Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

19 January 2011
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:28:00 Win2K-f 69.193.111.147 (RR.COM):
ROAD RUNNER HOLDCO LLC,
HERNDON, VIRGINIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 41 of 43
38 of 43 3ad14df4db
NEW
635e5897a3
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:01:07:00 Win2K-f 64.179.173.118 (IW.NET):
PRAIRIEWAVE CABLE MODEM DHCP,
YANKTON, SOUTH DAKOTA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 40
38 of 40 67f1a33096
NEW
724cf0dc37
NEW 148e04eaab [0]
901dd267d4[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:01:13:00 WinXP 72.43.62.17 (RR.COM):
ROAD RUNNER HOLDCO LLC,
NEW YORK, NEW YORK, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 d031b42d3f
NEW
fa14802705
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:01:39:00 WinXP 173.18.143.115 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
DAPHNE, ALABAMA, US. (DSL) n/a 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

02:18:00 Win2K-f 59.124.11.166 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:www.maxmind.com
EU:checkip.dyndns.org
:www.getmyip.org
EU:getmyip.co.uk
DE:131.220.6.26:80
EU:78.40.35.134:80
EU:91.198.22.70:80 445 pcap raw alerts
ruleset http
4 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:02:27:00 Win2K-f 59.124.11.166 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:www.maxmind.com
EU:getmyip.co.uk
US:www.vouchercodes.net
EU:checkip.dyndns.org
DE:131.220.6.26:80 445 pcap raw alerts
ruleset http
7 lines Yeah : 0.8
profile none summary
tarball 0 of 43
3 of 37 cb3f21893c
NEW
d9cb288f31
NEW none[none]
45603a001c[0] none:none
ASM:Graph
none|none
UPX| none
lines=174
embedded dns none
trace

T:03:17:00 WinXP 113.210.30.97 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
MY. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 1096ba143e
NEW none[none] none:none
none|none none none

T:03:39:00 WinXP 151.83.83.249 (SER-PR2-MAX.IUNET.IT):
INFOSTRADA,
IT. (DSL) n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 04d4170d3b
NEW none[none] none:none
none|none none none

T:03:58:00 WinXP 61.120.236.220 (THN.NE.JP):
TOKAI CORPORATION,
NUMAZU, SHIZUOKA, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
99 lines Yeah : 1.3
profile none summary
tarball 39 of 40
40 of 41 6a6aaa5b73
NEW
8bde6dd126
NEW 63889c9976 [0]
885c68f500[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=42
lines=64
embedded dns trace
trace

T:05:00:00 WinXP 121.123.56.171 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 43 1a7eb7e257
NEW none[none] none:none
none|none none none

05:07:00 WinXP 117.99.33.146 (-):
GPRS-SUBSCRIBERS-IN-EAST,
BHUBANESHWAR, ORISSA, IN. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 38 of 42 8a2553433c
NEW none[none] none:none
none|none none none

T:05:09:00 WinXP 91.200.96.2 (INTERCONNECT.RO):
SC SOFTKIT SRL,
BUCHAREST, BUCURESTI, RO. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 29 of 29 0cfab99612
NEW none[0] none:none
PolyEnE| lines=68 trace

T:07:52:00 Win2K-f 124.241.150.81 (STARCAT.NE.JP):
KMN CORPORATION,
NAGOYA, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

08:29:00 Win2K-f 199.15.197.107 (-):
. n/a US:www.maxmind.com
EU:getmyip.co.uk
:checkip.dyndns.org
:www.getmyip.org
DE:131.220.6.26:80
199.15.197.107:6042
US:208.43.124.51:80
EU:78.40.35.134:80
EU:91.198.22.70:80 445 pcap raw alerts
ruleset http
3 lines Yeah : 0.8
profile none summary
tarball 2 of 37 216ec67841
NEW none[3] none:none
StarForce| none trace

T:09:18:00 WinXP 173.28.128.212 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
DAVENPORT, IOWA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
115 lines Yeah : 1.3
profile none summary
tarball 38 of 41
39 of 41 10759405e0
NEW
d08e00dfaf
NEW 292d343248 [0]
854c49d8c4[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:09:23:00 WinXP 124.66.254.17 (FCH.NE.JP):
FUREAI CHANNEL INC,
HIROSHIMA, HIROSHIMA, JP. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 d11b1f56f9
NEW none[none] none:none
none|none none none

T:09:42:00 WinXP 61.222.227.12 (-):
TAIWAN PROVINCE RUNNING WATER CO. LTD. DI SEVERN DISTRICT MANAGE CHU,
KAOHSIUNG, T'AI-WAN, TW. (100Mbps) n/a 135 pcap raw alerts
ruleset other
8 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:09:53:00 WinXP 96.15.148.76 (-):
ALLTEL SIP CUSTOMERS - LITTLE ROCK,
WEST MONROE, LOUISIANA, US. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 43 aad01847fa
NEW none[none] none:none
none|none none none

T:10:03:00 WinXP 217.17.100.157 (-):
CS-SAT-TRAKT,
CS. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 34 of 34 d20f157117
NEW 738f555183 [0] ASM:Graph
PolyEnE| lines=68 trace

T:10:59:00 WinXP 211.170.191.132, 222.170.127.203 (INVALID IPV4 ADDRESS):
INVALID IPV4 ADDRESS,
INVALID IPV4 ADDRESS, INVALID IPV4 ADDRESS, INVALID IPV4 ADDRESS. (INVALID IPV4 ADDRESS) 91.193.194.67:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
CN:lb.perfectexe.com
CN:exe4.perfectexe.com
EU:www.derquda.com
CN:hn.yigeyuming.com
:a.95622.com
CN:2b.perfectexe.com
CN:2b.yigeyuming.com
:eastva11eytribune.com
CN:122.224.6.48:666
69.64.147.243:80
EU:91.193.194.114:80 135 pcap raw alerts
ruleset irc
http
155 lines Yeah : 1.8
profile none summary
tarball 38 of 43
28 of 42
29 of 43
32 of 36
35 of 36
22 of 42 3ef3c2ad56
NEW
8809b6417c
NEW
b34e640329
NEW
bea8cb1865
NEW
fac78fde16
NEW
fe100c25d4
NEW none[none]
none [none]
none [none]
154de51a66[0]
882896ab05[0]
none [none] none:none
none:none
none:none
ASM:Graph
ASM:Graph
none:none
none|none
none|none
none|none
Armadillo|
tElock|
none|none none
none
none
lines=91
lines=126
embedded dns
none none
none
none
trace
trace
none

T:11:12:00 WinXP 201.162.4.153 (CABLEXTREMO.COM.MX):
CABLEVISION DE SALTILLO SA DE CV,
MX. (DSL) n/a 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 29 of 39 cb5bf0f8ae
NEW none[none] none:none
none|none none none

T:11:44:00 WinXP 208.3.14.82 (ARDMORE.NET):
INTEGRITY ONLINE,
ARDMORE, OKLAHOMA, US. (DSL) n/a US:gg.arrancar.org
US:69.43.160.145:555 135 pcap raw alerts
ruleset other
186 lines Yeah : 1.3
profile none summary
tarball 40 of 42 4fe6a9804c
NEW none[none] none:none
none|none none none

11:46:00 WinXP 90.151.121.108 (PERMONLINE.RU):
DYNAMIC DISTRIBUTION IP'S FOR BROADBAND SERVICES,
MOSCOW, MOSCOW CITY, RU. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 32 of 32 488d27fe97
NEW none[none] none:none
none|none none none

T:12:20:00 WinXP 183.86.129.29 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
99 lines Yeah : 1.3
profile none summary
tarball 39 of 40
40 of 41 6a6aaa5b73
NEW
8bde6dd126
NEW 63889c9976 [0]
885c68f500[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=42
lines=64
embedded dns trace
trace

T:12:50:00 WinXP 184.74.74.92 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
77 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:13:09:00 Win2K-f 70.184.145.7 (COX.NET):
COX COMMUNICATIONS,
OCALA, FLORIDA, US. (DSL) n/a 135 pcap raw alerts
ruleset other
356 lines Yeah : 1.3
profile none summary
tarball 41 of 43 0455fd02b3
NEW none[none] none:none
none|none none none

T:13:16:00 Win2K-f 67.198.110.148 (GRANDENETWORKS.NET):
GRANDE COMMUNICATIONS NETWORKS INC,
HARLINGEN, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 d031b42d3f
NEW
fa14802705
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:13:56:00 Win2K-f 173.165.162.205 (COMCASTBUSINESS.NET):
COMCAST BUSINESS COMMUNICATIONS INC,
MT. LAUREL, NEW JERSEY, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:14:09:00 WinXP 91.66.12.117 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
BREMEN, BREMEN, DE. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 43 2c94e3fd00
NEW none[none] none:none
none|none none none

T:14:23:00 WinXP 62.40.61.94 (O2.IE):
O2 IRELAND MOBILE PHONE OPERATOR,
DUBLIN, DUBLIN, IE. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 32 of 32 5818023061
NEW none[0] none:none
PolyEnE| lines=68 trace

14:26:00 WinXP 122.120.64.51 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:14:56:00 WinXP 189.48.115.98 (VELOXZONE.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
BELO HORIZONTE, MINAS GERAIS, BR. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 32 of 32 b502f83a7c
NEW 28f5be93b0 [0] ASM:Graph
PolyEnE| lines=73 trace

T:15:19:00 Win2K-f 114.202.123.113 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 60.190.222.139:65520 CN:proxim.ircgalaxy.pl
US:microsoft.com
EU:ii.derquda.com
CN:lb.perfectexe.com
EU:www.derquda.com
EU:justnewleft.ru
CN:exe4.perfectexe.com
CN:hn.yigeyuming.com
:a.95622.com
:1.95622.com
:lawadult.com
CN:2b.perfectexe.com
CN:222.170.127.203:88
CN:60.190.222.139:65520 135 pcap raw alerts
ruleset irc
http
179 lines Yeah : 1.8
profile none summary
tarball 6 of 43
28 of 42
38 of 40
38 of 40
29 of 43
23 of 41
6 of 43
22 of 42 7b219e9e34
NEW
8809b6417c
NEW
89f410e7cc
NEW
909270c172
NEW
b34e640329
NEW
c5a4a504e7
NEW
f1fbf8e8c7
NEW
fe100c25d4
NEW none[none]
none [none]
2593cbda62[0]
55c25968a5[0]
none [none]
none [none]
none [none]
none [none] none:none
none:none
ASM:Graph
ASM:Graph
none:none
none:none
none:none
none:none
none|none
none|none
Armadillo|
tElock|
none|none
none|none
none|none
none|none none
none
lines=91
lines=125
embedded dns
none
none
none
none none
none
trace
trace
none
none
none
none

T:15:44:00 Win2K-f 216.189.216.178 (ORLANDOTELCO.NET):
ORLANDO TELEPHONE COMPANY INC,
ORLANDO, FLORIDA, US. (100Mbps) n/a EU:justnewleft.ru
CN:2b.yigeyuming.com
:seoenjoy.com
US:i.nuseek.com
:search.dmtracker.com
:educatehouse.com
:seomop.com
69.64.147.243:80 139 pcap raw alerts
ruleset http
irc
56 lines Yeah : 0.8
profile none summary
tarball 30 of 42
38 of 43
21 of 41 267f6b4afc
NEW
3ef3c2ad56
NEW
68417ceeb8
NEW none[none]
none [none]
none [none] none:none
none:none
none:none
none|none
none|none
none|none none
none
none none
none
none

T:16:13:00 Win2K-f 4.224.141.71 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
INDIANAPOLIS, INDIANA, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset irc
35 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:17:04:00 WinXP 119.154.57.34 (PIE.NET.PK):
PAKISTAN TELECOMMUNICATION COMPANY LIMITED,
LAHORE, PUNJAB, PK. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 29 of 29 0cfab99612
NEW none[0] none:none
PolyEnE| lines=68 trace

T:17:06:00 Win2K-f 121.121.138.32 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) 83.133.119.197:65520 :a.95622.com
:1.95622.com
:categoryfood.com
:a.forexinvest4.com
US:i.nuseek.com
:search.dmtracker.com
CN:exe4.perfectexe.com
EU:justnewleft.ru
CN:proxim.ircgalaxy.pl
EU:ii.derquda.com
CN:2b.yigeyuming.com
CN:lb.perfectexe.com
:seowant.com
US:clicks.blinksearchtool.com
EU:www.derquda.com
CA:r.looksmart.com
:treegugger.com
US:develophouse.com
:techpopular.com
US:websiteseducation.com 445 pcap raw alerts
ruleset irc
http
77 lines Yeah : 1.3
profile none summary
tarball 6 of 43
22 of 42 7b219e9e34
NEW
fe100c25d4
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:17:57:00 WinXP 122.146.253.61 (SPARQNET.NET):
NEW CENTRY INFOCOM TECH. CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

19:03:00 WinXP 204.111.83.114 (SHENTEL.NET):
SHENTEL SERVICE COMPANY,
EDINBURG, VIRGINIA, US. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 1096ba143e
NEW none[none] none:none
none|none none none

19:25:00 WinXP 187.80.6.12 (CAMPUSEAI.ORG):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 04d4170d3b
NEW none[none] none:none
none|none none none

T:20:19:00 Win2K-f 70.65.141.6 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
LETHBRIDGE, ALBERTA, CA. (DSL) n/a 135 pcap raw alerts
ruleset other
186 lines Yeah : 1.3
profile none summary
tarball 37 of 39 ef08153145
NEW none[none] none:none
none|none none none

T:21:46:00 WinXP 208.94.180.75 (KARIBCABLE.COM):
KARIB CABLE,
KINGSTOWN, SAINT GEORGE, VC. (100Mbps) n/a RU:siliconfireware.ru
RU:auction.nic.ru
:www.google-analytics.com
RU:domain-parking.ru
GB:welcome3.smile.co.uk
:wpad
GB:195.92.84.198:80 445 pcap raw alerts
ruleset http
http
http
38 lines Yeah : 0.8
profile none summary
tarball 41 of 43 b415d4fbfc
NEW none[none] none:none
none|none none none