Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

25 April 2012
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:18:00 Win2K-f 211.75.159.211 (KENNY.COM.TW):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:01:35:00 Win2K-f 4.138.6.170 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
ASHEBORO, NORTH CAROLINA, US. (DIAL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
129 lines Yeah : 1.3
profile none summary
tarball 39 of 44
39 of 44 90053e3e0c
NEW
a777a6a42d
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

02:02:00 WinXP 101.15.255.91 (-):
. n/a DE:moscow-advokat.ru
DE:82.98.86.164:6667 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 048b720afe
NEW none[none] none:none
none|none none none

T:02:04:00 Win2K-f 210.0.207.190 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) n/a 135 pcap raw alerts
ruleset other
1029 lines Yeah : 1.3
profile none summary
tarball 37 of 42 73ea935efa
NEW none[none] none:none
none|none none none

T:02:44:00 WinXP 2.192.89.127 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:04:28:00 WinXP 94.242.20.122 (-):
RNET NETWORK,
MOSCOW, MOSCOW CITY, RU. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:04:54:00 WinXP 95.68.21.231 (-):
ADDRESS POOL FOR LTC-HOME CUSTOMERS,
RIGA, RIGA, LV. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 39 of 41 d8040f84d4
NEW d683995e84 [0] ASM:Graph
PolyEnE| lines=73 trace

T:05:12:00 Win2K-f 68.67.113.134 (BLUEBIRDWIRELESS.COM):
BLUEBIRD WIRELESS BROADBAND SERVICES L.L.C,
CARTERSVILLE, GEORGIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:05:26:00 Win2K-f 27.98.0.92 (-):
. n/a US:microsoft.com 135 pcap raw alerts
ruleset other
99 lines Yeah : 1.3
profile none summary
tarball 39 of 40
40 of 41 6a6aaa5b73
NEW
8bde6dd126
NEW 63889c9976 [0]
885c68f500[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=42
lines=64
embedded dns trace
trace

T:05:47:00 WinXP 223.19.255.60 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:06:23:00 WinXP 49.125.101.27 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 712bcf9f8a
NEW none[none] none:none
none|none none none

T:06:43:00 Win2K-f 175.112.215.240 (-):
. 114.112.255.81:65520 US:microsoft.com
:proxim.ircgalaxy.pl
EU:tyui89.com
:www.uufeed.com
:pk.laurenwicker.com
US:securitymastercard.net
US:images01.tzimg.com
:domdex.com
EU:141.136.16.20:80 135 pcap raw alerts
ruleset irc
http
141 lines Yeah : 1.8
profile none summary
tarball none
37 of 43
33 of 42
none
39 of 42 3570a1a357
NEW
69f32b85f1
NEW
69f59a0454
NEW
8fd94dbad5
NEW
f4c93e7909
NEW none[none]
none [none]
none [none]
none [none]
none [none] none:none
none:none
none:none
none:none
none:none
none|none
none|none
none|none
none|none
none|none none
none
none
none
none none
none
none
none
none

T:07:21:00 Win2K-f 66.166.121.174 (COVAD.NET):
COVAD COMMUNICATIONS CO,
LOS ANGELES, CALIFORNIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:07:22:00 Win2K-f 24.249.202.54 (COX.NET):
COX COMMUNICATIONS,
SAN DIEGO, CALIFORNIA, US. (DSL) 69.22.162.40:80 :freestocke.blogspot.com
:www.blogger.com
US:scripts.chitika.net
:img2.blogblog.com
:img1.blogblog.com
US:microsoft.com 135 pcap raw alerts
ruleset http
70 lines Yeah : 0.8
profile none summary
tarball none none none none none none none

T:08:12:00 WinXP 46.109.39.43 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 41 9d38d43309
NEW none[none] none:none
none|none none none

T:09:20:00 WinXP 151.80.227.192 (51-151.NET24.IT):
IUNET-BNET,
PERUGIA, UMBRIA, IT. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball none d4a3f7a998
NEW none[none] none:none
none|none none none

T:10:31:00 Win2K-f 220.135.3.87 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
57ce4acac2
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:10:37:00 Win2K-f 111.90.87.188 (NKNO.J-CNET.JP):
CITY TV NAKANO LIMITED,
JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
130 lines Yeah : 1.3
profile none summary
tarball 32 of 36
34 of 36 0b951c2832
NEW
e4ed4df0f0
NEW 5fe761661a [0]
de471fc380[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:10:39:00 WinXP 27.2.154.61 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 37 of 43 ca3e3b13f3
NEW none[none] none:none
none|none none none

12:02:00 WinXP 202.70.232.207 (ONINET.NE.JP):
OKAYAMA NETWORK INC,
OKAYAMA, OKAYAMA, JP. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none c75c73f3c7
NEW none[none] none:none
none|none none none

T:14:14:00 WinXP 89.204.240.150 (O2.IE):
O2 IRELAND MOBILE PHONE OPERATOR,
DUBLIN, DUBLIN, IE. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 01c4a6b3eb
NEW dd524b0259 [0] ASM:Graph
PolyEnE| lines=68 trace

T:15:30:00 WinXP 46.117.123.213 (-):
. n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace

T:16:52:00 WinXP 178.167.153.211 (FINEBLANK.COM):
EU-ZZ,
UK. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

17:23:00 WinXP 70.45.245.189 (METROCAST.NET):
SAN JUAN CABLE LLC,
SAN JUAN, PUERTO RICO, PR. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball none 0c38af69f4
NEW none[none] none:none
none|none none none

T:17:42:00 WinXP 24.49.155.217 (COOSAHS.NET):
COOSA CABLE CO. INC,
PELL CITY, ALABAMA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
115 lines Yeah : 1.3
profile none summary
tarball 38 of 43
38 of 41 31000127c2
NEW
c6f4f8e31a
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:19:46:00 Win2K-f 68.114.87.151 (CHARTER.COM):
CHARTER COMMUNICATIONS,
WORCESTER, MASSACHUSETTS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:20:59:00 WinXP 202.164.211.196 (-):
METRONET BANGLADESH LIMITED FIBER OPTIC BASED METROPOLITAN DATA,
DHAKA, DHAKA, BD. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
111 lines Yeah : 1.3
profile none summary
tarball 40 of 42
38 of 42 28682ab74c
NEW
599fe92b8e
NEW none[none]
none [none] none:none
none:none
none|none
none|none none
none none
none

T:22:28:00 Win2K-f 61.218.149.12 (HINET.NET):
CHEN-JIN-SHI-TC-NET,
T'AI-CHUNG, T'AI-WAN, TW. (100Mbps) n/a 135 pcap raw alerts
ruleset other
10 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:22:38:00 WinXP 93.177.240.245 (ALDEMS.LV):
BALTKOM,
RIGA, RIGA, LV. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 42 bcb3ec60f2
NEW none[none] none:none
none|none none none

T:22:54:00 WinXP 50.27.216.150 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 26 of 28 7d99b0e910
NEW none[0] none:none
PolyEnE| lines=68 trace