Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

30 April 2010
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:08:00 WinXP 124.45.54.152 (WAKWAK.NE.JP):
NTT-ME CORPORATION,
TOKYO, TOKYO, JP. (DIAL) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 31 of 32 741e3b03b3
NEW none[0] none:none
none|none lines=61 trace

T:00:52:00 WinXP 75.77.70.210 (NUVOX.NET):
NUVOX COMMUNICATIONS INC,
SUMMERVILLE, SOUTH CAROLINA, US. (DSL) n/a EE:www.starman.ee
FI:194.215.38.3:80
EE:195.50.195.10:443 135 pcap raw alerts
ruleset other
0 lines Argh : 0.3
profile none summary
tarball none none none none none none none

T:01:07:00 WinXP 75.37.173.250 (SBCGLOBAL.NET):
JASON LEE,
PLANO, TEXAS, US. (100Mbps) n/a 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:03:02:00 Win2K-f 114.203.224.149 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 83.133.119.206:65520 DE:proxim.ircgalaxy.pl
US:microsoft.com
CN:ku1.installstorm.com
MD:ad.ghura.pl
CN:down.installstorm.com
JP:g105.secure.ne.jp
UA:isu2.tup.km.ua
JP:m-repo.lib.meiji.ac.jp
US:www.iknow.co.jp
BR:www.billboxrecords.com.br
JP:sv37.wadax.ne.jp
JP:ex2.broadserver.jp
JP:133.26.200.10:443
JP:164.46.227.120:443
UA:193.110.163.66:443
JP:202.164.228.11:443
JP:202.214.40.79:443
JP:203.79.51.228:443
JP:211.125.95.245:443
JP:211.133.134.87:443
US:69.57.128.35:443
74.86.76.194:443 135 pcap raw alerts
ruleset irc
http
268 lines Yeah : 1.8
profile none summary
tarball 25 of 40
29 of 32
28 of 32
29 of 41
19 of 41 867e541f7a
NEW
8a75955033
NEW
9276c8b36b
NEW
b934aead39
NEW
d1627e0de8
NEW none[none]
2bf3e548b9[0]
none [0]
none [none]
none [none] none:none
ASM:Graph
none:none
none:none
none:none
none|none
tElock|
Armadillo|
none|none
none|none none
lines=126
embedded dns
lines=90
none
none none
trace
trace
none
none

T:03:54:00 Win2K-f 115.133.198.196 (115.IN-ADDR.ARPA):
CORE IP NETWORK DEVELOPMENT,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) n/a :search.homecinemasoftware.com
BR:loja.tray.com.br
JP:www.irtvnet.jp
CN:down.installstorm.com
DE:proxim.ircgalaxy.pl
JP:130.69.92.68:443
191.132.154.190:443
GB:193.169.188.64:443
UA:195.182.192.2:443
US:207.44.220.4:443
US:64.79.197.143:443
US:67.15.97.220:443
US:69.57.128.35:443
UA:77.120.99.240:443
94.75.239.213:9333 445 pcap raw alerts
ruleset http
15 lines Yeah : 0.8
profile none summary
tarball 18 of 41 21a46d6783
NEW none[none] none:none
none|none none none

T:04:24:00 Win2K-f 4.177.217.26 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
LA MESA, CALIFORNIA, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
126 lines Yeah : 1.3
profile none summary
tarball 37 of 41
36 of 40 47d3548e36
NEW
d8722af110
NEW ab13346633 [0]
ab30a55931[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:05:40:00 WinXP 113.255.97.192 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball 40 of 41 330a5d96da
NEW none[none] none:none
none|none none none

T:06:36:00 Win2K-f 110.12.71.184 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 83.133.119.206:65520 US:microsoft.com
DE:proxim.ircgalaxy.pl
CN:ku1.installstorm.com
US:sendinvest.com
:findhobbits.com
MD:ad.ghura.pl
CN:sky.installstorm.com
US:search.toptravellingtips.com
:in.7cy.net
:in1.7cy.net
:fjloan.com
US:glassdoor.ws
:bihep.com
US:documentexpo.com
:icrontic.net
US:search.articleswave.co.uk
UA:www.epravda.com.ua
JP:www.aandd.jp
JP:www.nrw.co.jp
JP:ir.kagoshima-u.ac.jp
EU:accounts.comodo.od.ua
PL:ssl.aukro.ua
:apply.reedexpo.co.jp
BR:loja.tray.com.br
JP:v.rentalserver.jp
:www.searchour.com
BR:www.guiaseshop.com.br
GB:forum.gryada.org.ua
JP:bookweb.kinokuniya.co.jp
UA:isu2.tup.km.ua
JP:m-repo.lib.meiji.ac.jp
US:voyagecharge.com
BR:www.digimer.com.br
:www.imagemfolheados.com.br
JP:www.jaif.or.jp
EU:wow.merlin.org.ua 135 pcap raw alerts
ruleset irc
http
364 lines Yeah : 1.8
profile none summary
tarball 18 of 41
24 of 41
25 of 41
30 of 33
28 of 33
0 of 40
29 of 41
19 of 41
11 of 41
15 of 41 21a46d6783
NEW
245bef199a
NEW
2d1ab85f2b
NEW
533d15b5ce
NEW
58c343a8d8
NEW
5f495d60da
NEW
b934aead39
NEW
ba3d3d9961
NEW
c9e89abb7b
NEW
e8aa8b4282
NEW none[none]
none [none]
none [none]
c67adf46e2[0]
none [0]
none [none]
none [none]
none [none]
none [none]
none [none] none:none
none:none
none:none
ASM:Graph
none:none
none:none
none:none
none:none
none:none
none:none
none|none
none|none
none|none
tElock|
Armadillo|
none|none
none|none
none|none
none|none
none|none none
none
none
lines=126
embedded dns
lines=91
none
none
none
none
none none
none
none
trace
trace
none
none
none
none
none

T:07:06:00 WinXP 125.58.66.27 (STARCAT.NE.JP):
KMN CORPORATION,
NAGOYA, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:07:18:00 Win2K-f 95.28.151.90 (CORBINA.RU):
INVESTELEKTROSVIAZ LTD,
MOSCOW, MOSCOW CITY, RU. (100Mbps) n/a BR:loja.tray.com.br
:search.homecinemasoftware.com
UA:spooky.cartoons.org.ua
:in.7cy.net
DE:proxim.ircgalaxy.pl
JP:125.53.25.30:443
JP:133.26.200.10:443
174.36.62.66:443
UA:195.214.214.53:443
BR:200.143.10.165:443
BR:201.20.35.20:443
BR:201.76.50.168:443
JP:202.191.113.9:443
JP:202.226.91.62:443
JP:210.165.4.71:443
UA:212.82.216.42:443
JP:61.120.56.37:443
US:69.57.128.35:443
74.86.76.194:443
UA:77.120.110.76:443
UA:82.193.122.190:443 445 pcap raw alerts
ruleset http
1 line Argh : 0.3
profile none summary
tarball none none none none none none none

T:07:31:00 WinXP 119.103.105.135 (163DATA.COM.CN):
CHINANET HUBEI PROVINCE NETWORK,
WUHAN, HUBEI, CN. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 32 of 32 d1377a8b90
NEW ad56da3672 [0] ASM:Graph
PolyEnE| lines=68 trace

T:07:40:00 Win2K-f 173.29.255.1 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
CHANHASSEN, MINNESOTA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
39 of 41 10759405e0
NEW
d08e00dfaf
NEW 292d343248 [0]
854c49d8c4[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:09:39:00 WinXP 67.240.97.253 (RR.COM):
ROAD RUNNER HOLDCO LLC,
GLOVERSVILLE, NEW YORK, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:10:36:00 Win2K-f 175.114.27.232 (-):
. 83.133.119.206:65520 US:microsoft.com
DE:proxima.ircgalaxy.pl
CN:ku1.installstorm.com
MD:ad.ghura.pl
JP:sv37.wadax.ne.jp
JP:v.rentalserver.jp
UA:spooky.cartoons.org.ua
:www.mlh.co.jp
UA:masterkey.com.ua
JP:www.aandd.jp
UA:www.epravda.com.ua
US:mst.com.ua
UA:bunker.org.ua
EU:avdesk.net.ua
JP:ex2.broadserver.jp
:rastu.com.ua
BR:www.billboxrecords.com.br
UA:hosting.cnrg.com.ua
US:www.pirateparty.in.ua
US:forums.ubuntulinux.jp
BR:ssl876.locaweb.com.br
JP:cps-h3.ep.sci.hokudai.ac.jp
UA:global-host.com.ua
JP:www.ristex.jp
JP:www.myeclipseide.jp
:cheburash.com
UA:isu2.tup.km.ua
UA:shop.pozitiv.ks.ua
DE:www.miltenyibiotec.co.jp
UA:www.indev.kiev.ua
115.125.150.234:443
UA:195.214.214.53:443
JP:202.218.203.244:443
US:69.72.149.166:443
74.86.76.194:443
EU:79.171.122.236:443
DE:83.133.119.206:65520 135 pcap raw alerts
ruleset irc
http
225 lines Yeah : 1.8
profile none summary
tarball 16 of 40
none
29 of 41
19 of 41
38 of 40 1f6a957032
NEW
6a4845ca11
NEW
b934aead39
NEW
ba3d3d9961
NEW
ffafd341d9
NEW none[none]
c23d00870b[0]
none [none]
none [none]
294fb27545[0] none:none
ASM:Graph
none:none
none:none
ASM:Graph
none|none
tElock|
none|none
none|none
Armadillo| none
lines=120
embedded dns
none
none
lines=91 none
trace
none
none
trace

T:10:42:00 WinXP 118.83.7.27 (HTOJ.J-CNET.JP):
JCN-HTMNET,
HACHIOJI, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
122 lines Yeah : 1.3
profile none summary
tarball 32 of 36
34 of 36 0b951c2832
NEW
e4ed4df0f0
NEW 5fe761661a [0]
de471fc380[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:10:47:00 Win2K-f 12.150.255.153 (WATVC.COM):
WEST ALABAMA TV CABLE CO,
HAMILTON, ALABAMA, US. (DSL) n/a :apply.reedexpo.co.jp
JP:cps-h3.ep.sci.hokudai.ac.jp
:la2.meganet.org.ua
UA:shop.pozitiv.ks.ua
GB:forum.gryada.org.ua
JP:newsletter.gov-online.go.jp
:rastu.com.ua
JP:www.marantz.jp
US:www.wolfram.co.jp
BR:loja.tray.com.br
:www.mlh.co.jp
UA:souvenirs.auction.ua
RU:www.treasuryislandcasino.com.ua
JP:g105.secure.ne.jp
JP:bookweb.kinokuniya.co.jp
JP:creative-nagoya.sakura.ne.jp
UA:global-host.com.ua
JP:www.myeclipseide.jp
JP:www.jica.go.jp
JP:ss1.coressl.jp
EU:wow.merlin.org.ua
US:secure.foxvideo.com.br
UA:bunker.org.ua
PL:ssl.aukro.ua
CA:weather.co.ua
BR:ssl876.locaweb.com.br
JP:ssl.form-mailer.jp
US:www.iknow.co.jp
US:forums.ubuntulinux.jp
BR:www.saredrogarias.com.br
JP:ir.kagoshima-u.ac.jp
JP:www.science-forum.co.jp
BR:www.imusica.com.br
EU:accounts.comodo.od.ua
US:microsoft.com
JP:www.gsec.keio.ac.jp
109.72.122.165:443
115.125.150.227:443
JP:133.87.45.178:443
174.36.220.203:443
191.132.154.190:443
UA:195.182.192.2:443
BR:200.234.192.141:443
BR:201.20.45.207:443
JP:202.164.228.11:443
JP:202.214.40.87:443
JP:202.218.203.244:443
JP:202.226.91.62:443
UA:212.82.216.42:443
UA:213.186.115.36:443
US:69.57.128.35:443
UA:77.120.121.35:443
EU:79.171.122.236:443
EU:91.196.95.24:443 445 pcap raw alerts
ruleset other
2 lines Argh : 0.3
profile none summary
tarball none none none none none none none

T:11:04:00 Win2K-f 87.11.195.82 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A. TIN EASY LITE,
IT. (DSL) n/a UA:bunker.org.ua
BR:loja.tray.com.br
:www.mlh.co.jp
JP:www.myeclipseide.jp
DE:proxima.ircgalaxy.pl
115.125.150.234:443
JP:133.87.45.178:443
JP:133.87.45.189:443
191.132.154.190:443
BR:201.20.35.20:443
BR:201.76.50.168:443
JP:202.218.111.122:443
JP:202.218.13.230:443
JP:210.157.5.25:443
UA:213.133.164.203:443
JP:222.146.58.38:443
UA:62.149.23.110:443
US:64.41.142.74:443
US:69.57.128.35:443
74.86.76.194:443
EU:79.171.122.236:443
EU:91.196.95.24:443 445 pcap raw alerts
ruleset other
6 lines Argh : 0.3
profile none summary
tarball none none none none none none none

T:11:58:00 Win2K-f 4.176.246.228 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
TUCSON, ARIZONA, US. (DIAL) n/a 135 pcap raw alerts
ruleset other
2 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:13:19:00 WinXP 173.28.218.164 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
CHANHASSEN, MINNESOTA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 40
38 of 40 474acf88e5
NEW
68f0c14692
NEW 1f53944b24 [0]
ccc1b24d53[0] ASM:Graph
ASM:Graph
tElock|
Armadillo| lines=64
embedded dns
lines=91 trace
trace

T:14:45:00 Win2K-f 184.80.69.109 (-):
. n/a 135 pcap raw alerts
ruleset other
18 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:16:28:00 WinXP 66.217.115.134 (MCLEODUSA.NET):
PAETEC COMMUNICATIONS INC,
BIRMINGHAM, ALABAMA, US. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 36 of 41 1b24596974
NEW none[none] none:none
none|none none none

T:18:16:00 WinXP 99.145.137.2 (SBCGLOBAL.NET):
AT&T INTERNET SERVICES,
HOUSTON, TEXAS, US. (DSL) n/a EE:www.starman.ee
FI:194.215.38.3:80
EE:195.50.195.10:443
EE:62.65.192.24:80 135 pcap raw alerts
ruleset other
5 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:19:06:00 WinXP 121.121.62.68 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:19:16:00 Win2K-f 64.175.89.120 (PACBELL.NET):
MOONSTAR BUFFETT CORP,
PLANO, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
85 lines Yeah : 1.3
profile none summary
tarball 3 of 33
33 of 33 73ce2b74da
NEW
79c01ec060
NEW none[0]
1bfd34056c[0] none:none
ASM:Graph
Armadillo|
tElock| lines=90
lines=64
embedded dns trace
trace

T:19:48:00 WinXP 186.10.129.192 (-):
. 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:19:51:00 WinXP 190.108.155.11 (E-CORPNET.ORG):
TELEFONICA MOVIL DE CHILE S.A,
SANTIAGO, REGION METROPOLITANA, CL. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:20:01:00 WinXP 121.120.117.131 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 39 of 41 d8040f84d4
NEW d683995e84 [0] ASM:Graph
PolyEnE| lines=73 trace

T:21:02:00 WinXP 115.80.53.146 (TAIWANMOBILE.NET):
TAIWAN MOBILE CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:21:12:00 WinXP 111.188.31.162 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
13 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:21:14:00 WinXP 124.8.54.59 (TFN.NET.TW):
TAIWAN FIXED NETWORK CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a 445 pcap raw alerts
ruleset other
0 lines Argh : 0.3
profile none summary
tarball none none none none none none none

T:21:30:00 Win2K-f 4.176.241.197 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
TUCSON, ARIZONA, US. (DIAL) n/a 135 pcap raw alerts
ruleset other
140 lines Yeah : 1.3
profile none summary
tarball 37 of 41 47d3548e36
NEW ab13346633 [0] ASM:Graph
Armadillo| lines=91 trace

T:22:26:00 Win2K-f 219.115.211.100 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
TOYONAKA, OSAKA, JP. (DSL) 194.109.11.65:6556 194.109.11.65:1023 NL:0x80.online-software.org 135 pcap raw alerts
ruleset other
194 lines Yeah : 1.8
profile none summary
tarball 36 of 36 0c01728b7e
NEW none[none] none:none
none|none none none

T:22:59:00 Win2K-f 110.93.97.189 (CABLENET.NE.JP):
CABLENET SAITAMA CO. LTD,
JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 39 of 41
39 of 41 5bbb57c115
NEW
75ac189d9e
NEW 03e5cb3c4a [0]
705dbaa801[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:23:13:00 Win2K-f 68.147.219.14 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CALGARY, ALBERTA, CA. (DSL) n/a 135 pcap raw alerts
ruleset other
186 lines Yeah : 1.3
profile none summary
tarball 38 of 41 8ef3f9fd36
NEW 1c396012a3 [0] ASM:Graph
none|none lines=546 trace