Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace
T:01:53:00 | WinXP | 37.192.158.27 (-): . | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 1.3 profile | none | summary tarball | 41 of 42 | 22340630ac NEW | none[none] | none:none | none|none | none | none
T:03:09:00 | WinXP | 66.234.192.8 (ASTOUND.NET): ASTOUND BROADBAND, WALNUT CREEK, CALIFORNIA, US. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 42 | bcb3ec60f2 NEW | none[none] | none:none | none|none | none | none
06:27:00 | Win2K-f | 114.25.101.160 (HINET.NET): CHTD CHUNGHWA TELECOM CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | US:www.ask.com :gzlspr.org :layhl.com :vjmlhbgxaq.info :vwcfrecig.net :qwejw.info :tlnlr.net US:dfvjvg.biz :ffzzlzqph.org US:rumfft.biz :wgfieg.net US:glxpyk.biz US:padnehimiak.biz :bhduonr.org US:ybtkmhnemu.biz :ekaobbcswu.info :hdkcvajt.org US:ybuwlffr.biz US:uaxxxurbblp.biz US:xxqphx.biz :wxzeivc.org :cspgxri.com :vgwie.com :omwjojuz.net :cyjix.org :cfmpyfmqy.com US:hfxizy.biz :mxtjkpgp.com US:fygmdckh.biz :alqggp.com US:bwsegqjvr.biz US:149.20.56.32:80 US:204.152.184.139:80 | 445 | pcap | raw alerts ruleset | http 6 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:06:37:00 | WinXP | 24.155.204.98 (GRANDENETWORKS.NET): GRANDE COMMUNICATIONS CORPUS CHRISTI HUB, CORPUS CHRISTI, TEXAS, US. (100Mbps) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 38 of 41 38 of 41 | d031b42d3f NEW fa14802705 NEW | none[none] none[none] | none:none none:none | none|none none|none | none none | none none
T:09:53:00 | WinXP | 66.234.192.8 (ASTOUND.NET): ASTOUND BROADBAND, WALNUT CREEK, CALIFORNIA, US. (DSL) | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 42 | bcb3ec60f2 NEW | none[none] | none:none | none|none | none | none
12:37:00 | Win2K-f | 2.94.222.23 (-): . | n/a | :www.google.com :iyknoogun.info :hxwmxl.net :uhflbk.org :gcqshz.net :uchqotcewro.net :cczers.com :jriyzgesbe.net :abfnb.org US:xhtrmnr.biz US:ntxgpiku.biz US:dhgbwtg.biz US:trafficconverter.biz :qgkvib.info US:hfxizy.biz :mxtjkpgp.com US:afsjwcrhqz.biz :kasdnu.info :pacah.org :rnctrrzk.info :ogvjzuil.info :dpqgqr.net US:ssmvubfee.biz :dlsfi.com :dqlryksoc.org :jvxqitlrz.info :uwbdsovf.org :cnjbviie.info US:kdoddufypl.biz :pjodfphrr.info :wwnwa.info :inbcyzjzkc.org :ohplu.org :hdkcvajt.org :aunzuigq.org US:fclizxruj.biz :ewfkxhh.info :srjxnofqp.net US:wkzprjev.biz :ffzzlzqph.org :bhduonr.org :qxscdzojewp.org :aghnkel.info :uprpdnclvz.info US:fuahxgxx.biz :hjdobhp.net :dtzejwm.com US:nchqbvmb.biz :xosepnva.org :durcdbjpr.org US:mdvzxefo.biz :wxrxdwh.com US:ahyez.biz US:cdhsampmw.biz :pjdqaehbkfl.org :omwjojuz.net US:vtaohf.biz :rvsjnoqoy.net :tlnlr.net US:jprfce.biz :miifiiwzmhq.org :mqbts.net US:149.20.56.32:80 US:204.152.184.139:80 | 445 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
12:56:00 | Win2K-f | 201.187.92.28 (-): . | n/a | :www.maxmind.com :getmyip.co.uk :www.getmyip.org US:checkip.dyndns.org DE:131.220.6.26:80 | 445 | pcap | raw alerts ruleset | http 5 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | 917c085aca NEW | none[3] | none:none | Armadillo| | none | trace
T:14:22:00 | Win2K-f | 200.232.163.65 (STERLINGSTUDENTS.NET): COMITE GESTOR DA INTERNET NO BRASIL, BR. (DSL) | n/a | EE:www.starman.ee FI:www.if.ee KR:theforums.bbsindex.com LT:phonewire.dnip.net GB:phonelogin.dnip.net KR:koopa.dnip.net :cx10man.weedns.com GB:fx010413.whyI.org :gynoman.weedns.com :c010x1.co.cc :commgr.co.cc US:g.0x20.biz :telephone.dd.blueline.be | 445 | pcap | raw alerts ruleset | other 0 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
15:42:00 | Win2K-f | 181.46.37.64 (-): . | n/a | US:www.ask.com :htwhb.info :aayriepb.net :ftjrntym.org :huuzdgoru.org :bicgdjxefb.net :dpqgqr.net US:qmnawzvedd.biz :mxtjkpgp.com US:bxhsijmtr.biz :dinoxtjgb.info :mteghccaow.net :jvxqitlrz.info :ohplu.org :hynoztmxmln.net :gqvakijkanq.net US:ssmvubfee.biz :tjhmocynzuj.com :dghnjhpwdf.net :wnklary.org :stktd.info :wgmtp.info :uinmbdrb.org :eqzjntmhc.com :wilrncg.com :gaedentq.com :uchqotcewro.net :zskbvouye.net :bthruxslx.org :ftgknrlpery.net :xbjsuozs.com :wxzeivc.org :uzsay.info US:xxqphx.biz :bhduonr.org US:dhgbwtg.biz :ybylkdiauj.net US:uaxxxurbblp.biz US:lcdvnha.biz :apynnvcrulf.com :anruum.org US:nbypp.biz :vwcfrecig.net US:gsobzrv.biz :tjfng.net :brztbihiedq.info :dhrbjh.com US:dqmgxavtf.biz US:rstthkz.biz :ekaobbcswu.info :kasdnu.info US:npghwggpqv.biz :olcgqc.net :pjjam.net :uhflbk.org :uzgffmgoasc.info :fapgdhjey.info :cqpscwm.info :rzyjk.com :cyjix.org :mebza.net US:204.152.184.139:80 | 445 | pcap | raw alerts ruleset | http 3 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:15:53:00 | WinXP | 46.117.120.39 (-): . | n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none[0] | none:none | PolyEnE| | lines=68 | trace
T:17:32:00 | WinXP | 122.52.36.244 (PLDT.NET): IPG, MANILA, MANILA, PH. (DSL) | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 1.3 profile | none | summary tarball | 41 of 43 | 67db574df4 NEW | none[none] | none:none | none|none | none | none
T:17:57:00 | WinXP | 72.48.163.159 (GRANDENETWORKS.NET): GRANDE COMMUNICATIONS LANTANA, ARGYLE, TEXAS, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 38 of 41 38 of 41 | d031b42d3f NEW fa14802705 NEW | none[none] none[none] | none:none none:none | none|none none|none | none none | none none
T:19:47:00 | Win2K-f | 200.29.136.130 (CHILESAT.NET): TELMEX SERVICIOS EMPRESARIALES S.A, SANTIAGO, REGION METROPOLITANA, CL. (100Mbps) | n/a | :cx10man.weedns.com EE:www.starman.ee FI:www.if.ee :fx010413.whyI.org :gynoman.weedns.com :c010x1.co.cc :commgr.co.cc TW:g.0x20.biz :telephone.dd.blueline.be :phonewire.dd.blueline.be :phonelogin.dd.blueline.be JP:ufospace.etowns.net FI:194.215.38.135:80 | 445 | pcap | raw alerts ruleset | other 0 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
21:52:00 | Win2K-f | 5.53.18.104 (-): . | n/a | :www.google.com US:fwdqjwq.biz :hlggun.net :mhsyzhx.com :jqarqzh.net US:wqyzw.biz :jvzuiza.net :kvilollb.org :ffotaxoefqi.info :qcsltbnduk.info :tdklj.com :dyhwymu.net :mhlkaa.net US:dmiie.biz :exgbsmig.net US:nqjwykr.biz US:imtfew.biz US:ywkvhie.biz :aetxebvry.net :dwuaxk.net :lumhz.com US:149.20.56.32:80 US:204.152.184.139:80 | 445 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:23:40:00 | WinXP | 110.93.111.59 (CABLENET.NE.JP): CABLENET SAITAMA CO. LTD, JP. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41 39 of 41 | 5bbb57c115 NEW 75ac189d9e NEW | 03e5cb3c4a[0] 705dbaa801[0] | ASM:Graph ASM:Graph | Armadillo| tElock| | lines=91 lines=64 embedded dns | trace trace