Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

23 January 2011
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:22:00 WinXP 109.99.205.150 (JWS.COM):
EU-ZZ,
UK. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 43 ad97e8accf
NEW none[none] none:none
none|none none none

T:00:57:00 Win2K-f 24.79.164.25 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
WINNIPEG, MANITOBA, CA. (DSL) n/a 135 pcap raw alerts
ruleset other
1008 lines Yeah : 1.3
profile none summary
tarball 15 of 41 770a04a72c
NEW none[3] none:none
none|none none trace

T:01:03:00 Win2K-f 122.148.139.89 (DODO.COM.AU):
LAYER 2 BROADBAND CUSTOMER NETWORK,
SYDNEY, NEW SOUTH WALES, AU. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
82 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

03:03:00 WinXP 60.250.190.187 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:03:48:00 WinXP 189.67.161.13 (VELOXZONE.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
BELO HORIZONTE, MINAS GERAIS, BR. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 40 of 40 23406743e0
NEW none[none] none:none
none|none none none

T:04:18:00 WinXP 115.80.239.238 (TAIWANMOBILE.NET):
TAIWAN MOBILE CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:05:53:00 WinXP 121.120.186.130 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:06:04:00 WinXP 14.96.51.193 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
102 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:07:18:00 Win2K-f 113.255.186.68 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HK. (DSL) 207.152.67.19:7000 US:dns.aswend.com 135 pcap raw alerts
ruleset irc
447 lines Yeah : 1.8
profile none summary
tarball 38 of 41 88730549bb
NEW none[none] none:none
none|none none none

T:07:24:00 WinXP 186.26.229.152 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 42 94f7fe0057
NEW none[none] none:none
none|none none none

T:07:44:00 WinXP 84.224.39.170 (PGSM.HU):
PANNON GSM TELECOMMUNICATIONS INC,
BUDAPEST, BUDAPEST, HU. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:07:50:00 WinXP 121.121.100.2 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) n/a :moscow-advokat.ru
:washington.dc.us.undernet.org
SE:vancouver.dal.net
SE:brussels.be.eu.undernet.org
:london.uk.eu.undernet.org
:lia.zanet.net
SE:qis.md.us.dal.net
SE:viking.dal.net 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball 41 of 42 ff851345d8
NEW none[none] none:none
none|none none none

T:08:11:00 WinXP 79.163.36.172 (CENTERTEL.PL):
PTK CENTERTEL BROADBAND SERVICES,
WARSAW, WARSZAWA, PL. (DSL) n/a 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 34 of 34 d20f157117
NEW 738f555183 [0] ASM:Graph
PolyEnE| lines=68 trace

T:08:49:00 WinXP 4.252.97.255 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
RENSSELAER, INDIANA, US. (DIAL) n/a 135 pcap raw alerts
ruleset other
185 lines Yeah : 1.3
profile none summary
tarball 8 of 33 b7082104e4
NEW c5b49e7b82 [0] ASM:Graph
tElock| lines=41 trace

T:09:35:00 Win2K-f 59.120.228.224 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a 135 pcap raw alerts
ruleset other
52 lines Yeah : 1.3
profile none summary
tarball 0 of 33 57ce4acac2
NEW none[0] none:none
Armadillo| lines=90 trace

T:10:07:00 WinXP 95.75.13.78 (-):
TELECOM ITALIA MOBILE,
IT. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 43 88f3393e20
NEW none[none] none:none
none|none none none

T:12:03:00 WinXP 124.44.47.9 (WAKWAK.NE.JP):
XEPHION(NTT-ME CORPORATION),
TOKYO, TOKYO, JP. (DIAL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 42 of 43 c66d771507
NEW none[none] none:none
none|none none none

T:12:09:00 WinXP 79.163.171.244 (CENTERTEL.PL):
PTK CENTERTEL BROADBAND SERVICES,
PL. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 41 5c6df5141d
NEW none[none] none:none
none|none none none

12:21:00 Win2K-f 202.159.215.187 (BOL.NET.IN):
MTNL INTERNET SERVICE PROVIDER IN THE CITY OF DELHI AND MUMBAI,
NEW DELHI, DELHI, IN. (DSL) n/a US:www.maxmind.com
US:checkip.dyndns.org
US:208.43.124.51:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 4 of 37 8ce32ded17
NEW none[3] none:none
Armadillo| none trace

T:12:23:00 WinXP 75.38.87.130 (-):
HAVANA HOUSE,
BAKERSFIELD, CALIFORNIA, US. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:13:26:00 WinXP 189.127.98.17 (UNOTEL.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 42 4aa9b2104a
NEW none[none] none:none
none|none none none

T:14:54:00 WinXP 114.46.216.249 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 32 of 32 b502f83a7c
NEW 28f5be93b0 [0] ASM:Graph
PolyEnE| lines=73 trace

T:15:01:00 WinXP 91.67.33.1 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
OLDENBURG, NIEDERSACHSEN, DE. (DSL) n/a 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:15:13:00 Win2K-f 70.62.5.169 (RR.COM):
ROAD RUNNER HOLDCO LLC,
GAHANNA, OHIO, US. (DSL) n/a 135 pcap raw alerts
ruleset other
4 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:15:25:00 WinXP 119.154.43.226 (PIE.NET.PK):
PAKISTAN TELECOMMUNICATION COMPANY LIMITED,
ISLAMABAD, ISLAMABAD, PK. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
3 lines Yeah : 1.3
profile none summary
tarball 42 of 43 af29b1f33c
NEW none[none] none:none
none|none none none

T:15:45:00 WinXP 63.245.67.68 (-):
COLUMBUS COMMUNICATIONS GRENADA LTD,
ST. GEORGE'S, SAINT GEORGE, GD. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 42 of 43 c2ac099554
NEW none[none] none:none
none|none none none

T:16:18:00 Win2K-f 218.47.105.57 (PLALA.OR.JP):
NTT PLALA INC,
TOKYO, TOKYO, JP. (DSL) n/a 135 pcap raw alerts
ruleset other
4 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:16:40:00 WinXP 201.238.3.205 (-):
TELECOMUNICACIONES MOVILNET,
CARACAS, DISTRITO FEDERAL, VE. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:18:24:00 Win2K-f 72.43.103.101 (RR.COM):
ROAD RUNNER HOLDCO LLC,
KEW GARDENS, NEW YORK, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 d031b42d3f
NEW
fa14802705
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:19:29:00 Win2K-f 122.148.139.89 (DODO.COM.AU):
LAYER 2 BROADBAND CUSTOMER NETWORK,
SYDNEY, NEW SOUTH WALES, AU. (DSL) n/a 135 pcap raw alerts
ruleset other
351 lines Yeah : 1.3
profile none summary
tarball 33 of 41 de37f2fc47
NEW bac4cc6eec [0] ASM:Graph
Armadillo| lines=218 trace

19:38:00 WinXP 121.121.18.192 (MAXIS.NET.MY):
MAXIS BROADBAND SDN BHD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 43 of 43 478652dcdd
NEW none[none] none:none
none|none none none

T:19:39:00 WinXP 186.253.26.216 (-):
. 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 41 1096ba143e
NEW none[none] none:none
none|none none none

20:53:00 WinXP 174.39.243.238 (WINDSTREAM.NET):
ALLTEL MIP CUSTOMERS - OMAHA,
YORK, NEBRASKA, US. (DSL) n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 43 90b78e3a59
NEW none[none] none:none
none|none none none

T:21:56:00 Win2K-f 70.65.225.221 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
RED DEER, ALBERTA, CA. (DSL) n/a 135 pcap raw alerts
ruleset other
186 lines Yeah : 1.3
profile none summary
tarball 41 of 43 c97c6a16b6
NEW none[none] none:none
none|none none none

T:22:11:00 Win2K-f 97.97.93.39 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CLEARWATER, FLORIDA, US. (DSL) n/a 135 pcap raw alerts
ruleset other
22 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:23:10:00 WinXP 41.239.10.87 (TEDATA.NET):
AFRINIC,
EG. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 d11b1f56f9
NEW none[none] none:none
none|none none none

23:39:00 WinXP 79.133.139.20 (-):
ADSL USERS,
RU. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:23:40:00 WinXP 204.111.83.116 (SHENTEL.NET):
SHENTEL SERVICE COMPANY,
EDINBURG, VIRGINIA, US. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 40 of 41 1096ba143e
NEW none[none] none:none
none|none none none