Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

15 August 2012
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:01:38:00 WinXP 91.64.44.97 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
KIEL, SCHLESWIG-HOLSTEIN, DE. (DSL) n/a DE:moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 42 of 43 1511a3f219
NEW none[none] none:none
none|none none none

T:01:50:00 WinXP 122.17.62.76 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
TOKYO, TOKYO, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:03:19:00 WinXP 201.173.95.187 (INTERCABLE.NET):
TELEVISION INTERNACIONAL S.A. DE C.V,
MONTERREY, NUEVO LEON, MX. (100Mbps) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none 29af3321de
NEW none[none] none:none
none|none none none

T:08:21:00 WinXP 218.236.108.63 (HANANET.NET):
HANARO TELECOM INC,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
80 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:09:10:00 WinXP 218.1.65.26 (ONLINE.SH.CN):
CHINANET SHANGHAI PROVINCE NETWORK,
SHANGHAI, SHANGHAI, CN. (DSL) n/a 135 pcap raw alerts
ruleset other
18 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

09:47:00 Win2K-f 186.93.168.88 (-):
. n/a :www.maxmind.com
:getmyip.co.uk
:www.getmyip.org
US:checkip.dyndns.org
DE:131.220.6.26:80
EU:91.198.22.70:80 445 pcap raw alerts
ruleset http
4 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:10:00:00 WinXP 79.207.172.70 (T-DIALIN.NET):
DEUTSCHE TELEKOM AG,
MUNICH, BAYERN, DE. (DIAL) n/a ES:www.arrakis.es 135 pcap raw alerts
ruleset http
28 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:10:19:00 WinXP 67.55.131.113 (NETINS.NET):
CENTRAL SCOTT TELEPHONE,
BLAIR, NEBRASKA, US. (DSL) n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 43 of 43 6ffc4847e4
NEW none[none] none:none
none|none none none

T:11:46:00 WinXP 78.130.112.219 (REV.OPTIMUS.PT):
OPTIMUS PORTUGAL,
LISBON, LISBOA, PT. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:12:23:00 WinXP 180.217.14.48 (-):
. 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball none 5efa033137
NEW none[none] none:none
none|none none none

T:14:46:00 WinXP 92.40.223.209 (THREE.CO.UK):
MOBILE BROADBAND SERVICE,
MANCHESTER, ENGLAND, UK. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 42 1a52a31be2
NEW none[none] none:none
none|none none none

T:15:31:00 WinXP 89.214.16.120 (-):
GPRS COSTUMERS,
FARO, FARO, PT. (DSL) 213.155.14.161:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 41 of 43 fb486908b0
NEW none[none] none:none
none|none none none

T:15:42:00 WinXP 74.195.178.63 (SUDDENLINK.NET):
SUDDENLINK COMMUNICATIONS,
OKMULGEE, OKLAHOMA, US. (DSL) n/a US:gg.arrancar.org
US:204.13.162.123:555 135 pcap raw alerts
ruleset other
186 lines Yeah : 1.3
profile none summary
tarball 41 of 43 0afff56a4c
NEW none[none] none:none
none|none none none

T:15:50:00 Win2K-f 50.83.48.234 (-):
. n/a 135 pcap raw alerts
ruleset other
158 lines Yeah : 1.3
profile none summary
tarball 36 of 39 2e8bb50e90
NEW none[none] none:none
none|none none none

T:16:55:00 Win2K-f 96.13.34.247 (WINDSTREAM.NET):
ALLTEL MIP CUSTOMERS - ATLANTA,
HAZLEHURST, GEORGIA, US. (DSL) n/a 135 pcap raw alerts
ruleset other
1010 lines Yeah : 1.3
profile none summary
tarball none 3b98685df1
NEW none[none] none:none
none|none none none

T:17:18:00 Win2K-f 4.143.226.13 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
BIG ROCK, ILLINOIS, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
59 lines Yeah : 1.3
profile none summary
tarball 33 of 33
8 of 33 53bfe15e91
NEW
b7082104e4
NEW 1473091351 [0]
c5b49e7b82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=75
embedded dns
lines=41 trace
trace

17:41:00 WinXP 75.110.232.162 (SUDDENLINK.NET):
SUDDENLINK COMMUNICATIONS,
LAKE CHARLES, LOUISIANA, US. (DSL) n/a DE:citi-bank.ru
DE:213.155.14.161:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 34 of 34 d20f157117
NEW 738f555183 [0] ASM:Graph
PolyEnE| lines=68 trace

T:19:52:00 WinXP 186.110.226.97 (-):
. n/a 445 pcap raw alerts
ruleset http
3 lines Yeah : 0.8
profile none summary
tarball none none none none none none none