Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

29 November 2011
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:02:10:00 WinXP 178.159.56.76 (FINEBLANK.COM):
EU-ZZ,
UK. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:02:22:00 WinXP 72.45.61.112 (ATLANTICBB.NET):
ATLANTIC BROADBAND,
MIDDLETOWN, DELAWARE, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 41
38 of 41		 d031b42d3f
NEW
fa14802705
NEW 		none[none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
T:03:18:00 WinXP 109.98.239.211 (JWS.COM):
EU-ZZ,
UK. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		32 of 32 488d27fe97
NEW 		none[none] none:none
 none|none none none
03:29:00 WinXP 109.98.239.211 (JWS.COM):
EU-ZZ,
UK. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.14.161:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		32 of 32 488d27fe97
NEW 		none[none] none:none
 none|none none none
T:03:41:00 WinXP 64.136.73.53 (64.IN-ADDR.ARPA):
CENTRAMEDIA INCORPORATED,
PAMPA, TEXAS, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
112 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 44
38 of 43		 67c849c687
NEW
fcd5ed4078
NEW 		none[none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
T:04:07:00 Win2K-f 60.244.187.53 (APOL.COM.TW):
ASIA PACIFIC ON-LINE SERVICES INC,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
77 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
57ce4acac2
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:04:25:00 WinXP 189.116.75.67 (TIMBRASIL.COM.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
SãO PAULO, SAO PAULO, BR. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		38 of 42 0d1eb4df79
NEW 		none[none] none:none
 none|none none none
T:04:35:00 WinXP 92.230.82.13 (ALICEDSL.DE):
HANSENET-ADSL,
MUNICH, BAYERN, DE. (DSL) 		213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		42 of 43 500518ab72
NEW 		none[none] none:none
 none|none none none
T:05:09:00 WinXP 94.50.107.97 (PERMONLINE.RU):
DYNAMIC DISTRIBUTION IP'S FOR BROADBAND SERVICES,
MOSCOW, MOSCOW CITY, RU. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.14.161:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		37 of 43 9a9f76bab3
NEW 		none[none] none:none
 none|none none none
T:06:10:00 WinXP 117.20.171.96 (-):
STARHUB HSPA,
SINGAPORE, SINGAPORE, SG. (DSL) 		n/a DE:moscow-advokat.ru
DE:82.98.86.164:6667 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		39 of 43 66a7e9abab
NEW 		none[none] none:none
 none|none none none
T:06:33:00 Win2K-f 1.251.61.249 (-):
. 		83.133.119.197:65520 DE:proxima.ircgalaxy.pl
US:microsoft.com
:newsoftnewsworld.com
EU:adquorum.com
:vetvetcom.com
:backup-windows.ru
EU:tretr23.com
:ytreytre.com
DE:83.133.119.197:65520
RO:89.46.58.133:3128 		135 pcap raw alerts
ruleset 		irc
http
122 lines 		Yeah : 1.8
profile 		none summary
tarball 		38 of 42
31 of 33
30 of 43
31 of 33
29 of 44
30 of 43
30 of 43
21 of 43		 0ed155401e
NEW
168aab35a3
NEW
5f48731984
NEW
667f0c59f3
NEW
b44d3ea50e
NEW
c5055355dc
NEW
c6c7c05857
NEW
ef397e1d19
NEW 		none[none]
60b730b97e[0]
none [none]
8fe2be2095[0]
none [none]
none [none]
none [none]
none [none] 		none:none
ASM:Graph
none:none
ASM:Graph
none:none
none:none
none:none
none:none
 none|none
tElock|
none|none
Armadillo|
none|none
none|none
none|none
none|none 		none
lines=120
embedded dns
none
lines=91
none
none
none
none 		none
trace
none
trace
none
none
none
none
T:06:49:00 Win2K-f 62.182.70.115 (DOBROE.RU):
ZHANR-NET,
MOSCOW, MOSCOW CITY, RU. (DSL) 		n/a :gmail-smtp-in.l.google.com
AT:mailw.lix.aon.at
NO:mx3.hydroispartner.com
CA:mail112.cra-arc.gc.ca
AT:mx01.bagis.at
US:mail.global.frontbridge.com
DE:samsungmail1.sdsg.de
US:mail.midohio.net.mail1.psmtp.com
US:kali-gmbh.com.s200a1.psmtp.com
DE:mail2.hsb-systemhaus.de
110.139.240.104:6667
CN:121.31.253.12:6667
223.175.233.116:6667
223.175.239.27:6667
DE:87.139.105.231:25
HU:91.82.197.254:25 		445 pcap raw alerts
ruleset 		http
http
74 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:06:55:00 Win2K-f 218.161.99.203 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a :backup-windows.ru
EU:svobodaslova.in
US:psmtp1dsm.meredith.com
CA:mail1.bbandt.com
US:wedu.com.s7a1.psmtp.com
US:email.ultra-nspi.com
:mx1.emailsrvr.com
:inbound30.exchangedefender.com
CA:inbound.wgholdsworth.com.netsolmail.net
US:mail-fwd.mx.g19.rapidsite.net
US:weeklystandard.com.s8a1.psmtp.com
:smtp.secureserver.net
:aspmx.l.google.com
EU:smtpin0.mail.de.uu.net
GB:cluster8.eu.messagelabs.com
CA:inbound.wgozdz.com.netsolmail.net
US:mx1.networkdr.net
GB:mx181.emailfiltering.com
DE:proxima.ircgalaxy.pl
DE:mailin.rzone.de
EU:tretr23.com
DE:195.190.13.182:80
DE:195.190.13.182:8103
RO:85.121.39.222:80 		445 pcap raw alerts
ruleset 		http
36 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:08:01:00 Win2K-f 4.174.149.91 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
PHILADELPHIA, PENNSYLVANIA, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:10:10:00 WinXP 93.102.156.141 (REV.OPTIMUS.PT):
OPTIMUS PORTUGAL,
PT. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:10:47:00 WinXP 123.99.1.184 (TAIWANMOBILE.NET):
TAIWAN MOBILE CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a DE:moscow-advokat.ru
DE:82.98.86.164:6667 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		39 of 43 771890b092
NEW 		none[none] none:none
 none|none none none
T:12:08:00 WinXP 212.129.76.221 (-):
METEOR MOBILE BROADBAND,
DUBLIN, DUBLIN, IE. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.14.161:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		41 of 43 fb486908b0
NEW 		none[none] none:none
 none|none none none
T:12:26:00 WinXP 84.237.207.85 (MICROLINK.LV):
TELEKOM,
RIGA, RIGA, LV. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.14.161:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		38 of 43 a621c94e61
NEW 		none[none] none:none
 none|none none none
T:15:10:00 WinXP 2.193.106.252 (-):
. 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		39 of 43 a54598088e
NEW 		none[none] none:none
 none|none none none
T:15:36:00 WinXP 220.130.253.73 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:15:54:00 WinXP 217.201.186.62 (-):
TELECOM ITALIA MOBILE,
ROME, LAZIO, IT. (DSL) 		n/a DE:moscow-advokat.ru
DE:82.98.86.164:6667 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41 735d25139c
NEW 		none[none] none:none
 none|none none none
16:58:00 WinXP 101.14.138.84 (-):
. 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		41 of 43 fb486908b0
NEW 		none[none] none:none
 none|none none none
T:18:28:00 WinXP 186.51.229.34 (-):
. 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		41 of 43 ac4721eddd
NEW 		none[none] none:none
 none|none none none
18:51:00 Win2K-f 218.63.69.77 (163DATA.COM.CN):
CHINANET YUNNAN PROVINCE NETWORK,
BEIJING, BEIJING, CN. (DIAL) 		n/a US:www.maxmind.com
:www.getmyip.org
EU:checkip.dyndns.org
DE:131.220.6.26:80 		445 pcap raw alerts
ruleset 		http
5 lines 		Yeah : 0.8
profile 		none summary
tarball 		3 of 37 d9cb288f31
NEW 		45603a001c [0] ASM:Graph
 UPX| lines=174
embedded dns 		trace
T:18:54:00 WinXP 151.64.112.126 (51-151.NET24.IT):
IUNET-BNET,
ROME, LAZIO, IT. (DSL) 		213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41 d11b1f56f9
NEW 		none[none] none:none
 none|none none none
19:10:00 Win2K-f 64.56.64.18 (VRTSERVERS.NET):
VRTSERVERS INC,
LOS ANGELES, CALIFORNIA, US. (DSL) 		n/a US:www.maxmind.com
US:checkip.dyndns.org
DE:131.220.6.26:80 		445 pcap raw alerts
ruleset 		http
5 lines 		Yeah : 0.8
profile 		none summary
tarball 		3 of 37 d9cb288f31
NEW 		45603a001c [0] ASM:Graph
 UPX| lines=174
embedded dns 		trace
T:19:19:00 Win2K-f 64.56.64.18 (VRTSERVERS.NET):
VRTSERVERS INC,
LOS ANGELES, CALIFORNIA, US. (DSL) 		n/a US:www.maxmind.com
:www.getmyip.org
EU:getmyip.co.uk
JP:www.sbtjapan.com
US:checkip.dyndns.org
DE:131.220.6.26:80
US:208.43.124.51:80
US:64.56.64.18:8119 		445 pcap raw alerts
ruleset 		http
55 lines 		Yeah : 0.8
profile 		none summary
tarball 		3 of 37 d9cb288f31
NEW 		45603a001c [0] ASM:Graph
 UPX| lines=174
embedded dns 		trace
T:22:23:00 Win2K-f 220.128.103.249 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41
none		 2bc8f15054
NEW
964911406f
NEW 		none[none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
T:22:41:00 WinXP 180.207.203.206 (-):
. 		n/a DE:citi-bank.ru
DE:213.155.14.161:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		38 of 43 eae5387e7c
NEW 		none[none] none:none
 none|none none none