Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

09 September 2010
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:32:00 WinXP 216.81.98.112 (ACCESSATC.NET):
ALMA TELEPHONE,
ALMA, MICHIGAN, US. (DSL) 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:00:59:00 Win2K-f 4.182.166.46 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
PEARBLOSSOM, CALIFORNIA, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
133 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:01:26:00 WinXP 175.113.220.248 (-):
. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
223 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
01:27:00 Win2K-f 117.102.80.5 (-):
BIZNET-CSBLOCKBLOCK,
JAKARTA, JAKARTA RAYA, ID. (100Mbps) 		n/a US:www.maxmind.com
EU:checkip.dyndns.org
US:67.15.94.80:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:01:35:00 Win2K-f 117.102.80.5 (-):
BIZNET-CSBLOCKBLOCK,
JAKARTA, JAKARTA RAYA, ID. (100Mbps) 		n/a US:www.maxmind.com
:checkip.dyndns.org
DE:131.220.6.26:80 		445 pcap raw alerts
ruleset 		http
5 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:02:24:00 Win2K-f 60.249.37.247 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:02:59:00 Win2K-f 202.147.220.106 (KCN-TV.NE.JP):
KUMAMOTO CABLE NETWORK CORPORATION,
KUMAMOTO, KUMAMOTO, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		2 of 36
0 of 32		 ca832de942
NEW
d41d8cd98f
NEW 		none[3]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		trace
trace
T:04:28:00 WinXP 151.82.197.117 (51-151.NET24.IT):
IUNET-BNET,
IT. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:04:53:00 WinXP 89.194.203.192 (-):
ORANGE HIGH SPEED INTERNET,
LONDON, ENGLAND, UK. (DSL) 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:06:07:00 WinXP 93.102.200.10 (REV.OPTIMUS.PT):
OPTIMUS PORTUGAL,
PT. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:06:47:00 Win2K-f 112.204.248.9 (PLDT.NET):
IPG,
PH. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
10 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:07:42:00 WinXP 114.22.160.114 (DION.NE.JP):
KDDI CORPORATION,
TOKYO, TOKYO, JP. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:07:45:00 WinXP 79.163.98.62 (CENTERTEL.PL):
PTK CENTERTEL BROADBAND SERVICES,
WARSAW, WARSZAWA, PL. (DSL) 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:08:00:00 WinXP 81.131.7.91 (BTOPENWORLD.COM):
BT BROADBAND,
LONDON, ENGLAND, UK. (DIAL) 		n/a   445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:08:51:00 WinXP 178.167.204.105 (FINEBLANK.COM):
EU-ZZ,
UK. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
14 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:08:51:00 WinXP 66.90.186.194 (GRANDENETWORKS.NET):
GRANDE COMMUNICATIONS AUSTIN HUB,
AUSTIN, TEXAS, US. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:09:01:00 Win2K-f 210.166.19.214 (CTT.NE.JP):
CABLE TELEVISION TOYAMA INCORPORETED,
TOYAMA, TOYAMA, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:09:05:00 Win2K-f 97.96.8.56 (RR.COM):
ROAD RUNNER HOLDCO LLC,
VALRICO, FLORIDA, US. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:09:26:00 WinXP 67.241.66.235 (RR.COM):
ROAD RUNNER HOLDCO LLC,
FULTON, NEW YORK, US. (DSL) 		n/a :siliconfireware.ru
:wpad
:www.proxy-socks.net
US:master-x.com 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:09:36:00 WinXP 41.247.48.118 (TELKOMADSL.CO.ZA):
AFRINIC,
EAST LONDON, EASTERN CAPE, ZA. (DSL) 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:09:37:00 WinXP 84.224.86.21 (PGSM.HU):
PANNON GSM TELECOMMUNICATIONS INC,
BUDAPEST, BUDAPEST, HU. (DSL) 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:10:32:00 WinXP 186.9.136.31 (IMOVIL.ENTELPCS.CL):
ENTEL PCS TELECOMUNICACIONES S.A,
SANTIAGO, REGION METROPOLITANA, CL. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:11:55:00 Win2K-f 122.146.82.135 (SPARQNET.NET):
NEW CENTRY INFOCOM TECH. CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:12:04:00 WinXP 71.49.163.165 (EMBARQHSD.NET):
EMBARQ CORPORATION,
HUMBLE, TEXAS, US. (DSL) 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:12:26:00 Win2K-f 4.162.228.30 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
NACOGDOCHES, TEXAS, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		2 of 36
0 of 32		 9ba1f1416a
NEW
d41d8cd98f
NEW 		none[3]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		trace
trace
T:12:29:00 WinXP 92.251.145.104 (-):
H3G IRELAND SUBSCRIBERS,
IE. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:13:16:00 Win2K-f 216.188.245.13 (GRANDENETWORKS.NET):
GRANDE COMMUNICATIONS WACO HUB,
WACO, TEXAS, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
114 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:13:24:00 WinXP 112.203.20.161 (PLDT.NET):
IPG,
MANILA, MANILA, PH. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		none
0 of 32		 14335fc765
NEW
d41d8cd98f
NEW 		none[none]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		none
trace
T:14:01:00 Win2K-f 24.80.170.231, 173.192.153.178 (INVALID IPV4 ADDRESS):
INVALID IPV4 ADDRESS,
INVALID IPV4 ADDRESS, INVALID IPV4 ADDRESS, INVALID IPV4 ADDRESS. (INVALID IPV4 ADDRESS) 		n/a DE:irc.zief.pl
LV:ad.ghura.pl
:sb.perfectexe.com
LV:kdert.com
CN:exe.perfectexe.com
CN:2b.perfectexe.com
CN:sb.iwillhavebigdick.com
CN:122.224.6.48:255
CN:222.170.127.203:88
DE:83.133.119.206:65520 		135 pcap raw alerts
ruleset 		http
466 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:14:40:00 Win2K-f 98.81.66.5, 173.192.153.178 (INVALID IPV4 ADDRESS):
INVALID IPV4 ADDRESS,
INVALID IPV4 ADDRESS, INVALID IPV4 ADDRESS, INVALID IPV4 ADDRESS. (INVALID IPV4 ADDRESS) 		n/a DE:irc.zief.pl
CN:exe.perfectexe.com
CN:cao.iwillhavebigdick.com
CN:sb.iwillhavebigdick.com
:in.7cy.net
:in1.7cy.net
CN:3b.iwillhavebigdick.com
US:articlesbsae.com
US:articles-bsae.razor.pureleads.sendori.com
:aslads.ask.com
:losangelesca.localguides.com
:ajax.googleapis.com
:partner.googleadservices.com
:www.traveladvertising.com
:m.localguides.com
US:www.yellowpages.com
:pagead2.googlesyndication.com
US:69.43.160.145:555
74.125.19.164:80
DE:83.133.119.206:65520 		445 pcap raw alerts
ruleset 		http
55 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:14:52:00 Win2K-f 173.168.255.203 (RR.COM):
ROAD RUNNER HOLDCO LLC,
BRADENTON, FLORIDA, US. (DSL) 		62.193.249.122:3305 FR:cx10man.weedns.com 135 pcap raw alerts
ruleset 		irc
610 lines 		Yeah : 1.8
profile 		none summary
tarball 		none
0 of 32		 0ca4c77461
NEW
d41d8cd98f
NEW 		none[none]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		none
trace
T:15:01:00 WinXP 186.40.229.2 (-):
. 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
3 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:16:17:00 Win2K-f 68.142.65.1 (LLNW.NET):
LIMELIGHT NETWORKS INC,
PHOENIX, ARIZONA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		none
0 of 32		 c9b4b7f0b9
NEW
d41d8cd98f
NEW 		none[none]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		none
trace
T:16:21:00 Win2K-f 24.68.133.248 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
VICTORIA, BRITISH COLUMBIA, CA. (DSL) 		n/a :americaaward.com
US:rusticsconces.com
US:ads1.revenue.net
US:panther1.cpxinteractive.com
US:adserving.cpxinteractive.com 		445 pcap raw alerts
ruleset 		http
38 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:16:39:00 WinXP 68.151.251.94 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
EDMONTON, ALBERTA, CA. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		none
0 of 32		 c9b4b7f0b9
NEW
d41d8cd98f
NEW 		none[none]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		none
trace
T:17:03:00 Win2K-f 24.88.71.34 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CHAPIN, SOUTH CAROLINA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:17:27:00 WinXP 115.83.179.29 (TAIWANMOBILE.NET):
TAIWAN MOBILE CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:17:59:00 WinXP 208.126.64.227, 173.192.153.178 (INVALID IPV4 ADDRESS):
INVALID IPV4 ADDRESS,
INVALID IPV4 ADDRESS, INVALID IPV4 ADDRESS, INVALID IPV4 ADDRESS. (INVALID IPV4 ADDRESS) 		n/a DE:irc.zief.pl
US:gg.arrancar.org
LV:ad.ghura.pl
:sb.perfectexe.com
LV:kdert.com
CN:exe.perfectexe.com
LV:streq.cn
LV:bestkind.ru
EU:ppcstructure.org
CN:2b.perfectexe.com
EU:188.95.159.40:999
US:69.43.160.145:555 		135 pcap raw alerts
ruleset 		irc
http
http
http
1007 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:18:04:00 Win2K-f 64.181.43.167 (MYPCSTV.COM):
CITY OF PHILIPPI,
PHILIPPI, WEST VIRGINIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		none
0 of 32		 14335fc765
NEW
d41d8cd98f
NEW 		none[none]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		none
trace
T:18:28:00 WinXP 121.120.19.193 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:18:42:00 WinXP 4.182.164.124 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
NEW YORK, NEW YORK, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
79 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:18:43:00 Win2K-f 24.76.48.210 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
STEINBACH, MANITOBA, CA. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
1008 lines 		Yeah : 1.3
profile 		none summary
tarball 		none c8f1d1dc45
NEW 		none[none] none:none
 none|none none none
T:19:07:00 WinXP 4.137.2.12 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
SALUDA, NORTH CAROLINA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
112 lines 		Yeah : 1.3
profile 		none summary
tarball 		none
0 of 32		 14335fc765
NEW
d41d8cd98f
NEW 		none[none]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		none
trace
T:20:04:00 WinXP 59.103.211.136 (PIE.NET.PK):
PAKISTAN TELECOMMUNICATION COMPANY LIMITED,
ISLAMABAD, ISLAMABAD, PK. (DSL) 		213.155.0.224:80 CN:sys.zief.pl
DE:citi-bank.ru 		445 pcap raw alerts
ruleset 		http
4 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:21:07:00 WinXP 65.254.160.108 (GCRONLINE.NET):
GCR COMPANY,
SOUTH BOSTON, VIRGINIA, US. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:21:12:00 WinXP 71.67.113.72 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CINCINNATI, OHIO, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		2 of 36
0 of 32		 ca832de942
NEW
d41d8cd98f
NEW 		none[3]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		trace
trace
T:21:38:00 Win2K-f 61.205.155.182 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
OSAKA, OSAKA, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
111 lines 		Yeah : 1.3
profile 		none summary
tarball 		none
0 of 32		 c72eeb0952
NEW
d41d8cd98f
NEW 		none[none]
none [3] 		none:none
ASM:Graph
 none|none
none|none 		none
lines=0 		none
trace
T:21:55:00 Win2K-f 118.83.151.208 (NKNO.J-CNET.JP):
CITY TV NAKANO LIMITED,
JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
122 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:23:01:00 WinXP 59.103.194.40 (PIE.NET.PK):
PAKISTAN TELECOMMUNICATION COMPANY LIMITED,
ISLAMABAD, ISLAMABAD, PK. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none