|
Time |
Victim OS |
Infection Source |
C&C Server |
DNS Lookups & Failed Connects |
Infection Port |
Packet Trace |
Detection Signatures |
Infection Chatter |
BotHunter Analysis |
Behavioral Cluster |
Forensic Logs |
Antivirus Labels |
Packed Malware_Binary |
Unpacked egg.exe |
Unpacked egg.asm |
Packer PEID |
Data Strings |
Syscall Trace |
| 00:15:00 | Win2K-f | 149.75.199.200 (TRILOGYBEHC.ORG): TRILOGY INC, AUSTIN, TEXAS, US. (DSL) |
n/a | US:www.maxmind.com :getmyip.co.uk US:checkip.dyndns.org :www.getmyip.org US:208.43.124.51:80 EU:91.198.22.70:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | d9cb288f31 NEW |
45603a001c [0] | ASM:Graph |
UPX| | lines=174 embedded dns |
trace |
| 00:58:00 | WinXP | 78.130.39.237 (REV.OPTIMUS.PT): OPTIMUS PORTUGAL, LEIRIA, LEIRIA, PT. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
38 of 42 | 8a2553433c NEW |
none[none] | none:none |
none|none | none | none |
| 01:28:00 | WinXP | 182.173.148.188 (-): . |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
43 of 43 | 6c462d3955 NEW |
none[none] | none:none |
none|none | none | none |
| T:01:55:00 | WinXP | 14.98.190.106 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| 02:53:00 | WinXP | 68.183.153.210 (DSLEXTREME.COM): DSL EXTREME, LOS ANGELES, CALIFORNIA, US. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
41 of 41 | 6c56402f1b NEW |
none[none] | none:none |
none|none | none | none |
| T:03:26:00 | WinXP | 91.149.98.232 (-): CJSC VYATKA CELLULAR COMMUNICATIONS DYNAMIC IP POOL, MOSCOW, MOSCOW CITY, RU. (DSL) |
213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 42 | 8a2553433c NEW |
none[none] | none:none |
none|none | none | none |
| T:03:42:00 | Win2K-f | 173.17.199.77 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, SAVAGE, MINNESOTA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 65 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 8 of 33 |
53bfe15e91 NEW b7082104e4 NEW |
1473091351 [0] c5b49e7b82[0] |
ASM:Graph ASM:Graph |
tElock| tElock| |
lines=75 embedded dns lines=41 |
trace trace |
| T:05:12:00 | Win2K-f | 27.98.18.76 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 99 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 40 40 of 41 |
6a6aaa5b73 NEW 8bde6dd126 NEW |
63889c9976 [0] 885c68f500[0] |
ASM:Graph ASM:Graph |
tElock| tElock| |
lines=42 lines=64 embedded dns |
trace trace |
| T:05:43:00 | WinXP | 68.146.223.178 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, CALGARY, ALBERTA, CA. (DSL) |
n/a | 135 | pcap | raw alerts ruleset |
other 18 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:05:46:00 | Win2K-f | 14.97.119.215 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:05:58:00 | Win2K-f | 24.153.122.231 (MYACTV.NET): ANTIETAM CABLE TELEVISION INC, HAGERSTOWN, MARYLAND, US. (100Mbps) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 41 38 of 41 |
d031b42d3f NEW fa14802705 NEW |
none[none] none [none] |
none:none none:none |
none|none none|none |
none none |
none none |
| T:06:07:00 | WinXP | 217.202.238.113 (-): TELECOM ITALIA MOBILE, ROME, LAZIO, IT. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 1.3 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
| T:06:33:00 | WinXP | 63.22.149.22 (UU.NET): UUNET TECHNOLOGIES INC, CAMBRIDGE, MASSACHUSETTS, US. (DSL) |
213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 41 | 9276456bf8 NEW |
none[none] | none:none |
none|none | none | none |
| 07:15:00 | WinXP | 211.76.40.167 (UBBN.NET): UNION BROADBAND NETWORK, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
other 0 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:07:21:00 | WinXP | 123.193.223.63 (KBRONET.COM.TW): TUNG HO MULTIMEDIA CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
http 6 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:08:01:00 | WinXP | 96.8.184.144 (GVTC.COM): GUADALUPE VALLEY TELEPHONE COOPERATIVE INC, CANYON LAKE, TEXAS, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 41 39 of 40 |
9bdd2c95b1 NEW cd456ac095 NEW |
d1bbd693ba [0] d75caee680[0] |
ASM:Graph ASM:Graph |
Armadillo| tElock| |
lines=91 lines=64 embedded dns |
trace trace |
| T:08:35:00 | WinXP | 77.20.97.28 (SUPERKABEL.DE): KABEL-DEUTSCHLAND-CUSTOMER-SERVICES, LANDAU, RHEINLAND-PFALZ, DE. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
29 of 29 | a0139d7ad8 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
| T:08:45:00 | WinXP | 115.82.53.32 (TAIWANMOBILE.NET): TAIWAN MOBILE CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) |
213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 41 | d11b1f56f9 NEW |
none[none] | none:none |
none|none | none | none |
| T:08:58:00 | Win2K-f | 14.98.59.216 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:09:37:00 | WinXP | 177.30.5.249 (-): . |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
40 of 41 | 1096ba143e NEW |
none[none] | none:none |
none|none | none | none |
| T:09:59:00 | WinXP | 123.194.4.85 (KBRONET.COM.TW): TUNG HO MULTIMEDIA CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
39 of 42 | 3977189133 NEW |
none[none] | none:none |
none|none | none | none |
| T:10:48:00 | WinXP | 4.226.171.142 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, MEMPHIS, TENNESSEE, US. (DIAL) |
n/a | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:12:44:00 | WinXP | 114.181.175.223 (PLALA.OR.JP): NTT PLALA INC, TOKYO, TOKYO, JP. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 14 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 41 | 09245a76fe NEW |
4767a61119 [0] | ASM:Graph |
none|none | lines=59 | trace | |
| 16:03:00 | WinXP | 187.80.159.77 (CAMPUSEAI.ORG): COMITE GESTOR DA INTERNET NO BRASIL, BR. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
29 of 29 | 0cfab99612 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
| 16:04:00 | WinXP | 186.180.48.162 (-): . |
213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
34 of 36 | 1595515522 NEW |
none[none] | none:none |
none|none | none | none |
| T:16:12:00 | Win2K-f | 211.127.157.38 (CUSTOMER.SOLOOT.JP): KIMITSU INC, TOKYO, TOKYO, JP. (DSL) |
n/a | 135 | pcap | raw alerts ruleset |
other 18 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:16:14:00 | WinXP | 213.22.178.15 (CPE.NETCABO.PT): TVCABO-PORTUGAL CABLE MODEM NETWORK, LEIRIA, LEIRIA, PT. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.0.224:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
| T:16:25:00 | WinXP | 119.154.78.33 (PIE.NET.PK): PAKISTAN TELECOMMUNICATION COMPANY LIMITED, LAHORE, PUNJAB, PK. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 1.3 profile |
none | summary tarball |
40 of 43 | 56ec0e9028 NEW |
none[none] | none:none |
none|none | none | none |
| T:16:27:00 | WinXP | 208.94.180.92 (KARIBCABLE.COM): KARIB CABLE, KINGSTOWN, SAINT GEORGE, VC. (100Mbps) |
213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 42 | 751685117f NEW |
none[none] | none:none |
none|none | none | none |
| T:18:43:00 | WinXP | 119.154.113.171 (PIE.NET.PK): PAKISTAN TELECOMMUNICATION COMPANY LIMITED, ISLAMABAD, ISLAMABAD, PK. (DSL) |
213.155.0.224:80 | DE:sys.zief.pl DE:citi-bank.ru DE:83.133.119.197:65520 |
445 | pcap | raw alerts ruleset |
http 4 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 43 | 213005cee3 NEW |
none[none] | none:none |
none|none | none | none |
| T:19:06:00 | WinXP | 61.215.172.106 (CABLENET.NE.JP): CABLENET SAITAMA CO. LTD, TOKYO, TOKYO, JP. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 111 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 43 41 of 42 |
4f4bbf29ec NEW 743e8678f4 NEW |
none[none] none [none] |
none:none none:none |
none|none none|none |
none none |
none none |
| T:19:53:00 | Win2K-f | 67.125.140.230 (PACBELL.NET): AT&T INTERNET SERVICES, FRESNO, CALIFORNIA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 33 |
53bfe15e91 NEW a08f3b74a4 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:20:08:00 | WinXP | 216.211.246.246 (NORWOODLIGHT.COM): NORWOOD LIGHT BROADBAND, NORWOOD, MASSACHUSETTS, US. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
34 of 34 | d20f157117 NEW |
738f555183 [0] | ASM:Graph |
PolyEnE| | lines=68 | trace |
| T:20:36:00 | Win2K-f | 49.135.135.167 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 33 |
53bfe15e91 NEW a08f3b74a4 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:20:45:00 | WinXP | 14.98.176.184 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:21:39:00 | WinXP | 4.174.146.139 (LEVEL3.NET): LEVEL 3 COMMUNICATIONS INC, DARBY, PENNSYLVANIA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 128 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 33 |
53bfe15e91 NEW a08f3b74a4 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:22:49:00 | WinXP | 58.39.221.198 (ONLINE.SH.CN): CHINANET SHANGHAI PROVINCE NETWORK, SHANGHAI, SHANGHAI, CN. (DSL) |
n/a | DE:moscow-advokat.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
39 of 41 | 246f38a76e NEW |
none[none] | none:none |
none|none | none | none |
| T:23:25:00 | WinXP | 14.98.116.113 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:23:40:00 | Win2K-f | 75.38.94.36 (SBCGLOBAL.NET): DANNY CHON DBA, PLANO, TEXAS, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 33 |
53bfe15e91 NEW a08f3b74a4 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:23:54:00 | WinXP | 117.19.212.116 (TAIWANMOBILE.NET): TAIWAN MOBILE CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 1.3 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |