|
Time |
Victim OS |
Infection Source |
C&C Server |
DNS Lookups & Failed Connects |
Infection Port |
Packet Trace |
Detection Signatures |
Infection Chatter |
BotHunter Analysis |
Behavioral Cluster |
Forensic Logs |
Antivirus Labels |
Packed Malware_Binary |
Unpacked egg.exe |
Unpacked egg.asm |
Packer PEID |
Data Strings |
Syscall Trace |
| T:00:40:00 | WinXP | 46.109.184.134 (-): . |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
41 of 41 | 9d38d43309 NEW |
none[none] | none:none |
none|none | none | none |
| T:01:30:00 | WinXP | 173.31.94.82 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, MIDDLETOWN, NEW YORK, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 59 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 8 of 33 |
53bfe15e91 NEW b7082104e4 NEW |
1473091351 [0] c5b49e7b82[0] |
ASM:Graph ASM:Graph |
tElock| tElock| |
lines=75 embedded dns lines=41 |
trace trace |
| T:03:21:00 | WinXP | 87.189.80.227 (T-DIALIN.NET): DEUTSCHE TELEKOM AG, GEILENKIRCHEN, NORDRHEIN-WESTFALEN, DE. (DIAL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
37 of 43 | ca3e3b13f3 NEW |
none[none] | none:none |
none|none | none | none |
| T:04:04:00 | WinXP | 65.36.21.120 (GRANDENETWORKS.NET): GRANDE COMMUNICATIONS ODESSA HUB, SAN MARCOS, TEXAS, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 41 38 of 41 |
d031b42d3f NEW fa14802705 NEW |
none[none] none [none] |
none:none none:none |
none|none none|none |
none none |
none none |
| T:05:38:00 | Win2K-f | 211.133.213.201 (THN.NE.JP): TOKAI CORPORATION, JP. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 111 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 41 40 of 41 |
71e6f60517 NEW ab4e3226c4 NEW |
1ef1781501 [0] c2d0313e73[0] |
ASM:Graph none:none |
Armadillo| tElock| |
lines=91 none |
trace trace |
| T:05:45:00 | WinXP | 116.203.212.58 (-): . |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
39 of 40 | 5e8ccc4190 NEW |
8d5f86583f [0] | ASM:Graph |
PolyEnE| | lines=68 | trace |
| 07:03:00 | WinXP | 109.87.66.134 (JWS.COM): EU-ZZ, UK. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
41 of 43 | fb486908b0 NEW |
none[none] | none:none |
none|none | none | none |
| T:07:17:00 | WinXP | 110.11.246.174 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) |
95.143.193.118:65520 | :proxim.ircgalaxy.pl US:microsoft.com :mnbmnbmnb.com EU:tretr23.com :ytreytre.com IN:121.245.130.186:3128 175.106.57.172:3128 178.122.120.173:3128 178.122.53.234:3128 EU:188.247.135.115:80 AR:200.43.164.95:3128 223.175.231.225:3128 223.175.232.20:3128 223.175.240.173:3128 223.175.240.216:3128 223.175.242.25:3128 CN:58.249.63.43:3128 HU:77.234.66.255:3128 |
135 | pcap | raw alerts ruleset |
irc http 122 lines |
Yeah : 1.8 profile |
none | summary tarball |
38 of 42 31 of 43 33 of 42 26 of 42 39 of 42 |
0ed155401e NEW 16db2c6e04 NEW 69f59a0454 NEW 7ee94178a2 NEW f4c93e7909 NEW |
none[none] none [none] none [none] none [none] none [none] |
none:none none:none none:none none:none none:none |
none|none none|none none|none none|none none|none |
none none none none none |
none none none none none |