|
Time |
Victim OS |
Infection Source |
C&C Server |
DNS Lookups & Failed Connects |
Infection Port |
Packet Trace |
Detection Signatures |
Infection Chatter |
BotHunter Analysis |
Behavioral Cluster |
Forensic Logs |
Antivirus Labels |
Packed Malware_Binary |
Unpacked egg.exe |
Unpacked egg.asm |
Packer PEID |
Data Strings |
Syscall Trace |
| T:00:36:00 | Win2K-f | 220.128.222.76 (HINET.NET): CHTD CHUNGHWA TELECOM CO. LTD, TAIPEI, T'AI-PEI, TW. (100Mbps) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 41 none |
2bc8f15054 NEW 964911406f NEW |
none[none] none [none] |
none:none none:none |
none|none none|none |
none none |
none none |
| T:00:43:00 | Win2K-f | 220.216.62.78 (THN.NE.JP): TOKAI CORPORATION, SHIZUOKA, SHIZUOKA, JP. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 99 lines |
Yeah : 1.3 profile |
none | summary tarball |
39 of 40 40 of 41 |
6a6aaa5b73 NEW 8bde6dd126 NEW |
63889c9976 [0] 885c68f500[0] |
ASM:Graph ASM:Graph |
tElock| tElock| |
lines=42 lines=64 embedded dns |
trace trace |
| 01:04:00 | WinXP | 116.203.216.207 (-): . |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
| T:02:43:00 | WinXP | 31.18.136.198 (-): . |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
42 of 43 | 5f186aa322 NEW |
none[none] | none:none |
none|none | none | none |
| T:03:09:00 | WinXP | 46.203.72.137 (-): . |
213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 44 | 994930c79a NEW |
none[none] | none:none |
none|none | none | none |
| T:03:15:00 | WinXP | 114.164.166.138 (OCN.NE.JP): OPEN COMPUTER NETWORK, JP. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
shell ftp 15 lines |
Yeah : 1.3 profile |
none | summary tarball |
37 of 40 | 5285741560 NEW |
60590b8b67 [0] | ASM:Graph |
none|none | lines=59 | trace | |
| T:03:25:00 | WinXP | 123.192.180.205 (KBRONET.COM.TW): TUNG HO MULTIMEDIA CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
| T:03:26:00 | WinXP | 188.193.76.218 (SUPERKABEL.DE): KABEL-DEUTSCHLAND-CUSTOMER-SERVICES, DE. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
41 of 43 | 2acefaf1dc NEW |
none[none] | none:none |
none|none | none | none |
| T:04:24:00 | WinXP | 76.191.20.229 (SPEAKEASY.NET): SAN FRANCISCO, CALIFORNIA, US. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
41 of 43 | fb486908b0 NEW |
none[none] | none:none |
none|none | none | none |
| T:05:37:00 | WinXP | 186.88.54.140 (-): . |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
| T:05:43:00 | WinXP | 88.134.125.96 (SUPERKABEL.DE): KABEL-DEUTSCHLAND-CUSTOMER-SERVICES, KOBLENZ, RHEINLAND-PFALZ, DE. (DSL) |
n/a | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
41 of 43 | fb486908b0 NEW |
none[none] | none:none |
none|none | none | none | |
| 06:37:00 | Win2K-f | 118.141.133.193 (HUTCHCITY.COM): HUTCHISON GLOBAL COMMUNICATIONS, HONG KONG, HONG KONG (SAR), HK. (DSL) |
n/a | :www.maxmind.com EU:getmyip.co.uk US:checkip.dyndns.org US:208.43.124.51:80 |
445 | pcap | raw alerts ruleset |
http 9 lines |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | d9cb288f31 NEW |
45603a001c [0] | ASM:Graph |
UPX| | lines=174 embedded dns |
trace |
| T:06:45:00 | Win2K-f | 118.141.133.193 (HUTCHCITY.COM): HUTCHISON GLOBAL COMMUNICATIONS, HONG KONG, HONG KONG (SAR), HK. (DSL) |
n/a | :www.maxmind.com EU:getmyip.co.uk EU:checkip.dyndns.org DE:131.220.6.26:80 US:208.43.124.51:80 |
445 | pcap | raw alerts ruleset |
http 11 lines |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | d9cb288f31 NEW |
45603a001c [0] | ASM:Graph |
UPX| | lines=174 embedded dns |
trace |
| T:06:57:00 | WinXP | 79.121.45.235 (KABELNET.HU): VIDANET CABLETELEVISION PROVIDER LTD, HU. (DSL) |
213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
37 of 43 | bdfc299d04 NEW |
none[none] | none:none |
none|none | none | none |
| T:07:05:00 | Win2K-f | 122.146.240.15 (SPARQNET.NET): NEW CENTRY INFOCOM TECH. CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:08:26:00 | WinXP | 70.62.193.198 (RR.COM): ROAD RUNNER HOLDCO LLC, MEDINA, OHIO, US. (DSL) |
n/a | 135 | pcap | raw alerts ruleset |
other 1002 lines |
Yeah : 1.3 profile |
none | summary tarball |
32 of 41 | 43b8f21924 NEW |
none[3] | none:none |
none|none | none | trace | |
| T:09:15:00 | WinXP | 46.119.250.165 (-): . |
213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
37 of 43 | ca3e3b13f3 NEW |
none[none] | none:none |
none|none | none | none |
| T:09:43:00 | WinXP | 109.52.54.220 (JWS.COM): EU-ZZ, UK. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
| T:09:59:00 | WinXP | 46.211.224.96 (-): . |
213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
| T:10:41:00 | WinXP | 109.191.36.108 (STERLINGSTUDENTS.NET): EU-ZZ, UK. (DSL) |
n/a | DE:moscow-advokat.ru DE:82.98.86.164:6667 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
38 of 43 | af614537c1 NEW |
none[none] | none:none |
none|none | none | none |
| T:12:32:00 | WinXP | 61.150.5.66 (163DATA.COM.CN): XI'AN DATA BRANCH XIAN CITY SHAANXI PROVINCE, XIAN, SHAANXI, CN. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 41 41 of 43 |
5799ab6538 NEW ddbe111920 NEW |
2713679411 [0] none [none] |
ASM:Graph none:none |
tElock| none|none |
lines=64 embedded dns none |
trace none |
| T:12:58:00 | WinXP | 68.189.248.17 (CHARTER.COM): CHARTER COMMUNICATIONS, PEPPERELL, MASSACHUSETTS, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:13:19:00 | WinXP | 188.214.220.43 (TIM.RO): JUMP NETWORK SERVICES S.R.L, RO. (DSL) |
n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
38 of 42 | 8a2553433c NEW |
none[none] | none:none |
none|none | none | none |
| T:13:47:00 | WinXP | 93.102.224.41 (REV.OPTIMUS.PT): OPTIMUS PORTUGAL, PT. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
39 of 41 | ceda94eae1 NEW |
none[none] | none:none |
none|none | none | none |
| T:14:47:00 | WinXP | 173.17.92.205 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, HUTCHINSON, MINNESOTA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 59 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 8 of 33 |
53bfe15e91 NEW b7082104e4 NEW |
1473091351 [0] c5b49e7b82[0] |
ASM:Graph ASM:Graph |
tElock| tElock| |
lines=75 embedded dns lines=41 |
trace trace |
| T:15:12:00 | WinXP | 67.197.133.150 (COMPORIUM.NET): COMPORIUM COMMUNICATIONS, ROCK HILL, SOUTH CAROLINA, US. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
| T:15:41:00 | WinXP | 12.231.85.192 (NEXBAND.COM): NEXBAND INC, CHICKAMAUGA, GEORGIA, US. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
40 of 42 | 7a3dc969d4 NEW |
none[none] | none:none |
none|none | none | none |
| T:15:41:00 | WinXP | 207.191.249.197 (SPEAKEASY.NET): CEDAR RAPIDS, IOWA, US. (DSL) |
213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 41 | 1096ba143e NEW |
none[none] | none:none |
none|none | none | none |
| 15:58:00 | Win2K-f | 190.5.61.21 (TECHTELNET.NET): AR. (DSL) |
n/a | :www.maxmind.com :www.getmyip.org EU:getmyip.co.uk US:checkip.dyndns.org DE:131.220.6.26:80 |
445 | pcap | raw alerts ruleset |
http 12 lines |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | dc331fb791 NEW |
none[3] | none:none |
UPX| | none | trace |
| T:16:27:00 | WinXP | 31.42.162.69 (-): . |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
37 of 43 | ca3e3b13f3 NEW |
none[none] | none:none |
none|none | none | none |
| T:16:57:00 | WinXP | 46.109.247.18 (-): . |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
41 of 43 | 9ca75f8961 NEW |
none[none] | none:none |
none|none | none | none |
| T:17:09:00 | WinXP | 24.51.152.62 (-): . |
213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | 7d87813024 NEW |
none[none] | none:none |
none|none | none | none |
| T:18:24:00 | Win2K-f | 50.81.71.165 (-): . |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 75 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 33 |
53bfe15e91 NEW a08f3b74a4 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| 19:18:00 | Win2K-f | 202.129.196.138 (WLS.NET.IN): WIRELESS SOLUTION INDIA PVT LTD, IN. (DSL) |
n/a | :www.maxmind.com :www.getmyip.org EU:getmyip.co.uk EU:checkip.dyndns.org 174.36.207.186:80 EU:78.40.35.130:80 EU:91.198.22.70:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
2 of 37 | 71afca1665 NEW |
none[3] | none:none |
StarForce| | none | trace |
| T:19:26:00 | Win2K-f | 202.129.196.138 (WLS.NET.IN): WIRELESS SOLUTION INDIA PVT LTD, IN. (DSL) |
n/a | :www.maxmind.com :www.getmyip.org US:checkip.dyndns.org DE:131.220.6.26:80 |
445 | pcap | raw alerts ruleset |
http 5 lines |
Yeah : 0.8 profile |
none | summary tarball |
2 of 37 | 71afca1665 NEW |
none[3] | none:none |
StarForce| | none | trace |
| T:19:34:00 | WinXP | 67.219.71.163 (CABLEROCKET.NET): AVENUE-BROADBAND-VINCENNES, BELLFLOWER, CALIFORNIA, US. (DSL) |
213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 42 | bcb3ec60f2 NEW |
none[none] | none:none |
none|none | none | none |
| T:19:34:00 | Win2K-f | 68.189.248.16 (CHARTER.COM): CHARTER COMMUNICATIONS, PEPPERELL, MASSACHUSETTS, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 77 lines |
Yeah : 1.3 profile |
none | summary tarball |
33 of 33 0 of 32 |
53bfe15e91 NEW 73f1082158 NEW |
1473091351 [0] none [0] |
ASM:Graph none:none |
tElock| Armadillo| |
lines=75 embedded dns lines=90 |
trace trace |
| T:19:45:00 | Win2K-f | 211.5.9.230 (DION.NE.JP): DION (KDDI CORPORATION), HACHIOJI, TOKYO, JP. (DIAL) |
n/a | 135 | pcap | raw alerts ruleset |
other 18 lines |
Yeah : 1.3 profile |
none | summary tarball |
none | none | none | none | none | none | none | |
| T:20:30:00 | WinXP | 27.54.7.170 (-): . |
213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 1.3 profile |
none | summary tarball |
38 of 41 | 9276456bf8 NEW |
none[none] | none:none |
none|none | none | none |
| T:21:53:00 | WinXP | 84.240.220.80 (MAIL.CBC-GROUP.KZ): PROVIDER LOCAL REGISTRY, KZ. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
41 of 41 | e92ed9f79c NEW |
none[none] | none:none |
none|none | none | none |
| 22:40:00 | WinXP | 46.109.112.177 (-): . |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
40 of 43 | 123c0e2b72 NEW |
none[none] | none:none |
none|none | none | none |