Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

29 April 2010
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:39:00 WinXP 68.151.185.186 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
EDMONTON, ALBERTA, CA. (100Mbps) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball 40 of 41 e1a12931a5
NEW none[none] none:none
none|none none none

T:01:01:00 Win2K-f 122.196.17.176 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
OSAKA, OSAKA, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball 40 of 41
40 of 41 71e6f60517
NEW
ab4e3226c4
NEW 1ef1781501 [0]
c2d0313e73[0] ASM:Graph
none:none
Armadillo|
tElock| lines=91
none trace
trace

T:01:15:00 WinXP 155.239.108.162 (TELKOM-IPNET.CO.ZA):
AFRINIC,
ROODEPOORT, GAUTENG, ZA. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
78 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:02:03:00 Win2K-f 173.28.194.177 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
CHANHASSEN, MINNESOTA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 40
38 of 40 474acf88e5
NEW
68f0c14692
NEW 1f53944b24 [0]
ccc1b24d53[0] ASM:Graph
ASM:Graph
tElock|
Armadillo| lines=64
embedded dns
lines=91 trace
trace

T:02:09:00 WinXP 4.245.42.67 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
KANSAS CITY, MISSOURI, US. (DIAL) n/a EE:www.starman.ee
FI:194.215.38.3:80
EE:195.50.195.10:443
EE:62.65.192.24:80 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:03:06:00 Win2K-f 122.146.252.192 (SPARQNET.NET):
NEW CENTRY INFOCOM TECH. CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:04:02:00 Win2K-f 222.15.178.233 (DION.NE.JP):
DION (KDDI CORPORATION),
TOKYO, TOKYO, JP. (DSL) n/a
US:204.152.184.139:80
FR:91.121.103.122:6532 445 pcap raw alerts
ruleset http
2 lines Argh : 0.3
profile none summary
tarball none none none none none none none

T:04:43:00 Win2K-f 125.4.242.130 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
TOKYO, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
89 lines Yeah : 1.3
profile none summary
tarball 37 of 41
33 of 33 2b9840a764
NEW
53bfe15e91
NEW a7dbe16bd8 [0]
1473091351[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=75
embedded dns trace
trace

T:05:11:00 WinXP 81.84.40.44 (CPE.NETCABO.PT):
TVCABO-PORTUGAL CABLE MODEM NETWORK,
LISBON, LISBOA, PT. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball 39 of 41 912a073945
NEW 7874c7f21e [0] ASM:Graph
PolyEnE| lines=68 trace

T:05:37:00 Win2K-f 117.104.5.241 (THN.NE.JP):
TOKAI CORPORATION,
SHIZUOKA, SHIZUOKA, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 39 of 41
39 of 41 6b315f5dbc
NEW
7938865f8c
NEW 7604b94520 [0]
a9b9e4904b[0] ASM:Graph
ASM:Graph
tElock|
Armadillo| lines=64
embedded dns
lines=91 trace
trace

T:05:59:00 Win2K-f 96.46.208.172 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 1b86a4a19b
NEW
903af4fb74
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:06:18:00 WinXP 125.4.21.22 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
OSAKA, OSAKA, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 0 of 32
33 of 33 07fabc79ef
NEW
53bfe15e91
NEW none[0]
1473091351[0] none:none
ASM:Graph
Armadillo|
tElock| lines=90
lines=75
embedded dns trace
trace

T:07:21:00 Win2K-f 219.251.116.178 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 60.190.222.139:65520 DE:proxima.ircgalaxy.pl
US:microsoft.com
CN:60.190.222.139:65520 135 pcap raw alerts
ruleset irc
118 lines Yeah : 1.8
profile none summary
tarball 31 of 33
39 of 41 168aab35a3
NEW
aa6d257461
NEW 60b730b97e [0]
6aca567868[0] ASM:Graph
ASM:Graph
tElock|
Armadillo| lines=120
embedded dns
lines=91 trace
trace

T:07:28:00 WinXP 65.184.50.188 (RR.COM):
ROAD RUNNER HOLDCO LLC,
WILMINGTON, NORTH CAROLINA, US. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:07:48:00 WinXP 219.105.84.237 (ADACHI.NE.JP):
CABLE TELEVISION ADACHI CORP,
TOKYO, TOKYO, JP. (DSL) 83.133.119.206:65520 60.190.222.139:65520 CN:proxim.ircgalaxy.pl 445 pcap raw alerts
ruleset shell
ftp
irc
48 lines Yeah : 1.8
profile none summary
tarball 38 of 41 f984061476
NEW none[none] none:none
none|none none none

T:08:10:00 WinXP 114.48.45.82 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:08:13:00 WinXP 95.28.72.21 (CORBINA.RU):
INVESTELEKTROSVIAZ LTD,
MOSCOW, MOSCOW CITY, RU. (100Mbps) 83.133.119.206:65520 60.190.222.139:65520 CN:proxim.ircgalaxy.pl
CN:60.190.222.139:65520
DE:83.133.119.206:65520 445 pcap raw alerts
ruleset irc
24 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:09:07:00 Win2K-f 99.102.224.27 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
102 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 5d12be159b
NEW
ab02ae0121
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:09:41:00 Win2K-f 211.23.226.98 (-):
LIOU-TZUNG-YI-TC,
TAIPEI, T'AI-PEI, TW. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 39 of 41
37 of 40 5d445c59d8
NEW
8a54950abb
NEW 892e12db7b [0]
f6b9e43917[0] ASM:Graph
ASM:Graph
tElock|
Armadillo| lines=64
embedded dns
lines=91 trace
trace

T:10:08:00 WinXP 75.56.18.241 (PACBELL.NET):
CHARLES,
PLANO, TEXAS, US. (100Mbps) n/a EE:www.starman.ee
FI:194.215.38.3:80
EE:195.50.195.10:443
EE:62.65.192.24:80 135 pcap raw alerts
ruleset http
9 lines Argh : 0.3
profile none summary
tarball none none none none none none none

T:10:11:00 Win2K-f 4.182.218.162 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
DOS PALOS, CALIFORNIA, US. (DSL) n/a 135 pcap raw alerts
ruleset other
130 lines Yeah : 1.3
profile none summary
tarball 34 of 41 c91bf6b822
NEW 9e9043d11b [0] ASM:Graph
tElock| lines=42 trace

T:10:21:00 WinXP 24.115.173.134 (PTD.NET):
PENTELEDATA INC. - CABLE,
FLEETWOOD, PENNSYLVANIA, US. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.8
profile none summary
tarball 42 of 42 b809c9f32f
NEW 934b294ce4 [0] none:none
PolyEnE| none trace

T:10:54:00 Win2K-f 69.193.68.239 (RR.COM):
ROAD RUNNER HOLDCO LLC,
HERNDON, VIRGINIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:11:20:00 WinXP 70.182.94.31 (COX.NET):
COX COMMUNICATIONS,
OKLAHOMA CITY, OKLAHOMA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:11:35:00 WinXP 4.240.12.253 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
PHOENIX, ARIZONA, US. (DIAL) n/a 135 pcap raw alerts
ruleset other
10 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:12:10:00 Win2K-f 24.79.87.133 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
WINNIPEG, MANITOBA, CA. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
123 lines Yeah : 1.3
profile none summary
tarball 36 of 41
38 of 41 34cbe7a593
NEW
3e83a2d4d7
NEW d38cb78003 [0]
b97fd63d29[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:13:28:00 Win2K-f 122.146.225.211 (SPARQNET.NET):
NEW CENTRY INFOCOM TECH. CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:13:57:00 Win2K-f 75.49.7.113 (SBCGLOBAL.NET):
AT&T INTERNET SERVICES,
COLUMBUS, OHIO, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:14:20:00 Win2K-f 70.183.2.6 (COX.NET):
COX COMMUNICATIONS,
FAIRFAX, VIRGINIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:14:22:00 WinXP 67.249.39.227 (RR.COM):
ROAD RUNNER HOLDCO LLC,
NEW ORLEANS, LOUISIANA, US. (DSL) n/a EU:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
:www.proxy-socks.net
:wpad 445 pcap raw alerts
ruleset http
http
http
29 lines Yeah : 0.8
profile none summary
tarball 29 of 29 a12cab51ef
NEW none[0] none:none
ASPack| lines=281
embedded dns trace

T:14:27:00 WinXP 211.135.59.29 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
OSAKA, OSAKA, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
88 lines Yeah : 1.3
profile none summary
tarball 33 of 33
37 of 41 53bfe15e91
NEW
89747f56b8
NEW 1473091351 [0]
bd6821b297[0] ASM:Graph
ASM:Graph
tElock|
Armadillo| lines=75
embedded dns
lines=91 trace
trace

T:14:50:00 WinXP 219.234.80.181 (IAPCM.AC.CN):
BEIJING TELETRON TELECOM ENGINEERING CO. LTD,
BEIJING, BEIJING, CN. (DSL) n/a EE:www.starman.ee
FI:194.215.38.3:80
EE:195.50.195.10:443 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:16:36:00 WinXP 202.78.146.124 (TELSTRACLEAR.NET):
TELSTRACLEAR WELLINGTON CABLE CUSTOMERS,
WELLINGTON, WELLINGTON, NZ. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:16:51:00 Win2K-f 96.8.150.85 (GVTC.COM):
GUADALUPE VALLEY TELEPHONE COOPERATIVE INC,
NEW BRAUNFELS, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 39 of 41
39 of 40 9bdd2c95b1
NEW
cd456ac095
NEW d1bbd693ba [0]
d75caee680[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:17:42:00 Win2K-f 67.125.140.230 (PACBELL.NET):
AT&T INTERNET SERVICES,
FRESNO, CALIFORNIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:18:18:00 Win2K-f 113.253.237.217 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 32 of 40
33 of 33 27b17a2724
NEW
53bfe15e91
NEW a1d5ac965b [0]
1473091351[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=42
lines=75
embedded dns trace
trace

T:20:01:00 WinXP 116.127.139.10 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) n/a EE:www.starman.ee
US:microsoft.com
FI:194.215.38.3:80
EE:195.50.195.10:443
EE:62.65.192.24:80 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:20:10:00 Win2K-f 4.138.22.212 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
MATTHEWS, NORTH CAROLINA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 40 of 41
40 of 41 577956a476
NEW
ec1bfe948b
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:20:12:00 WinXP 4.228.255.37 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
SALT LAKE CITY, UTAH, US. (DIAL) n/a EE:www.starman.ee
FI:194.215.38.3:80
EE:195.50.195.10:443
EE:62.65.192.24:80 135 pcap raw alerts
ruleset other
0 lines Argh : 0.3
profile none summary
tarball none none none none none none none

T:20:26:00 WinXP 72.128.22.28 (RR.COM):
ROAD RUNNER HOLDCO LLC,
KANSAS CITY, KANSAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
59 lines Yeah : 1.3
profile none summary
tarball 33 of 33
8 of 33 53bfe15e91
NEW
b7082104e4
NEW 1473091351 [0]
c5b49e7b82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=75
embedded dns
lines=41 trace
trace

T:21:02:00 Win2K-f 198.182.77.8 (ACES.NET):
LOGIN INC,
PORTLAND, OREGON, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:21:04:00 Win2K-f 96.48.145.38 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
SURREY, BRITISH COLUMBIA, CA. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 1b86a4a19b
NEW
903af4fb74
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:22:05:00 WinXP 96.49.148.170 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
WINNIPEG, MANITOBA, CA. (DSL) n/a
FI:194.215.38.3:80
EE:195.50.195.10:443
EE:62.65.192.24:80 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:23:08:00 WinXP 67.253.48.54 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:23:15:00 WinXP 63.22.65.112 (UU.NET):
UUNET TECHNOLOGIES INC,
TOLLAND, CONNECTICUT, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
256 lines Yeah : 1.3
profile none summary
tarball 40 of 41
40 of 41 43931fa708
NEW
823a36df01
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none