Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

28 September 2010
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:20:00 WinXP 217.203.16.29 (-):
TELECOM ITALIA MOBILE,
PRATO, TOSCANA, IT. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 42 of 43 8dc969b010
NEW none[none] none:none
none|none none none

T:00:38:00 WinXP 76.164.151.175 (BEVCOMM.NET):
BLUE EARTH VALLEY COMMUNICATIONS INC. (BEVCOM),
US. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

01:29:00 WinXP 76.164.151.175 (BEVCOMM.NET):
BLUE EARTH VALLEY COMMUNICATIONS INC. (BEVCOM),
US. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:03:41:00 WinXP 194.84.31.44 (-):
(EK000205) OOO PEPSI EKTB EKATERINBURG,
MOSCOW, MOSCOW CITY, RU. (100Mbps) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 29 of 29 831f4ee0a7
NEW none[0] none:none
none|none lines=60 trace

T:04:07:00 WinXP 89.195.195.110 (-):
ORANGE HIGH SPEED INTERNET,
LONDON, ENGLAND, UK. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 41 of 43 84d0f4d7c9
NEW none[none] none:none
none|none none none

T:04:14:00 WinXP 184.74.74.92 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:05:24:00 Win2K-f 68.206.28.216 (RR.COM):
ROAD RUNNER HOLDCO LLC,
BEAUMONT, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:05:50:00 Win2K-f 173.25.155.83 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
ALBANY, GEORGIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:06:27:00 Win2K-f 221.124.24.20 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) n/a 135 pcap raw alerts
ruleset other
182 lines Yeah : 1.3
profile none summary
tarball 37 of 43 6838fb72ff
NEW none[none] none:none
none|none none none

T:06:36:00 Win2K-f 24.155.233.52 (GRANDENETWORKS.NET):
GRANDE COMMUNICATIONS SAN ANTONIO HUB,
SAN ANTONIO, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:06:57:00 WinXP 92.41.235.37 (THREE.CO.UK):
MOBILE BROADBAND SERVICE,
UK. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 34 of 36 1595515522
NEW none[none] none:none
none|none none none

T:07:01:00 WinXP 117.254.49.75 (STERLINGSTUDENTS.NET):
NIB (NATIONAL INTERNET BACKBONE),
NEW DELHI, DELHI, IN. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:08:16:00 WinXP 79.163.144.181 (CENTERTEL.PL):
PTK CENTERTEL BROADBAND SERVICES,
WROCLAW, DOLNOSLASKIE, PL. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 41 5c6df5141d
NEW none[none] none:none
none|none none none

T:08:47:00 WinXP 115.82.84.193 (TAIWANMOBILE.NET):
TAIWAN MOBILE CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 32 of 32 b502f83a7c
NEW 28f5be93b0 [0] ASM:Graph
PolyEnE| lines=73 trace

T:09:00:00 WinXP 113.254.60.209 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
101 lines Yeah : 1.3
profile none summary
tarball 40 of 41
38 of 41 a5ceb6c29d
NEW
adadfc0e1c
NEW d64cd9d18b [0]
0f57439d82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=42
lines=64
embedded dns trace
trace

T:09:22:00 WinXP 173.28.128.212 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
DAVENPORT, IOWA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
39 of 41 10759405e0
NEW
d08e00dfaf
NEW 292d343248 [0]
854c49d8c4[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:10:22:00 WinXP 79.149.204.218 (RIMA-TDE.NET):
TELEFONICA MOVILES ESPANA (NCC#2008113582),
MADRID, MADRID, ES. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:10:33:00 Win2K-f 72.184.203.91 (RR.COM):
ROAD RUNNER HOLDCO LLC,
BRANDON, FLORIDA, US. (DSL) 62.193.249.122:3305 IT:cx10man.weedns.com 135 pcap raw alerts
ruleset irc
607 lines Yeah : 1.8
profile none summary
tarball 39 of 41 2d3a252cbc
NEW none[none] none:none
none|none none none

T:11:13:00 WinXP 117.254.7.124 (STERLINGSTUDENTS.NET):
NIB (NATIONAL INTERNET BACKBONE),
NEW DELHI, DELHI, IN. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 29 of 29 986b59708d
NEW none[0] none:none
PolyEnE| lines=57 trace

T:11:18:00 Win2K-f 173.168.81.7 (RR.COM):
ROAD RUNNER HOLDCO LLC,
LUTZ, FLORIDA, US. (DSL) n/a 135 pcap raw alerts
ruleset other
1008 lines Yeah : 1.3
profile none summary
tarball 31 of 41 682a384fe9
NEW none[3] none:none
none|none none trace

T:11:20:00 WinXP 151.83.225.1 (SER-PR2-MAX.IUNET.IT):
INFOSTRADA,
IT. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 39 of 41 d8040f84d4
NEW d683995e84 [0] ASM:Graph
PolyEnE| lines=73 trace

11:21:00 WinXP 151.83.225.1 (SER-PR2-MAX.IUNET.IT):
INFOSTRADA,
IT. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 41 d8040f84d4
NEW d683995e84 [0] ASM:Graph
PolyEnE| lines=73 trace

T:11:59:00 WinXP 24.103.21.106 (RR.COM):
ROAD RUNNER HOLDCO LLC,
ROSEDALE, NEW YORK, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 39 of 41
39 of 41 0563ea7af7
NEW
7e1532574f
NEW bc2e11a802 [0]
e6930769d0[0] ASM:Graph
ASM:Graph
tElock|
Armadillo| lines=65
embedded dns
lines=91 trace
trace

T:12:14:00 WinXP 109.53.223.33 (JWS.COM):
EU-ZZ,
UK. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 43 543e92e51d
NEW none[none] none:none
none|none none none

T:12:28:00 WinXP 92.251.159.100 (-):
H3G IRELAND SUBSCRIBERS,
IE. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:12:53:00 Win2K-f 61.20.160.137 (FETNET.NET):
FAR EASTONE TELECOMMUNICATION CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:13:20:00 WinXP 4.131.76.164 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
HALLSVILLE, TEXAS, US. (DSL) n/a RU:siliconfireware.ru
RU:auction.nic.ru
:www.google-analytics.com
RU:domain-parking.ru
RU:www.bbin.ru
RU:www.binbank.ru
:wpad
RU:193.232.158.144:80 445 pcap raw alerts
ruleset http
http
http
http
58 lines Yeah : 0.8
profile none summary
tarball 29 of 29 df17a625ee
NEW none[0] none:none
ASPack| lines=298
embedded dns trace

13:20:00 WinXP 187.80.31.172 (CAMPUSEAI.ORG):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 41 d8040f84d4
NEW d683995e84 [0] ASM:Graph
PolyEnE| lines=73 trace

T:15:57:00 WinXP 96.15.197.16 (-):
ALLTEL SIP CUSTOMERS - LITTLE ROCK,
PRAIRIE GROVE, ARKANSAS, US. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 29 of 29 986b59708d
NEW none[0] none:none
PolyEnE| lines=57 trace

T:16:06:00 WinXP 194.19.234.252 (-):
BTG,
RIGA, RIGA, LV. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:16:59:00 WinXP 71.101.49.154 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
LAKELAND, FLORIDA, US. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 40 5e8ccc4190
NEW 8d5f86583f [0] ASM:Graph
PolyEnE| lines=68 trace

17:03:00 WinXP 96.15.197.16 (-):
ALLTEL SIP CUSTOMERS - LITTLE ROCK,
PRAIRIE GROVE, ARKANSAS, US. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 29 of 29 986b59708d
NEW none[0] none:none
PolyEnE| lines=57 trace

T:17:27:00 WinXP 190.105.35.24 (NET.AR):
VER TV S.A,
BUENOS AIRES, BUENOS AIRES, AR. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:17:32:00 WinXP 24.100.112.244 (NEWWAVECOMM.NET):
NEW WAVE COMMUNICATIONS,
TAYLORVILLE, ILLINOIS, US. (DSL) n/a US:gg.arrancar.org
US:69.43.160.145:555 135 pcap raw alerts
ruleset other
186 lines Yeah : 1.3
profile none summary
tarball 41 of 41 a4497aa84e
NEW d1b46a6ff9 [0] ASM:Graph
none|none lines=546 trace

T:18:04:00 Win2K-f 173.22.167.52 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
SPRINGFIELD, MISSOURI, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:18:42:00 Win2K-f 122.196.22.98 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
OSAKA, OSAKA, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball 40 of 41
40 of 41 71e6f60517
NEW
ab4e3226c4
NEW 1ef1781501 [0]
c2d0313e73[0] ASM:Graph
none:none
Armadillo|
tElock| lines=91
none trace
trace

T:18:49:00 WinXP 115.164.219.108 (-):
DIGI TELECOMMUNICATIONS SDN BHD,
SHAH ALAM, SELANGOR, MY. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball 38 of 40 68e76ac69b
NEW none[none] none:none
none|none none none

T:19:14:00 Win2K-f 114.200.181.7 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
102 lines Yeah : 1.3
profile none summary
tarball 40 of 41
38 of 41 3dc6500eb1
NEW
ff3843f312
NEW none[none]
30a7e641cf[0] none:none
ASM:Graph
none|none
Armadillo| none
lines=90 none
trace

T:23:20:00 WinXP 217.203.18.213 (-):
TELECOM ITALIA MOBILE,
ROME, LAZIO, IT. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 42 of 43 8dc969b010
NEW none[none] none:none
none|none none none

T:23:30:00 Win2K-f 61.215.146.218 (CABLENET.NE.JP):
CABLENET SAITAMA CO. LTD,
TOKYO, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 40 of 41
40 of 41 10c560fc02
NEW
1b8d146832
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:23:33:00 WinXP 116.126.210.26 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 83.133.119.206:65520 DE:proxima.ircgalaxy.pl
US:microsoft.com
LV:ad.ghura.pl
JP:form.cao.go.jp
UA:spooky.cartoons.org.ua
US:forums.ubuntulinux.jp
UA:bunker.org.ua
:ex2.broadser
:www.jaif.or.jp
JP:131.113.221.138:443
US:140.177.205.56:443
UA:193.110.163.66:443
PL:193.23.48.228:443
UA:195.214.214.53:443
BR:201.20.45.207:443
JP:202.218.170.179:443
JP:203.180.136.89:443
UA:62.149.23.110:443
US:69.64.68.151:443 135 pcap raw alerts
ruleset irc
http
165 lines Yeah : 1.8
profile none summary
tarball 18 of 43
39 of 41
31 of 33 65e302400b
NEW
ab9c4b5f21
NEW
d789c8d157
NEW none[none]
5fe48b2dcc[0]
5f6572479f[0] none:none
ASM:Graph
ASM:Graph
none|none
Armadillo|
PolyEnE| none
lines=42
lines=113
embedded dns none
trace
trace

T:23:36:00 WinXP 188.192.43.34 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
DE. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 42 of 43 5f186aa322
NEW none[none] none:none
none|none none none