Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

07 February 2012
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:23:00 WinXP 64.253.106.19 (COPPER.COM):
IGLOU INTERNET SERVICES,
LOUISVILLE, KENTUCKY, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
100 lines Yeah : 1.3
profile none summary
tarball 39 of 40
40 of 41 6a6aaa5b73
NEW
8bde6dd126
NEW 63889c9976 [0]
885c68f500[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=42
lines=64
embedded dns trace
trace

T:00:54:00 WinXP 178.151.167.106 (FINEBLANK.COM):
EU-ZZ,
UK. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:01:50:00 WinXP 117.20.168.22 (-):
STARHUB HSPA,
SINGAPORE, SINGAPORE, SG. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:02:16:00 WinXP 2.134.3.81 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 42 bcb3ec60f2
NEW none[none] none:none
none|none none none

T:02:41:00 WinXP 94.235.217.109 (-):
WARID TELECOM GEORGIA LTD,
GE. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 38 of 41 9276456bf8
NEW none[none] none:none
none|none none none

T:03:01:00 WinXP 207.144.15.229 (CSTEL.NET):
COM-SOUTH,
KATHLEEN, GEORGIA, US. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball none 4357a05f13
NEW none[none] none:none
none|none none none

T:04:31:00 WinXP 31.207.223.48 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none 18069de9ed
NEW none[none] none:none
none|none none none

T:05:11:00 WinXP 113.19.9.21 (VSNL.NET.IN):
INTERNET SERVICE PROVIDER,
CHENNAI, TAMIL NADU, IN. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 42 0cee797e1f
NEW none[none] none:none
none|none none none

T:05:14:00 WinXP 49.132.224.171 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball 41 of 44
41 of 44 99f212a9df
NEW
9fa81e360b
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:06:42:00 WinXP 180.177.76.210 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 41 139d9f24db
NEW none[none] none:none
none|none none none

T:06:57:00 WinXP 219.85.237.173 (SO-NET.NET.TW):
SONY NETWORK TAIWAN LIMITED,
TAIPEI, T'AI-PEI, TW. (DSL) n/a :jsthomes.com
TR:adiyamanlicigkoftecim.com
**:akordketrzyn.ugu.pl
TR:akcainsaat.com
182.50.134.1:80
TR:89.19.29.176:80
TR:89.19.30.180:80 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 37 of 43 bacba64ff7
NEW none[none] none:none
none|none none none

T:07:15:00 WinXP 80.117.76.205 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A. TIN EASY LITE,
VICENZA, VENETO, IT. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:07:45:00 WinXP 31.19.152.148 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 38 of 41 c754b885bc
NEW none[none] none:none
none|none none none

T:07:50:00 WinXP 109.86.130.69 (JWS.COM):
EU-ZZ,
UK. (DSL) n/a DE:citi-bank.ru
DK:bem.dk
:banboon.com 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 57d9829b6a
NEW none[none] none:none
none|none none none

T:07:56:00 Win2K-f 75.37.173.251 (SBCGLOBAL.NET):
JASON LEE,
PLANO, TEXAS, US. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:08:38:00 WinXP 87.105.141.173 (NET.PL):
DYNAMIC BROADBAND SERVICES,
WROCLAW, DOLNOSLASKIE, PL. (DSL) n/a :jsthomes.com
TR:adiyamanlicigkoftecim.com
**:akordketrzyn.ugu.pl
TR:akcainsaat.com
TR:akdari.com
US:alsharqpaper.net
:apadanapub.com
182.50.134.1:80
TR:89.19.29.176:80
TR:89.19.30.180:80 445 pcap raw alerts
ruleset http
21 lines Argh : 0.3
profile none summary
tarball none none none none none none none

T:09:05:00 WinXP 106.66.234.16 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:09:23:00 Win2K-f 68.189.248.17 (CHARTER.COM):
CHARTER COMMUNICATIONS,
PEPPERELL, MASSACHUSETTS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:10:44:00 WinXP 77.64.158.195 (PRIMACOM.NET):
PRIMACOM-HEADENDS,
CHEMNITZ, SACHSEN, DE. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 39 of 43 53bd956572
NEW none[none] none:none
none|none none none

T:11:37:00 WinXP 31.162.21.152 (-):
. n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 32 of 32 488d27fe97
NEW none[none] none:none
none|none none none

T:12:06:00 Win2K-f 4.152.165.63 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
NASHVILLE, TENNESSEE, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:14:22:00 WinXP 31.42.162.69 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 37 of 43 ca3e3b13f3
NEW none[none] none:none
none|none none none

T:15:03:00 WinXP 164.132.128.90 (-):
IUNET S.P.A,
ROME, LAZIO, IT. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 37 of 41 ae0b85768e
NEW none[none] none:none
none|none none none

T:15:39:00 WinXP 93.102.130.69 (REV.OPTIMUS.PT):
OPTIMUS PORTUGAL,
PT. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 39 of 41 d8040f84d4
NEW d683995e84 [0] ASM:Graph
PolyEnE| lines=73 trace

15:58:00 WinXP 217.203.140.232 (-):
TELECOM ITALIA MOBILE,
IT. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 38 of 42 0d1eb4df79
NEW none[none] none:none
none|none none none

T:16:10:00 WinXP 77.21.2.67 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
BERLIN, BERLIN, DE. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball none 84764a1a77
NEW none[none] none:none
none|none none none

T:17:04:00 WinXP 4.225.174.244 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
WHITNEY, TEXAS, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
87 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:18:12:00 Win2K-f 118.83.46.116 (HTOJ.J-CNET.JP):
JCN-HTMNET,
JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
123 lines Yeah : 1.3
profile none summary
tarball none
none 3f22951423
NEW
b0b073d141
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:19:17:00 WinXP 173.19.214.228 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
IOWA CITY, IOWA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
60 lines Yeah : 1.3
profile none summary
tarball 33 of 33
8 of 33 53bfe15e91
NEW
b7082104e4
NEW 1473091351 [0]
c5b49e7b82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=75
embedded dns
lines=41 trace
trace

T:19:48:00 Win2K-f 1.247.138.126 (-):
. 91.226.212.159:65520 EU:proxima.ircgalaxy.pl
US:microsoft.com
EU:ghyt54.com
184.173.252.243:443
184.173.252.246:443
EU:188.247.135.95:80 135 pcap raw alerts
ruleset irc
http
128 lines Yeah : 1.8
profile none summary
tarball 31 of 33
31 of 33
21 of 43
17 of 43 168aab35a3
NEW
667f0c59f3
NEW
941c3fa895
NEW
e3a3dd9f16
NEW 60b730b97e [0]
8fe2be2095[0]
none [none]
none [none] ASM:Graph
ASM:Graph
none:none
none:none
tElock|
Armadillo|
none|none
none|none lines=120
embedded dns
lines=91
none
none trace
trace
none
none

T:20:49:00 Win2K-f 4.225.215.169 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
DENVER, COLORADO, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
162 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:21:59:00 WinXP 126.241.37.165 (BBTEC.NET):
JAPAN NATION-WIDE NETWORK OF SOFTBANK BB CORP,
TOKYO, TOKYO, JP. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 42 bcb3ec60f2
NEW none[none] none:none
none|none none none

T:22:38:00 Win2K-f 58.107.231.142 (OPTUSNET.COM.AU):
OPTUS INTERNET - RETAIL,
MELBOURNE, VICTORIA, AU. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball none
none 3bcfbacdfc
NEW
90cf11b441
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:22:38:00 WinXP 31.42.162.69 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 37 of 43 ca3e3b13f3
NEW none[none] none:none
none|none none none

T:23:13:00 Win2K-f 75.37.173.251 (SBCGLOBAL.NET):
JASON LEE,
PLANO, TEXAS, US. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace