|
Time |
Victim OS |
Infection Source |
C&C Server |
DNS Lookups & Failed Connects |
Infection Port |
Packet Trace |
Detection Signatures |
Infection Chatter |
BotHunter Analysis |
Behavioral Cluster |
Forensic Logs |
Antivirus Labels |
Packed Malware_Binary |
Unpacked egg.exe |
Unpacked egg.asm |
Packer PEID |
Data Strings |
Syscall Trace |
| T:01:11:00 | WinXP | 219.86.160.83 (TFN.NET.TW): TAIWAN FIXED NETWORK CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
29 of 29 | a0139d7ad8 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
| T:01:54:00 | WinXP | 175.113.174.215 (-): . |
83.133.119.197:65520 | DE:proxim.ircgalaxy.pl US:microsoft.com CN:shabi.coolnuff.com CN:w.nucleardiscover.com EU:nonetnet.com IT:mewgost.com IT:151.100.14.36:3128 183.81.143.232:3128 187.120.226.164:3128 189.65.79.88:3128 VE:190.72.186.19:3128 VE:190.73.163.49:3128 BR:200.139.135.118:3128 BR:200.149.163.95:3128 EU:77.78.185.54:3128 SE:85.228.182.128:3128 95.155.98.55:3128 |
135 | pcap | raw alerts ruleset |
irc http 124 lines |
Yeah : 1.8 profile |
none | summary tarball |
29 of 43 29 of 41 14 of 42 36 of 42 38 of 42 |
564048b35d NEW 87101f64b4 NEW 87f04cd6c7 NEW bf063bba17 NEW f269760f66 NEW |
none[none] none [none] none [none] none [none] none [none] |
none:none none:none none:none none:none none:none |
none|none none|none none|none none|none none|none |
none none none none none |
none none none none none |
| T:01:56:00 | WinXP | 65.50.73.7 (BILTMORECOMMUNICATIONS.NET): DIRECPATH LLC, ATLANTA, GEORGIA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 37 of 40 |
5d445c59d8 NEW 8a54950abb NEW |
892e12db7b [0] f6b9e43917[0] |
ASM:Graph ASM:Graph |
tElock| Armadillo| |
lines=64 embedded dns lines=91 |
trace trace |
| T:02:06:00 | Win2K-f | 24.155.16.138 (GRANDENETWORKS.NET): GRANDE COMMUNICATIONS ODESSA HUB, ODESSA, TEXAS, US. (100Mbps) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 41 38 of 41 |
d031b42d3f NEW fa14802705 NEW |
none[none] none [none] |
none:none none:none |
none|none none|none |
none none |
none none |
| T:04:25:00 | WinXP | 59.103.215.232 (PIE.NET.PK): PAKISTAN TELECOMMUNICATION COMPANY LIMITED, ISLAMABAD, ISLAMABAD, PK. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
40 of 41 | 1096ba143e NEW |
none[none] | none:none |
none|none | none | none |
| T:05:03:00 | WinXP | 81.9.233.84 (CM-81-9-237-10.TELECABLE.ES): TELECABLE, OVIEDO, ASTURIAS, ES. (DSL) |
213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
29 of 29 | 3ae357d17b NEW |
none[0] | none:none |
PolyEnE| | lines=73 | trace |
| T:05:16:00 | WinXP | 70.77.72.254 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, PRINCE GEORGE, BRITISH COLUMBIA, CA. (DSL) |
n/a | 135 | pcap | raw alerts ruleset |
other 1008 lines |
Yeah : 1.3 profile |
none | summary tarball |
31 of 41 | 682a384fe9 NEW |
none[3] | none:none |
none|none | none | trace | |
| T:05:39:00 | WinXP | 180.177.140.183 (-): . |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
39 of 42 | 194a3a1b0f NEW |
none[none] | none:none |
none|none | none | none |
| T:05:53:00 | WinXP | 186.210.85.175 (-): . |
213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | 5a07de7dc6 NEW |
none[none] | none:none |
none|none | none | none |
| 06:00:00 | WinXP | 49.15.56.105 (-): . |
213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 42 | 8a2553433c NEW |
none[none] | none:none |
none|none | none | none |
| T:06:17:00 | WinXP | 178.25.225.163 (FINEBLANK.COM): EU-ZZ, UK. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
42 of 42 | 0c3e031d4a NEW |
none[none] | none:none |
none|none | none | none |
| T:06:35:00 | WinXP | 94.52.205.173 (-): NEW COM TELECOMUNICATII SA, BUCHAREST, BUCURESTI, RO. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
| T:07:39:00 | WinXP | 175.112.196.204 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 77 lines |
Yeah : 1.3 profile |
none | summary tarball |
3 of 41 33 of 33 |
8b41cb7a41 NEW 97fef473b9 NEW |
ef18d720f3 [0] ff4e7d6992[0] |
ASM:Graph ASM:Graph |
Armadillo| tElock| |
lines=90 lines=64 embedded dns |
trace trace |
| T:08:00:00 | WinXP | 14.98.129.187 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:08:10:00 | WinXP | 46.202.225.51 (-): . |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 1.3 profile |
none | summary tarball |
41 of 43 | fb486908b0 NEW |
none[none] | none:none |
none|none | none | none |
| T:08:39:00 | WinXP | 82.81.23.180 (BEZEQINT.NET): ADSL-CUSTOMER-CONNECTION, TEL AVIV, TEL AVIV, IL. (DSL) |
213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
41 of 43 | fb486908b0 NEW |
none[none] | none:none |
none|none | none | none |
| T:09:19:00 | WinXP | 216.188.232.111 (GRANDENETWORKS.NET): GRANDE COMMUNICATIONS ODESSA HUB, MIDLAND, TEXAS, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 41 38 of 41 |
d031b42d3f NEW fa14802705 NEW |
none[none] none [none] |
none:none none:none |
none|none none|none |
none none |
none none |
| T:09:35:00 | WinXP | 220.130.190.124 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 41 none |
2bc8f15054 NEW 964911406f NEW |
none[none] none [none] |
none:none none:none |
none|none none|none |
none none |
none none |
| T:10:00:00 | WinXP | 187.47.5.163 (VELOXZONE.COM.BR): COMITE GESTOR DA INTERNET NO BRASIL, SãO PAULO, SAO PAULO, BR. (DSL) |
213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 3 lines |
Yeah : 1.3 profile |
none | summary tarball |
41 of 43 | fb486908b0 NEW |
none[none] | none:none |
none|none | none | none |
| T:10:02:00 | WinXP | 109.60.188.100 (JWS.COM): EU-ZZ, UK. (DSL) |
n/a | DE:moscow-advokat.ru SE:ozbytes.dal.net AT:graz.at.eu.undernet.org |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 1.3 profile |
none | summary tarball |
41 of 43 | 04d4170d3b NEW |
none[none] | none:none |
none|none | none | none |
| 10:04:00 | WinXP | 68.183.153.160 (DSLEXTREME.COM): DSL EXTREME, LOS ANGELES, CALIFORNIA, US. (DSL) |
213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
41 of 41 | 6c56402f1b NEW |
none[none] | none:none |
none|none | none | none |
| T:10:17:00 | WinXP | 186.222.151.46 (-): . |
n/a | DE:moscow-advokat.ru DE:82.98.86.164:6667 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
25 of 25 | 7f60162c2c NEW |
none[0] | none:none |
PolyEnE| | lines=93 embedded dns |
trace |
| T:10:35:00 | WinXP | 119.154.127.134 (PIE.NET.PK): PAKISTAN TELECOMMUNICATION COMPANY LIMITED, ISLAMABAD, ISLAMABAD, PK. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
37 of 42 | e3a9035c2b NEW |
none[none] | none:none |
none|none | none | none |
| T:11:21:00 | WinXP | 89.204.200.106 (O2.IE): O2 IRELAND MOBILE PHONE OPERATOR, DUBLIN, DUBLIN, IE. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace | |
| 12:39:00 | Win2K-f | 220.128.128.86 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | US:www.maxmind.com US:checkip.dyndns.org EU:getmyip.co.uk :www.getmyip.org DE:131.220.6.26:80 EU:78.40.35.134:80 EU:91.198.22.71:80 |
445 | pcap | raw alerts ruleset |
http 4 lines |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | d9cb288f31 NEW |
45603a001c [0] | ASM:Graph |
UPX| | lines=174 embedded dns |
trace |
| T:12:40:00 | Win2K-f | 72.45.57.31 (ATLANTICBB.NET): ATLANTIC BROADBAND, MIDDLETOWN, DELAWARE, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 41 38 of 41 |
d031b42d3f NEW fa14802705 NEW |
none[none] none [none] |
none:none none:none |
none|none none|none |
none none |
none none |
| T:12:48:00 | Win2K-f | 220.128.128.86 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | US:www.maxmind.com :www.getmyip.org EU:getmyip.co.uk US:www.vouchercodes.net EU:checkip.dyndns.org DE:131.220.6.26:80 US:217.160.239.39:80 |
445 | pcap | raw alerts ruleset |
http 6 lines |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | d9cb288f31 NEW |
45603a001c [0] | ASM:Graph |
UPX| | lines=174 embedded dns |
trace |
| 12:53:00 | WinXP | 118.141.222.233 (LLOYD-EXCHANGE.LLOYDWISE.CN): HUTCHISON GLOBAL COMMUNICATIONS, HONG KONG, HONG KONG (SAR), HK. (DSL) |
213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 41 | 9276456bf8 NEW |
none[none] | none:none |
none|none | none | none |
| T:12:54:00 | WinXP | 120.138.168.13 (STARCAT.NE.JP): KMN CORPORATION, NAGOYA, TOKYO, JP. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 40 39 of 39 |
b8e6f4caf7 NEW fb92b91fe7 NEW |
f81eac6379 [0] fe88ab8768[0] |
none:none none:none |
tElock| Armadillo| |
none none |
trace trace |
| T:14:48:00 | WinXP | 41.71.150.231 (-): . |
213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
41 of 43 | fb486908b0 NEW |
none[none] | none:none |
none|none | none | none |
| T:16:09:00 | Win2K-f | 202.70.235.39 (ONINET.NE.JP): OKAYAMA NETWORK INC, OKAYAMA, OKAYAMA, JP. (DSL) |
n/a | 135 | pcap | raw alerts ruleset |
other 186 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 42 | 34d9fd5614 NEW |
none[none] | none:none |
none|none | none | none | |
| T:16:47:00 | WinXP | 177.31.82.161 (-): . |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
| T:17:33:00 | WinXP | 180.188.152.173 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 122 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 40 of 41 |
56703b9d17 NEW c55e86f7e9 NEW |
de8764ef05 [0] c790c10ad1[0] |
ASM:Graph ASM:Graph |
Armadillo| tElock| |
lines=91 lines=64 embedded dns |
trace trace |
| T:17:45:00 | Win2K-f | 111.88.59.161 (HOSTS-WORLDCALL.NET.PK): WORLDCALL TELECOM LTD, PK. (DSL) |
n/a | 135 | pcap | raw alerts ruleset |
other 59 lines |
Yeah : 1.3 profile |
none | summary tarball |
8 of 42 | 716b852fea NEW |
none[none] | none:none |
none|none | none | none | |
| T:18:09:00 | Win2K-f | 50.72.215.161 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
41 of 43 38 of 43 |
965cac2fb0 NEW a26d336ff2 NEW |
none[none] none [none] |
none:none none:none |
none|none none|none |
none none |
none none |
| T:18:18:00 | Win2K-f | 211.20.36.178 (-): LONG MOUNTAIN ENTERPRISE CO. LTD, TAIPEI, T'AI-PEI, TW. (100Mbps) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 37 of 40 |
5d445c59d8 NEW 728d86e39a NEW |
892e12db7b [0] none [none] |
ASM:Graph none:none |
tElock| none|none |
lines=64 embedded dns none |
trace none |
| T:18:34:00 | WinXP | 164.132.20.251 (-): IUNET S.P.A, MILANO, LOMBARDIA, IT. (DSL) |
n/a | DE:moscow-advokat.ru DE:82.98.86.164:6667 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
40 of 41 | 59b9ffbd71 NEW |
none[none] | none:none |
none|none | none | none |
| T:18:43:00 | Win2K-f | 72.47.74.143 (CEBRIDGE.NET): CEBRIDGE CONNECTIONS, ELKINS, WEST VIRGINIA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 41 38 of 41 |
d031b42d3f NEW fa14802705 NEW |
none[none] none [none] |
none:none none:none |
none|none none|none |
none none |
none none |
| 19:04:00 | WinXP | 174.42.169.11 (WINDSTREAM.NET): ALLTEL MIP CUSTOMERS - WARRENSVILLE HEIGHTS, SALISBURY, NORTH CAROLINA, US. (DSL) |
213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
41 of 43 | fb486908b0 NEW |
none[none] | none:none |
none|none | none | none |
| T:19:15:00 | WinXP | 173.18.225.127 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, EXCELSIOR, MINNESOTA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 59 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 8 of 33 |
53bfe15e91 NEW b7082104e4 NEW |
1473091351 [0] c5b49e7b82[0] |
ASM:Graph ASM:Graph |
tElock| tElock| |
lines=75 embedded dns lines=41 |
trace trace |
| T:19:33:00 | Win2K-f | 61.58.150.235 (TINP.NET.TW): TAIWAN INFRASTRUCTURE NETWORK TECHNOLOGIES, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 33 |
53bfe15e91 NEW 57ce4acac2 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:19:39:00 | WinXP | 123.194.180.188 (KBRONET.COM.TW): TUNG HO MULTIMEDIA CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | DE:moscow-advokat.ru DE:82.98.86.164:6667 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
25 of 25 | 7f60162c2c NEW |
none[0] | none:none |
PolyEnE| | lines=93 embedded dns |
trace |
| T:21:33:00 | WinXP | 24.234.237.249 (COX.NET): COX COMMUNICATIONS INC, LAS VEGAS, NEVADA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 33 |
53bfe15e91 NEW a08f3b74a4 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| 23:58:00 | Win2K-f | 46.45.184.69 (-): . |
n/a | US:www.maxmind.com EU:getmyip.co.uk US:www.vouchercodes.net US:208.43.124.51:80 |
445 | pcap | raw alerts ruleset |
http 1003 lines |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | d9cb288f31 NEW |
45603a001c [0] | ASM:Graph |
UPX| | lines=174 embedded dns |
trace |