Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

10 October 2011
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

00:08:00 WinXP 180.207.244.179 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball none 2f6cab0a72
NEW none[none] none:none
none|none none none

00:16:00 Win2K-f 58.27.195.47 (WATEEN.NET):
NATIONAL WIMAX/IMS ENVIRONMENT,
LAHORE, PUNJAB, PK. (DSL) n/a US:www.maxmind.com
US:checkip.dyndns.org
US:208.43.124.51:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 26 of 28
3 of 37 7d99b0e910
NEW
d9cb288f31
NEW none[0]
45603a001c[0] none:none
ASM:Graph
PolyEnE|
UPX| lines=68
lines=174
embedded dns trace
trace

T:00:17:00 Win2K-f 95.81.253.229 (-):
VOLGATELECOM OJSC,
RU. (DSL) n/a :carolh.com
US:i.nuseek.com
US:www.comcast.com
111.88.18.182:6667
KR:124.137.70.222:6667
US:69.241.45.4:80
IT:83.211.221.197:6667
94.27.66.219:6667 445 pcap raw alerts
ruleset http
irc
138 lines Argh : 0.3
profile none summary
tarball none none none none none none none

T:00:21:00 WinXP 180.215.142.203 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball none none none none none none none

T:00:45:00 WinXP 46.203.99.225 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:01:35:00 WinXP 24.155.14.29 (GRANDENETWORKS.NET):
GRANDE COMMUNICATIONS WACO,
WOODWAY, TEXAS, US. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

02:25:00 WinXP 109.184.31.34 (STERLINGSTUDENTS.NET):
EU-ZZ,
UK. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 38 of 41 9276456bf8
NEW none[none] none:none
none|none none none

T:03:32:00 WinXP 49.238.29.97 (-):
. n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:04:05:00 Win2K-f 27.98.30.195 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
99 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:04:36:00 WinXP 95.37.131.22 (MTS-NN.RU):
NETWORK FOR PPPOE CLIENTS TERMINATIONS IN,
NIZHNIY NOVGOROD, NIZHEGOROD, RU. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:05:01:00 WinXP 178.24.66.30 (FINEBLANK.COM):
EU-ZZ,
UK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:05:07:00 WinXP 61.62.145.104 (SO-NET.NET.TW):
SONY NETWORK TAIWAN LIMITED,
TAIPEI, T'AI-PEI, TW. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:05:44:00 Win2K-f 1.247.145.130 (-):
. 95.143.193.118:65520 US:microsoft.com
DE:proxima.ircgalaxy.pl
CN:sb.letmedo.net
:netnetnet1.com
CN:w.nucleardiscover.com
RU:sedsed1.com
CN:hn.yigeyuming.com
:a.95622.com
CN:ru.letmedo.net
DE:83.133.119.197:65520 135 pcap raw alerts
ruleset irc
http
120 lines Yeah : 1.8
profile none summary
tarball none none none none none none none

T:05:46:00 WinXP 94.77.57.115 (-):
KSS,
MOSCOW, MOSCOW CITY, RU. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball none none none none none none none

T:06:12:00 WinXP 111.88.12.69 (HOSTS-WORLDCALL.NET.PK):
WORLDCALL TELECOM LTD,
PK. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball none none none none none none none

T:06:22:00 WinXP 46.202.77.163 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:06:27:00 Win2K-f 212.170.164.54 (RIMA-TDE.NET):
TELEFONICA DE ESPANA (NCC#2007050901),
SEVILLA, ANDALUCIA, ES. (DSL) n/a US:as.casalemedia.com
:hf.davinci.com
US:activex.microsoft.com
US:codecs.microsoft.com
:hurterassoc.com
:annuitybroker.net
DE:proxima.ircgalaxy.pl
CN:s5.perfectexe.com
:a.95622.com
CN:myck.nucleardiscover.com
:nazzel.com
CN:w.nucleardiscover.com
RU:sedsed1.com
:s5.mainpage.cc
CN:ck3.nucleardiscover.com
IR:82.99.253.2:6667
UZ:84.54.75.199:6667 445 pcap raw alerts
ruleset http
84 lines Argh : 0.3
profile none summary
tarball none none none none none none none

T:07:08:00 WinXP 85.24.205.100 (BAHNHOF.SE):
BAHNHOF INTERNET AB,
STOCKHOLM, STOCKHOLMS LAN, SE. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

07:32:00 WinXP 85.24.205.100 (BAHNHOF.SE):
BAHNHOF INTERNET AB,
STOCKHOLM, STOCKHOLMS LAN, SE. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28
34 of 34
3 of 37 7d99b0e910
NEW
d20f157117
NEW
d9cb288f31
NEW none[0]
738f555183[0]
45603a001c[0] none:none
ASM:Graph
ASM:Graph
PolyEnE|
PolyEnE|
UPX| lines=68
lines=68
lines=174
embedded dns trace
trace
trace

T:07:48:00 WinXP 217.202.39.30 (-):
TELECOM ITALIA MOBILE,
ROME, LAZIO, IT. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
4 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

08:44:00 WinXP 212.96.184.141 (AGNET.CZ):
SPERLNET S.R.O,
PRAGUE, HLAVNI MESTO PRAHA, CZ. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:08:46:00 WinXP 101.13.185.91 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:09:14:00 WinXP 110.11.241.229 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) n/a 135 pcap raw alerts
ruleset other
22 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:09:34:00 WinXP 151.83.38.20 (SER-PR2-MAX.IUNET.IT):
INFOSTRADA,
ROME, LAZIO, IT. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:09:39:00 WinXP 109.87.66.134 (JWS.COM):
EU-ZZ,
UK. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:10:17:00 WinXP 77.20.198.88 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
BERLIN, BERLIN, DE. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:11:11:00 WinXP 87.11.57.123 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A. TIN EASY LITE,
PARMA, EMILIA-ROMAGNA, IT. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:11:14:00 WinXP 188.153.108.246 (DSL.VODAFONE.IT):
IP ADDRESSES ALLOCATED TO DSL CUSTOMERS,
IT. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball none none none none none none none

T:11:42:00 WinXP 2.198.18.24 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:11:51:00 WinXP 178.17.125.54 (FINEBLANK.COM):
EU-ZZ,
UK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

12:01:00 WinXP 87.11.57.123 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A. TIN EASY LITE,
PARMA, EMILIA-ROMAGNA, IT. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 39 of 40
26 of 28
34 of 34
3 of 37 5e8ccc4190
NEW
7d99b0e910
NEW
d20f157117
NEW
d9cb288f31
NEW 8d5f86583f [0]
none [0]
738f555183[0]
45603a001c[0] ASM:Graph
none:none
ASM:Graph
ASM:Graph
PolyEnE|
PolyEnE|
PolyEnE|
UPX| lines=68
lines=68
lines=68
lines=174
embedded dns trace
trace
trace
trace

T:12:05:00 WinXP 119.154.35.241 (PIE.NET.PK):
PAKISTAN TELECOMMUNICATION COMPANY LIMITED,
ISLAMABAD, ISLAMABAD, PK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:13:02:00 WinXP 177.28.150.118 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:14:46:00 WinXP 186.254.102.47 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:16:25:00 WinXP 164.132.48.247 (-):
IUNET S.P.A,
MILANO, LOMBARDIA, IT. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

16:49:00 WinXP 164.132.48.247 (-):
IUNET S.P.A,
MILANO, LOMBARDIA, IT. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 29 of 29 3ae357d17b
NEW none[0] none:none
PolyEnE| lines=73 trace

T:16:59:00 WinXP 114.166.238.144 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

17:03:00 Win2K-f 182.18.144.112 (-):
. n/a US:www.maxmind.com
US:checkip.dyndns.org
:www.getmyip.org
:getmyip.co.uk
US:208.43.124.51:80
EU:91.198.22.70:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:17:56:00 WinXP 46.202.184.112 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:20:50:00 Win2K-f 63.16.91.208 (UU.NET):
UUNET TECHNOLOGIES INC,
ROANOKE, VIRGINIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
81 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:20:55:00 WinXP 117.20.153.163 (-):
STARHUB HSPA,
SINGAPORE, SINGAPORE, SG. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

23:51:00 WinXP 118.171.30.122 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 43 c19c8a2776
NEW none[none] none:none
none|none none none