Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

31 May 2011
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:16:00 WinXP 199.117.151.179 (TRANQUILITY.NET):
CORAL WIRELESS LLC,
HONOLULU, HAWAII, US. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 41 e92ed9f79c
NEW none[none] none:none
none|none none none

T:00:50:00 WinXP 60.234.100.201 (ORCON.NET.NZ):
ORCON INTERNET LTD SUPPORT,
AUCKLAND, AUCKLAND, NZ. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:01:02:00 WinXP 151.83.140.27 (SER-PR2-MAX.IUNET.IT):
INFOSTRADA,
IT. (DSL) n/a DE:moscow-advokat.ru
DE:82.98.86.164:6667 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 42 4c86b00d13
NEW none[none] none:none
none|none none none

T:01:35:00 WinXP 77.23.184.6 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
BAMBERG, BAYERN, DE. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 43 5f186aa322
NEW none[none] none:none
none|none none none

T:03:19:00 Win2K-f 14.96.33.160 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:03:40:00 WinXP 109.87.66.134 (JWS.COM):
EU-ZZ,
UK. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:03:48:00 WinXP 24.38.176.177 (FULLCHANNEL.NET):
FULL CHANNEL TV INC,
WARREN, RHODE ISLAND, US. (DSL) n/a :gg.arrancar.org 135 pcap raw alerts
ruleset other
158 lines Yeah : 1.3
profile none summary
tarball 37 of 41 51a03793ab
NEW 429f7618d3 [0] ASM:Graph
none|none lines=546 trace

T:04:20:00 WinXP 188.176.70.234 (DSL.TELE.DK):
TDC-TELEDANMARK-BREDBAANDSADSL-NET,
DK. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 32 of 32 b502f83a7c
NEW 28f5be93b0 [0] ASM:Graph
PolyEnE| lines=73 trace

T:05:07:00 WinXP 118.165.17.28 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:05:26:00 Win2K-f 70.74.241.39 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
EDMONTON, ALBERTA, CA. (DSL) n/a 135 pcap raw alerts
ruleset other
18 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:05:50:00 WinXP 92.226.128.15 (ALICEDSL.DE):
HANSENET-ADSL,
FRANKFURT, HESSEN, DE. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

06:06:00 WinXP 92.226.128.15 (ALICEDSL.DE):
HANSENET-ADSL,
FRANKFURT, HESSEN, DE. (DSL) 213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:07:03:00 Win2K-f 175.114.91.151 (-):
. 60.190.222.139:65520 US:microsoft.com
DE:proxima.ircgalaxy.pl
CN:yigeshabi.8800.org
IT:wertlist.com
CN:w.nucleardiscover.com
CN:russia.9966.org
CN:myck.nucleardiscover.com
US:lasiklasereyetreatment.info
CN:ck3.nucleardiscover.com
US:discountpremiumcredit.com
US:searchportal.information.com
CN:ck4.nucleardiscover.com
CN:seo.hi72.com
US:as.casalemedia.com
:cdn.dsultra.com
IT:195.14.112.197:80
CN:60.190.223.75:888 135 pcap raw alerts
ruleset irc
http
169 lines Yeah : 1.8
profile none summary
tarball 25 of 41
29 of 43
25 of 43
20 of 42
39 of 41
31 of 33 03f191c225
NEW
36093c1d73
NEW
6d1c54e9c2
NEW
8662cd182e
NEW
ab9c4b5f21
NEW
d789c8d157
NEW none[none]
none [none]
none [none]
none [none]
5fe48b2dcc[0]
5f6572479f[0] none:none
none:none
none:none
none:none
ASM:Graph
ASM:Graph
none|none
none|none
none|none
none|none
Armadillo|
PolyEnE| none
none
none
none
lines=42
lines=113
embedded dns none
none
none
none
trace
trace

T:07:13:00 Win2K-f 114.39.74.1 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:creditbiotechnology.info
US:runningwithscissor.com
US:images01.tzimg.com
:domdex.com
US:images.smartname.com
US:p.chango.com
US:oysavings.com
US:i.nuseek.com
:pagead2.googlesyndication.com
US:140.174.25.1:80 445 pcap raw alerts
ruleset http
irc
405 lines Argh : 0.3
profile none summary
tarball 1 of 42 4c7e5e74bb
NEW none[none] none:none
none|none none none

T:07:19:00 Win2K-f 79.163.23.50 (CENTERTEL.PL):
PTK CENTERTEL BROADBAND SERVICES,
WARSAW, WARSZAWA, PL. (DSL) n/a CN:ck4.nucleardiscover.com
US:seacomms.com
US:as.casalemedia.com
DE:www.sedoparking.com
US:activex.microsoft.com
US:codecs.microsoft.com
US:hotcollegedegree.com
:ajax.googleapis.com
US:img.sedoparking.com
:pagead2.googlesyndication.com
:domdex.com
CA:www.searchnut.com
:personalgenomesequencing.com
US:i.nuseek.com
:www.google-analytics.com
74.125.224.64:80 445 pcap raw alerts
ruleset http
30 lines Argh : 0.3
profile none summary
tarball 1 of 43 fbb008ccc4
NEW none[none] none:none
none|none none none

T:09:17:00 WinXP 69.79.116.22 (INTELNET.NET.GT):
TELGUA,
GUATEMALA, GUATEMALA, GT. (DSL) n/a 445 pcap raw alerts
ruleset other
0 lines Argh : 0.3
profile none summary
tarball none none none none none none none

09:43:00 Win2K-f 193.137.7.195 (ESTV.IPV.PT):
INSTITUTO POLITECNICO DE VISEU,
PT. (DSL) n/a US:www.maxmind.com
EU:getmyip.co.uk
US:www.vouchercodes.net 445 pcap raw alerts
ruleset http
1014 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:10:13:00 WinXP 204.111.79.134 (SHENTEL.NET):
SHENTEL SERVICE COMPANY,
WOODSTOCK, VIRGINIA, US. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 1096ba143e
NEW none[none] none:none
none|none none none

10:48:00 WinXP 46.72.20.88 (-):
. n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 29 of 29 0cfab99612
NEW none[0] none:none
PolyEnE| lines=68 trace

T:10:56:00 Win2K-f 69.193.35.184 (RR.COM):
ROAD RUNNER HOLDCO LLC,
HERNDON, VIRGINIA, US. (DSL) n/a 135 pcap raw alerts
ruleset other
1004 lines Yeah : 1.3
profile none summary
tarball 32 of 41 43b8f21924
NEW none[3] none:none
none|none none trace

T:11:18:00 Win2K-f 202.57.14.180 (-):
PRIMA-JKT-PANIN,
JAKARTA, JAKARTA RAYA, ID. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
88 lines Yeah : 1.3
profile none summary
tarball 37 of 42
33 of 33 397a46e596
NEW
53bfe15e91
NEW none[none]
1473091351[0] none:none
ASM:Graph
none|none
tElock| none
lines=75
embedded dns none
trace

12:39:00 Win2K-f 122.180.147.210 (122.AIRTELBROADBAND.IN):
BHARTI AIRTEL LTD. TELEMEDIA SERVICES,
NEW DELHI, DELHI, IN. (DSL) n/a US:www.maxmind.com
:www.getmyip.org
:checkip.dyndns.org
US:208.43.124.51:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 4 of 37 8ce32ded17
NEW none[3] none:none
Armadillo| none trace

T:12:48:00 Win2K-f 122.180.147.210 (122.AIRTELBROADBAND.IN):
BHARTI AIRTEL LTD. TELEMEDIA SERVICES,
NEW DELHI, DELHI, IN. (DSL) n/a US:www.maxmind.com
US:checkip.dyndns.org 445 pcap raw alerts
ruleset http
19 lines Yeah : 0.8
profile none summary
tarball 4 of 37 8ce32ded17
NEW none[3] none:none
Armadillo| none trace

T:14:23:00 WinXP 164.132.121.64 (-):
IUNET S.P.A,
MILANO, LOMBARDIA, IT. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 38 of 41 9276456bf8
NEW none[none] none:none
none|none none none

T:14:41:00 WinXP 186.198.149.162 (-):
. n/a DE:moscow-advokat.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 38 of 42 1f7e28e64a
NEW none[none] none:none
none|none none none

T:15:16:00 WinXP 189.48.161.82 (VELOXZONE.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
RIO DE JANEIRO, RIO DE JANEIRO, BR. (DSL) n/a DE:moscow-advokat.ru
DE:82.98.86.164:6667 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 25 of 25 7f60162c2c
NEW none[0] none:none
PolyEnE| lines=93
embedded dns trace

15:24:00 Win2K-f 58.68.41.119 (AIRCEL.CO.IN):
DISHNET WIRELESS LTD INDIA,
MUMBAI, MAHARASHTRA, IN. (100Mbps) n/a US:www.maxmind.com
:www.getmyip.org
EU:checkip.dyndns.org
EU:getmyip.co.uk
US:208.43.124.51:80
EU:78.40.35.134:80
EU:91.198.22.71:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:15:32:00 Win2K-f 58.68.41.119 (AIRCEL.CO.IN):
DISHNET WIRELESS LTD INDIA,
MUMBAI, MAHARASHTRA, IN. (100Mbps) n/a US:www.maxmind.com
:www.getmyip.org
EU:getmyip.co.uk
US:www.vouchercodes.net
:checkip.dyndns.org
US:217.160.239.39:80 445 pcap raw alerts
ruleset http
19 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:15:35:00 Win2K-f 124.241.157.136 (STARCAT.NE.JP):
KMN CORPORATION,
NAGOYA, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 40 of 43
41 of 43 a676ff29c5
NEW
dfd6bb8595
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

15:39:00 WinXP 204.111.79.134 (SHENTEL.NET):
SHENTEL SERVICE COMPANY,
WOODSTOCK, VIRGINIA, US. (DSL) n/a 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

15:53:00 Win2K-f 201.33.23.182 (STERLINGSTUDENTS.NET):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) n/a US:www.maxmind.com
:www.getmyip.org
EU:getmyip.co.uk
US:checkip.dyndns.org
US:208.43.124.51:80
EU:78.40.35.134:80
EU:91.198.22.71:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:15:56:00 WinXP 218.175.146.189 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:16:32:00 WinXP 208.94.177.5 (KARIBCABLE.COM):
KARIB CABLE,
KINGSTOWN, SAINT GEORGE, VC. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 40 of 41
37 of 41 c89b154681
NEW
d2b40c91a1
NEW 58d02dbffa [0]
fbaa414397[0] ASM:Graph
ASM:Graph
StarForce|
Armadillo| lines=64
embedded dns
lines=91 trace
trace

T:16:43:00 Win2K-f 50.72.239.187 (-):
. n/a 135 pcap raw alerts
ruleset other
1007 lines Yeah : 1.3
profile none summary
tarball 17 of 41 e1693609f9
NEW none[3] none:none
none|none none trace

T:19:21:00 WinXP 60.250.199.56 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 34 of 38
35 of 38 38ed850a0e
NEW
b9297745a1
NEW 46990f37cd [0]
4294884d84[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:19:53:00 WinXP 187.160.137.65 (NIC-R2-R1-MTY.NIC.MX):
NETWORK INFORMATION CENTER MEXICO,
MX. (DSL) n/a RU:siliconfireware.ru
RU:auction.nic.ru
:www.google-analytics.com
RU:domain-parking.ru
RU:ebookfinaltrash.ru
:www.epartner.ru
RU:s.holm.ru
RU:ggsaffiliates.com
RU:www.ggsaffiliates.com
:wpad
RU:gamingpartners.org
RU:js.gamingpartners.org 445 pcap raw alerts
ruleset http
http
http
http
45 lines Yeah : 0.8
profile none summary
tarball 29 of 29 a12cab51ef
NEW none[0] none:none
ASPack| lines=281
embedded dns trace

23:21:00 Win2K-f 203.196.139.82 (DIRECT.NET.IN):
TATA COMMUNICATIONS INTERNET SERVICES LTD,
NEW DELHI, DELHI, IN. (DSL) n/a US:www.maxmind.com
EU:checkip.dyndns.org
EU:getmyip.co.uk
:www.getmyip.org
US:208.43.124.51:80
EU:78.40.35.134:80
EU:91.198.22.71:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:23:33:00 WinXP 211.75.247.164 (HINET.NET):
TAINAN NEW EDISON COMMUNICATION,
TAINAN, T'AI-WAN, TW. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:23:35:00 Win2K-f 210.120.52.130 (BORA.NET):
BORANET-NET,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 37 of 42
37 of 41 359d245014
NEW
3d25e55087
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none