|
Time |
Victim OS |
Infection Source |
C&C Server |
DNS Lookups & Failed Connects |
Infection Port |
Packet Trace |
Detection Signatures |
Infection Chatter |
BotHunter Analysis |
Behavioral Cluster |
Forensic Logs |
Antivirus Labels |
Packed Malware_Binary |
Unpacked egg.exe |
Unpacked egg.asm |
Packer PEID |
Data Strings |
Syscall Trace |
| T:00:16:00 | WinXP | 117.254.165.29 (STERLINGSTUDENTS.NET): NIB (NATIONAL INTERNET BACKBONE), NEW DELHI, DELHI, IN. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| 00:26:00 | Win2K-f | 94.102.11.210 (NI.NET.TR): NETINTERNET BILGISAYAR VE TELEKOMUNIKASYAN SAN. VE TIC. LTD. STI, TR. (DSL) |
n/a | US:www.maxmind.com EU:getmyip.co.uk EU:checkip.dyndns.org :www.getmyip.org US:67.15.94.80:80 EU:78.40.35.134:80 EU:91.198.22.70:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:00:35:00 | Win2K-f | 94.102.11.210 (NI.NET.TR): NETINTERNET BILGISAYAR VE TELEKOMUNIKASYAN SAN. VE TIC. LTD. STI, TR. (DSL) |
n/a | US:www.maxmind.com :checkip.dyndns.org DE:131.220.6.26:80 |
445 | pcap | raw alerts ruleset |
http 5 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:00:48:00 | WinXP | 93.102.128.26 (REV.OPTIMUS.PT): OPTIMUS PORTUGAL, COIMBRA, COIMBRA, PT. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:01:11:00 | Win2K-f | 71.67.113.72 (RR.COM): ROAD RUNNER HOLDCO LLC, CINCINNATI, OHIO, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:01:40:00 | Win2K-f | 184.76.168.237 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
2 of 36 0 of 32 |
ca832de942 NEW d41d8cd98f NEW |
none[3] none [3] |
none:none ASM:Graph |
none|none none|none |
none lines=0 |
trace trace |
| T:02:00:00 | WinXP | 70.60.199.198 (RR.COM): ROAD RUNNER HOLDCO LLC, MONROE, NORTH CAROLINA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| 03:01:00 | WinXP | 173.22.237.97 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, VALDOSTA, GEORGIA, US. (100Mbps) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:03:45:00 | WinXP | 210.66.1.33 (SEED.NET.TW): SEEDNET-TAICHUNGDP-S, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:04:01:00 | WinXP | 41.138.187.140 (-): . |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:04:08:00 | Win2K-f | 113.254.54.36 (HUTCHCITY.COM): HUTCHISON GLOBAL COMMUNICATIONS, HONG KONG, HONG KONG (SAR), HK. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 99 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 none |
d41d8cd98f NEW f6fe271bf6 NEW |
none[3] none [none] |
ASM:Graph none:none |
none|none none|none |
lines=0 none |
trace none |
| T:04:52:00 | WinXP | 109.86.115.152 (JWS.COM): EU-ZZ, UK. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:05:09:00 | WinXP | 112.110.129.138 (-): GPRS VAS SERVICES, IN. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:05:31:00 | Win2K-f | 70.182.94.31 (COX.NET): COX COMMUNICATIONS, OKLAHOMA CITY, OKLAHOMA, US. (DSL) |
60.190.222.139:65520 | US:microsoft.com CN:proxim.ircgalaxy.pl |
135 | pcap | raw alerts ruleset |
irc 136 lines |
Yeah : 1.8 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:05:52:00 | Win2K-f | 114.51.236.147 (E-MOBILE.NE.JP): EMOBILE LTD, TOKYO, TOKYO, JP. (DSL) |
83.133.119.206:65520 | CN:proxim.ircgalaxy.pl LV:ad.ghura.pl :www.pirateparty.in.ua UA:isu2.tup.km.ua GB:forum.gryada.org.ua RU:www.treasuryislandcasino.com.ua JP:ir.kagoshima-u.ac.jp :itmedia.smartseminar.jp :www.mlh.co.jp :www.digimer.com.br 115.125.150.234:443 JP:131.113.221.138:443 JP:163.209.180.1:443 GB:193.169.188.64:443 UA:193.178.147.110:443 IE:193.95.154.4:443 PR:200.5.0.0:443 BR:201.49.212.100:443 BR:201.76.50.168:443 US:68.232.187.4:443 UA:77.120.121.35:443 |
445 | pcap | raw alerts ruleset |
irc http 33 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:06:15:00 | WinXP | 210.142.254.177 (CATVNET.NE.JP): CATV NETWORK SERVICES(STNET INCORPORATED), OSAKA, OSAKA, JP. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:06:22:00 | WinXP | 186.9.42.141 (IMOVIL.ENTELPCS.CL): ENTEL PCS TELECOMUNICACIONES S.A, SANTIAGO, REGION METROPOLITANA, CL. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:07:47:00 | WinXP | 24.67.47.0 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, VERNON, BRITISH COLUMBIA, CA. (DSL) |
n/a | US:gg.arrancar.org US:69.43.160.145:555 |
135 | pcap | raw alerts ruleset |
other 186 lines |
Yeah : 1.3 profile |
none | summary tarball |
none 0 of 32 |
13923caf71 NEW d41d8cd98f NEW |
none[none] none [3] |
none:none ASM:Graph |
none|none none|none |
none lines=0 |
none trace |
| T:07:58:00 | WinXP | 114.51.190.158 (E-MOBILE.NE.JP): EMOBILE LTD, TOKYO, TOKYO, JP. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 13 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:08:44:00 | WinXP | 200.119.188.216 (-): GT. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:09:09:00 | WinXP | 189.65.46.22 (TIMBRASIL.COM.BR): COMITE GESTOR DA INTERNET NO BRASIL, SãO PAULO, SAO PAULO, BR. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:09:11:00 | WinXP | 180.69.175.240 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) |
60.190.222.139:65520 | CN:proxim.ircgalaxy.pl US:microsoft.com LV:ad.ghura.pl :www.jaif.or.jp UA:isu2.tup.km.ua :www.saredrogarias.com.br :www.imagemfolheados.com.br :www.inde UA:global-host.com.ua UA:www.rulez.org.ua JP:www.jica.go.jp :nodes.com.ua JP:g105.secure.ne.jp RU:www.treasuryislandcasino.com.ua UA:bunker.org.ua US:mst.com.ua :www.epra :www.pirateparty.in.ua :itmedia.smartseminar.jp LV:kdert.com GB:forum.gryada.org.ua US:forums.ubuntulinux.jp BR:ssl876.locaweb.com.br BR:loja.tray.com.br :www.mlh.co.jp UA:masterkey.com.ua UA:weather.co.ua :sb.perfectexe.com US:www.iknow.co.jp JP:ssl.form-mailer.jp :cps-h3.ep.sci.hokudai.ac.jp BR:www.billboxrecords.com.br :rastu.com.ua JP:direct.ips.co.jp :www.irt JP:k.jfc.go.jp JP:m-repo.lib.meiji.ac.jp JP:www.marantz.jp US:www.stone.co.ua :shop.poziti JP:www.okilogistics.co.jp JP:www.gsec.keio.ac.jp 110.50.209.195:443 US:140.177.205.56:443 JP:163.209.180.1:443 174.123.60.178:443 189.38.91.24:443 BR:201.20.45.207:443 JP:202.218.111.122:443 UA:212.82.216.42:443 JP:219.99.163.41:443 US:64.79.197.143:443 US:68.232.187.4:443 UA:77.120.104.50:443 EU:91.196.95.24:443 |
135 | pcap | raw alerts ruleset |
irc http 128 lines |
Yeah : 1.8 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| 11:50:00 | WinXP | 189.117.4.82 (TIMBRASIL.COM.BR): COMITE GESTOR DA INTERNET NO BRASIL, SãO PAULO, SAO PAULO, BR. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:12:17:00 | Win2K-f | 173.18.228.235 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, FOLEY, ALABAMA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
2 of 36 0 of 32 |
ca832de942 NEW d41d8cd98f NEW |
none[3] none [3] |
none:none ASM:Graph |
none|none none|none |
none lines=0 |
trace trace |
| T:12:26:00 | WinXP | 75.15.235.184 (SBCGLOBAL.NET): AT&T INTERNET SERVICES, BAKERSFIELD, CALIFORNIA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 111 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:12:26:00 | Win2K-f | 24.79.147.83 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, WINNIPEG, MANITOBA, CA. (DSL) |
n/a | 135 | pcap | raw alerts ruleset |
other 1008 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace | |
| T:14:31:00 | WinXP | 76.177.53.34 (RR.COM): ROAD RUNNER HOLDCO LLC, BEREA, KENTUCKY, US. (DSL) |
n/a | :siliconfireware.ru RU:www.bbin.ru RU:www.binbank.ru :wpad RU:195.200.213.55:80 |
445 | pcap | raw alerts ruleset |
http http http 22 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:14:51:00 | WinXP | 74.71.85.161 (RR.COM): ROAD RUNNER HOLDCO LLC, EAST SYRACUSE, NEW YORK, US. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:14:59:00 | WinXP | 114.48.180.182 (E-MOBILE.NE.JP): EMOBILE LTD, TOKYO, TOKYO, JP. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 15 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:15:35:00 | WinXP | 79.163.217.54 (CENTERTEL.PL): PTK CENTERTEL BROADBAND SERVICES, PL. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| 16:17:00 | WinXP | 109.86.115.152 (JWS.COM): EU-ZZ, UK. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:17:04:00 | WinXP | 114.51.27.253 (E-MOBILE.NE.JP): EMOBILE LTD, TOKYO, TOKYO, JP. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 15 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:18:13:00 | WinXP | 201.42.24.234 (STERLINGSTUDENTS.NET): COMITE GESTOR DA INTERNET NO BRASIL, BR. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
ftp 13 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:18:24:00 | Win2K-f | 63.28.54.110 (UU.NET): UUNET TECHNOLOGIES INC, FEASTERVILLE TREVOSE, PENNSYLVANIA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 126 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:18:48:00 | WinXP | 186.40.213.21 (-): . |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| 19:04:00 | WinXP | 71.49.160.156 (EMBARQHSD.NET): EMBARQ CORPORATION, HUMBLE, TEXAS, US. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:19:27:00 | Win2K-f | 202.182.172.26 (PESAT.NET.ID): PT. PASIFIK SATELIT NUSANTARA, JAKARTA, JAKARTA RAYA, ID. (100Mbps) |
n/a | 135 | pcap | raw alerts ruleset |
other 11 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| 19:59:00 | WinXP | 4.246.3.106 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, SAN JOSE, CALIFORNIA, US. (DIAL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:19:59:00 | Win2K-f | 122.146.83.128 (SPARQNET.NET): NEW CENTRY INFOCOM TECH. CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:20:26:00 | WinXP | 173.168.180.253 (RR.COM): ROAD RUNNER HOLDCO LLC, OLDSMAR, FLORIDA, US. (DSL) |
62.193.249.122:3305 | JP:cx10man.weedns.com | 135 | pcap | raw alerts ruleset |
irc 609 lines |
Yeah : 1.8 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:20:31:00 | WinXP | 174.39.176.52 (WINDSTREAM.NET): ALLTEL MIP CUSTOMERS - OMAHA, NORTH PLATTE, NEBRASKA, US. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:21:15:00 | WinXP | 114.51.211.223 (E-MOBILE.NE.JP): EMOBILE LTD, TOKYO, TOKYO, JP. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |
| T:21:39:00 | Win2K-f | 202.53.238.102 (INDO.NET.ID): INTERNAL NETWORK M-WEB ARKADIA, JAKARTA, JAKARTA RAYA, ID. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 198 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:22:02:00 | Win2K-f | 113.252.109.204 (HUTCHCITY.COM): HUTCHISON GLOBAL COMMUNICATIONS, HONG KONG, HONG KONG (SAR), HK. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 99 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 none |
d41d8cd98f NEW f6fe271bf6 NEW |
none[3] none [none] |
ASM:Graph none:none |
none|none none|none |
lines=0 none |
trace none |
| T:23:28:00 | Win2K-f | 173.200.73.19 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
0 of 32 | d41d8cd98f NEW |
none[3] | ASM:Graph |
none|none | lines=0 | trace |
| T:23:53:00 | WinXP | 109.227.198.87 (STERLINGSTUDENTS.NET): EU-ZZ, UK. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none |