Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace
T:01:20:00 | WinXP | 173.81.255.162 (SUDDENLINK.NET): SUDDENLINK COMMUNICATIONS, TYLER, TEXAS, US. (100Mbps) | n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | none | 7517bf43d1 NEW | none[none] | none:none | none|none | none | none
T:02:33:00 | WinXP | 31.63.180.233 (-): . | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | none | 9ebcc2e373 NEW | none[none] | none:none | none|none | none | none
T:05:07:00 | WinXP | 202.142.160.35 (MULTI.NET.PK): MULTINETBROADBAND, LAHORE, PUNJAB, PK. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | none; none | 70a78a9c0e NEW; f64cd919b7 NEW | none[none]; none [none] | none:none; none:none | none|none; none|none | none; none | none; none
T:07:57:00 | WinXP | 67.197.144.50 (COMPORIUM.NET): COMPORIUM COMMUNICATIONS, ROCK HILL, SOUTH CAROLINA, US. (DSL) | n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | none | 81140ffade NEW | none[none] | none:none | none|none | none | none
T:08:12:00 | WinXP | 39.116.227.46 (-): . | 114.112.255.81:65520 | DE:proxim.ircgalaxy.pl US:microsoft.com :orplicity.com KR:carmaxquotes.com 117.135.138.171:88 EU:141.136.27.220:80 | 135 | pcap | raw alerts ruleset | irc http 151 lines | Yeah : 1.8 profile | none | summary tarball | 33 of 42; none; 39 of 42 | 69f59a0454 NEW; dad8e00feb NEW; f4c93e7909 NEW | none[none]; none [none]; none [none] | none:none; none:none; none:none | none|none; none|none; none|none | none; none; none | none; none; none
T:10:26:00 | WinXP | 117.235.110.19 (10/24.BSNL.IN): NIB (NATIONAL INTERNET BACKBONE), NEW DELHI, DELHI, IN. (DSL) | n/a | | 445 | pcap | raw alerts ruleset | http 6 lines | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none
T:12:11:00 | WinXP | 2.196.44.130 (-): . | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 38 of 41 | 9276456bf8 NEW | none[none] | none:none | none|none | none | none
T:12:35:00 | WinXP | 90.150.245.162 (PERMONLINE.RU): DYNAMIC DISTRIBUTION IP'S FOR BROADBAND SERVICES, MOSCOW, MOSCOW CITY, RU. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | none | 94227c2434 NEW | none[none] | none:none | none|none | none | none
T:12:40:00 | WinXP | 90.150.245.162 (PERMONLINE.RU): DYNAMIC DISTRIBUTION IP'S FOR BROADBAND SERVICES, MOSCOW, MOSCOW CITY, RU. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | none | 94227c2434 NEW | none[none] | none:none | none|none | none | none
T:12:44:00 | WinXP | 173.81.184.49 (SUDDENLINK.NET): SUDDENLINK COMMUNICATIONS, TYLER, TEXAS, US. (100Mbps) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 79 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 32 | 53bfe15e91 NEW; 73f1082158 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock|; Armadillo| | lines=75 embedded dns; lines=90 | trace; trace
T:14:03:00 | WinXP | 75.110.107.12 (SUDDENLINK.NET): SUDDENLINK COMMUNICATIONS, ROCKY MOUNT, NORTH CAROLINA, US. (DSL) | n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 34 of 34 | d20f157117 NEW | 738f555183 [0] | ASM:Graph | PolyEnE| | lines=68 | trace
T:15:24:00 | WinXP | 76.181.153.104 (RR.COM): ROAD RUNNER HOLDCO LLC, CHILLICOTHE, OHIO, US. (100Mbps) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; a08f3b74a4 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock|; Armadillo| | lines=75 embedded dns; lines=90 | trace; trace
T:15:42:00 | WinXP | 100.42.148.108 (-): . | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 41 of 42 | ff90c1ff00 NEW | none[none] | none:none | none|none | none | none
T:17:23:00 | Win2K-f | 212.102.15.66 (-): INTERNET SERVICE PROVIDER, RIYADH, AR RIYAD, SA. (DSL) | n/a | :www.maxmind.com :getmyip.co.uk :www.getmyip.org US:checkip.dyndns.org DE:131.220.6.26:80 | 445 | pcap | raw alerts ruleset | http 5 lines | Yeah : 0.8 profile | none | summary tarball | 2 of 37 | d60e538e72 NEW | none[3] | none:none | UPX| | none | trace