Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

09 October 2011
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:32:00 WinXP 27.98.18.76 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
99 lines Yeah : 1.3
profile none summary
tarball 39 of 40
40 of 41 6a6aaa5b73
NEW
8bde6dd126
NEW 63889c9976 [0]
885c68f500[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=42
lines=64
embedded dns trace
trace

T:00:50:00 WinXP 76.177.75.21 (RR.COM):
ROAD RUNNER HOLDCO LLC,
LONDON, KENTUCKY, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:01:18:00 WinXP 119.154.124.119 (PIE.NET.PK):
PAKISTAN TELECOMMUNICATION COMPANY LIMITED,
ISLAMABAD, ISLAMABAD, PK. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 34 of 34 d20f157117
NEW 738f555183 [0] ASM:Graph
PolyEnE| lines=68 trace

01:38:00 WinXP 119.154.124.119 (PIE.NET.PK):
PAKISTAN TELECOMMUNICATION COMPANY LIMITED,
ISLAMABAD, ISLAMABAD, PK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 34 of 34 d20f157117
NEW 738f555183 [0] ASM:Graph
PolyEnE| lines=68 trace

02:21:00 Win2K-f 220.128.128.86 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:www.maxmind.com
:getmyip.co.uk
EU:checkip.dyndns.org
:www.getmyip.org
US:208.43.124.51:80
EU:91.198.22.70:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:02:31:00 Win2K-f 220.128.128.86 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:www.maxmind.com
:www.getmyip.org
:getmyip.co.uk
US:checkip.dyndns.org 445 pcap raw alerts
ruleset http
18 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:03:14:00 Win2K-f 114.203.44.26 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 94.63.149.150:65520 :proxima.ircgalaxy.pl
US:microsoft.com
CN:sb.letmedo.net
EU:netnetnet1.com
RU:sedsed1.com
CN:w.nucleardiscover.com
CN:hn.yigeyuming.com
:a.95622.com
112.206.58.3:3128
117.201.179.115:3128
KR:121.175.66.184:3128
182.185.223.74:3128
187.160.129.5:3128
EU:78.25.48.127:3128
IL:88.155.109.100:3128
94.253.172.65:3128
95.57.10.213:3128
95.58.183.30:3128 135 pcap raw alerts
ruleset irc
http
127 lines Yeah : 1.8
profile none summary
tarball 22 of 43
35 of 43
35 of 43
37 of 43
30 of 32
40 of 43
26 of 43
16 of 44 258c957144
NEW
3129f5662b
NEW
595430f951
NEW
69f32b85f1
NEW
8390780c27
NEW
d36b3bb24b
NEW
e9a62d4b65
NEW
f593071f74
NEW none[none]
none [none]
none [none]
none [none]
none [4]
none [none]
none [none]
none [none] none:none
none:none
none:none
none:none
none:none
none:none
none:none
none:none
none|none
none|none
none|none
none|none
tElock|
none|none
none|none
none|none none
none
none
none
none
none
none
none none
none
none
none
trace
none
none
none

T:03:15:00 WinXP 111.255.207.207 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 40 of 41 1096ba143e
NEW none[none] none:none
none|none none none

T:03:25:00 Win2K-f 124.124.89.97 (PHOTONINFOTECH.COM):
RELIANCE COMMUNICATIONS LTD,
BANGALORE, KARNATAKA, IN. (DSL) n/a EU:netnetnet1.com
CN:w.nucleardiscover.com
CN:ck3.nucleardiscover.com
RU:sedsed1.com
US:soccereurope.net
:images.ddc.com
174.123.157.154:80
183.82.202.96:6667
TW:60.249.39.108:6667 135 pcap raw alerts
ruleset http
irc
54 lines Yeah : 0.8
profile none summary
tarball 4 of 41
26 of 43 4be1c730de
NEW
a45be17207
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:03:52:00 Win2K-f 111.254.55.252 (-):
. n/a US:pethyena.com
US:activex.microsoft.com
US:codecs.microsoft.com
:mircnet.com
US:this.content.served.by.adshuffle.com
US:i.casalemedia.com
42.201.155.240:6667
EU:91.207.7.250:80
95.56.20.248:6667
95.58.64.243:6667 445 pcap raw alerts
ruleset http
irc
64 lines Argh : 0.3
profile none summary
tarball 1 of 43 7971be5103
NEW none[none] none:none
none|none none none

T:04:00:00 WinXP 178.167.193.193 (FINEBLANK.COM):
EU-ZZ,
UK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 43 of 43 24e8de6cb2
NEW none[none] none:none
none|none none none

T:05:16:00 WinXP 89.41.102.203 (HOST-STATIC-89-41-127-10.MOLDTELECOM.MD):
JSC MOLDTELECOM SA,
CHISINAU, CHISINAU, MD. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 38 of 41 9276456bf8
NEW none[none] none:none
none|none none none

T:05:58:00 Win2K-f 70.253.136.206 (SWBELL.NET):
AT&T INTERNET SERVICES,
DALLAS, TEXAS, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:06:21:00 WinXP 122.16.88.40 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
KAWASAKI, KANAGAWA, JP. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 43 0ab0d85629
NEW none[none] none:none
none|none none none

T:06:24:00 WinXP 77.23.167.68 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
BAMBERG, BAYERN, DE. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 29 of 29 1a2c0e6130
NEW none[0] none:none
none|none lines=60 trace

T:06:53:00 Win2K-f 24.155.52.141 (GRANDENETWORKS.NET):
GRANDE COMMUNICATIONS CORPUS CHRISTI HUB,
CORPUS CHRISTI, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 d031b42d3f
NEW
fa14802705
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:08:00:00 WinXP 109.87.66.134 (JWS.COM):
EU-ZZ,
UK. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:08:23:00 WinXP 92.223.32.77 (QSC.DE):
GINKO,
DE. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:08:40:00 WinXP 115.81.17.140 (TAIWANMOBILE.NET):
TAIWAN MOBILE CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:08:43:00 WinXP 95.37.68.250 (MTS-NN.RU):
NETWORK FOR PPPOE CLIENTS TERMINATIONS IN,
NIZHNIY NOVGOROD, NIZHEGOROD, RU. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball 38 of 41 9276456bf8
NEW none[none] none:none
none|none none none

08:59:00 Win2K-f 81.198.224.95 (-):
ADDRESS POOL FOR LTC-HOME CUSTOMERS,
RIGA, RIGA, LV. (DSL) n/a US:www.maxmind.com
:getmyip.co.uk
:www.getmyip.org
EU:checkip.dyndns.org
US:208.43.124.51:80
EU:91.198.22.70:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:09:13:00 WinXP 79.133.150.217 (-):
ADSL USERS,
RU. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:09:31:00 WinXP 188.173.222.221 (RIPE.NET):
EUROPEAN REGIONAL REGISTRY,
UK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 44 dd0a92984c
NEW none[none] none:none
none|none none none

T:10:45:00 WinXP 113.10.100.30 (-):
STARHUB HSDPA SG,
SG. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 39 of 44 42c549538f
NEW none[none] none:none
none|none none none

T:10:51:00 WinXP 87.16.11.57 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A. TIN EASY LITE,
SCANDIANO, EMILIA-ROMAGNA, IT. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 39 of 40 5e8ccc4190
NEW 8d5f86583f [0] ASM:Graph
PolyEnE| lines=68 trace

T:12:15:00 WinXP 178.158.139.26 (FINEBLANK.COM):
EU-ZZ,
UK. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 38 of 41 9276456bf8
NEW none[none] none:none
none|none none none

T:12:33:00 WinXP 83.167.110.16 (-):
PUBLIC NET FOR SUBSCIBERS COMCOR-TV,
MOSCOW, MOSCOW CITY, RU. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:12:46:00 WinXP 2.192.65.193 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 42 fbe753efa2
NEW none[none] none:none
none|none none none

T:12:55:00 WinXP 190.227.136.26 (NET.AR):
TELECOM PERSONAL BS AS,
AR. (DSL) n/a :siliconfireware.ru
:wpad
RU:www.bbin.ru
RU:www.binbank.ru 445 pcap raw alerts
ruleset http
http
22 lines Yeah : 0.8
profile none summary
tarball 29 of 29 df17a625ee
NEW none[0] none:none
ASPack| lines=298
embedded dns trace

T:12:58:00 WinXP 109.184.255.91 (STERLINGSTUDENTS.NET):
EU-ZZ,
UK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 38 of 41 9276456bf8
NEW none[none] none:none
none|none none none

T:13:24:00 WinXP 80.104.114.244 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A,
MILANO, LOMBARDIA, IT. (DIAL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 38 of 42 8a2553433c
NEW none[none] none:none
none|none none none

T:13:36:00 Win2K-f 70.60.191.151 (RR.COM):
ROAD RUNNER HOLDCO LLC,
MEMPHIS, TENNESSEE, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:13:37:00 WinXP 116.202.0.160 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 37 of 42 88edab3d8b
NEW none[none] none:none
none|none none none

T:13:52:00 WinXP 24.155.159.44 (GRANDENETWORKS.NET):
GRANDE COMMUNICATIONS WACO HUB,
WACO, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 d031b42d3f
NEW
fa14802705
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:14:35:00 WinXP 2.195.74.116 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:15:33:00 WinXP 79.13.56.47 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA NET,
BOLOGNA, EMILIA-ROMAGNA, IT. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:15:40:00 WinXP 109.175.248.91 (STERLINGSTUDENTS.NET):
EU-ZZ,
UK. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

16:05:00 WinXP 109.175.248.91 (STERLINGSTUDENTS.NET):
EU-ZZ,
UK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:17:18:00 WinXP 27.54.17.113 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 44 42c549538f
NEW none[none] none:none
none|none none none

17:58:00 WinXP 189.64.162.84 (TIMBRASIL.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
SãO PAULO, SAO PAULO, BR. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 32 of 32 488d27fe97
NEW none[none] none:none
none|none none none

T:19:17:00 Win2K-f 63.16.83.84 (UU.NET):
UUNET TECHNOLOGIES INC,
CHINO VALLEY, ARIZONA, US. (DSL) n/a 135 pcap raw alerts
ruleset other
4 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

21:14:00 WinXP 85.24.137.201 (LEGOTILLVERKNING.SE):
EXCELLENT-HOSTING-SWEDEN-NET,
SE. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 34 of 34 d20f157117
NEW 738f555183 [0] ASM:Graph
PolyEnE| lines=68 trace

T:22:28:00 WinXP 59.116.110.242 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 44 7005fde006
NEW none[none] none:none
none|none none none

T:23:14:00 WinXP 27.54.14.147 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 43 cebfbf3c54
NEW none[none] none:none
none|none none none

T:23:46:00 WinXP 180.207.244.179 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none 2f6cab0a72
NEW none[none] none:none
none|none none none

T:23:54:00 Win2K-f 110.12.71.87 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 83.133.119.197:65520 DE:proxim.ircgalaxy.pl
US:microsoft.com
CN:sb.letmedo.net
EU:netnetnet1.com
RU:sedsed1.com
CN:w.nucleardiscover.com
CN:hn.yigeyuming.com
:a.95622.com
CN:ru.letmedo.net
CN:myck.nucleardiscover.com
US:5centcoin.com
EU:91.226.97.54:80 135 pcap raw alerts
ruleset irc
http
143 lines Yeah : 1.8
profile none summary
tarball 35 of 43
15 of 42
35 of 43
37 of 43
29 of 32
28 of 32
6 of 42
16 of 44 3129f5662b
NEW
3420de55b8
NEW
595430f951
NEW
69f32b85f1
NEW
8a75955033
NEW
9276c8b36b
NEW
d91aa726d0
NEW
f593071f74
NEW none[none]
none [none]
none [none]
none [none]
2bf3e548b9[0]
none [0]
none [none]
none [none] none:none
none:none
none:none
none:none
ASM:Graph
none:none
none:none
none:none
none|none
none|none
none|none
none|none
tElock|
Armadillo|
none|none
none|none none
none
none
none
lines=126
embedded dns
lines=90
none
none none
none
none
none
trace
trace
none
none