| Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 01:41:00 | WinXP | 79.163.247.116 (CENTERTEL.PL): PTK CENTERTEL BROADBAND SERVICES, PL. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 41 of 41 | 5c6df5141d NEW | none[none] | none:none | none\|none | none | none |
| 01:46:00 | WinXP | 114.140.11.171 (FETNET.NET): FAR EASTONE TELECOMMUNICATION CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | DE:citi-bank.ru DE:213.155.0.224:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none[0] | none:none | PolyEnE\| | lines=68 | trace |
| 04:39:00 | Win2K-f | 175.119.9.157 (-): . | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 113 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41; 5 of 41 | 14f47ffd1e NEW; 50437008d9 NEW | 90bf4b99ff [0]; c1b09ac5d7 [0] | ASM:Graph; ASM:Graph | tElock\|; Armadillo\| | lines=56 embedded dns; lines=90 | trace; trace |
| 04:51:00 | WinXP | 81.198.141.118 (-): ADDRESS POOL FOR LTC-HOME CUSTOMERS, RIGA, RIGA, LV. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 41 of 41 | 9d38d43309 NEW | none[none] | none:none | none\|none | none | none |
| 06:38:00 | Win2K-f | 113.252.242.234 (HUTCHCITY.COM): HUTCHISON GLOBAL COMMUNICATIONS, HONG KONG, HONG KONG (SAR), HK. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 1002 lines | Yeah : 1.3 profile | none | summary tarball | 20 of 41 | 76b84a1bf1 NEW | none[3] | none:none | none\|none | none | trace |
| 07:02:00 | WinXP | 24.152.241.61 (PTD.NET): PENTELEDATA INC. - CABLE, SHAMOKIN, PENNSYLVANIA, US. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 42 of 42 | b809c9f32f NEW | 934b294ce4 [0] | none:none | PolyEnE\| | none | trace |
| 07:23:00 | WinXP | 118.231.122.47 (FETNET.NET): FAR EASTONE TELECOMMUNICATION CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none[0] | none:none | PolyEnE\| | lines=68 | trace |
| 08:32:00 | Win2K-f | 125.4.247.108 (ZAQ.NE.JP): J:COM WEST CO. LTD, TOKYO, TOKYO, JP. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 37 of 41; 40 of 41 | 2b9840a764 NEW; cf1c3ff0b0 NEW | a7dbe16bd8 [0]; none[none] | ASM:Graph; none:none | Armadillo\|; none\|none | lines=91; none | trace; none |
| 08:47:00 | Win2K-f | 125.18.243.226 (-): BHARTI AIRTEL LTD. ES-CARRIER, BHOPAL, MADHYA PRADESH, IN. (100Mbps) | n/a | US:www.maxmind.com EU:getmyip.co.uk US:www.getmyip.org :checkip.dyndns.org DE:131.220.6.26:80 208.78.70.70:80 US:75.126.138.202:80 EU:78.40.35.134:80 | 445 | pcap | raw alerts ruleset | http 4 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX\| | lines=174 embedded dns | trace |
| 08:47:00 | Win2K-f | 211.208.221.152 (HANANET.NET): HANARO TELECOM INC, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | 83.133.119.206:65520 | US:microsoft.com CN:proxima.ircgalaxy.pl LV:ad.ghura.pl CN:ku1.installstorm.com CN:sb.installstorm.com US:sendinvest.com :findhobbits.com CN:sky.installstorm.com US:64.120.176.66:8392 US:64.191.44.8:8392 | 135 | pcap | raw alerts ruleset | irc http 233 lines | Yeah : 1.8 profile | none | summary tarball | 13 of 41; 40 of 41; 0 of 41; 18 of 40; 20 of 41; 19 of 40; 39 of 41; 9 of 41 | 17ad929104 NEW; 1824c59f34 NEW; 24b05eb9dd NEW; 4feab58b34 NEW; ad7bb85f48 NEW; b5ce8e80cd NEW; caaeb70f9f NEW; d8a1156d70 NEW | none[none]; da8a48fc3a [0]; none[none]; none[none]; none[none]; none[none]; fdabb272e7 [0]; none[none] | none:none; ASM:Graph; none:none; none:none; none:none; none:none; ASM:Graph; none:none | none\|none; tElock\|; none\|none; none\|none; none\|none; none\|none; Armadillo\|; none\|none | none; lines=112 embedded dns; none; none; none; none; lines=91; none | none; trace; none; none; none; none; trace; none |
| 08:56:00 | Win2K-f | 189.168.107.111 (PROD-INFINITUM.COM.MX): GESTIÓN DE DIRECCIONAMIENTO UNINET, CANCUN, QUINTANA ROO, MX. (DSL) | n/a | :in1.7cy.net :healthwy.com CN:pic.iwillhavesexygirls.com :bf18585e.linkbucks.com :static.linkbucks.com US:ad.xtendmedia.com US:content.yieldmanager.com :cookex.amp.yahoo.com US:rts.sparkstudios.com :www.google-analytics.com 74.125.19.100:80 | 445 | pcap | raw alerts ruleset | http irc 37 lines | Yeah : 0.8 profile | none | summary tarball | 17 of 41; 13 of 41 | c0918b8c50 NEW; c77b03f5bd NEW | none[none]; none[none] | none:none; none:none | none\|none; none\|none | none; none | none; none |
| 09:01:00 | Win2K-f | 201.109.1.31 (PROD-DIAL.COM.MX): UNINET S.A. DE C.V, MX. (DIAL) | 60.190.222.139:65520 | LV:ad.ghura.pl :in1.7cy.net CN:ku1.installstorm.com CN:sb.installstorm.com CN:sky.installstorm.com :www.infostockcotv.info CN:pic.iwillhavesexygirls.com :bf18585e.linkbucks.com :static.linkbucks.com CN:58.221.42.38:250 66.114.48.13:80 | 445 | pcap | raw alerts ruleset | irc http 39 lines | Yeah : 1.3 profile | none | summary tarball | 12 of 41; 8 of 41; 20 of 41; 19 of 40; 17 of 41; 17 of 41; 9 of 41 | 1e34e8d159 NEW; 2cb2e4374e NEW; ad7bb85f48 NEW; b5ce8e80cd NEW; bc46417a2c NEW; c0918b8c50 NEW; d8a1156d70 NEW | none[none]; none[none]; none[none]; none[none]; none[none]; none[none]; none[none] | none:none; none:none; none:none; none:none; none:none; none:none; none:none | none\|none; none\|none; none\|none; none\|none; none\|none; none\|none; none\|none | none; none; none; none; none; none; none | none; none; none; none; none; none; none |
| 09:17:00 | Win2K-f | 98.149.93.230 (RR.COM): ROAD RUNNER HOLDCO LLC, OXNARD, CALIFORNIA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 59 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 8 of 33 | 53bfe15e91 NEW; b7082104e4 NEW | 1473091351 [0]; c5b49e7b82 [0] | ASM:Graph; ASM:Graph | tElock\|; tElock\| | lines=75 embedded dns; lines=41 | trace; trace |
| 10:49:00 | Win2K-f | 84.3.149.137 (T-ONLINE.HU): HUNGARIAN TELECOM, ESZTERGOM, KOMAROM-ESZTERGOM, HU. (DSL) | n/a | US:www.maxmind.com EU:getmyip.co.uk :checkip.dyndns.org US:www.getmyip.org 208.78.70.70:80 US:67.15.94.80:80 US:75.126.138.202:80 EU:78.40.35.134:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX\| | lines=174 embedded dns | trace |
| 10:58:00 | Win2K-f | 84.3.149.137 (T-ONLINE.HU): HUNGARIAN TELECOM, ESZTERGOM, KOMAROM-ESZTERGOM, HU. (DSL) | n/a | US:www.maxmind.com :checkip.dyndns.org DE:131.220.6.26:80 | 445 | pcap | raw alerts ruleset | http 5 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX\| | lines=174 embedded dns | trace |
| 11:00:00 | WinXP | 115.80.139.5 (TAIWANMOBILE.NET): TAIWAN MOBILE CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | DE:citi-bank.ru DE:213.155.0.224:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none[0] | none:none | PolyEnE\| | lines=68 | trace |
| 11:39:00 | Win2K-f | 203.118.238.245 (-): GRAND TAINAN TECHNOLOGY CO.LTD, TAINAN, T'AI-WAN, TW. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41; 40 of 41 | 5fae5f1583 NEW; a3395c110a NEW | none[none]; none[none] | none:none; none:none | none\|none; none\|none | none; none | none; none |
| 11:52:00 | WinXP | 79.163.233.159 (CENTERTEL.PL): PTK CENTERTEL BROADBAND SERVICES, PL. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 41 of 41 | 5c6df5141d NEW | none[none] | none:none | none\|none | none | none |
| 12:02:00 | Win2K-f | 62.47.214.63 (TELEKOM.AT): HIGHWAY CUSTOMERS, INNSBRUCK, TIROL, AT. (DSL) | n/a | NL:wow.blackirc.us | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none |
| 12:12:00 | WinXP | 68.147.48.28 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, CALGARY, ALBERTA, CA. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 111 lines | Yeah : 1.3 profile | none | summary tarball | 38 of 41; 38 of 41 | 270559591a NEW; b3ae886db6 NEW | none[none]; none[none] | none:none; none:none | none\|none; none\|none | none; none | none; none |
| 12:13:00 | WinXP | 95.104.38.60 (CAUCASUS.NET): CAUCASUS ONLINE BROADBAND NETWORK, GE. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 31 of 32 | 24137d8412 NEW | 73a916deb4 [0] | none:none | PolyEnE\| | none | trace |
| 12:33:00 | Win2K-f | 61.46.143.242 (ZAQ.NE.JP): J:COM WEST CO. LTD, OSAKA, OSAKA, JP. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 0 of 32; 33 of 33 | 07fabc79ef NEW; 53bfe15e91 NEW | none[0]; 1473091351 [0] | none:none; ASM:Graph | Armadillo\|; tElock\| | lines=90; lines=75 embedded dns | trace; trace |
| 12:40:00 | Win2K-f | 208.93.255.21 (NORWOODLIGHT.COM): NORWOOD LIGHT BROADBAND, NORWOOD, MASSACHUSETTS, US. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 10 lines | Yeah : 1.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| 12:51:00 | WinXP | 122.146.252.192 (SPARQNET.NET): NEW CENTRY INFOCOM TECH. CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 77 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 32 | 53bfe15e91 NEW; 73f1082158 NEW | 1473091351 [0]; none[0] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; lines=90 | trace; trace |
| 13:45:00 | Win2K-f | 75.15.180.255 (PACBELL.NET): AT&T INTERNET SERVICES, BAKERSFIELD, CALIFORNIA, US. (100Mbps) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41; 40 of 41 | 1e12f5145a NEW; f208493e65 NEW | 617af909de [0]; 5100adb4f9 [0] | ASM:Graph; ASM:Graph | Armadillo\|; tElock\| | lines=91; lines=64 embedded dns | trace; trace |
| 14:28:00 | WinXP | 216.210.85.9 (SPEAKEASY.NET): US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 118 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41; 40 of 41 | 42656236d9 NEW; f205d53608 NEW | none[none]; none[none] | none:none; none:none | none\|none; none\|none | none; none | none; none |
| 14:37:00 | WinXP | 71.101.164.143 (VERIZON.NET): VERIZON INTERNET SERVICES INC, LAKELAND, FLORIDA, US. (DSL) | n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 39 of 40 | 5e8ccc4190 NEW | 8d5f86583f [0] | ASM:Graph | PolyEnE\| | lines=68 | trace |
| 15:07:00 | WinXP | 66.57.19.127 (RR.COM): ROAD RUNNER HOLDCO LLC, CARY, NORTH CAROLINA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41; 39 of 40 | d08635ca20 NEW; e2479cbb98 NEW | none[none]; none[none] | none:none; none:none | none\|none; none\|none | none; none | none; none |
| 15:51:00 | WinXP | 71.101.164.143 (VERIZON.NET): VERIZON INTERNET SERVICES INC, LAKELAND, FLORIDA, US. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 40 | 5e8ccc4190 NEW | 8d5f86583f [0] | ASM:Graph | PolyEnE\| | lines=68 | trace |
| 16:56:00 | WinXP | 71.116.212.170 (VERIZON.NET): VERIZON INTERNET SERVICES INC, LOS ANGELES, CALIFORNIA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; a08f3b74a4 NEW | 1473091351 [0]; none[0] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; lines=90 | trace; trace |
| 17:12:00 | WinXP | 219.234.80.181 (IAPCM.AC.CN): BEIJING TELETRON TELECOM ENGINEERING CO. LTD, BEIJING, BEIJING, CN. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; a08f3b74a4 NEW | 1473091351 [0]; none[0] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; lines=90 | trace; trace |
| 17:14:00 | WinXP | 24.234.68.105 (COX.NET): COX COMMUNICATIONS INC, LAS VEGAS, NEVADA, US. (100Mbps) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; a08f3b74a4 NEW | 1473091351 [0]; none[0] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; lines=90 | trace; trace |
| 17:41:00 | WinXP | 66.50.4.147 (PRTC.NET): PRTC RAS, SAN JUAN, PUERTO RICO, PR. (DSL) | 213.155.0.224:80 60.190.222.139:65520 | CN:proxim.ircgalaxy.pl DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http irc 5 lines | Yeah : 1.3 profile | none | summary tarball | 38 of 41 | 5d26f533fd NEW | none[none] | none:none | none\|none | none | none |
| 18:40:00 | Win2K-f | 173.24.242.74 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, HUNTSVILLE, ALABAMA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 38 of 40; 38 of 40 | 474acf88e5 NEW; 68f0c14692 NEW | 1f53944b24 [0]; ccc1b24d53 [0] | ASM:Graph; ASM:Graph | tElock\|; Armadillo\| | lines=64 embedded dns; lines=91 | trace; trace |
| 19:25:00 | WinXP | 69.183.220.17 (SNET.NET): AT&T INTERNET SERVICES, MERIDEN, CONNECTICUT, US. (DSL) | n/a | :www.google.com.au US:www.altavista.com :jbeegvia.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 32 of 32 | bb7681eca8 NEW | none[3] | none:none | tElock\| | none | trace |
| 19:37:00 | WinXP | 121.120.188.108 (MAXIS.NET.MY): MAXIS BROADBAND SDN BHD, KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) | n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 1.3 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none[0] | none:none | PolyEnE\| | lines=68 | trace |
| 20:00:00 | Win2K-f | 162.42.208.14 (CYBERTRAILS.COM): CYBERTRAILS, PHOENIX, ARIZONA, US. (DSL) | n/a | US:www.maxmind.com :checkip.dyndns.org EU:getmyip.co.uk US:www.getmyip.org 208.78.70.70:80 US:67.15.94.80:80 US:75.126.138.202:80 EU:78.40.35.134:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX\| | lines=174 embedded dns | trace |
| 20:01:00 | Win2K-f | 75.60.208.35 (SBCGLOBAL.NET): AT&T INTERNET SERVICES, COLUMBUS, OHIO, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; a08f3b74a4 NEW | 1473091351 [0]; none[0] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; lines=90 | trace; trace |
| 21:44:00 | WinXP | 122.146.252.192 (SPARQNET.NET): NEW CENTRY INFOCOM TECH. CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 32 | 53bfe15e91 NEW; 73f1082158 NEW | 1473091351 [0]; none[0] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; lines=90 | trace; trace |
| 22:22:00 | Win2K-f | 200.186.74.222 (STERLINGSTUDENTS.NET): COMITE GESTOR DA INTERNET NO BRASIL, BR. (DSL) | n/a | | 445 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| 22:38:00 | WinXP | 63.24.117.91 (UU.NET): UUNET TECHNOLOGIES INC, KUNA, IDAHO, US. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 123 lines | Yeah : 1.3 profile | none | summary tarball | 0 of 32 | 73f1082158 NEW | none[0] | none:none | Armadillo\| | lines=90 | trace |
| 23:47:00 | WinXP | 193.93.110.216 (GRAT.NET.UA): GRAT NETWORK INTERNET SERVICE PROVIDER, KIEV, KYYIV, UA. (DSL) | n/a | DE:citi-bank.ru DE:213.155.0.224:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 40 of 41 | 1d0ce31c6d NEW | none[none] | none:none | none\|none | none | none |