| Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| T:00:41:00 | WinXP | 141.136.95.200 (TERMBILLING.COM): VARIOUS REGISTRIES, UK. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 41 of 42 | a4140e4032 NEW | none[none] | none:none | none\|none | none | none |
| 01:22:00 | WinXP | 141.136.95.200 (TERMBILLING.COM): VARIOUS REGISTRIES, UK. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 41 of 42 | a4140e4032 NEW | none[none] | none:none | none\|none | none | none |
| T:05:03:00 | WinXP | 94.52.71.104 (-): NEW COM TELECOMUNICATII SA, BUCHAREST, BUCURESTI, RO. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none[0] | none:none | PolyEnE\| | lines=68 | trace |
| 05:27:00 | Win2K-f | 113.160.178.170 (LOCALHOST): VIETNAM POST AND TELECOM CORPORATION, VN. (DSL) | n/a | US:www.yahoo.com :aanmtl.com US:knkavvxf.biz :srvbgh.com :anbwqojn.net :shuhxstyk.org :nbcwugk.net :zzalnxdsn.org :vojua.org :fqosvywt.org :sabbilhg.info :zhjtfggzdz.net :tberbwrt.org US:xpxptycc.biz :uhtoyayeixg.org :usgxm.org US:aizlvwtqi.biz :bdykqu.net :rhmbcjiam.info :zeckyrguwil.net :bcddawagyzz.net :offipgk.com :tanaiggf.com :krcnffb.com :jhvnrac.org US:awjsqrt.biz :crbupq.com US:rrvtiiuing.biz US:zmtjsc.biz :ozptz.net :eayaddetsb.net :bdtbccigq.net US:nwnya.biz US:rfudzrc.biz :uekviply.com :mrskbb.com :jjudhibx.com :oxboacw.org :tmkdmxfxyc.com :ipfpjlwgevu.info :hnzoqozssg.com :iayhngvdbko.net :qreitpwemr.org :dmxlk.org :fvzvvhy.com :ckevynw.info :actraemnc.com :qowhpawq.com :egxwhp.org :biivupeq.com :zcxojyspd.info :nootzfkfj.info :mclsfla.info :vhaqimweewt.net :mmfykrngfmn.net :hxwureqe.com :bcjwmfr.org :wbzruno.net US:wleocs.biz :bccwjnez.org :ojgwgotu.com US:149.20.56.32:80 US:204.152.184.139:80 | 445 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:05:41:00 | WinXP | 89.145.131.32 (-): HOME ETHERNET NETWORK, RU. (DSL) | n/a | DE:citi-bank.ru :albat.somee.com **:boemaclasic.ro TH:www2.bpp.go.th :caetanojrecruz.adv.br DE:buyukfirsat.bu.funpic.org GB:www.bsnlondon.co.uk GR:dincermakinasanayi.com.tr | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | none | 94227c2434 NEW | none[none] | none:none | none\|none | none | none |
| T:10:08:00 | WinXP | 69.170.235.114 (BRIGHTOK.NET): CHICKASAW TELEPHONE, WEST PALM BEACH, FLORIDA, US. (DSL) | n/a | | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none |
| 10:12:00 | Win2K-f | 95.24.113.49 (CORBINA.RU): INVESTELEKTROSVIAZ LTD, MOSCOW, MOSCOW CITY, RU. (DSL) | n/a | US:204.152.184.139:80 EE:62.65.192.24:80 | 445 | pcap | raw alerts ruleset | http 16 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| 13:46:00 | Win2K-f | 200.27.136.101 (WEB2WIN-COST-GW.FIRSTCOM.CL): CLARO CHILE S.A, SANTIAGO, REGION METROPOLITANA, CL. (DSL) | n/a | | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:14:53:00 | WinXP | 70.60.132.174 (RR.COM): ROAD RUNNER HOLDCO LLC, COLUMBUS, OHIO, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 0 of 32 | 53bfe15e91 NEW 73f1082158 NEW | 1473091351 [0] none [0] | ASM:Graph none:none | tElock\| Armadillo\| | lines=75 embedded dns lines=90 | trace trace |
| 17:10:00 | Win2K-f | 185.9.157.225 (-): . | n/a | :www.maxmind.com :www.getmyip.org EU:checkip.dyndns.org DE:131.220.6.26:80 | 445 | pcap | raw alerts ruleset | http 5 lines | Yeah : 0.8 profile | none | summary tarball | 2 of 37 | 223d8089f8 NEW | none[3] | none:none | StarForce\| | none | trace |
| T:18:04:00 | WinXP | 70.184.171.55 (COX.NET): COX COMMUNICATIONS, VIRGINIA BEACH, VIRGINIA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 0 of 33 | 53bfe15e91 NEW a08f3b74a4 NEW | 1473091351 [0] none [0] | ASM:Graph none:none | tElock\| Armadillo\| | lines=75 embedded dns lines=90 | trace trace |
| 18:29:00 | Win2K-f | 118.104.163.196 (R-118-104-126-10.COMMUFA.JP): CHUBU TELECOMMUNICATIONS CO. INC, TOKYO, TOKYO, JP. (DSL) | n/a | :xkmxxu.info :lbaznrllmti.net :uiooar.com :tzibmpiun.com US:yzmwknrf.biz :qxyxpkp.com :ranfevurd.org US:ecdpivm.biz :gswykepwpm.com :zoirreupxx.net :tpmyfow.net :gluimlcht.org :ytwxuflzoh.net :ozgfduyned.com :lyrefsrpnmw.net :uscwaldx.net :fczwzsbn.org :ossxx.org :koxqeace.net US:oniuwicytv.biz US:149.20.56.32:80 US:204.152.184.139:80 | 445 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| 20:16:00 | Win2K-f | 122.52.11.3 (PLDT.NET): IPG, PH. (DSL) | n/a | EE:www.starman.ee EE:www.online.if.ee FI:www.if.ee FI:194.215.38.135:80 EE:195.50.195.10:443 US:204.152.184.139:80 EE:62.65.192.24:80 | 445 | pcap | raw alerts ruleset | http 7 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:21:37:00 | WinXP | 220.108.85.18 (PLALA.OR.JP): NTT PLALA INC, OSAKA, OSAKA, JP. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru US:kidos-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | none | d02d99bb62 NEW | none[none] | none:none | none\|none | none | none |