Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

01 February 2012
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:46:00 WinXP 46.211.48.122 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:00:49:00 Win2K-f 49.135.205.75 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 41 of 44
41 of 44 99f212a9df
NEW
9fa81e360b
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:00:51:00 WinXP 118.233.250.150 (KBRONET.COM.TW):
TUNG HO MULTIMEDIA CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:01:16:00 WinXP 119.154.95.137 (PIE.NET.PK):
PAKISTAN TELECOMMUNICATION COMPANY LIMITED,
ISLAMABAD, ISLAMABAD, PK. (DSL) n/a DE:sys.zief.pl
DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 37 of 43 6887b99ace
NEW none[none] none:none
none|none none none

T:01:49:00 WinXP 211.75.159.211 (KENNY.COM.TW):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:02:23:00 WinXP 87.0.219.213 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A. TIN EASY LITE,
IT. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 41 of 41 e92ed9f79c
NEW none[none] none:none
none|none none none

T:03:50:00 WinXP 220.216.32.101 (TNC.NE.JP):
TOKAI CORPORATION,
TOKYO, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
99 lines Yeah : 1.3
profile none summary
tarball 39 of 40
40 of 41 6a6aaa5b73
NEW
8bde6dd126
NEW 63889c9976 [0]
885c68f500[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=42
lines=64
embedded dns trace
trace

T:04:01:00 WinXP 89.214.92.41 (-):
GPRS COSTUMERS,
FARO, FARO, PT. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 75a358c05d
NEW none[none] none:none
none|none none none

T:07:44:00 WinXP 112.72.162.190 (-):
HYUNDAI COMMUNICATIONS & NETWORK,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 38 of 41 9276456bf8
NEW none[none] none:none
none|none none none

T:07:58:00 Win2K-f 64.136.73.53 (64.IN-ADDR.ARPA):
CENTRAMEDIA INCORPORATED,
PAMPA, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
112 lines Yeah : 1.3
profile none summary
tarball 39 of 44
38 of 43 67c849c687
NEW
fcd5ed4078
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:08:29:00 WinXP 181.0.195.129 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:11:27:00 WinXP 77.254.22.67 (INETIA.PL):
INTERNETIA,
KATOWICE, SLASKIE, PL. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 42 of 43 aad01847fa
NEW none[none] none:none
none|none none none

T:13:21:00 Win2K-f 220.216.62.19 (THN.NE.JP):
TOKAI CORPORATION,
SHIZUOKA, SHIZUOKA, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
99 lines Yeah : 1.3
profile none summary
tarball 39 of 40
40 of 41 6a6aaa5b73
NEW
8bde6dd126
NEW 63889c9976 [0]
885c68f500[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=42
lines=64
embedded dns trace
trace

T:13:45:00 WinXP 151.10.234.185 (-):
PIRELLI WORLDWIDE NETWORK SPA,
ROME, LAZIO, IT. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 38 of 41 9276456bf8
NEW none[none] none:none
none|none none none

T:14:04:00 WinXP 151.37.90.245 (37-151.NET24.IT):
IUNET-BNET,
NAPOLI, CAMPANIA, IT. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 42 80144ef00a
NEW none[none] none:none
none|none none none

T:14:09:00 WinXP 82.128.246.68 (SUOMI.NET):
OULU TELEPHONE COMPANY,
OULU, OULU, FI. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 39 of 41 d8040f84d4
NEW d683995e84 [0] ASM:Graph
PolyEnE| lines=73 trace

T:14:33:00 WinXP 186.51.251.85 (-):
. n/a DE:moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 309b295182
NEW none[none] none:none
none|none none none

T:14:40:00 WinXP 111.246.68.36 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:15:00:00 WinXP 207.191.249.34 (SPEAKEASY.NET):
CEDAR RAPIDS, IOWA, US. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 41 1096ba143e
NEW none[none] none:none
none|none none none

T:15:16:00 WinXP 175.112.215.99 (-):
. 83.133.119.197:65520 DE:proxim.ircgalaxy.pl
US:microsoft.com
EU:ghyt54.com
EU:poilka09.com
:touchmytralala9856.com
:rewfkg0ret876.com
184.173.252.243:443
184.173.252.246:443
EU:188.247.135.69:80
CN:222.88.205.195:443 135 pcap raw alerts
ruleset irc
http
128 lines Yeah : 1.8
profile none summary
tarball 33 of 42
23 of 43
17 of 43
39 of 42 69f59a0454
NEW
c5458d90cf
NEW
e3a3dd9f16
NEW
f4c93e7909
NEW none[none]
none [none]
none [none]
none [none] none:none
none:none
none:none
none:none
none|none
none|none
none|none
none|none none
none
none
none none
none
none
none

T:16:42:00 WinXP 81.81.123.242 (WWW.E-COW.IT):
WIND TELECOMUNICAZIONI S.P.A,
ROME, LAZIO, IT. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:17:38:00 WinXP 190.241.207.172 (-):
CABLE VISION,
SAN JOSE, SAN JOSE, CR. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 39 of 42 0cee797e1f
NEW none[none] none:none
none|none none none

T:17:56:00 WinXP 70.60.196.66 (RR.COM):
ROAD RUNNER HOLDCO LLC,
CHARLOTTE, NORTH CAROLINA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:18:28:00 Win2K-f 58.146.5.26 (STARCAT.NE.JP):
KMN CORPORATION,
NAGOYA, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:18:43:00 Win2K-f 211.215.76.91 (HANANET.NET):
HANARO TELECOM INC,
ULSAN, ULSAN-GWANGYOKSI, KR. (DSL) 83.133.119.197:65520 DE:proxim.ircgalaxy.pl
US:microsoft.com
EU:ghyt54.com
184.173.252.243:443
184.173.252.246:443
CN:222.88.205.195:443 135 pcap raw alerts
ruleset irc
http
210 lines Yeah : 1.8
profile none summary
tarball 37 of 42
30 of 33
23 of 43
17 of 43 134fbce552
NEW
533d15b5ce
NEW
c5458d90cf
NEW
e3a3dd9f16
NEW none[none]
c67adf46e2[0]
none [none]
none [none] none:none
ASM:Graph
none:none
none:none
none|none
tElock|
none|none
none|none none
lines=126
embedded dns
none
none none
trace
none
none

T:18:49:00 WinXP 122.134.64.70 (MESH.AD.JP):
NEC BIGLOBE LTD,
SENDAI, MIYAGI, JP. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 38 of 41 9276456bf8
NEW none[none] none:none
none|none none none

T:18:59:00 Win2K-f 67.206.183.14 (ELTOPIA.NET):
ELTOPIA.COM LLC,
US. (DSL) n/a 135 pcap raw alerts
ruleset other
18 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:19:45:00 Win2K-f 207.255.219.37 (ATLANTICBB.NET):
ATLANTIC BROADBAND FINANCE LLC,
CUMBERLAND, MARYLAND, US. (DSL) n/a 135 pcap raw alerts
ruleset other
188 lines Yeah : 1.3
profile none summary
tarball 39 of 40 1db29886ac
NEW none[none] none:none
none|none none none

T:23:31:00 WinXP 24.109.223.167 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
THUNDER BAY, ONTARIO, CA. (DSL) n/a :gg.arrancar.org 135 pcap raw alerts
ruleset other
158 lines Yeah : 1.3
profile none summary
tarball 37 of 41 51a03793ab
NEW 429f7618d3 [0] ASM:Graph
none|none lines=546 trace