Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

12 January 2012
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:22:00 Win2K-f 75.37.173.250 (SBCGLOBAL.NET):
JASON LEE,
PLANO, TEXAS, US. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:01:27:00 WinXP 91.64.160.111 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
BERLIN, BERLIN, DE. (DSL) n/a DE:moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 43 1511a3f219
NEW none[none] none:none
none|none none none

T:04:35:00 WinXP 101.1.209.128 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:05:12:00 WinXP 93.95.186.101 (-):
LAN_GS,
KIEV, KYYIV, UA. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:05:16:00 WinXP 114.185.52.190 (PLALA.OR.JP):
NTT PLALA INC,
JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
13 lines Yeah : 1.3
profile none summary
tarball 29 of 29 831f4ee0a7
NEW none[0] none:none
none|none lines=60 trace

T:05:35:00 Win2K-f 202.147.222.243 (KCN-TV.NE.JP):
KUMAMOTO CABLE NETWORK CORPORATION,
KUMAMOTO, KUMAMOTO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
99 lines Yeah : 1.3
profile none summary
tarball 40 of 42
39 of 40 1c6fe0e622
NEW
6eb9029327
NEW none[none]
8cbcf621b4[0] none:none
ASM:Graph
none|none
tElock| none
lines=64
embedded dns none
trace

T:05:47:00 WinXP 109.125.59.217 (STERLINGSTUDENTS.NET):
EU-ZZ,
UK. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball 40 of 42 00fda472cb
NEW none[none] none:none
none|none none none

T:07:07:00 WinXP 84.32.55.57 (VDNET.LT):
NTT DATA SERVICE FOR VIGINTA PARTNER,
VILNIUS, VILNIAUS APSKRITIS, LT. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 67db574df4
NEW none[none] none:none
none|none none none

T:07:10:00 Win2K-f 1.251.61.44 (-):
. 83.133.119.197:65520 DE:proxima.ircgalaxy.pl
US:microsoft.com
EU:vbnjhg.com
EU:ivestgrpp.ru 135 pcap raw alerts
ruleset irc
http
http
http
http
130 lines Yeah : 1.8
profile none summary
tarball 31 of 33
31 of 33
17 of 43 168aab35a3
NEW
667f0c59f3
NEW
e3a3dd9f16
NEW 60b730b97e [0]
8fe2be2095[0]
none [none] ASM:Graph
ASM:Graph
none:none
tElock|
Armadillo|
none|none lines=120
embedded dns
lines=91
none trace
trace
none

T:08:39:00 WinXP 46.109.110.19 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 41 d8040f84d4
NEW d683995e84 [0] ASM:Graph
PolyEnE| lines=73 trace

T:09:59:00 WinXP 193.93.110.216 (GRAT.NET.UA):
GRAT NETWORK INTERNET SERVICE PROVIDER,
KIEV, KYYIV, UA. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 41 1d0ce31c6d
NEW none[none] none:none
none|none none none

T:10:37:00 Win2K-f 98.101.143.183 (RR.COM):
ROAD RUNNER HOLDCO LLC,
HERNDON, VIRGINIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:10:54:00 Win2K-f 220.216.62.212 (THN.NE.JP):
TOKAI CORPORATION,
SHIZUOKA, SHIZUOKA, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
99 lines Yeah : 1.3
profile none summary
tarball 39 of 40
40 of 41 6a6aaa5b73
NEW
8bde6dd126
NEW 63889c9976 [0]
885c68f500[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=42
lines=64
embedded dns trace
trace

T:11:11:00 WinXP 46.249.74.207 (-):
. n/a DE:moscow-advokat.ru
DE:82.98.86.164:6667 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 8a695d69c7
NEW none[none] none:none
none|none none none

T:11:11:00 WinXP 46.214.124.153 (-):
. n/a DE:citi-bank.ru
DK:bem.dk
US:banboon.com
MY:bdb.com.my 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball none c3f210f80c
NEW none[none] none:none
none|none none none

T:11:22:00 WinXP 176.17.19.250 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 39 of 40 5e8ccc4190
NEW 8d5f86583f [0] ASM:Graph
PolyEnE| lines=68 trace

T:12:41:00 WinXP 70.63.52.230 (RR.COM):
ROAD RUNNER HOLDCO LLC,
INDIANAPOLIS, INDIANA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
82 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:12:59:00 WinXP 120.138.128.3 (STARCAT.NE.JP):
KMN CORPORATION,
TOKYO, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
127 lines Yeah : 1.3
profile none summary
tarball 39 of 41
40 of 41 6a1dc43309
NEW
94e49d5627
NEW 522dace6c1 [0]
777259292a[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:13:15:00 WinXP 190.208.110.66 (-):
TELMEX CHILE S.A HFC,
SANTIAGO, REGION METROPOLITANA, CL. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 1.3
profile none summary
tarball 39 of 41 d8040f84d4
NEW d683995e84 [0] ASM:Graph
PolyEnE| lines=73 trace

T:13:32:00 WinXP 123.194.144.38 (KBRONET.COM.TW):
TUNG HO MULTIMEDIA CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:13:38:00 WinXP 77.20.197.44 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
HAMBURG, HAMBURG, DE. (DSL) n/a 445 pcap raw alerts
ruleset ftp
12 lines Yeah : 0.8
profile none summary
tarball 29 of 29 1a2c0e6130
NEW none[0] none:none
none|none lines=60 trace

T:14:10:00 WinXP 109.86.130.69 (JWS.COM):
EU-ZZ,
UK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:14:16:00 WinXP 134.249.156.195 (TERMBILLING.COM):
VARIOUS REGISTRIES,
UK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball none 4357a05f13
NEW none[none] none:none
none|none none none

T:15:08:00 WinXP 118.83.39.52 (HTOJ.J-CNET.JP):
JCN-HTMNET,
JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
123 lines Yeah : 1.3
profile none summary
tarball 32 of 36
34 of 36 0b951c2832
NEW
e4ed4df0f0
NEW 5fe761661a [0]
de471fc380[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:15:10:00 Win2K-f 96.8.188.216 (GVTC.COM):
GUADALUPE VALLEY TELEPHONE COOPERATIVE INC,
NEW BRAUNFELS, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 39 of 41
39 of 40 9bdd2c95b1
NEW
cd456ac095
NEW d1bbd693ba [0]
d75caee680[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:15:27:00 WinXP 207.191.247.136 (SPEAKEASY.NET):
CEDAR RAPIDS, IOWA, US. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 42 751685117f
NEW none[none] none:none
none|none none none

T:15:37:00 WinXP 109.54.36.58 (JWS.COM):
EU-ZZ,
UK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:15:46:00 WinXP 2.192.240.134 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
3 lines Yeah : 1.3
profile none summary
tarball 38 of 42 0d1eb4df79
NEW none[none] none:none
none|none none none

T:15:55:00 WinXP 119.243.38.103 (MESH.AD.JP):
NEC BIGLOBE LTD,
TOKYO, TOKYO, JP. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 41 e92ed9f79c
NEW none[none] none:none
none|none none none

16:03:00 WinXP 109.54.36.58 (JWS.COM):
EU-ZZ,
UK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:16:49:00 WinXP 4.159.162.126 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
MINNEAPOLIS, MINNESOTA, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:17:30:00 WinXP 187.160.167.217 (NIC-R2-R1-MTY.NIC.MX):
NETWORK INFORMATION CENTER MEXICO,
MX. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none 7eb0381690
NEW none[none] none:none
none|none none none

17:38:00 WinXP 187.160.167.217 (NIC-R2-R1-MTY.NIC.MX):
NETWORK INFORMATION CENTER MEXICO,
MX. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball none 7eb0381690
NEW none[none] none:none
none|none none none

T:17:58:00 WinXP 70.165.19.215 (COX.NET):
COX COMMUNICATIONS,
OKLAHOMA CITY, OKLAHOMA, US. (DSL) 83.133.119.197:65520 DE:proxim.ircgalaxy.pl
US:microsoft.com
EU:vbnjhg.com
EU:ivestgrpp.ru
US:mta5.am0.yahoodns.net
:proxy3.zos-v.ru
US:mx1.hotmail.com
RU:mx-corp.yandex.ru
US:mx0.gmx.com
:webmail.mailmonstruo.com
US:eforwardct.name-services.com
BR:mx-psi.terra.com.br
BR:mx3.bol.com.br
BR:smtp.zipmail.com.br
:ASPMX.L.GOOGLE.com
HK:imsmx1.netvigator.com
US:mx2.hotmail.com
FR:mx.noos.fr
EU:91.207.6.35:80 135 pcap raw alerts
ruleset irc
http
http
http
http
170 lines Yeah : 1.8
profile none summary
tarball 39 of 42
none
none
17 of 43 220c0b183d
NEW
31beec024d
NEW
40a82f045f
NEW
e3a3dd9f16
NEW none[none]
none [none]
none [none]
none [none] none:none
none:none
none:none
none:none
none|none
none|none
none|none
none|none none
none
none
none none
none
none
none

18:09:00 WinXP 211.76.71.81 (UBBN.NET):
UNION BROADBAND NETWORK,
TAIPEI, T'AI-PEI, TW. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 43 75a358c05d
NEW none[none] none:none
none|none none none

T:18:34:00 Win2K-f 70.60.191.151 (RR.COM):
ROAD RUNNER HOLDCO LLC,
MEMPHIS, TENNESSEE, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:19:22:00 Win2K-f 211.75.191.142 (HINET.NET):
HSINCHU CHANG YI BAU SI COMMUNITY,
TAIPEI, T'AI-PEI, TW. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 39 of 41
37 of 40 5d445c59d8
NEW
8a54950abb
NEW 892e12db7b [0]
f6b9e43917[0] ASM:Graph
ASM:Graph
tElock|
Armadillo| lines=64
embedded dns
lines=91 trace
trace

T:20:42:00 WinXP 180.218.86.20 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 41 d8040f84d4
NEW d683995e84 [0] ASM:Graph
PolyEnE| lines=73 trace

20:44:00 WinXP 89.214.97.22 (-):
GPRS COSTUMERS,
LISBON, LISBOA, PT. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none 4a6d061190
NEW none[none] none:none
none|none none none

T:21:12:00 WinXP 202.70.246.104 (ONINET.NE.JP):
OKAYAMA NETWORK INC,
OKAYAMA, OKAYAMA, JP. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none c75c73f3c7
NEW none[none] none:none
none|none none none

T:22:10:00 WinXP 219.127.53.121 (WAKWAK.NE.JP):
XEPHION(NTT-ME CORPORATION),
TOKYO, TOKYO, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
13 lines Yeah : 0.8
profile none summary
tarball 31 of 32 741e3b03b3
NEW none[0] none:none
none|none lines=61 trace

T:22:53:00 WinXP 88.29.6.109 (RIMA-TDE.NET):
TELEFONICA MOVILES ESPANA (NCC#2007041930),
MADRID, MADRID, ES. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:23:01:00 WinXP 223.19.239.10 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace