Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

12 July 2010
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:31:00 WinXP 92.47.229.245 (DIAL.ONLINE.KZ):
JSC KAZAKHTELECOM ALMATY AFFILIATE,
ALMATY, ALMATY CITY, KZ. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		39 of 42 f2d7f7fcca
NEW 		none[none] none:none
 none|none none none
T:00:31:00 Win2K-f 4.162.111.153 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
NORTH LITTLE ROCK, ARKANSAS, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
7 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:00:43:00 Win2K-f 60.249.131.152 (HINET.NET):
ZUOYING ARMED FORCES GENERAL HOSPITAL,
KAOHSIUNG, T'AI-WAN, TW. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 42
35 of 38		 2f8c9d89ce
NEW
b9297745a1
NEW 		none[none]
4294884d84[0] 		none:none
ASM:Graph
 none|none
tElock| 		none
lines=64
embedded dns 		none
trace
T:01:55:00 WinXP 115.165.21.222 (CATV02.ITSCOM.JP):
ITS COMMUNICATIONS INC,
TOKYO, TOKYO, JP. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:03:56:00 WinXP 114.51.29.50 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 d0415ff47c
NEW 		none[none] none:none
 none|none none none
T:04:51:00 WinXP 200.225.148.74 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) 		n/a :siliconfireware.ru
:wpad 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		29 of 29 df17a625ee
NEW 		none[0] none:none
 ASPack| lines=298
embedded dns 		trace
T:05:54:00 Win2K-f 70.183.7.117 (COX.NET):
COX COMMUNICATIONS,
VIENNA, VIRGINIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:05:59:00 WinXP 99.224.132.251 (ROGERS.COM):
ROGERS CABLE INC. FLFRD,
CA. (DSL) 		62.193.249.122:3305 FR:cx10man.weedns.com 135 pcap raw alerts
ruleset 		irc
695 lines 		Yeah : 1.8
profile 		none summary
tarball 		38 of 41 ecfbf321d3
NEW 		none[none] none:none
 none|none none none
T:06:02:00 WinXP 178.90.194.244 (FINEBLANK.COM):
EU-ZZ,
UK. (DSL) 		n/a CN:ilo.brenz.pl
DE:citi-bank.ru
:pftlzo.com
:fkaean.com
:yadfxl.com
:wykewo.com
:fljlbp.com
:yzfehy.com
:nwweja.com
:hrdakk.com
:ouyqzg.com
:bqlkko.com
:vhoasr.com
:sxbnuy.com
:txyojm.com
:joejua.com
:yedrur.com
:enueix.com
:ednsvr.com
:gkfceg.com
:itegor.com
:xodbhp.com
:pfquab.com
:uuehyq.com
:ebzyef.com
:ygqrov.com
:jafkun.com
:rufhdy.com
:eokoqt.com
:aqouwb.com
:yszuem.com
:oywocn.com
:oeenoe.com
:tusxyw.com
:iombtg.com
DE:ant.trenz.pl
:oqftuq.com
:akxqha.com
:aydawa.com
:jhvnry.com
:oomrxk.com
:yotqud.com
:kforey.com
:xaduwr.com
:yuxayx.com
:xxuyws.com
:ocuour.com
:ithzho.com
:ulxuol.com
:xiilly.com
:uumzqq.com 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 31575610e6
NEW 		none[none] none:none
 none|none none none
T:06:22:00 Win2K-f 211.74.204.114 (SEED.NET.TW):
SEEDNET-KAOHSIUNGDP-S,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
57ce4acac2
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:06:28:00 WinXP 113.254.193.217 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		41 of 42 a233db8c35
NEW 		none[none] none:none
 none|none none none
T:07:47:00 WinXP 117.104.53.2 (T-COM.NE.JP):
TOKAI CORPORATION,
SHIZUOKA, SHIZUOKA, JP. (DSL) 		62.193.249.122:3305 JP:cx10man.weedns.com 135 pcap raw alerts
ruleset 		irc
695 lines 		Yeah : 1.8
profile 		none summary
tarball 		38 of 41 ecfbf321d3
NEW 		none[none] none:none
 none|none none none
T:07:51:00 Win2K-f 63.246.124.195 (ALTUSCGI.NET):
PRIVATE CABLE ISP SUBSCRIBER (GEORGETOWN SC MARKET),
IRVING, TEXAS, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:08:25:00 WinXP 194.19.234.252 (-):
BTG,
RIGA, RIGA, LV. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:08:36:00 Win2K-f 220.180.187.156 (CNDATA.COM):
CHINANET ANHUI PROVINCE NETWORK,
HEFEI, ANHUI, CN. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
78 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 97fef473b9
NEW
a08f3b74a4
NEW 		ff4e7d6992 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=64
embedded dns
lines=90 		trace
trace
T:08:49:00 WinXP 4.244.114.148 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
KANSAS CITY, MISSOURI, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41
39 of 41		 53bcb942c4
NEW
6d4ed181c0
NEW 		0455077c19 [0]
ecfe391a4c[0] 		ASM:Graph
ASM:Graph
 Armadillo|
tElock| 		lines=91
lines=64
embedded dns 		trace
trace
T:09:27:00 WinXP 24.209.225.43 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CINCINNATI, OHIO, US. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:09:31:00 WinXP 125.4.250.49 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
TOKYO, TOKYO, JP. (DSL) 		n/a KR:cx10man.weedns.com 135 pcap raw alerts
ruleset 		irc
694 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 41 ecfbf321d3
NEW 		none[none] none:none
 none|none none none
T:09:34:00 WinXP 109.162.69.187 (STERLINGSTUDENTS.NET):
EU-ZZ,
UK. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:10:16:00 Win2K-f 173.27.29.201 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
COLUMBIA, MISSOURI, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41
39 of 41		 3bff218b8f
NEW
7eaf7b4470
NEW 		b570b734be [0]
8e0b194526[0] 		ASM:Graph
ASM:Graph
 tElock|
Armadillo| 		lines=64
embedded dns
lines=91 		trace
trace
T:10:19:00 Win2K-f 63.246.123.242 (ALTUSCGI.NET):
PRIVATE CABLE ISP SUBSCRIBER (GEORGETOWN SC MARKET),
IRVING, TEXAS, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:10:44:00 WinXP 70.65.131.172 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
LETHBRIDGE, ALBERTA, CA. (DSL) 		n/a US:gg.arrancar.org
US:72.20.40.26:555 		135 pcap raw alerts
ruleset 		other
186 lines 		Yeah : 1.3
profile 		none summary
tarball 		34 of 39 ce28648035
NEW 		126d2f4655 [0] ASM:Graph
 none|none lines=546 trace
T:14:32:00 WinXP 66.90.181.46 (GRANDENETWORKS.NET):
GRANDE COMMUNICATIONS SAN ANTONIO HUB,
SAN ANTONIO, TEXAS, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
114 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 41
38 of 41		 d031b42d3f
NEW
fa14802705
NEW 		none[none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
T:15:42:00 WinXP 63.246.123.242 (ALTUSCGI.NET):
PRIVATE CABLE ISP SUBSCRIBER (GEORGETOWN SC MARKET),
IRVING, TEXAS, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:16:01:00 WinXP 114.149.254.102 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
JP. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		31 of 32 741e3b03b3
NEW 		none[0] none:none
 none|none lines=61 trace
T:16:24:00 WinXP 120.138.144.29 (STARCAT.NE.JP):
KMN CORPORATION,
TOKYO, TOKYO, JP. (DSL) 		n/a IT:cx10man.weedns.com 135 pcap raw alerts
ruleset 		irc
582 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41 daa7649455
NEW 		none[none] none:none
 none|none none none
T:16:25:00 WinXP 186.97.102.135 (-):
. 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 8015c2d45f
NEW 		749cbc2739 [0] ASM:Graph
 PolyEnE| lines=68 trace
T:16:27:00 Win2K-f 24.77.241.6 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
WINNIPEG, MANITOBA, CA. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
123 lines 		Yeah : 1.3
profile 		none summary
tarball 		36 of 41
38 of 41		 34cbe7a593
NEW
3e83a2d4d7
NEW 		d38cb78003 [0]
b97fd63d29[0] 		ASM:Graph
ASM:Graph
 Armadillo|
tElock| 		lines=91
lines=64
embedded dns 		trace
trace
T:17:46:00 WinXP 186.9.163.209 (IMOVIL.ENTELPCS.CL):
ENTEL PCS TELECOMUNICACIONES S.A,
SANTIAGO, REGION METROPOLITANA, CL. (DSL) 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:18:20:00 WinXP 182.169.124.202 (-):
. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		37 of 40 5285741560
NEW 		60590b8b67 [0] ASM:Graph
 none|none lines=59 trace
T:19:52:00 Win2K-f 70.64.3.47 (GASOC.COM):
SHAW COMMUNICATIONS INC,
SASKATOON, SASKATCHEWAN, CA. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
77 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:20:16:00 WinXP 4.143.208.223 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
CHICAGO, ILLINOIS, US. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
169 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41 ff34a1caa4
NEW 		979a6569d4 [0] ASM:Graph
 Armadillo| lines=91 trace
T:20:21:00 WinXP 188.132.123.164 (-):
ETTIHADETISALAT,
RIYADH, AR RIYAD, SA. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:20:29:00 WinXP 120.138.135.183 (STARCAT.NE.JP):
KMN CORPORATION,
TOKYO, TOKYO, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 40
39 of 39		 b8e6f4caf7
NEW
fb92b91fe7
NEW 		f81eac6379 [0]
fe88ab8768[0] 		none:none
none:none
 tElock|
Armadillo| 		none
none 		trace
trace
T:20:32:00 Win2K-f 60.249.37.106 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
10 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:21:30:00 WinXP 122.146.83.141 (SPARQNET.NET):
NEW CENTRY INFOCOM TECH. CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:21:59:00 Win2K-f 118.83.130.34 (NKNO.J-CNET.JP):
CITY TV NAKANO LIMITED,
TOKYO, TOKYO, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
127 lines 		Yeah : 1.3
profile 		none summary
tarball 		32 of 36
34 of 36		 0b951c2832
NEW
e4ed4df0f0
NEW 		5fe761661a [0]
de471fc380[0] 		ASM:Graph
ASM:Graph
 Armadillo|
tElock| 		lines=91
lines=64
embedded dns 		trace
trace
T:22:13:00 WinXP 114.149.254.102 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
JP. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		31 of 32 741e3b03b3
NEW 		none[0] none:none
 none|none lines=61 trace
T:22:43:00 Win2K-f 125.58.70.38 (STARCAT.NE.JP):
KMN CORPORATION,
NAGOYA, TOKYO, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace