| Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 02:32:00 | WinXP | 124.123.162.109 (BEAMCABLESYSTEM.IN): INTERNET TELEPHONY SERVICE PROVIDER, HYDERABAD, ANDHRA PRADESH, IN. (DSL) | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 42 of 43 | 269ce49eb2 NEW | none[none] | none:none | none\|none | none | none |
| 04:39:00 | WinXP | 58.107.231.142 (OPTUSNET.COM.AU): OPTUS INTERNET - RETAIL, MELBOURNE, VICTORIA, AU. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 38 of 42; 39 of 43 | 3bcfbacdfc NEW; 90cf11b441 NEW | none[none]; none[none] | none:none; none:none | none\|none; none\|none | none; none | none; none |
| 04:57:00 | WinXP | 59.116.107.251 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | DE:moscow-advokat.ru DE:82.98.86.164:6667 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 42 | d1d4da3d1b NEW | none[none] | none:none | none\|none | none | none |
| 05:34:00 | WinXP | 68.67.113.134 (BLUEBIRDWIRELESS.COM): BLUEBIRD WIRELESS BROADBAND SERVICES L.L.C, CARTERSVILLE, GEORGIA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 32 | 53bfe15e91 NEW; 73f1082158 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; lines=90 | trace; trace |
| 05:51:00 | Win2K-f | 24.234.233.53 (COX.NET): COX COMMUNICATIONS INC, LAS VEGAS, NEVADA, US. (DSL) | n/a |  | 135 | pcap | raw alerts ruleset | other 1029 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 40 | dceb821a63 NEW | none[3] | none:none | none\|none | none | trace |
| 07:54:00 | WinXP | 87.116.244.220 (TNP.PL): NETWORK OF INTERNET SERVICE PROVIDER, WARSAW, WARSZAWA, PL. (DSL) | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 42 | 5bc726b1d1 NEW | none[none] | none:none | none\|none | none | none |
| 08:27:00 | WinXP | 49.205.166.170 (-) | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 42 | b0b19b1573 NEW | none[none] | none:none | none\|none | none | none |
| 08:30:00 | Win2K-f | 98.103.24.169 (RR.COM): ROAD RUNNER HOLDCO LLC, HERNDON, VIRGINIA, US. (DSL) | n/a |  | 135 | pcap | raw alerts ruleset | other 186 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 43 | 33b5a9737b NEW | none[none] | none:none | none\|none | none | none |
| 08:33:00 | WinXP | 94.139.15.72 (BLUE-CABLE.DE): CABLE-TV BROADBAND NETWORK, BERLIN, BERLIN, DE. (DSL) | n/a | DE:moscow-advokat.ru DE:82.98.86.164:6667 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 41 of 43 | 75a57521b7 NEW | none[none] | none:none | none\|none | none | none |
| 08:53:00 | WinXP | 87.9.160.40 (RETAIL.TELECOMITALIA.IT): TELECOM ITALIA S.P.A. TIN EASY LITE, BERGAMO, LOMBARDIA, IT. (DSL) | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 41 of 42 | 55974dd0b6 NEW | none[none] | none:none | none\|none | none | none |
| 09:39:00 | WinXP | 106.67.17.132 (-) | 213.155.14.161:80 | :ilo.brenz.pl DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 6 lines | Yeah : 1.3 profile | none | summary tarball | 38 of 42 | 0e07ea080d NEW | none[none] | none:none | none\|none | none | none |
| 09:47:00 | Win2K-f | 14.140.160.29 (-) | n/a | :www.maxmind.com US:checkip.dyndns.org DE:131.220.6.26:80 | 445 | pcap | raw alerts ruleset | http 5 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX\| | lines=174 embedded dns | trace |
| 09:57:00 | WinXP | 92.36.21.117 (SKYLINK.RU): MOSCOW CELLULAR COMMUNICATIONS, RU. (DSL) | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 40 of 41 | 1096ba143e NEW | none[none] | none:none | none\|none | none | none |
| 10:21:00 | Win2K-f | 220.135.3.87 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; 57ce4acac2 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; lines=90 | trace; trace |
| 10:26:00 | WinXP | 77.23.111.50 (SUPERKABEL.DE): KABEL-DEUTSCHLAND-CUSTOMER-SERVICES, BERLIN, BERLIN, DE. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru DK:bem.dk :banboon.com MY:bdb.com.my TH:baulaung.org US:bazyar-arya.com :barlikinsaat.com.tr TR:basamakhalisi.com | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 43 | b3ed00d0db NEW | none[none] | none:none | none\|none | none | none |
| 10:27:00 | WinXP | 12.133.1.10 (ATT.NET): AT&T WORLDNET SERVICES, MIDDLETOWN, NEW JERSEY, US. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 41 of 42 | e99261ba46 NEW | none[none] | none:none | none\|none | none | none |
| 10:33:00 | WinXP | 95.68.5.37 (-): ADDRESS POOL FOR LTC-HOME CUSTOMERS, RIGA, RIGA, LV. (DSL) | n/a | DE:citi-bank.ru :parex-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 32 of 32 | 488d27fe97 NEW | none[none] | none:none | none\|none | none | none |
| 11:06:00 | Win2K-f | 14.140.160.29 (-) | n/a | :www.maxmind.com :www.getmyip.org :getmyip.co.uk EU:checkip.dyndns.org DE:131.220.6.26:80 | 445 | pcap | raw alerts ruleset | http 5 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX\| | lines=174 embedded dns | trace |
| 11:09:00 | WinXP | 77.23.111.50 (SUPERKABEL.DE): KABEL-DEUTSCHLAND-CUSTOMER-SERVICES, BERLIN, BERLIN, DE. (DSL) | n/a |  | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none |
| 11:13:00 | WinXP | 151.135.180.32 (TERMBILLING.COM): VARIOUS REGISTRIES, UK. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 42 | 81147ebc1f NEW | none[none] | none:none | none\|none | none | none |
| 11:21:00 | WinXP | 112.110.191.144 (-): GPRS VAS SERVICES, IN. (DSL) | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 41 of 41 | e92ed9f79c NEW | none[none] | none:none | none\|none | none | none |
| 13:00:00 | WinXP | 178.24.178.54 (FINEBLANK.COM): EU-ZZ, UK. (DSL) | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 42 of 42 | 0c3e031d4a NEW | none[none] | none:none | none\|none | none | none |
| 13:07:00 | Win2K-f | 211.124.231.250 (ZAQ.NE.JP): K CABLE TELEVISION CORPORATION INC, OSAKA, OSAKA, JP. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 0 of 32; 33 of 33 | 07fabc79ef NEW; 53bfe15e91 NEW | none[0]; 1473091351[0] | none:none; ASM:Graph | Armadillo\|; tElock\| | lines=90; lines=75 embedded dns | trace; trace |
| 13:08:00 | WinXP | 188.255.99.234 (RIPE.NET): EUROPEAN REGIONAL REGISTRY, UK. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none[0] | none:none | PolyEnE\| | lines=68 | trace |
| 13:08:00 | WinXP | 178.24.59.178 (FINEBLANK.COM): EU-ZZ, UK. (DSL) | n/a | DE:citi-bank.ru NL:bitmove.tv TR:bitezgardenlife.com :cargomce.com :www.grupointersur.com.ar | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 41 of 42 | 425f9648c0 NEW | none[none] | none:none | none\|none | none | none |
| 13:41:00 | Win2K-f | 202.169.33.236 (-): BIZNET-NET-POPSERVER-BLOCK, JAKARTA, JAKARTA RAYA, ID. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 32 | 53bfe15e91 NEW; 73f1082158 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; lines=90 | trace; trace |
| 13:49:00 | WinXP | 109.125.51.57 (STERLINGSTUDENTS.NET): EU-ZZ, UK. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 41 of 43 | fb486908b0 NEW | none[none] | none:none | none\|none | none | none |
| 13:57:00 | WinXP | 109.125.51.57 (STERLINGSTUDENTS.NET): EU-ZZ, UK. (DSL) | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 41 of 43 | fb486908b0 NEW | none[none] | none:none | none\|none | none | none |
| 14:28:00 | WinXP | 109.191.82.215 (STERLINGSTUDENTS.NET): EU-ZZ, UK. (DSL) | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 37 of 41 | 90bfd53712 NEW | none[none] | none:none | none\|none | none | none |
| 15:00:00 | Win2K-f | 70.60.10.39 (RR.COM): ROAD RUNNER HOLDCO LLC, HILLIARD, OHIO, US. (DSL) | n/a |  | 135 | pcap | raw alerts ruleset | other 10 lines | Yeah : 1.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| 16:20:00 | WinXP | 88.134.20.219 (SUPERKABEL.DE): KABEL-DEUTSCHLAND-CUSTOMER-SERVICES, BERLIN, BERLIN, DE. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 41 of 43 | fb486908b0 NEW | none[none] | none:none | none\|none | none | none |
| 16:45:00 | WinXP | 186.51.218.26 (-) | n/a | DE:moscow-advokat.ru DE:82.98.86.164:6667 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 41 of 43 | 048b720afe NEW | none[none] | none:none | none\|none | none | none |
| 16:45:00 | Win2K-f | 96.8.188.216 (GVTC.COM): GUADALUPE VALLEY TELEPHONE COOPERATIVE INC, NEW BRAUNFELS, TEXAS, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41; 39 of 40 | 9bdd2c95b1 NEW; cd456ac095 NEW | d1bbd693ba [0]; d75caee680[0] | ASM:Graph; ASM:Graph | Armadillo\|; tElock\| | lines=91; lines=64 embedded dns | trace; trace |
| 19:20:00 | WinXP | 223.143.168.94 (-) | n/a |  | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none |
| 20:07:00 | WinXP | 1.200.19.177 (-) | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41 | 01c4a6b3eb NEW | dd524b0259 [0] | ASM:Graph | PolyEnE\| | lines=68 | trace |
| 20:42:00 | Win2K-f | 87.117.229.140 (UKDCX.COM): VOXINET CORP, CA. (DSL) | n/a | :www.maxmind.com US:checkip.dyndns.org :getmyip.co.uk :www.getmyip.org DE:131.220.6.26:80 EU:91.198.22.70:80 | 445 | pcap | raw alerts ruleset | http 4 lines | Yeah : 0.8 profile | none | summary tarball | 5 of 37 | 741c93f3c1 NEW | none[3] | none:none | UPX\| | none | trace |
| 20:51:00 | Win2K-f | 87.117.229.140 (UKDCX.COM): VOXINET CORP, CA. (DSL) | n/a | :www.maxmind.com US:checkip.dyndns.org DE:131.220.6.26:80 | 445 | pcap | raw alerts ruleset | http 5 lines | Yeah : 0.8 profile | none | summary tarball | 5 of 37 | 741c93f3c1 NEW | none[3] | none:none | UPX\| | none | trace |
| 20:53:00 | WinXP | 1.200.19.177 (-) | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 1.3 profile | none | summary tarball | 40 of 41 | 01c4a6b3eb NEW | dd524b0259 [0] | ASM:Graph | PolyEnE\| | lines=68 | trace |
| 21:52:00 | WinXP | 112.208.110.248 (PLDT.NET): IPG, PH. (DSL) | n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 42 | bcb3ec60f2 NEW | none[none] | none:none | none\|none | none | none |
| 23:10:00 | WinXP | 223.139.129.52 (-) | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 41 | 1096ba143e NEW | none[none] | none:none | none\|none | none | none |
| 23:22:00 | WinXP | 46.117.221.18 (-) | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 43 | ff350074e7 NEW | none[none] | none:none | none\|none | none | none |
| 23:58:00 | WinXP | 101.13.53.37 (-) | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 43 | 9099955511 NEW | none[none] | none:none | none\|none | none | none |