Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

29 August 2011
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:41:00 WinXP 68.183.153.96 (DSLEXTREME.COM):
DSL EXTREME,
LOS ANGELES, CALIFORNIA, US. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 41 6c56402f1b
NEW none[none] none:none
none|none none none

T:00:53:00 WinXP 213.66.164.142 (TELIA.COM):
TELIA NETWORK SERVICES,
DANDERYD, STOCKHOLMS LAN, SE. (DSL) n/a RU:siliconfireware.ru
:www.proxy-socks.net
:wpad 445 pcap raw alerts
ruleset http
http
http
3 lines Yeah : 0.8
profile none summary
tarball 41 of 41 6c21e2c88b
NEW none[none] none:none
none|none none none

T:01:00:00 Win2K-f 98.101.143.183 (RR.COM):
ROAD RUNNER HOLDCO LLC,
HERNDON, VIRGINIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:01:32:00 Win2K-f 122.146.243.178 (SPARQNET.NET):
NEW CENTRY INFOCOM TECH. CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a 135 pcap raw alerts
ruleset other
18 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

02:27:00 WinXP 68.183.153.96 (DSLEXTREME.COM):
DSL EXTREME,
LOS ANGELES, CALIFORNIA, US. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 41 6c56402f1b
NEW none[none] none:none
none|none none none

T:03:10:00 WinXP 211.124.237.93 (ZAQ.NE.JP):
K CABLE TELEVISION CORPORATION INC,
OSAKA, OSAKA, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 0 of 32
33 of 33 07fabc79ef
NEW
53bfe15e91
NEW none[0]
1473091351[0] none:none
ASM:Graph
Armadillo|
tElock| lines=90
lines=75
embedded dns trace
trace

T:03:37:00 WinXP 31.147.188.102 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 43 88f3393e20
NEW none[none] none:none
none|none none none

T:03:50:00 WinXP 188.173.222.221 (RIPE.NET):
EUROPEAN REGIONAL REGISTRY,
UK. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 44 dd0a92984c
NEW none[none] none:none
none|none none none

04:10:00 WinXP 188.173.222.221 (RIPE.NET):
EUROPEAN REGIONAL REGISTRY,
UK. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 44 dd0a92984c
NEW none[none] none:none
none|none none none

T:04:27:00 WinXP 113.252.43.218 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
59 lines Yeah : 1.3
profile none summary
tarball 33 of 33
8 of 33 53bfe15e91
NEW
b7082104e4
NEW 1473091351 [0]
c5b49e7b82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=75
embedded dns
lines=41 trace
trace

T:05:11:00 Win2K-f 14.98.250.38 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
80 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:06:37:00 WinXP 101.12.225.60 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:07:16:00 Win2K-f 4.159.17.1 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
MINNEAPOLIS, MINNESOTA, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
80 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:07:39:00 WinXP 59.190.70.52 (EONET.NE.JP):
K-OPTICOM CORPORATION,
HIKONE, SHIGA, JP. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

10:14:00 WinXP 119.154.20.6 (PIE.NET.PK):
PAKISTAN TELECOMMUNICATION COMPANY LIMITED,
ISLAMABAD, ISLAMABAD, PK. (DSL) n/a DE:moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 04d4170d3b
NEW none[none] none:none
none|none none none

11:55:00 WinXP 90.149.59.210 (TELE2.NO):
TELE2-ADSL-DYNAMIC,
OSLO, OSLO, NO. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

12:02:00 WinXP 189.119.236.181 (TIMBRASIL.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
SãO PAULO, SAO PAULO, BR. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:13:27:00 WinXP 190.227.140.35 (NET.AR):
TELECOM PERSONAL BS AS,
AR. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 f2f3d8239c
NEW none[none] none:none
none|none none none

T:14:31:00 WinXP 90.149.59.210 (TELE2.NO):
TELE2-ADSL-DYNAMIC,
OSLO, OSLO, NO. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:15:45:00 WinXP 79.133.132.206 (-):
ADSL USERS,
RU. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 41 d8040f84d4
NEW d683995e84 [0] ASM:Graph
PolyEnE| lines=73 trace

T:15:52:00 WinXP 109.52.102.222 (JWS.COM):
EU-ZZ,
UK. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 29 of 29 0cfab99612
NEW none[0] none:none
PolyEnE| lines=68 trace

T:16:54:00 Win2K-f 218.45.206.53 (MS01.ITSCOM.JP):
ITSCOM_MANSIONLAN,
YOKOHAMA, KANAGAWA, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
115 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 761a66b891
NEW
98d05c039b
NEW b469dac5dc [0]
none [none] ASM:Graph
none:none
tElock|
none|none lines=64
embedded dns
none trace
none

T:18:46:00 WinXP 4.153.248.209 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
ROGERSVILLE, TENNESSEE, US. (DIAL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 29 of 29 f502585714
NEW none[0] none:none
PolyEnE| lines=63 trace

T:19:34:00 WinXP 76.6.225.187 (EMBARQHSD.NET):
EMBARQ CORPORATION,
PATASKALA, OHIO, US. (DSL) n/a DE:citi-bank.ru
DE:213.155.0.224:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

19:40:00 WinXP 208.126.86.51 (NETINS.NET):
LOST NATION-ELWOOD TELEPHONE COMPANY,
WATERLOO, IOWA, US. (DSL) n/a DE:moscow-advokat.ru
DE:82.98.86.164:6667 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 44 3aeedd9a76
NEW none[none] none:none
none|none none none

T:19:48:00 Win2K-f 14.98.150.64 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

23:16:00 Win2K-f 211.20.204.168 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:www.maxmind.com
:checkip.dyndns.org
DE:131.220.6.26:80
TW:211.20.204.168:5464 445 pcap raw alerts
ruleset http
5 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:23:20:00 Win2K-f 117.19.224.132 (TAIWANMOBILE.NET):
TAIWAN MOBILE CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 761a66b891
NEW
98d05c039b
NEW b469dac5dc [0]
none [none] ASM:Graph
none:none
tElock|
none|none lines=64
embedded dns
none trace
none

T:23:33:00 Win2K-f 72.45.61.112 (ATLANTICBB.NET):
ATLANTIC BROADBAND,
MIDDLETOWN, DELAWARE, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 d031b42d3f
NEW
fa14802705
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:23:56:00 Win2K-f 173.29.34.36 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
CLINTON, IOWA, US. (DSL) n/a 135 pcap raw alerts
ruleset other
188 lines Yeah : 1.3
profile none summary
tarball 39 of 40
40 of 44 1db29886ac
NEW
4fb660188f
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none