Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

03 February 2012
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:44:00 WinXP 118.109.218.43 (MESH.AD.JP):
NEC BIGLOBE LTD,
YOKOHAMA, KANAGAWA, JP. (DSL) 		213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		41 of 41 e92ed9f79c
NEW 		none[none] none:none
 none|none none none
T:01:28:00 WinXP 184.167.105.131 (-):
. 		n/a   445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
01:29:00 WinXP 87.9.21.214 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A. TIN EASY LITE,
MILANO, LOMBARDIA, IT. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.14.161:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		37 of 43 0d34cbe94e
NEW 		none[none] none:none
 none|none none none
T:01:43:00 WinXP 110.12.71.127 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 		83.133.119.197:65520 DE:proxim.ircgalaxy.pl
US:microsoft.com
EU:ghyt54.com
EU:poilka09.com
:touchmytralala9856.com
:rewfkg0ret876.com
184.173.252.243:443
184.173.252.246:443
EU:188.247.135.69:80
CN:222.88.205.195:443 		135 pcap raw alerts
ruleset 		irc
http
309 lines 		Yeah : 1.8
profile 		none summary
tarball 		28 of 32
38 of 43
23 of 43
17 of 43		 9276c8b36b
NEW
acb3cb2acf
NEW
c5458d90cf
NEW
e3a3dd9f16
NEW 		none[0]
none [none]
none [none]
none [none] 		none:none
none:none
none:none
none:none
 Armadillo|
none|none
none|none
none|none 		lines=90
none
none
none 		trace
none
none
none
T:01:45:00 Win2K-f 219.71.239.189 (GIGA.NET.TW):
HOSHIN MULTIMEDIA CENTER INC,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
57ce4acac2
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
T:01:56:00 WinXP 118.87.216.2 (HTOJ.J-CNET.JP):
JCN-HTMNET,
JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
127 lines 		Yeah : 1.3
profile 		none summary
tarball 		32 of 36
34 of 36		 0b951c2832
NEW
e4ed4df0f0
NEW 		5fe761661a [0]
de471fc380[0] 		ASM:Graph
ASM:Graph
 Armadillo|
tElock| 		lines=91
lines=64
embedded dns 		trace
trace
T:02:20:00 WinXP 87.51.149.52 (DSL.TELE.DK):
TDC-TELEDANMARK-BREDBAANDSADSL-NET,
COPENHAGEN, KOBENHAVN, DK. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.14.161:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:03:14:00 WinXP 178.37.134.219 (FINEBLANK.COM):
EU-ZZ,
UK. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.14.161:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		39 of 41 d8040f84d4
NEW 		d683995e84 [0] ASM:Graph
 PolyEnE| lines=73 trace
03:47:00 Win2K-f 122.170.9.100 (122.AIRTELBROADBAND.IN):
ABTS-WEST-DSL-MUM,
MUMBAI, MAHARASHTRA, IN. (DSL) 		n/a US:www.maxmind.com
:www.getmyip.org
US:checkip.dyndns.org
DE:131.220.6.26:80 		445 pcap raw alerts
ruleset 		http
5 lines 		Yeah : 0.8
profile 		none summary
tarball 		2 of 37 223d8089f8
NEW 		none[3] none:none
 StarForce| none trace
T:04:29:00 WinXP 118.232.30.79 (KBRONET.COM.TW):
TUNG HO MULTIMEDIA CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.14.161:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:04:46:00 WinXP 78.129.132.93 (-):
SOFTWARE_SOL_INC,
LONDON, ENGLAND, UK. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 1a2c0e6130
NEW 		none[0] none:none
 none|none lines=60 trace
T:04:52:00 Win2K-f 116.83.200.81 (INFOWEB.NE.JP):
INFOWEB(FUJITSU LTD.),
JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
111 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 41
40 of 41		 03eb887daa
NEW
1179d0de83
NEW 		71e224b041 [0]
ab96b69318[0] 		ASM:Graph
ASM:Graph
 Armadillo|
tElock| 		lines=91
lines=64
embedded dns 		trace
trace
T:05:01:00 WinXP 219.85.14.13 (SO-NET.NET.TW):
SONY NETWORK TAIWAN LIMITED,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a :jsthomes.com
TR:adiyamanlicigkoftecim.com
**:akordketrzyn.ugu.pl
TR:akcainsaat.com
TR:akdari.com
US:alsharqpaper.net
:apadanapub.com
182.50.134.1:80
TR:89.19.29.176:80 		445 pcap raw alerts
ruleset 		shell
ftp
http
36 lines 		Yeah : 1.3
profile 		none summary
tarball 		37 of 43 bacba64ff7
NEW 		none[none] none:none
 none|none none none
T:05:03:00 WinXP 67.14.210.39 (MAGTEL.COM):
WORLD LYNX,
BOONEVILLE, KENTUCKY, US. (DSL) 		213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		41 of 42 ff90c1ff00
NEW 		none[none] none:none
 none|none none none
T:05:38:00 WinXP 122.123.168.24 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a :jsthomes.com
TR:adiyamanlicigkoftecim.com
**:akordketrzyn.ugu.pl
TR:akcainsaat.com
TR:akdari.com
US:alsharqpaper.net
:apadanapub.com 		445 pcap raw alerts
ruleset 		http
25 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:06:29:00 WinXP 2.192.108.92 (-):
. 		213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none 558ccb2e99
NEW 		none[none] none:none
 none|none none none
T:06:44:00 WinXP 203.98.104.96 (-):
M/S ORTEL COMMUNICATIONS LTD PLOT C1 CHANDRASEKHARPUR,
BHUBANESHWAR, ORISSA, IN. (DSL) 		n/a :jsthomes.com
TR:adiyamanlicigkoftecim.com
**:akordketrzyn.ugu.pl
TR:akcainsaat.com
TR:akdari.com
US:alsharqpaper.net
:apadanapub.com 		445 pcap raw alerts
ruleset 		http
25 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:06:44:00 Win2K-f 220.218.33.62 (UCOM.NE.JP):
N-OS,
TOKYO, TOKYO, JP. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
99 lines 		Yeah : 1.3
profile 		none summary
tarball 		39 of 40
40 of 41		 6a6aaa5b73
NEW
8bde6dd126
NEW 		63889c9976 [0]
885c68f500[0] 		ASM:Graph
ASM:Graph
 tElock|
tElock| 		lines=42
lines=64
embedded dns 		trace
trace
T:07:11:00 WinXP 180.218.39.236 (-):
. 		n/a DE:citi-bank.ru
DE:213.155.14.161:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 eda3b7766c
NEW 		7556343561 [0] ASM:Graph
 PolyEnE| lines=68 trace
T:07:35:00 WinXP 111.80.113.140 (HINET.NET):
MOBILE BUSINESS GROUP CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.14.161:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		34 of 34 d20f157117
NEW 		738f555183 [0] ASM:Graph
 PolyEnE| lines=68 trace
T:08:05:00 Win2K-f 49.132.123.218 (-):
. 		n/a   135 pcap raw alerts
ruleset 		other
151 lines 		Yeah : 1.3
profile 		none summary
tarball 		41 of 44 99f212a9df
NEW 		none[none] none:none
 none|none none none
T:08:08:00 WinXP 2.134.211.18 (-):
. 		n/a DE:citi-bank.ru
DE:213.155.14.161:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		38 of 41 9276456bf8
NEW 		none[none] none:none
 none|none none none
T:08:57:00 WinXP 109.52.157.79 (JWS.COM):
EU-ZZ,
UK. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:09:13:00 WinXP 195.174.156.37 (-):
TURKSAT UYDU HABERLESME KABLO TV VE ISLETME A.S,
ANKARA, ANKARA, TR. (DSL) 		n/a DE:moscow-advokat.ru
DE:82.98.86.164:6667 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		38 of 43 af614537c1
NEW 		none[none] none:none
 none|none none none
T:09:25:00 WinXP 193.106.163.92 (IPAPER.COM):
BLOCK FOR PI ASSIGNMENTS,
UK. (DSL) 		213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		42 of 43 cd0c8dc071
NEW 		none[none] none:none
 none|none none none
T:09:31:00 WinXP 92.251.214.34 (NETWORK-IE.NET):
PROVIDER LOCAL REGISTRY,
IE. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.14.161:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		41 of 43 fb486908b0
NEW 		none[none] none:none
 none|none none none
T:09:47:00 WinXP 89.204.231.88 (O2.IE):
O2 IRELAND MOBILE PHONE OPERATOR,
DUBLIN, DUBLIN, IE. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.14.161:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		40 of 41 01c4a6b3eb
NEW 		dd524b0259 [0] ASM:Graph
 PolyEnE| lines=68 trace
T:12:42:00 WinXP 62.40.57.164 (O2.IE):
O2 IRELAND MOBILE PHONE OPERATOR,
DUBLIN, DUBLIN, IE. (DSL) 		213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:13:01:00 Win2K-f 24.76.93.226 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
WINNIPEG, MANITOBA, CA. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
158 lines 		Yeah : 1.3
profile 		none summary
tarball 		37 of 41 51a03793ab
NEW 		429f7618d3 [0] ASM:Graph
 none|none lines=546 trace
T:13:01:00 WinXP 98.103.24.169 (RR.COM):
ROAD RUNNER HOLDCO LLC,
HERNDON, VIRGINIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
117 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 43
39 of 42		 29ea64989a
NEW
48bfa789c7
NEW 		none[none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
T:13:25:00 WinXP 216.82.194.176 (GRANDENETWORKS.NET):
GRANDE COMMUNICATIONS CORPUS CHRISTI HUB,
CORPUS CHRISTI, TEXAS, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		38 of 41
38 of 41		 d031b42d3f
NEW
fa14802705
NEW 		none[none]
none [none] 		none:none
none:none
 none|none
none|none 		none
none 		none
none
T:13:39:00 WinXP 178.17.124.146 (FINEBLANK.COM):
EU-ZZ,
UK. (DSL) 		213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 43 c8d42bea74
NEW 		none[none] none:none
 none|none none none
T:14:27:00 WinXP 190.241.207.209 (-):
CABLE VISION,
SAN JOSE, SAN JOSE, CR. (DSL) 		n/a   445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		39 of 42 0cee797e1f
NEW 		none[none] none:none
 none|none none none
T:14:33:00 WinXP 93.156.133.59 (CM-93-156-61-10.TELECABLE.ES):
TELECABLE,
ES. (DSL) 		213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none 594ef5c172
NEW 		none[none] none:none
 none|none none none
T:15:59:00 Win2K-f 70.63.52.230 (RR.COM):
ROAD RUNNER HOLDCO LLC,
INDIANAPOLIS, INDIANA, US. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
1037 lines 		Yeah : 1.3
profile 		none summary
tarball 		none 6f341b6716
NEW 		none[none] none:none
 none|none none none
16:00:00 Win2K-f 94.156.247.68 (NETERRA.NET):
NETERRAIP,
BG. (DSL) 		n/a US:www.maxmind.com
EU:checkip.dyndns.org
:www.getmyip.org
EU:getmyip.co.uk
DE:131.220.6.26:80
EU:91.198.22.70:80 		445 pcap raw alerts
ruleset 		http
11 lines 		Yeah : 0.8
profile 		none summary
tarball 		4 of 37 8ce32ded17
NEW 		none[3] none:none
 Armadillo| none trace
T:16:05:00 WinXP 208.65.246.66 (295.CA):
3757277 CANADA INC. (OA 295.CA),
HAMILTON, ONTARIO, CA. (DIAL) 		213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
3 lines 		Yeah : 1.3
profile 		none summary
tarball 		42 of 43 2c94e3fd00
NEW 		none[none] none:none
 none|none none none
T:16:09:00 Win2K-f 94.156.247.68 (NETERRA.NET):
NETERRAIP,
BG. (DSL) 		n/a US:www.maxmind.com
US:checkip.dyndns.org
DE:131.220.6.26:80 		445 pcap raw alerts
ruleset 		http
6 lines 		Yeah : 0.8
profile 		none summary
tarball 		4 of 37 8ce32ded17
NEW 		none[3] none:none
 Armadillo| none trace
T:17:42:00 Win2K-f 70.184.173.241 (COX.NET):
COX COMMUNICATIONS,
GLOUCESTER, VIRGINIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 33		 53bfe15e91
NEW
a08f3b74a4
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace
18:20:00 WinXP 217.202.32.143 (-):
TELECOM ITALIA MOBILE,
ROME, LAZIO, IT. (DSL) 		213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 43 c8d42bea74
NEW 		none[none] none:none
 none|none none none
T:19:40:00 Win2K-f 61.150.5.66 (163DATA.COM.CN):
XI'AN DATA BRANCH XIAN CITY SHAANXI PROVINCE,
XIAN, SHAANXI, CN. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
110 lines 		Yeah : 1.3
profile 		none summary
tarball 		40 of 41
41 of 43		 5799ab6538
NEW
ddbe111920
NEW 		2713679411 [0]
none [none] 		ASM:Graph
none:none
 tElock|
none|none 		lines=64
embedded dns
none 		trace
none
T:19:50:00 WinXP 89.204.199.155 (O2.IE):
O2 IRELAND MOBILE PHONE OPERATOR,
DUBLIN, DUBLIN, IE. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		none summary
tarball 		26 of 28 7d99b0e910
NEW 		none[0] none:none
 PolyEnE| lines=68 trace
T:21:42:00 WinXP 4.143.240.183 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
BRIDGEVIEW, ILLINOIS, US. (DIAL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
89 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
8 of 33		 53bfe15e91
NEW
b7082104e4
NEW 		1473091351 [0]
c5b49e7b82[0] 		ASM:Graph
ASM:Graph
 tElock|
tElock| 		lines=75
embedded dns
lines=41 		trace
trace
T:23:16:00 Win2K-f 12.73.13.102 (ATT.NET):
AT&T WORLDNET SERVICES,
PORTLAND, OREGON, US. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
258 lines 		Yeah : 1.3
profile 		none summary
tarball 		33 of 33
0 of 32		 53bfe15e91
NEW
73f1082158
NEW 		1473091351 [0]
none [0] 		ASM:Graph
none:none
 tElock|
Armadillo| 		lines=75
embedded dns
lines=90 		trace
trace