Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

25 October 2011
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:10:00 Win2K-f 123.195.116.142 (KBRONET.COM.TW):
TUNG HO MULTIMEDIA CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:01:06:00 WinXP 91.83.126.250 (SULINET.HU):
INVITEL TAVKOZLESI SZOLGALTATO RT,
HU. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:02:37:00 Win2K-f 4.225.166.112 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
DALLAS, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
103 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:02:42:00 WinXP 220.138.46.232 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAINAN, T'AI-WAN, TW. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball 32 of 32 5818023061
NEW none[0] none:none
PolyEnE| lines=68 trace

T:02:53:00 Win2K-f 72.48.216.113 (GRANDENETWORKS.NET):
GRANDE COMMUNICATIONS WACO HUB,
HEWITT, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
115 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 d031b42d3f
NEW
fa14802705
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:04:37:00 WinXP 186.122.39.36 (-):
. n/a DE:moscow-advokat.ru
DE:82.98.86.164:6667 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 43 36b7b47613
NEW none[none] none:none
none|none none none

T:04:45:00 WinXP 210.166.52.115 (MEGAEGG.NE.JP):
ENERGIA COMMUNICATIONS INC,
HIROSHIMA, HIROSHIMA, JP. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 43 of 43 debeecd50c
NEW none[none] none:none
none|none none none

T:05:31:00 WinXP 115.80.172.74 (TAIWANMOBILE.NET):
TAIWAN MOBILE CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:06:04:00 Win2K-f 173.214.230.166 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 68b5e580f0
NEW
b475ce7c0b
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:06:18:00 WinXP 93.102.47.61 (REV.OPTIMUS.PT):
OPTIMUS PORTUGAL,
COIMBRA, COIMBRA, PT. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:06:26:00 WinXP 101.12.39.66 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:06:41:00 Win2K-f 123.192.205.143 (KBRONET.COM.TW):
TUNG HO MULTIMEDIA CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:07:20:00 WinXP 93.102.149.94 (REV.OPTIMUS.PT):
OPTIMUS PORTUGAL,
PT. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 43 420b1a76c4
NEW none[none] none:none
none|none none none

07:24:00 WinXP 93.102.47.61 (REV.OPTIMUS.PT):
OPTIMUS PORTUGAL,
COIMBRA, COIMBRA, PT. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:07:25:00 WinXP 79.149.212.70 (RIMA-TDE.NET):
TELEFONICA MOVILES ESPANA (NCC#2008113582),
MADRID, MADRID, ES. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 40 5e8ccc4190
NEW 8d5f86583f [0] ASM:Graph
PolyEnE| lines=68 trace

T:08:21:00 Win2K-f 118.83.40.155 (HTOJ.J-CNET.JP):
JCN-HTMNET,
JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
122 lines Yeah : 1.3
profile none summary
tarball 32 of 36
34 of 36 0b951c2832
NEW
e4ed4df0f0
NEW 5fe761661a [0]
de471fc380[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:08:58:00 WinXP 109.53.145.114 (JWS.COM):
EU-ZZ,
UK. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 35 of 37 11daa95753
NEW none[none] none:none
none|none none none

T:09:41:00 WinXP 117.19.199.72 (TAIWANMOBILE.NET):
TAIWAN MOBILE CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 44 b6cb1b2f30
NEW none[none] none:none
none|none none none

T:10:22:00 WinXP 91.83.126.114 (SULINET.HU):
INVITEL TAVKOZLESI SZOLGALTATO RT,
HU. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:10:38:00 WinXP 186.110.234.218 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:10:49:00 Win2K-f 4.161.212.91 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
DENVER, COLORADO, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
230 lines Yeah : 1.3
profile none summary
tarball 41 of 42
40 of 42 7549900329
NEW
b71514f095
NEW 4b13f1921b [0]
f6aa3689d1[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:11:22:00 WinXP 186.109.68.7 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 f2f3d8239c
NEW none[none] none:none
none|none none none

T:11:25:00 WinXP 31.147.187.164 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.8
profile none summary
tarball 37 of 43 ea335fe3e9
NEW none[none] none:none
none|none none none

T:11:29:00 Win2K-f 72.43.103.147 (RR.COM):
ROAD RUNNER HOLDCO LLC,
KEW GARDENS, NEW YORK, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 d031b42d3f
NEW
fa14802705
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:11:55:00 Win2K-f 220.130.85.124 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAINAN, T'AI-WAN, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
112 lines Yeah : 1.3
profile none summary
tarball 40 of 41
none 2bc8f15054
NEW
964911406f
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:12:02:00 WinXP 46.202.241.162 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 41 169a5d5c84
NEW none[none] none:none
none|none none none

T:12:08:00 WinXP 187.60.102.40 (VELOXZONE.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
BR. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:12:41:00 WinXP 27.54.27.129 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

13:42:00 WinXP 190.227.138.45 (NET.AR):
TELECOM PERSONAL BS AS,
AR. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 f2f3d8239c
NEW none[none] none:none
none|none none none

T:14:26:00 WinXP 46.134.213.26 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 43 c19c8a2776
NEW none[none] none:none
none|none none none

T:15:14:00 WinXP 109.52.120.236 (JWS.COM):
EU-ZZ,
UK. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 29 of 29 3ae357d17b
NEW none[0] none:none
PolyEnE| lines=73 trace

15:17:00 WinXP 109.52.120.236 (JWS.COM):
EU-ZZ,
UK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 29 of 29 3ae357d17b
NEW none[0] none:none
PolyEnE| lines=73 trace

T:15:44:00 WinXP 212.129.95.65 (-):
METEOR GPRS,
DUBLIN, DUBLIN, IE. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:15:46:00 WinXP 95.69.12.105 (-):
GPRS COSTUMERS,
FARO, FARO, PT. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:16:11:00 WinXP 122.100.111.233 (UBBN.NET):
UNION BROADBAND NETWORK,
TAIPEI, T'AI-PEI, TW. (DSL) n/a 445 pcap raw alerts
ruleset other
0 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:17:25:00 WinXP 65.113.118.175 (TRANQUILITY.NET):
CORAL WIRELESS LLC,
HONOLULU, HAWAII, US. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 41 e92ed9f79c
NEW none[none] none:none
none|none none none

T:17:46:00 WinXP 176.17.149.22 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:17:54:00 WinXP 173.19.77.26 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
PANAMA CITY, FLORIDA, US. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:18:16:00 WinXP 182.63.52.142 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

19:16:00 Win2K-f 122.160.71.49 (122.AIRTELBROADBAND.IN):
ABTS-DSL-DEL,
NEW DELHI, DELHI, IN. (DSL) n/a US:www.maxmind.com
:getmyip.co.uk
:www.getmyip.org
US:checkip.dyndns.org
DE:131.220.6.26:80 445 pcap raw alerts
ruleset http
5 lines Yeah : 0.8
profile none summary
tarball 2 of 37 223d8089f8
NEW none[3] none:none
StarForce| none trace

T:19:25:00 Win2K-f 122.160.71.49 (122.AIRTELBROADBAND.IN):
ABTS-DSL-DEL,
NEW DELHI, DELHI, IN. (DSL) n/a US:www.maxmind.com
US:checkip.dyndns.org
DE:131.220.6.26:80 445 pcap raw alerts
ruleset http
5 lines Yeah : 0.8
profile none summary
tarball 2 of 37 223d8089f8
NEW none[3] none:none
StarForce| none trace

T:20:08:00 Win2K-f 4.87.98.224 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
LEESBURG, FLORIDA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
182 lines Yeah : 1.3
profile none summary
tarball 37 of 41
36 of 40 47d3548e36
NEW
d8722af110
NEW ab13346633 [0]
ab30a55931[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:20:17:00 WinXP 14.98.70.11 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
104 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:21:21:00 WinXP 101.12.73.160 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

21:29:00 WinXP 101.12.73.160 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:23:53:00 Win2K-f 218.170.107.181 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 41 of 43
38 of 43 9956124c58
NEW
9f372cd7a5
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none