Infection records, one row per infected honeypot host. Where a host dropped more than one binary, the per-binary columns (Antivirus Labels through Syscall Trace) list one entry per binary, separated by semicolons, in the same order across columns. Antivirus Labels gives the number of engines that flagged the sample out of the number that scanned it; "none" marks a field the capture did not produce.

Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace
T:01:42:00 | Win2K-f | 201.143.76.113 (TELNOR.NET): TELEFONOS DEL NOROESTE S.A. DE C.V, MEXICALI, BAJA CALIFORNIA, MX. (DSL) | n/a | US:204.152.184.139:80 FR:91.121.78.121:6532 | 445 | pcap | raw alerts ruleset | http 2 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:03:20:00 | WinXP | 4.161.171.94 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, MONTGOMERY, TEXAS, US. (DSL) | n/a | none | 135 | pcap | raw alerts ruleset | other 5 lines | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none
T:04:16:00 | Win2K-f | 61.105.154.166 (KRLINE.NET): KRNIC, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 3 of 41; 33 of 33 | 8b41cb7a41 NEW; 97fef473b9 NEW | ef18d720f3 [0]; ff4e7d6992 [0] | ASM:Graph; ASM:Graph | Armadillo; tElock | lines=90; lines=64 embedded dns | trace; trace
T:04:17:00 | WinXP | 211.200.19.63 (HANANET.NET): HANARO TELECOM INC, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | 83.133.119.206:65520 | DE:proxim.ircgalaxy.pl US:microsoft.com CN:ku1.installstorm.com MD:ad.ghura.pl CN:sky.installstorm.com :in.7cy.net :in1.7cy.net NL:myhome-biz.info 64.79.86.26:80 | 135 | pcap | raw alerts ruleset | irc http 155 lines | Yeah : 1.8 profile | none | summary tarball | 18 of 40; 29 of 32; 28 of 32; 19 of 41; 11 of 41 | 6e40be3261 NEW; 8a75955033 NEW; 9276c8b36b NEW; ba3d3d9961 NEW; c9e89abb7b NEW | none [none]; 2bf3e548b9 [0]; none [0]; none [none]; none [none] | none:none; ASM:Graph; none:none; none:none; none:none | none; tElock; Armadillo; none; none | none; lines=126 embedded dns; lines=90; none; none | none; trace; trace; none; none
T:04:29:00 | WinXP | 85.152.190.72 (CM-85-152-193-10.TELECABLE.ES): TELECABLE, BARCELONA, CATALONIA, ES. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 40 | 5e8ccc4190 NEW | 8d5f86583f [0] | ASM:Graph | PolyEnE | lines=68 | trace
T:04:32:00 | WinXP | 68.198.133.54 (OPTONLINE.NET): OPTIMUM ONLINE (CABLEVISION SYSTEMS), DOBBS FERRY, NEW YORK, US. (100Mbps) | n/a | EE:www.starman.ee FI:194.215.38.3:80 EE:195.50.195.10:443 EE:62.65.192.24:80 | 135 | pcap | raw alerts ruleset | other 0 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:06:42:00 | WinXP | 112.200.69.10 (PLDT.NET): IPG, LAS PINAS CITY, MANILA, PH. (DSL) | n/a | FI:194.215.38.3:80 EE:195.50.195.10:443 EE:62.65.192.24:80 | 135 | pcap | raw alerts ruleset | http 14 lines | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none
T:06:59:00 | WinXP | 218.117.136.74 (BBTEC.NET): JAPAN NATION-WIDE NETWORK OF SOFTBANK BB CORP, KITAKYUSHU, FUKUOKA, JP. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; a08f3b74a4 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock; Armadillo | lines=75 embedded dns; lines=90 | trace; trace
T:07:04:00 | Win2K-f | 211.135.62.62 (ZAQ.NE.JP): J:COM WEST CO. LTD, OSAKA, OSAKA, JP. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 88 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 37 of 41 | 53bfe15e91 NEW; 6c28235817 NEW | 1473091351 [0]; e88650c1e2 [0] | ASM:Graph; none:none | tElock; Armadillo | lines=75 embedded dns; none | trace; trace
T:07:05:00 | WinXP | 117.96.252.37 (-): GPRS-SUBSCRIBERS-IN-NORTH, DELHI, DELHI, IN. (DSL) | n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none [0] | none:none | PolyEnE | lines=68 | trace
T:09:00:00 | WinXP | 112.78.78.161 (-): VIBO TELECOM INC, TAIPEI, T'AI-PEI, TW. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 40 | 5e8ccc4190 NEW | 8d5f86583f [0] | ASM:Graph | PolyEnE | lines=68 | trace
T:10:01:00 | WinXP | 173.29.255.1 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, CHANHASSEN, MINNESOTA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 38 of 41; 39 of 41 | 10759405e0 NEW; d08e00dfaf NEW | 292d343248 [0]; 854c49d8c4 [0] | ASM:Graph; ASM:Graph | Armadillo; tElock | lines=91; lines=64 embedded dns | trace; trace
T:10:13:00 | Win2K-f | 4.137.73.120 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, CHARLOTTE, NORTH CAROLINA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 118 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41; 40 of 41 | 577956a476 NEW; ec1bfe948b NEW | none [none]; none [none] | none:none; none:none | none; none | none; none | none; none
T:10:57:00 | Win2K-f | 63.25.148.13 (UU.NET): UUNET TECHNOLOGIES INC, TULSA, OKLAHOMA, US. (DSL) | n/a | none | 135 | pcap | raw alerts ruleset | other 12 lines | Yeah : 1.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:12:10:00 | Win2K-f | 121.202.21.11 (SMARTONE-VODAFONE.COM): SMARTONE MOBILE COMMUNICATIONS LTD, HONG KONG, HONG KONG (SAR), HK. (DSL) | n/a | none | 135 | pcap | raw alerts ruleset | other 4 lines | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none