Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

29 August 2010
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:17:00 Win2K-f 60.250.246.160 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32
3 of 37		 d41d8cd98f
NEW
e2aef2545b
NEW 		none[3]
none [none] 		ASM:Graph
none:none
 none|none
none|none 		lines=0
none 		trace
none
T:00:22:00 WinXP 189.66.115.158 (TIMBRASIL.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
RIO DE JANEIRO, RIO DE JANEIRO, BR. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:00:54:00 WinXP 119.154.3.203 (PIE.NET.PK):
PAKISTAN TELECOMMUNICATION COMPANY LIMITED,
RAWALPINDI, PUNJAB, PK. (DSL) 		n/a   445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:01:00:00 WinXP 219.84.118.30 (SO-NET.NET.TW):
SONY NETWORK TAIWAN LIMITED,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:01:02:00 WinXP 114.27.90.72 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:01:04:00 Win2K-f 122.49.244.141 (CCNET-AI.NE.JP):
COMMUNITY NETWORK CENTER INC,
TOYOKAWA, AICHI, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
88 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:02:31:00 Win2K-f 24.67.50.162 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
VERNON, BRITISH COLUMBIA, CA. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
144 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:02:51:00 Win2K-f 202.170.181.120 (CCNETMIE.NE.JP):
COMMUNITY NETWORK CENTER INC,
TOKYO, TOKYO, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		none
0 of 32		 20c94c7ab1
NEW
d41d8cd98f
NEW 		none[none]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		none
trace
T:03:22:00 Win2K-f 115.165.32.1 (CATV02.ITSCOM.JP):
ITS COMMUNICATIONS INC,
TOKYO, TOKYO, JP. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:03:42:00 Win2K-f 68.147.25.142 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CALGARY, ALBERTA, CA. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
186 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:05:27:00 WinXP 121.121.29.243 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:05:39:00 Win2K-f 203.95.63.15 (T-COM.NE.JP):
TOKAI CORPORATION,
KANAZAWA, ISHIKAWA, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:06:40:00 WinXP 80.171.127.43 (HANSENET.DE):
HANSENET-ADSL,
HAMBURG, HAMBURG, DE. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
16 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:06:56:00 WinXP 89.214.39.188 (-):
GPRS COSTUMERS,
FARO, FARO, PT. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:06:59:00 WinXP 189.87.207.85 (VELOXZONE.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
UBERABA, MINAS GERAIS, BR. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:07:17:00 WinXP 60.250.246.160 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32
3 of 37		 d41d8cd98f
NEW
e2aef2545b
NEW 		none[3]
none [none] 		ASM:Graph
none:none
 none|none
none|none 		lines=0
none 		trace
none
T:07:24:00 WinXP 193.126.128.41 (NET.NOVIS.PT):
KPNQWEST PORTUGAL / IOL ISP,
PT. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:07:26:00 WinXP 115.82.84.130 (TAIWANMOBILE.NET):
TAIWAN MOBILE CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
07:39:00 WinXP 193.126.128.41 (NET.NOVIS.PT):
KPNQWEST PORTUGAL / IOL ISP,
PT. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:10:00:00 WinXP 184.59.26.137 (-):
. 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:10:14:00 WinXP 64.181.117.210 (-):
JHW CHARITABLE ANNUITY TRUST,
CHARLESTON, WEST VIRGINIA, US. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
117 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:10:34:00 WinXP 189.48.189.67 (VELOXZONE.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
RIO DE JANEIRO, RIO DE JANEIRO, BR. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:10:59:00 Win2K-f 70.184.145.155 (COX.NET):
COX COMMUNICATIONS,
OCALA, FLORIDA, US. (DSL) 		60.190.222.139:65520 US:microsoft.com
DE:proxim.ircgalaxy.pl
LV:ad.ghura.pl
:www.pirateparty.in.ua
US:www.iknow.co.jp
JP:www.myeclipseide.jp
PL:ssl.aukro.ua
UA:spooky.cartoons.org.ua
JP:www.ristex.jp
:sb.perfectexe.com
JP:131.113.221.138:443
JP:131.206.55.11:443
BR:201.20.45.207:443
JP:202.218.170.179:443
UA:212.82.216.42:443
JP:222.146.58.38:443
UA:62.149.23.110:443
US:68.232.187.4:443
US:69.57.128.35:443
UA:77.120.104.50:443
UA:77.120.110.76:443 		135 pcap raw alerts
ruleset 		irc
http
137 lines 		Yeah : 1.8
profile 		none summary
tarball 		none
0 of 32		 7f5a2fd586
NEW
d41d8cd98f
NEW 		none[none]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		none
trace
T:11:01:00 WinXP 69.193.68.239 (RR.COM):
ROAD RUNNER HOLDCO LLC,
HERNDON, VIRGINIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:11:10:00 Win2K-f 71.49.166.160 (EMBARQHSD.NET):
EMBARQ CORPORATION,
HUMBLE, TEXAS, US. (DSL) 		n/a  
JP:131.113.221.138:443
US:17.40.253.116:443
174.123.60.178:443
174.36.220.203:443
191.132.154.190:443
UA:195.214.214.53:443
PR:200.5.0.0:443
BR:201.49.212.100:443
JP:202.191.113.9:443
JP:202.218.203.244:443
UA:212.82.216.42:443
JP:219.99.163.41:443
UA:62.149.23.110:443
US:65.74.140.3:443
US:66.96.213.5:443
US:69.57.128.35:443 		445 pcap raw alerts
ruleset 		irc
25 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:11:27:00 WinXP 186.9.12.3 (IMOVIL.ENTELPCS.CL):
ENTEL PCS TELECOMUNICACIONES S.A,
SANTIAGO, REGION METROPOLITANA, CL. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:11:41:00 Win2K-f 93.89.216.123 (-):
INTERPHONE-VPN2-NET,
MARIUPOL, DONETS'KA OBLAST', UA. (DSL) 		n/a JP:www.jica.go.jp
:www.epra
110.50.209.195:443
US:140.177.205.56:443
JP:163.209.180.1:443
JP:164.46.227.120:443
UA:195.214.214.53:443
BR:201.20.45.207:443
JP:202.218.111.122:443
JP:202.218.170.179:443
JP:202.218.203.244:443
JP:203.179.38.26:443
JP:222.146.58.38:443
US:69.57.128.35:443
UA:77.120.121.35:443 		445 pcap raw alerts
ruleset 		other
19 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:11:52:00 Win2K-f 175.112.87.34 (-):
. 		60.190.222.139:65520 US:microsoft.com
DE:proxim.ircgalaxy.pl
LV:ad.ghura.pl
:sb.perfectexe.com
JP:www.science-forum.co.jp
JP:www.marantz.jp
:www.imagemfolheados.com.br
JP:direct.ips.co.jp
:www.epra
:ex2.broadser
:apply.reedexpo.co.jp
JP:m-repo.lib.meiji.ac.jp
:www.mlh.co.jp
:nodes.com.ua
JP:g105.secure.ne.jp
PL:ssl.aukro.ua
:la2.meganet.org.ua
109.72.122.165:443
115.125.150.234:443
173.192.153.178:80
174.123.60.178:443
PL:193.23.48.228:443
JP:202.164.228.11:443
JP:202.218.111.122:443
JP:202.226.91.62:443
UA:212.82.216.42:443
US:68.232.187.4:443
US:69.57.128.35:443
UA:77.120.121.35:443
DE:83.133.119.206:65520
95.169.190.41:443 		135 pcap raw alerts
ruleset 		irc
http
28 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:12:15:00 WinXP 219.115.197.226 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
OSAKA, OSAKA, JP. (DSL) 		62.193.249.122:3305 JP:cx10man.weedns.com 135 pcap raw alerts
ruleset 		irc
695 lines 		Yeah : 1.8
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:12:44:00 Win2K-f 174.116.16.200 (ROGERS.COM):
ROGERS CABLE COMMUNICATIONS INC,
ST. JOHN'S, NEWFOUNDLAND AND LABRADOR, CA. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:13:11:00 WinXP 201.69.155.177 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:13:18:00 WinXP 186.9.10.41 (IMOVIL.ENTELPCS.CL):
ENTEL PCS TELECOMUNICACIONES S.A,
SANTIAGO, REGION METROPOLITANA, CL. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:13:23:00 Win2K-f 173.170.223.26 (RR.COM):
ROAD RUNNER HOLDCO LLC,
HERNDON, VIRGINIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
77 lines 		Yeah : 1.3
profile 		none summary
tarball 		2 of 36
0 of 32		 9ba1f1416a
NEW
d41d8cd98f
NEW 		none[3]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		trace
trace
T:13:50:00 WinXP 4.225.92.83 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
WESTFIELD, INDIANA, US. (DIAL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:14:16:00 Win2K-f 173.30.195.68 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
FEDERAL WAY, WASHINGTON, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
10 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:14:19:00 WinXP 112.201.239.63 (PLDT.NET):
IPG,
LAS PINAS CITY, MANILA, PH. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		none
0 of 32		 14335fc765
NEW
d41d8cd98f
NEW 		none[none]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		none
trace
T:15:11:00 WinXP 109.83.156.116 (JWS.COM):
EU-ZZ,
UK. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:15:34:00 WinXP 92.115.140.235 (HOST-STATIC-92-115-28-10.MOLDTELECOM.MD):
JSC MOLDTELECOM SA,
CHISINAU, CHISINAU, MD. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
15:49:00 WinXP 66.50.4.116 (PRTC.NET):
PRTC RAS,
SAN JUAN, PUERTO RICO, PR. (DSL) 		60.190.222.139:65520 DE:proxim.ircgalaxy.pl
DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
irc
3 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
16:17:00 Win2K-f 85.185.224.115 (-):
BADR RAYAN SARBANDAR,
AHVAZ, KHUZESTAN, IR. (100Mbps) 		n/a US:www.maxmind.com
:www.getmyip.org
:checkip.dyndns.org
EU:getmyip.co.uk
:www.vouchercodes.com
DE:131.220.6.26:80
EU:91.198.22.70:80 		445 pcap raw alerts
ruleset 		http
42 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:17:01:00 Win2K-f 85.185.224.115 (-):
BADR RAYAN SARBANDAR,
AHVAZ, KHUZESTAN, IR. (100Mbps) 		n/a US:www.maxmind.com
EU:getmyip.co.uk
:www.vouchercodes.com
US:checkip.dyndns.org
DE:131.220.6.26:80 		445 pcap raw alerts
ruleset 		http
44 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:17:19:00 WinXP 186.10.173.155 (-):
. 		n/a   445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:17:52:00 WinXP 201.69.155.234 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:17:54:00 WinXP 174.100.156.16 (RR.COM):
ROAD RUNNER HOLDCO LLC,
STOW, OHIO, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
104 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:21:08:00 WinXP 71.49.167.134 (EMBARQHSD.NET):
EMBARQ CORPORATION,
HUMBLE, TEXAS, US. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
22:10:00 WinXP 121.121.224.96 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:23:50:00 Win2K-f 70.68.156.221 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
COQUITLAM, BRITISH COLUMBIA, CA. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace