Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

19 April 2012
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:06:00 WinXP 114.136.219.218 (HINET.NET):
MOBILE BUSINESS GROUP CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 41 1096ba143e
NEW none[none] none:none
none|none none none

T:00:28:00 WinXP 187.160.60.99 (NIC-R2-R1-MTY.NIC.MX):
NETWORK INFORMATION CENTER MEXICO,
MX. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 43 bbafbfe1df
NEW none[none] none:none
none|none none none

T:00:41:00 WinXP 178.91.90.92 (FINEBLANK.COM):
EU-ZZ,
UK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 39 of 43 e01ddca98c
NEW none[none] none:none
none|none none none

T:01:17:00 WinXP 61.175.243.100 (-):
QINGTIAN TV UNIVERSITY,
BEIJING, BEIJING, CN. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:01:46:00 WinXP 49.14.115.15 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 42 7a3dc969d4
NEW none[none] none:none
none|none none none

01:57:00 WinXP 180.177.177.193 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 39 of 43 ff350074e7
NEW none[none] none:none
none|none none none

T:02:47:00 WinXP 220.140.127.202 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a DE:moscow-advokat.ru
DE:82.98.86.164:6667 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 42 219639bd5d
NEW none[none] none:none
none|none none none

T:03:34:00 WinXP 87.9.161.103 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A. TIN EASY LITE,
MILANO, LOMBARDIA, IT. (DSL) n/a DE:moscow-advokat.ru
DE:82.98.86.164:6667 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 42 d1e8440870
NEW none[none] none:none
none|none none none

T:04:59:00 WinXP 188.17.93.52 (PERMONLINE.RU):
OJSC URALSVYAZINFORM,
MOSCOW, MOSCOW CITY, RU. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 32 of 32 488d27fe97
NEW none[none] none:none
none|none none none

T:05:10:00 WinXP 92.41.190.108 (THREE.CO.UK):
MOBILE BROADBAND SERVICE,
UK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 42 7a3dc969d4
NEW none[none] none:none
none|none none none

T:05:27:00 WinXP 119.154.230.80 (PIE.NET.PK):
PAKISTAN TELECOMMUNICATION COMPANY LIMITED,
ISLAMABAD, ISLAMABAD, PK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 42 bcb3ec60f2
NEW none[none] none:none
none|none none none

T:07:48:00 WinXP 92.251.169.172 (-):
H3G IRELAND SUBSCRIBERS,
IE. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 43 of 43 24e8de6cb2
NEW none[none] none:none
none|none none none

T:07:51:00 WinXP 66.85.228.159 (WHC.NET):
WHITEHORSE COMMUNICATIONS INC,
EL PASO, TEXAS, US. (100Mbps) n/a :gg.arrancar.org
199.59.166.108:555 135 pcap raw alerts
ruleset other
187 lines Yeah : 1.3
profile none summary
tarball 41 of 41 916752f248
NEW 4e604fc8cb [0] ASM:Graph
none|none lines=546 trace

T:08:25:00 WinXP 89.149.86.84 (10-83-149-89.GLOBNET.MD):
SUNINTERNET S.R.L,
CHISINAU, CHISINAU, MD. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 36 of 41 18069de9ed
NEW none[none] none:none
none|none none none

09:38:00 WinXP 183.82.140.162 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 42 e0f614d0dd
NEW none[none] none:none
none|none none none

T:09:55:00 Win2K-f 175.115.185.6 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 39 of 41
37 of 40 5d445c59d8
NEW
8a54950abb
NEW 892e12db7b [0]
f6b9e43917[0] ASM:Graph
ASM:Graph
tElock|
Armadillo| lines=64
embedded dns
lines=91 trace
trace

T:10:19:00 Win2K-f 175.112.215.61 (-):
. 83.133.119.197:65520 DE:proxim.ircgalaxy.pl
US:microsoft.com
CN:zhongmail.com
EU:tyui89.com
:www.uufeed.com
US:www.gameonlinehub.com
EU:141.136.16.20:80
CN:60.190.222.242:888
DE:83.133.119.197:65520 135 pcap raw alerts
ruleset irc
http
133 lines Yeah : 1.8
profile none summary
tarball 37 of 43
33 of 42
20 of 42
16 of 40
26 of 40
39 of 42 69f32b85f1
NEW
69f59a0454
NEW
a7c4685c23
NEW
db1d691727
NEW
ed4f5c57bf
NEW
f4c93e7909
NEW none[none]
none [none]
none [none]
none [none]
none [none]
none [none] none:none
none:none
none:none
none:none
none:none
none:none
none|none
none|none
none|none
none|none
none|none
none|none none
none
none
none
none
none none
none
none
none
none
none

T:10:28:00 Win2K-f 178.167.183.182 (FINEBLANK.COM):
EU-ZZ,
UK. (DSL) n/a :pk.laurenwicker.com
US:bmwfinancinginfo.net
US:images01.tzimg.com
:domdex.com
:p8pv.alltcp.info
US:climbingrockfast.com
NL:as.casalemedia.com
:images.ddc.com
NL:cdn.optmd.com
CN:60.190.222.242:888
US:64.38.232.180:80 445 pcap raw alerts
ruleset http
32 lines Argh : 0.3
profile none summary
tarball 0 of 42 11120242b9
NEW none[none] none:none
none|none none none

10:30:00 WinXP 141.136.93.64 (TERMBILLING.COM):
VARIOUS REGISTRIES,
UK. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 42 a4140e4032
NEW none[none] none:none
none|none none none

T:10:35:00 Win2K-f 1.200.25.163 (-):
. 83.133.119.197:65520 US:www.edailygames.com
:games.bigfishgames.com
IE:serve.williamhill.com
:b.babylon.com
NL:scripts.chitika.net
US:cacheserve.williamhill.com
EU:tyui89.com
US:filelogo.com
NL:as.casalemedia.com
:images.ddc.com
US:activex.microsoft.com
US:codecs.microsoft.com
EU:141.136.16.20:80
US:64.38.232.180:80 445 pcap raw alerts
ruleset http
irc
98 lines Yeah : 1.3
profile none summary
tarball 0 of 41
26 of 40 b2406c562c
NEW
ed4f5c57bf
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:11:47:00 Win2K-f 66.90.145.89 (GRANDENETWORKS.NET):
GRANDE COMMUNICATIONS AUSTIN HUB,
AUSTIN, TEXAS, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 38 of 41
38 of 41 d031b42d3f
NEW
fa14802705
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:12:54:00 WinXP 81.98.88.131 (VIRGINMEDIA.NET):
NTLI,
UK. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 39 of 41 d8040f84d4
NEW d683995e84 [0] ASM:Graph
PolyEnE| lines=73 trace

T:15:18:00 WinXP 123.220.217.41 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
YOKOHAMA, KANAGAWA, JP. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 43 0ab0d85629
NEW none[none] none:none
none|none none none

T:15:26:00 WinXP 118.6.230.211 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
TOKYO, TOKYO, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:16:30:00 WinXP 216.250.2.26 (JVLNET.COM):
JVLNET INTERNET SERVICES,
MERRIMAC, WISCONSIN, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 41 of 43
40 of 43 011c197b23
NEW
f893d7bbb4
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

17:18:00 WinXP 208.104.254.50 (COMPORIUM.NET):
COMPORIUM COMMUNICATIONS,
NEW YORK, NEW YORK, US. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

17:24:00 Win2K-f 110.234.10.130 (-):
IPVPN/INTERNET SERVICE PROVIDER,
DELHI, DELHI, IN. (DSL) n/a :www.maxmind.com
:www.getmyip.org
US:checkip.dyndns.org
174.36.207.186:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 2 of 37 223d8089f8
NEW none[3] none:none
StarForce| none trace

T:17:55:00 WinXP 221.121.243.222 (CCNW.NE.JP):
CHUBU CABLE NETWORK COMPANY INCORPORATED,
NAGOYA, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 0 of 32
33 of 33 07fabc79ef
NEW
53bfe15e91
NEW none[0]
1473091351[0] none:none
ASM:Graph
Armadillo|
tElock| lines=90
lines=75
embedded dns trace
trace

T:18:12:00 Win2K-f 67.8.181.206 (RR.COM):
ROAD RUNNER HOLDCO LLC,
ORLANDO, FLORIDA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:20:16:00 WinXP 123.192.62.232 (KBRONET.COM.TW):
TUNG HO MULTIMEDIA CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 38 of 42 a8d332a663
NEW none[none] none:none
none|none none none

T:20:37:00 WinXP 181.0.128.103 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:20:57:00 WinXP 27.98.36.116 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
99 lines Yeah : 1.3
profile none summary
tarball 39 of 40
40 of 41 6a6aaa5b73
NEW
8bde6dd126
NEW 63889c9976 [0]
885c68f500[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=42
lines=64
embedded dns trace
trace

T:23:06:00 WinXP 141.136.93.179 (TERMBILLING.COM):
VARIOUS REGISTRIES,
UK. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 42 a4140e4032
NEW none[none] none:none
none|none none none

T:23:54:00 WinXP 49.14.103.152 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 42 7a3dc969d4
NEW none[none] none:none
none|none none none