Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

08 April 2012
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:15:00 WinXP 96.8.188.216 (GVTC.COM):
GUADALUPE VALLEY TELEPHONE COOPERATIVE INC,
NEW BRAUNFELS, TEXAS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball 39 of 41
39 of 40 9bdd2c95b1
NEW
cd456ac095
NEW d1bbd693ba [0]
d75caee680[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

01:27:00 Win2K-f 121.242.205.182 (VSNL.NET.IN):
INTERNET SERVICE PROVIDER,
NEW DELHI, DELHI, IN. (DSL) n/a :www.maxmind.com
:www.getmyip.org
:getmyip.co.uk
US:checkip.dyndns.org
DE:131.220.6.26:80 445 pcap raw alerts
ruleset http
12 lines Yeah : 0.8
profile none summary
tarball 4 of 37 8ce32ded17
NEW none[3] none:none
Armadillo| none trace

T:02:47:00 WinXP 87.110.128.40 (-):
ADDRESS POOL FOR LTC-HOME CUSTOMERS,
RIGA, RIGA, LV. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 43 123c0e2b72
NEW none[none] none:none
none|none none none

T:02:53:00 WinXP 109.184.89.111 (STERLINGSTUDENTS.NET):
EU-ZZ,
UK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:02:58:00 Win2K-f 68.114.61.35 (CHARTER.COM):
CHARTER COMMUNICATIONS,
BARRE, VERMONT, US. (DSL) n/a 135 pcap raw alerts
ruleset other
10 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:03:51:00 WinXP 49.205.166.170 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 42 b0b19b1573
NEW none[none] none:none
none|none none none

T:07:22:00 WinXP 141.136.93.134 (TERMBILLING.COM):
VARIOUS REGISTRIES,
UK. (DSL) n/a DE:moscow-advokat.ru
DE:82.98.86.164:6667 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 048b720afe
NEW none[none] none:none
none|none none none

T:07:35:00 WinXP 180.34.107.189 (OCN.NE.JP):
NTT COMMUNICATIONS CORPORATION,
JP. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:08:30:00 Win2K-f 61.216.175.210 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) 66.41.211.152:3921 US:h4cknet.ksah4ck.net
PL:84.10.107.153:80
PL:84.10.56.156:80
AT:84.112.201.238:80
AT:84.113.42.220:80
AT:84.114.248.221:80
AT:84.116.88.75:80
GB:84.12.153.8:80
LT:84.15.200.247:80
DE:84.162.170.86:80
DE:84.164.217.198:80
DE:84.167.8.182:80
RU:84.17.246.231:80
DE:84.170.54.165:80
NO:84.215.136.49:80
SE:84.217.233.29:80
SE:84.218.183.32:80
IT:84.220.24.141:80
DE:84.61.26.132:80
DE:84.63.72.115:80
GB:84.65.169.96:80
GB:84.66.119.99:80 135 pcap raw alerts
ruleset irc
437 lines Yeah : 1.8
profile none summary
tarball 37 of 43 87a18de10f
NEW none[none] none:none
none|none none none

08:45:00 WinXP 117.20.156.20 (-):
STARHUB HSPA,
SINGAPORE, SINGAPORE, SG. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 38 of 41 9276456bf8
NEW none[none] none:none
none|none none none

T:09:34:00 WinXP 151.28.108.152 (28-151.LIBERO.IT):
FREE INTERNET DIAL-UP SERVICES,
ROME, LAZIO, IT. (DIAL) n/a DE:moscow-advokat.ru
DE:82.98.86.164:6667 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 3a6b23d123
NEW none[none] none:none
none|none none none

T:09:58:00 WinXP 31.42.162.69 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 37 of 43 ca3e3b13f3
NEW none[none] none:none
none|none none none

T:10:16:00 Win2K-f 118.83.1.13 (HTOJ.J-CNET.JP):
JCN-HTMNET,
HACHIOJI, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
122 lines Yeah : 1.3
profile none summary
tarball 32 of 36
34 of 36 0b951c2832
NEW
e4ed4df0f0
NEW 5fe761661a [0]
de471fc380[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:10:42:00 Win2K-f 118.83.42.154 (HTOJ.J-CNET.JP):
JCN-HTMNET,
JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
95 lines Yeah : 1.3
profile none summary
tarball 31 of 32
2 of 32 607b60ad51
NEW
e5c7bce70e
NEW none[4]
e5c7bce70e[1] none:none
ASM:Graph
tElock|
Armadillo| none
lines=81 trace
trace

T:13:11:00 WinXP 24.121.209.120 (NPGCO.COM):
CABLEVISION OF BULLHEAD,
BULLHEAD CITY, ARIZONA, US. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 42 of 43 0ab0d85629
NEW none[none] none:none
none|none none none

T:13:21:00 Win2K-f 4.137.14.250 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
WEDOWEE, ALABAMA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
164 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:13:43:00 WinXP 111.88.41.129 (HOSTS-WORLDCALL.NET.PK):
WORLDCALL TELECOM LTD,
PK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 43 d4793d547e
NEW none[none] none:none
none|none none none

T:13:48:00 WinXP 67.219.71.163 (CABLEROCKET.NET):
AVENUE-BROADBAND-VINCENNES,
BELLFLOWER, CALIFORNIA, US. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 42 bcb3ec60f2
NEW none[none] none:none
none|none none none

T:15:33:00 WinXP 88.134.11.207 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
LANDAU, RHEINLAND-PFALZ, DE. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:16:22:00 WinXP 24.30.157.95 (RR.COM):
ROAD RUNNER HOLDCO LLC,
SAN DIEGO, CALIFORNIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:17:13:00 WinXP 210.166.48.34 (MEGAEGG.NE.JP):
ENERGIA COMMUNICATIONS INC,
JP. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 43 of 43 debeecd50c
NEW none[none] none:none
none|none none none

T:17:47:00 WinXP 109.86.105.169 (JWS.COM):
EU-ZZ,
UK. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 39 of 40 5e8ccc4190
NEW 8d5f86583f [0] ASM:Graph
PolyEnE| lines=68 trace

T:18:47:00 WinXP 220.144.116.250 (MESH.AD.JP):
NEC CORPORATION,
TOKYO, TOKYO, JP. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 41 of 41 e92ed9f79c
NEW none[none] none:none
none|none none none

T:20:02:00 WinXP 112.206.98.181 (PLDT.NET):
IPG,
PH. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

21:26:00 WinXP 113.19.8.174 (VSNL.NET.IN):
INTERNET SERVICE PROVIDER,
CHENNAI, TAMIL NADU, IN. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 39 of 42 0cee797e1f
NEW none[none] none:none
none|none none none

T:22:03:00 WinXP 117.254.10.147 (STERLINGSTUDENTS.NET):
NIB (NATIONAL INTERNET BACKBONE),
NEW DELHI, DELHI, IN. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 43 d4793d547e
NEW none[none] none:none
none|none none none

T:22:46:00 Win2K-f 61.216.4.88 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball 40 of 41
40 of 41 10c560fc02
NEW
1b8d146832
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:23:52:00 Win2K-f 211.75.159.211 (KENNY.COM.TW):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 18 of 35
0 of 33 218ce30f5c
NEW
57ce4acac2
NEW none[3]
none [0] none:none
none:none
none|none
Armadillo| none
lines=90 trace
trace

T:23:54:00 Win2K-f 98.101.143.183 (RR.COM):
ROAD RUNNER HOLDCO LLC,
HERNDON, VIRGINIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 18 of 35
0 of 33 218ce30f5c
NEW
a08f3b74a4
NEW none[3]
none [0] none:none
none:none
none|none
Armadillo| none
lines=90 trace
trace