Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace
(Where one infection dropped two binaries, the per-binary columns list both values separated by " / ".)
00:19:00 | Win2K-f | 98.87.167.241 (BELLSOUTH.NET): BELLSOUTH.NET INC, ATLANTA, GEORGIA, US. (DSL) | n/a | CN:www.baidu.com :egkpuyvhogd.info :irvmlqs.org :nxmxtopm.info US:druinrs.biz :smcwn.com US:yqilyyzcztr.biz US:tgehuntgi.biz US:hpfzuena.biz :yufkjtvl.info :dvdlcbgtk.info :aiaoo.com :jgusbvvar.net :bqhfswzcehj.net :awgvguypkdv.info :zpqaebyo.org :jqbemubjjs.net :wqwfwakx.com :qekwihxxpz.net :idcsxykn.org :xctljjjutss.com :dalhlkwhho.net US:yoweb.biz :hoxxfuivmth.com US:jfgnx.biz US:qotcqarjvk.biz US:lpjrhzdk.biz :chvhqyjeuks.org :qmpshbwn.net :vvsjekk.net US:evymnbws.biz 122.112.32.142:80 US:149.20.56.32:80 US:204.152.184.139:80 | 445 | pcap | raw alerts ruleset | http 16 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:00:59:00 | WinXP | 122.52.37.196 (PLDT.NET): IPG, MANILA, MANILA, PH. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru :parex-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 41 of 43 | 67db574df4 NEW | none[none] | none:none | none|none | none | none
T:01:27:00 | WinXP | 122.52.37.196 (PLDT.NET): IPG, MANILA, MANILA, PH. (DSL) | n/a | DE:citi-bank.ru :parex-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 1.3 profile | none | summary tarball | 41 of 43 | 67db574df4 NEW | none[none] | none:none | none|none | none | none
03:25:00 | Win2K-f | 189.103.146.150 (VIRTUA.COM.BR): COMITE GESTOR DA INTERNET NO BRASIL, SÃO PAULO, SAO PAULO, BR. (DSL) | n/a | US:www.ask.com :jwtinv.net :bqhfswzcehj.net :dlbcco.info :tqtiznlp.net :zdxjo.com :znmsjtlqva.com :yeekce.net :fcgilipdr.com US:evymnbws.biz :qowiazfdo.org :xrcbt.com US:knmhm.biz :rixpjopw.info :fnxwgu.com :qlwkxlsv.com :uwthpsrry.com :drjlqiant.net US:jfgnx.biz :chvhqyjeuks.org :dftvnorumn.info :emihuzriyq.info :ashhmxk.info :elmundmod.org :pdqljzgyymw.net :lrfnxxrw.net :azbac.info :xmtubwlxbbu.info :mtvscsbn.info :cvtiwgjvden.com :mmihwr.org :kkwrmozvw.info US:qwatkyfeyo.biz :lojjjw.com :vqtohposa.info :zqepymak.com :hhagn.info US:ajyczt.biz :ncfduanuhua.org :vyerxywqrp.org :exeffrdns.net US:149.20.56.32:80 US:204.152.184.139:80 | 445 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
04:35:00 | Win2K-f | 185.9.158.26 (-): . | n/a | :www.maxmind.com :www.getmyip.org :getmyip.co.uk US:checkip.dyndns.org 174.36.207.186:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 2 of 37 | 223d8089f8 NEW | none[3] | none:none | StarForce| | none | trace
06:30:00 | Win2K-f | 79.148.124.69 (RIMA-TDE.NET): TELEFONICA DE ESPANA (NCC#2007091101), BARCELONA, CATALONIA, ES. (DSL) | n/a | US:www.ask.com US:druinrs.biz :mysuwvhoic.com :ljpfbynsz.com US:vwxnphha.biz :qlwkxlsv.com :tqtiznlp.net :nrolrhior.org :dpgusm.org US:lbphomz.biz :igbtn.info :azbac.info :qqrkwmf.info :nlbhraq.info :aiaoo.com :apwqmuafevz.net US:qnauli.biz :tngzb.com :bqgpqce.org US:evymnbws.biz :qekwihxxpz.net :awgvguypkdv.info US:fnynqjiohf.biz :hqkqrjtnpx.org :dvdlcbgtk.info :ztarpkpo.info :hfkplap.net :jkgibxmk.net :lojjjw.com :dftvnorumn.info :hsigctwb.info US:149.20.56.32:80 US:204.152.184.139:80 | 139 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:08:43:00 | WinXP | 95.84.207.9 (OSTROV.NET): NATIONAL CABLE NETWORKS, RU. (DSL) | n/a | PT:siliconfireware.ru :wpad RU:www.bbin.ru :www.google-analytics.com :fonts.googleapis.com :themes.googleusercontent.com :html5shiv.googlecode.com US:www.bankofmadura.com PT:195.22.26.236:80 | 445 | pcap | raw alerts ruleset | http 86 lines | Yeah : 0.8 profile | none | summary tarball | 29 of 29 | df17a625ee NEW | none[0] | none:none | ASPack| | lines=298 embedded dns | trace
08:47:00 | Win2K-f | 222.255.132.123 (LOCALHOST): VIETNAM DATA COMMUNICATION COMPANY, VN. (DSL) | n/a | :www.maxmind.com :www.getmyip.org :getmyip.co.uk EU:checkip.dyndns.org DE:131.220.6.26:80 EU:91.198.22.70:80 | 445 | pcap | raw alerts ruleset | http 4 lines | Yeah : 0.8 profile | none | summary tarball | 5 of 37 | 741c93f3c1 NEW | none[3] | none:none | UPX| | none | trace
T:09:02:00 | WinXP | 109.110.132.155 (JWS.COM): EU-ZZ, UK. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru :albat.somee.com **:boemaclasic.ro TH:www2.bpp.go.th :caetanojrecruz.adv.br DE:buyukfirsat.bu.funpic.org GB:www.bsnlondon.co.uk GR:dincermakinasanayi.com.tr :parex-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | none | 94227c2434 NEW | none[none] | none:none | none|none | none | none
10:20:00 | WinXP | 37.252.79.154 (-): . | n/a | DE:moscow-advokat.ru DE:82.98.86.164:6667 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 41 of 43 | 048b720afe NEW | none[none] | none:none | none|none | none | none
T:11:36:00 | WinXP | 181.16.32.128 (-): . | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none[0] | none:none | PolyEnE| | lines=68 | trace
12:40:00 | Win2K-f | 64.79.82.81 (-): . | n/a | US:trafficconverter.biz US:www.w3.org US:lvqpn.biz :imfmohgd.net US:szbxvv.biz :kamkmdnx.org :fxcnfpzdlvd.com :pfosw.net :qzkhwpu.org :elmundmod.org :daqxpoci.com :clqoopyirt.net :ruelhbzyjjw.net US:jfgnx.biz :mtwajexmcv.org :dftvnorumn.info US:asswle.biz :oliywvqufnw.net :wgnfab.net :ljpfbynsz.com :nlbhraq.info US:devhtlsta.biz :akhwrojdx.info :fzgyxp.net :sxtold.info :nkzilvzhykq.org :dvdlcbgtk.info :aiaoo.com :euxiduv.org :wqwfwakx.com :tqtiznlp.net :pdqljzgyymw.net US:yqilyyzcztr.biz :nprgwv.org :nxmxtopm.info :vtlmummjfb.info :zrpmtfalsiy.net US:axszsppby.biz :khngitkn.info :eoyjzx.info :crezgmre.net :iewqzpuz.info US:vpkvjzn.biz :yeekce.net US:hpfzuena.biz :idcsxykn.org :dlbcco.info :minlhkie.net :hsigctwb.info :gytwtdkv.info :egkpuyvhogd.info :lojjjw.com :bqgpqce.org :ilfdnbk.net :dalhlkwhho.net :igbtn.info US:druinrs.biz :xatbjnf.info :aprmowhw.org :dbxmx.net :pkmoudjws.info :wwvodggwqrb.info US:149.20.56.32:80 US:204.152.184.139:80 | 445 | pcap | raw alerts ruleset | http 17 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
15:45:00 | Win2K-f | 195.199.147.100 (SULINET.HU): BARDOS LAJOS ALTALANOS ISKOLA ES GIMNAZIUM, BUDAPEST, BUDAPEST, HU. (100Mbps) | n/a | US:www.yahoo.com :zqepymak.com US:hnyfgfacyk.biz :nkzilvzhykq.org :mysuwvhoic.com US:ajyczt.biz :ncfduanuhua.org US:fnynqjiohf.biz :zrpmtfalsiy.net :gyrxeern.com :qrlmdhnv.info :fzgyxp.net :daqxpoci.com US:qwatkyfeyo.biz :uwthpsrry.com US:otmbtwyaj.biz US:lpjrhzdk.biz :ljpfbynsz.com :nprgwv.org :aiaoo.com :bndcmjzitrt.info US:lvqpn.biz US:axszsppby.biz :apwqmuafevz.net :jgusbvvar.net :kamkmdnx.org :llcstftc.org US:druinrs.biz US:qnauli.biz :frtrymvns.org :svddkm.net US:szbxvv.biz :qrmncvth.com :kfeaijxwjz.net US:fveaped.biz :minlhkie.net US:snilwlqjzj.biz :fipej.org :aprmowhw.org :qowiazfdo.org :qgegeqhovm.info :tqtiznlp.net :vvsjekk.net :vavompwo.com :ovzlte.com :qjujgnuttu.org :qmpshbwn.net :crezgmre.net US:vpkvjzn.biz US:lbphomz.biz :tqcclvtkvk.org :mxmjfjky.com :tngzb.com :dvdlcbgtk.info :zmgfwawns.com US:hpcphsquuf.biz US:devhtlsta.biz US:bmbkmtwa.biz :gxwjmsoiw.com :bohbi.net :bhkptqqz.net US:149.20.56.32:80 US:204.152.184.139:80 | 445 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:17:49:00 | WinXP | 177.143.165.173 (-): . | 213.155.14.161:80 | DE:citi-bank.ru DE:www.kelesoglugroup.com :bleublanc.net TH:kabinburi.ac.th :bilimegitim.org :juvenopolis.org.br PT:buyukkarapinar.com EU:karenoil.com | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 38 of 42 | 0d1eb4df79 NEW | none[none] | none:none | none|none | none | none
18:50:00 | Win2K-f | 41.41.101.78 (-): . | n/a | US:www.ask.com :vgakbmem.info :swlns.net US:rtewisd.biz :tieomukyanh.com :jfpoepa.net :ilbjve.org :tbxzpdyct.com US:ehtyef.biz :cxgfqkanq.info :tqfvqkxb.com :eyrnknyyi.com :bfosusagnv.com :quhtukfp.info :azozrzyorvx.info :mzayj.com :gthexbcczh.info :eryrz.net :tlobdd.com :anchomei.info :csvlpx.org :azrkouqnxyq.info :dilarfg.info :gwlxjh.info :kfuveksv.com :ndsxwmrbrjr.com US:zjtncvnuez.biz :wadmfon.org US:pgsxolhlel.biz US:fpgdda.biz US:outqydtb.biz US:cmfmsbizvkd.biz :wyuemu.org :viffzdjjud.net :qufau.info :kcvbtvlds.org :gvbzzgry.net :mzfaw.com :astowx.com :pvjngkjz.com :fcgcplvbtkv.com :pptaosiw.org :jnydobsnzd.info :lgudgti.com :suycrcwefg.net :iyfhgdmraxo.info US:zehowdw.biz :vejuoqpf.net :momlray.com :inooboq.info :plsqjsp.org :odwjlx.net :obvqchqr.org :lknlfyjs.com :jsszfqf.com US:jmwbyc.biz :ugheswu.com :grrifwfjcdp.net :drioweactq.com :vnhzwut.com :igiroj.org US:204.152.184.139:80 | 445 | pcap | raw alerts ruleset | http 3 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
19:57:00 | Win2K-f | 185.9.157.213 (-): . | n/a | :www.maxmind.com :getmyip.co.uk :www.getmyip.org US:checkip.dyndns.org DE:131.220.6.26:80 | 445 | pcap | raw alerts ruleset | http 5 lines | Yeah : 0.8 profile | none | summary tarball | 2 of 37 | 223d8089f8 NEW | none[3] | none:none | StarForce| | none | trace
T:20:54:00 | WinXP | 113.52.212.164 (-): PCBNET, POHANG, KYONGSANG-BUKTO, KR. (DSL) | 148.81.111.111:65520 | PL:proxima.ircgalaxy.pl US:microsoft.com PL:148.81.111.111:65520 | 135 | pcap | raw alerts ruleset | irc 131 lines | Yeah : 1.8 profile | none | summary tarball | 40 of 41 / 39 of 41 | 1824c59f34 NEW / caaeb70f9f NEW | da8a48fc3a [0] / fdabb272e7 [0] | ASM:Graph / ASM:Graph | tElock| / Armadillo| | lines=112 embedded dns / lines=91 | trace / trace
22:23:00 | Win2K-f | 117.239.70.227 (10/24.BSNL.IN): NIB (NATIONAL INTERNET BACKBONE), NEW DELHI, DELHI, IN. (DSL) | n/a | :www.maxmind.com :getmyip.co.uk :www.getmyip.org US:checkip.dyndns.org 174.36.207.186:80 EU:91.198.22.70:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX| | lines=174 embedded dns | trace
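Added example (Python, not code from this page or from the BotHunter project): a parser for the pipe-separated rows above and the two pivots an analyst wants first from such a table, which victims share C&C or lookup infrastructure, and which sessions look like a domain-generation algorithm (dozens of distinct, mostly random-looking domains in one infection, as in the "Argh : 0.3 profile" rows). Five rows are copied from the table as constructed sample input. The "random-looking label" heuristic (consonant runs, vowel ratio) and the thresholds of 20 domains and a 50% random fraction are assumptions chosen for illustration, not BotHunter features; the per-name heuristic mislabels some legitimate names (dyndns scores as random), which is why the flag is applied to a whole session rather than to single names.

```python
# Added example: parse rows of the infection-profile table (one pipe-separated
# record per line, fields in the page's header order) and pivot on the C&C and
# DNS-lookup columns. Thresholds are assumptions for illustration only.
import re
from collections import defaultdict

FIELDS = ("Time | Victim OS | Infection Source | C&C Server | "
          "DNS Lookups & Failed Connects | Infection Port | Packet Trace | "
          "Detection Signatures | Infection Chatter | BotHunter Analysis | "
          "Behavioral Cluster | Forensic Logs | Antivirus Labels | "
          "Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | "
          "Packer PEID | Data Strings | Syscall Trace").split(" | ")

# Constructed sample input: five rows copied from the table above.
SAMPLE_ROWS = [
    "00:19:00 | Win2K-f | 98.87.167.241 (BELLSOUTH.NET): BELLSOUTH.NET INC, ATLANTA, "
    "GEORGIA, US. (DSL) | n/a | CN:www.baidu.com :egkpuyvhogd.info :irvmlqs.org "
    ":nxmxtopm.info US:druinrs.biz :smcwn.com US:yqilyyzcztr.biz US:tgehuntgi.biz "
    "US:hpfzuena.biz :yufkjtvl.info :dvdlcbgtk.info :aiaoo.com :jgusbvvar.net "
    ":bqhfswzcehj.net :awgvguypkdv.info :zpqaebyo.org :jqbemubjjs.net :wqwfwakx.com "
    ":qekwihxxpz.net :idcsxykn.org :xctljjjutss.com :dalhlkwhho.net US:yoweb.biz "
    ":hoxxfuivmth.com US:jfgnx.biz US:qotcqarjvk.biz US:lpjrhzdk.biz :chvhqyjeuks.org "
    ":qmpshbwn.net :vvsjekk.net US:evymnbws.biz 122.112.32.142:80 US:149.20.56.32:80 "
    "US:204.152.184.139:80 | 445 | pcap | raw alerts ruleset | http 16 lines | Argh : 0.3 "
    "profile | none | summary tarball | none | none | none | none | none | none | none",
    "T:00:59:00 | WinXP | 122.52.37.196 (PLDT.NET): IPG, MANILA, MANILA, PH. (DSL) | "
    "213.155.14.161:80 | DE:citi-bank.ru :parex-bank.ru | 445 | pcap | raw alerts ruleset | "
    "http 2 lines | Yeah : 1.3 profile | none | summary tarball | 41 of 43 | 67db574df4 NEW | "
    "none[none] | none:none | none|none | none | none",
    "04:35:00 | Win2K-f | 185.9.158.26 (-): . | n/a | :www.maxmind.com :www.getmyip.org "
    ":getmyip.co.uk US:checkip.dyndns.org 174.36.207.186:80 | 445 | pcap | raw alerts ruleset | "
    "http 2 lines | Yeah : 0.8 profile | none | summary tarball | 2 of 37 | 223d8089f8 NEW | "
    "none[3] | none:none | StarForce| | none | trace",
    "T:11:36:00 | WinXP | 181.16.32.128 (-): . | n/a | DE:citi-bank.ru DE:213.155.14.161:80 | "
    "445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | "
    "26 of 28 | 7d99b0e910 NEW | none[0] | none:none | PolyEnE| | lines=68 | trace",
    "19:57:00 | Win2K-f | 185.9.157.213 (-): . | n/a | :www.maxmind.com :getmyip.co.uk "
    ":www.getmyip.org US:checkip.dyndns.org DE:131.220.6.26:80 | 445 | pcap | raw alerts ruleset | "
    "http 5 lines | Yeah : 0.8 profile | none | summary tarball | 2 of 37 | 223d8089f8 NEW | "
    "none[3] | none:none | StarForce| | none | trace",
]
IP_PORT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
LOOKUP = re.compile(r"^(?:([A-Z*]{2}))?:(.+)$")  # optional country prefix, then the target
VOWELS = set("aeiouy")

def parse_lookups(field):
    # 'US:www.ask.com :foo.net DE:1.2.3.4:80 5.6.7.8:80' -> [(country, target), ...]
    out = []
    for tok in field.split():
        m = LOOKUP.match(tok)
        country, target = (m.group(1) or "", m.group(2)) if m else ("", tok)
        out.append((country, target.lower()))
    return out

def parse_row(line):
    cells = [c.strip() for c in line.split(" | ")]
    if len(cells) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(cells)}")
    rec = dict(zip(FIELDS, cells))
    rec["victim_ip"] = rec["Infection Source"].split()[0]
    rec["lookups"] = parse_lookups(rec["DNS Lookups & Failed Connects"])
    return rec

def domain_label(host):
    # Leftmost label after dropping a leading www/www2: 'www2.bpp.go.th' -> 'bpp'
    labels = host.split(".")
    if len(labels) > 1 and re.fullmatch(r"www\d*", labels[0]):
        labels = labels[1:]
    return labels[0]

def looks_generated(label):
    """Crude DGA-likeness: a long consonant run or an extreme vowel ratio (assumed cut-offs)."""
    label = label.lower()
    if len(label) < 5 or any(ch.isdigit() for ch in label):
        return False
    ratio = sum(ch in VOWELS for ch in label) / len(label)
    run = longest = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4 or ratio <= 0.2 or ratio >= 0.8

def domains(rec):
    """Distinct host names looked up in the session; IP:port entries are excluded."""
    return sorted({t for _, t in rec["lookups"] if not IP_PORT.match(t)})

def random_fraction(rec):
    d = domains(rec)
    return sum(looks_generated(domain_label(h)) for h in d) / len(d) if d else 0.0

def dga_suspect(rec, min_domains=20, min_fraction=0.5):
    """Flag a whole session: many distinct, mostly random-looking domains."""
    return len(domains(rec)) >= min_domains and random_fraction(rec) >= min_fraction

def shared_indicators(records):
    """indicator -> victim IPs, for C&C servers and lookup targets seen on 2+ victims."""
    seen = defaultdict(set)
    for rec in records:
        targets = {t for _, t in rec["lookups"]}
        if rec["C&C Server"] != "n/a":
            targets.add(rec["C&C Server"].lower())
        for t in targets:
            seen[t].add(rec["victim_ip"])
    return {t: ips for t, ips in seen.items() if len(ips) >= 2}

if __name__ == "__main__":
    recs = [parse_row(r) for r in SAMPLE_ROWS]
    for rec in recs:
        print(f"{rec['Time']:>10} {rec['victim_ip']:<16} domains={len(domains(rec)):2d} "
              f"random={random_fraction(rec):.2f} dga_suspect={dga_suspect(rec)}")
    for ind, ips in sorted(shared_indicators(recs).items()):
        print(f"shared: {ind} -> {sorted(ips)}")
```

Run directly, it prints one summary line per row and then the shared indicators: in the sample, 213.155.14.161:80 and citi-bank.ru link two victims (once as the C&C column, once as a lookup), the maxmind/getmyip/checkip lookups link two more, and only the BELLSOUTH row (31 distinct domains, roughly four in five scoring as random) trips the DGA flag. The session-level rule is deliberate: any per-name heuristic this simple will misfire on names like dyndns, but a single infected host resolving dozens of such names within minutes is a much stronger signal than any one of them.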