fba039a[0]
f56ef7d68d[0]
none [none]
none [none] 		none:none
none:none
none:none
ASM:Graph
ASM:Graph
none:none
none:none
 none|none
none|none
none|none
PolyEnE|
Armadillo|
none|none
none|none 		none
none
none
lines=117
embedded dns
lines=90
none
none 		none
none
none
trace
trace
none
none
T:01:30:00 Win2K-f 93.81.181.1 (CORBINA.RU):
INVESTELEKTROSVIAZ LTD,
MOSCOW, MOSCOW CITY, RU. (DSL) 		n/a US:office-suppliesonline.net
:pagead2.googlesyndication.com
US:images-pw.secureserver.net
:img5.wsimg.com
:img3.wsimg.com
US:images.secureserver.net
:imagesak.secureserver.net
US:microsoft.com
US:indoorwaterfall.info
:panther1.cpxinteractive.com
:imagesak.godaddy.com
CN:down.installstorm.com
CN:proxim.ircgalaxy.pl
:in.7cy.net
CN:58.221.42.4:88 		445 pcap raw alerts
ruleset 		http
irc
119 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:01:41:00 WinXP 208.125.168.66 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CLIFTON PARK, NEW YORK, US. (DSL) 		n/a US:microsoft.com
EE:www.starman.ee
EE:www.online.if.ee
FI:194.215.38.3:80
EE:195.50.195.10:443 		135 pcap raw alerts
ruleset 		other
5 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:02:12:00 WinXP 121.120.164.79 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:02:56:00 Win2K-f 24.213.224.238 (RR.COM):
ROAD RUNNER HOLDCO LLC,
AMSTERDAM, NOORD-HOLLAND, NL. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:03:42:00 WinXP 203.118.238.245 (-):
GRAND TAINAN TECHNOLOGY CO.LTD,
TAINAN, T'AI-WAN, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:04:45:00 Win2K-f 58.71.45.90 (PLDT.NET):
IPG,
MANILA, MANILA, PH. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
111 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41
39 of 41		 5403724951
NEW
6494cbd582
NEW 		44ee5f83ba [0]
adcb56d0cb[0] 		ASM:Graph
ASM:Graph
 tElock|
Armadillo| 		lines=64
embedded dns
lines=91 		trace
trace
T:05:14:00 WinXP 99.174.145.179 (PACBELL.NET):
AT&T INTERNET SERVICES,
HOUSTON, TEXAS, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
5 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:05:42:00 WinXP 173.168.114.175 (RR.COM):
ROAD RUNNER HOLDCO LLC,
BRADENTON, FLORIDA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 40
37 of 39		 1da4193446
NEW
6278c9374a
NEW 		8a97c8536a [none]
cc7aaf6ea9[none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
T:06:12:00 WinXP 121.121.33.4 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) 		n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
:www.proxy-socks.net
:wpad
CA:www.bmo.com 		445 pcap raw alerts
ruleset 		http
http
http
29 lines 		Yeah : 0.8
profile 		none summary
tarball 		33 of 41 c7874026aa
NEW 		none[none] none:none
 none|none none none
T:06:16:00 WinXP 99.112.107.172 (-):
. 		n/a EE:www.starman.ee
FI:194.215.38.3:80
EE:195.50.195.10:443
EE:62.65.192.24:80 		135 pcap raw alerts
ruleset 		other
5 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:07:18:00 WinXP 70.60.198.57 (RR.COM):
ROAD RUNNER HOLDCO LLC,
MONROE, NORTH CAROLINA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:08:11:00 WinXP 125.197.238.94 (MESH.AD.JP):
NEC CORPORATION,
TOKYO, TOKYO, JP. (DSL) 		n/a EE:www.starman.ee
FI:194.215.38.3:80
EE:195.50.195.10:443 		445 pcap raw alerts
ruleset 		other
0 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:08:38:00 WinXP 110.4.24.4 (-):
CSL NEXT G,
HK. (DSL) 		n/a  
FI:194.215.38.3:80
EE:195.50.195.10:443
EE:62.65.192.24:80 		135 pcap raw alerts
ruleset 		other
0 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:09:10:00 WinXP 59.104.157.17 (SEED.NET.TW):
SEEDNET-KAOHSIUNGDP-S,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
5 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:09:36:00 Win2K-f 75.37.173.251 (SBCGLOBAL.NET):
JASON LEE,
PLANO, TEXAS, US. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:09:51:00 WinXP 81.246.10.203 (-):
EVA AIRWAYS CORPORATION,
LEUVEN, BRUSSELS HOOFDSTEDELIJK GEWEST, BE. (100Mbps) 		n/a EE:www.starman.ee
EE:www.online.if.ee
FI:194.215.38.3:80
EE:195.50.195.10:443 		139 pcap raw alerts
ruleset 		other
0 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:10:11:00 WinXP 89.144.168.229 (ASKIRAN.COM):
ANDISHE SABZ KHAZAR CO. P.J.S,
TEHRAN, ESFAHAN, IR. (DSL) 		83.133.119.206:65520 CN:proxim.ircgalaxy.pl
CN:ku1.installstorm.com
US:sendinvest.com
:findhobbits.com
CN:sky.installstorm.com
US:search.toptravellingtips.com
:in.7cy.net
:in1.7cy.net
US:familydvds.us
:idinvest.com
US:searchportal.information.com
US:spi.domainsponsor.com
US:www2.banks.com
US:nooll.com
US:search.articleswave.co.uk
:medicinehealth.us
:www.searchour.com
:throughfreight.com
:bomne.com
US:doctorfemale.com
:nl.travelzip.co.uk 		445 pcap raw alerts
ruleset 		http
irc
263 lines 		Yeah : 1.3
profile 		none summary
tarball 		23 of 41
18 of 41
22 of 40
17 of 41
0 of 41
0 of 40
18 of 41
11 of 41
37 of 39		 1a74882d3a
NEW
21a46d6783
NEW
45d0a76098
NEW
57c08c8b6b
NEW
5b3ce6b6de
NEW
7cf863097d
NEW
bbfde2a204
NEW
c9e89abb7b
NEW
dab4da4e21
NEW 		none[none]
none [none]
none [none]
none [none]
none [none]
none [none]
none [none]
none [none]
e63b813015[0] 		none:none
none:none
none:none
none:none
none:none
none:none
none:none
none:none
ASM:Graph
 none|none
none|none
none|none
none|none
none|none
none|none
none|none
none|none
PolyEnE| 		none
none
none
none
none
none
none
none
lines=134 		none
none
none
none
none
none
none
none
trace
T:12:34:00 Win2K-f 175.114.85.243 (-):
. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
113 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41
5 of 41		 14f47ffd1e
NEW
50437008d9
NEW 		90bf4b99ff [0]
c1b09ac5d7[0] 		ASM:Graph
ASM:Graph
 tElock|
Armadillo| 		lines=56
embedded dns
lines=90 		trace
trace
T:13:38:00 WinXP 186.9.168.233 (IMOVIL.ENTELPCS.CL):
ENTEL PCS TELECOMUNICACIONES S.A,
SANTIAGO, REGION METROPOLITANA, CL. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		38 of 40 523479717b
NEW 		836f422ed1 [0] ASM:Graph
 PolyEnE| lines=68 trace
T:13:45:00 WinXP 113.255.152.156 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HK. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
99 lines 		Yeah : 1.3
profile 		none summary
tarball 		37 of 41
37 of 41		 568b9e866c
NEW
5c20c3472e
NEW 		6dfc90ff94 [0]
9ca7a71763[0] 		ASM:Graph
ASM:Graph
 tElock|
tElock| 		lines=42
lines=64
embedded dns 		trace
trace
T:14:22:00 Win2K-f 70.182.0.19 (COX.NET):
COX COMMUNICATIONS,
ANNANDALE, VIRGINIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:14:30:00 WinXP 12.48.50.3 (-):
ADVIZOR SOLUTIONS INC,
DOWNERS GROVE, ILLINOIS, US. (100Mbps) 		n/a EE:www.starman.ee
FI:194.215.38.3:80
EE:195.50.195.10:443
EE:62.65.192.24:80 		135 pcap raw alerts
ruleset 		other
0 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:14:31:00 Win2K-f 174.116.49.56 (ROGERS.COM):
ROGERS CABLE COMMUNICATIONS INC,
ST. JOHN'S, NEWFOUNDLAND AND LABRADOR, CA. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:15:06:00 WinXP 173.200.73.19 (-):
. 		n/a   135 pcap raw alerts
ruleset 		other
5 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:15:08:00 Win2K-f 24.25.253.145 (RR.COM):
ROAD RUNNER HOLDCO LLC,
WAIANAE, HAWAII, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
59 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
8 of 33		 53bfe15e91
NEW
b7082104e4
NEW 		1473091351 [0]
c5b49e7b82[0] 		ASM:Graph
ASM:Graph
 tElock|
tElock| 		lines=75
embedded dns
lines=41 		trace
trace
T:16:05:00 Win2K-f 58.85.252.227 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
TOKYO, TOKYO, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
111 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41
40 of 41		 1b1db1c992
NEW
8a50345c2f
NEW 		a8036b5105 [0]
585123125f[0] 		ASM:Graph
ASM:Graph
 Armadillo|
tElock| 		lines=91
lines=64
embedded dns 		trace
trace
T:16:08:00 WinXP 69.133.117.83 (RR.COM):
ROAD RUNNER HOLDCO LLC,
DAYTON, OHIO, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:17:44:00 Win2K-f 58.123.70.2 (HANANET.NET):
HANARO TELECOM INC,
KR. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
94 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41
0 of 33		 14f47ffd1e
NEW
4c3df24b32
NEW 		90bf4b99ff [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=56
embedded dns
lines=90 		trace
trace
T:18:57:00 WinXP 99.102.205.61 (-):
. 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 d247aef0ff
NEW 		none[none] none:none
 none|none none none
T:19:15:00 Win2K-f 4.153.81.232 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
EASTMAN, GEORGIA, US. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
7 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:19:22:00 WinXP 74.77.196.106 (RR.COM):
ROAD RUNNER HOLDCO LLC,
BUFFALO, NEW YORK, US. (100Mbps) 		n/a EU:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
RU:www.bbin.ru
RU:www.binbank.ru
:wpad
US:new.egg.com
US:199.67.205.200:80 		445 pcap raw alerts
ruleset 		http
http
http
http
http
50 lines 		Yeah : 0.8
profile 		none summary
tarball 		29 of 29 a12cab51ef
NEW 		none[0] none:none
 ASPack| lines=281
embedded dns 		trace
T:20:29:00 WinXP 121.120.141.73 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 d8040f84d4
NEW 		d683995e84 [0] ASM:Graph
 PolyEnE| lines=73 trace
T:21:58:00 Win2K-f 173.27.199.83 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
DAVENPORT, IOWA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 41
39 of 41		 10759405e0
NEW
d08e00dfaf
NEW 		292d343248 [0]
854c49d8c4[0] 		ASM:Graph
ASM:Graph
 Armadillo|
tElock| 		lines=91
lines=64
embedded dns 		trace
trace
T:22:04:00 Win2K-f 173.27.240.132 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
STREAMWOOD, ILLINOIS, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
10 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:22:33:00 WinXP 92.41.241.35 (THREE.CO.UK):
MOBILE BROADBAND SERVICE,
UK. (DSL) 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 40 56c457f2a9
NEW 		none[none] none:none
 none|none none none
T:22:34:00 WinXP 114.201.133.169 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 		60.190.222.139:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
CN:ku1.installstorm.com
CN:down.installstorm.com
CN:pic.iwillhavesexygirls.com
CN:sky.installstorm.com
:in.7cy.net
:in1.7cy.net
:ab83be13.linkbucks.com
CN:js.users.51.la
CN:58.221.42.4:88
64.79.86.26:80 		135 pcap raw alerts
ruleset 		irc
http
153 lines 		Yeah : 1.8
profile 		none summary
tarball 		18 of 41
10 of 41
39 of 41
11 of 41
11 of 41
39 of 40		 21a46d6783
NEW
61b34ac57e
NEW
b3661f2399
NEW
c9e89abb7b
NEW
cb45c446a2
NEW
f9dce3c5c4
NEW 		none[none]
none [none]
e3e6d53141[0]
none [none]
none [none]
6612c57b09[0] 		none:none
none:none
none:none
none:none
none:none
ASM:Graph
 none|none
none|none
Armadillo|
none|none
none|none
tElock| 		none
none
none
none
none
lines=125
embedded dns 		none
none
trace
none
none
trace