| Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 07:56:00 | Win2K-f | 118.171.82.59 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | US:www.maxmind.com :checkip.dyndns.org US:67.15.94.80:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX\| | lines=174 embedded dns | trace |
| T:17:22:00 | Win2K-f | 24.103.28.212 (RR.COM): ROAD RUNNER HOLDCO LLC, FT. LEE, NEW JERSEY, US. (DSL) | n/a | IL:26search.com :findhobbits.com :picturewant.com US:gmtimesads.34.blueseek.com US:www.advertise.com :www.egotvonline.com US:media.egotvonline.com 69.55.63.98:80 | 135 | pcap | raw alerts ruleset | http http http http http http 54 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:17:53:00 | WinXP | 174.39.231.225 (WINDSTREAM.NET): ALLTEL MIP CUSTOMERS - OMAHA, SCHUYLER, NEBRASKA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 172 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41; 39 of 41 | 53aa804019 NEW; 95ddd4a823 NEW | 29c6cdbf45 [0]; 9e78315a6d [0] | ASM:Graph; ASM:Graph | tElock\|; Armadillo\| | lines=64 embedded dns; lines=91 | trace; trace |
| 18:18:00 | Win2K-f | 209.127.79.44 (-): ICMI DIGITAL ROTORY (240 PORTS), CORPUS CHRISTI, TEXAS, US. (DSL) | n/a | US:www.maxmind.com EU:getmyip.co.uk US:www.getmyip.org :checkip.dyndns.org DE:131.220.6.26:80 208.78.70.70:80 EU:78.40.35.134:80 | 445 | pcap | raw alerts ruleset | http 5 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX\| | lines=174 embedded dns | trace |
| T:18:27:00 | WinXP | 92.246.221.245 (NACKSYSTEM.NET): EU-ZZ, UK. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41 | ccf5d5d19e NEW | none [none] | none:none | none\|none | none | none |
| 18:34:00 | WinXP | 24.165.124.199 (RR.COM): ROAD RUNNER HOLDCO LLC, HAMILTON, OHIO, US. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none [0] | none:none | PolyEnE\| | lines=68 | trace |
| 18:56:00 | WinXP | 92.246.221.245 (NACKSYSTEM.NET): EU-ZZ, UK. (DSL) | n/a | DE:citi-bank.ru DE:213.155.0.224:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 41 | ccf5d5d19e NEW | none [none] | none:none | none\|none | none | none |
| T:19:53:00 | Win2K-f | 173.170.67.239 (RR.COM): ROAD RUNNER HOLDCO LLC, HERNDON, VIRGINIA, US. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 186 lines | Yeah : 1.3 profile | none | summary tarball | 41 of 41 | a4497aa84e NEW | d1b46a6ff9 [0] | ASM:Graph | none\|none | lines=546 | trace |
| T:20:04:00 | WinXP | 117.254.105.4 (STERLINGSTUDENTS.NET): NIB (NATIONAL INTERNET BACKBONE), NEW DELHI, DELHI, IN. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41 | eda3b7766c NEW | 7556343561 [0] | ASM:Graph | PolyEnE\| | lines=68 | trace |
| T:20:14:00 | Win2K-f | 110.10.49.131 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 113 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41; 5 of 41 | 14f47ffd1e NEW; 50437008d9 NEW | 90bf4b99ff [0]; c1b09ac5d7 [0] | ASM:Graph; ASM:Graph | tElock\|; Armadillo\| | lines=56 embedded dns; lines=90 | trace; trace |
| T:20:48:00 | WinXP | 24.79.228.180 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, WINNIPEG, MANITOBA, CA. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 125 lines | Yeah : 1.3 profile | none | summary tarball | 36 of 41; 38 of 41 | 34cbe7a593 NEW; 3e83a2d4d7 NEW | d38cb78003 [0]; b97fd63d29 [0] | ASM:Graph; ASM:Graph | Armadillo\|; tElock\| | lines=91; lines=64 embedded dns | trace; trace |
| T:22:50:00 | WinXP | 201.69.243.109 (STERLINGSTUDENTS.NET): COMITE GESTOR DA INTERNET NO BRASIL, BR. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41 | 07cd99a10b NEW | f8f0f72da6 [0] | ASM:Graph | PolyEnE\| | lines=68 | trace |
| T:22:56:00 | WinXP | 174.1.204.53 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, CA. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 1008 lines | Yeah : 1.3 profile | none | summary tarball | 31 of 41 | 682a384fe9 NEW | none [3] | none:none | none\|none | none | trace |
| T:23:35:00 | WinXP | 210.117.52.226 (KRLINE.NET): KRNIC, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | 83.133.119.206:65520 | CN:proxima.ircgalaxy.pl US:microsoft.com :cps-h3.ep.sci.hokudai.ac.jp BR:www.saredrogarias.com.br BR:www.billboxrecords.com.br :apply.reedexpo.co.jp GB:forum.gryada.org.ua JP:www.kajima.co.jp BR:loja.tray.com.br UA:bunker.org.ua JP:center.umin.ac.jp BR:www.digimer.com.br JP:ex2.broadserver.jp BR:ssl876.locaweb.com.br JP:www.gsec.keio.ac.jp JP:130.69.92.68:443 JP:131.113.221.138:443 GB:193.169.188.64:443 UA:195.214.214.53:443 JP:202.164.228.11:443 JP:202.218.170.179:443 UA:212.82.216.42:443 JP:219.99.163.41:443 UA:77.120.99.240:443 | 135 | pcap | raw alerts ruleset | irc http 145 lines | Yeah : 1.8 profile | none | summary tarball | 40 of 41; 39 of 41; 36 of 41 | 1824c59f34 NEW; caaeb70f9f NEW; f0a4409bf8 NEW | da8a48fc3a [0]; fdabb272e7 [0]; none [none] | ASM:Graph; ASM:Graph; none:none | tElock\|; Armadillo\|; none\|none | lines=112 embedded dns; lines=91; none | trace; trace; none |