Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace
01:09:00 | Win2K-f | 78.106.181.160 (CORBINA.RU): BROADBAND CUSTOMERS IN MOSCOW, MOSCOW, MOSCOW CITY, RU. (DSL) | n/a | EE:www.starman.ee FI:194.215.38.135:80 EE:62.65.192.24:80 | 445 | pcap | raw alerts ruleset | other 0 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
01:14:00 | Win2K-f | 114.27.85.153 (HINET.NET): CHTD CHUNGHWA TELECOM CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | EE:www.starman.ee EE:www.online.if.ee FI:194.215.38.135:80 EE:195.50.195.10:443 EE:62.65.192.24:80 | 445 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
01:19:00 | Win2K-f | 82.91.29.216 (BUSINESS.TELECOMITALIA.IT): TELECOM ITALIA S.P.A, COMO, LOMBARDIA, IT. (DSL) | n/a | EE:www.starman.ee FI:194.215.38.135:80 EE:62.65.192.24:80 | 445 | pcap | raw alerts ruleset | other 0 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
01:39:00 | Win2K-f | 36.3.143.162 (-): . | n/a | EE:www.starman.ee FI:www.if.ee FI:194.215.38.135:80 US:204.152.184.139:80 EE:62.65.192.25:80 | 445 | pcap | raw alerts ruleset | other 0 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
01:48:00 | Win2K-f | 118.166.59.228 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | US:www.w3.org :qpgntejc.org :lfusdzkg.info US:uifmhnvguw.biz :kgikjylvsb.info :neypryrb.net US:oupzvbjb.biz :bqulvhv.com :qfmoubyg.org :pagwwccp.net :mblhuod.org :caltf.info US:tasiiokwbt.biz US:adxccxj.biz :uweumkndpym.com :nhbny.com :gzwal.net :yyhgbf.com :qucspftof.net :mttsk.org :jvtsbt.com :bixnusjb.info :sufjla.com US:fquzfkbd.biz US:vqpmz.biz :nfjema.com :vtbltlnz.org :tsxzhooqk.net :ntiqikntijx.org :cnbnvvyuzwl.info :lpvkuut.org :kqzztqfvab.org US:wogviz.biz :xzoohso.org :wrpgqppz.com :cfxdm.net :fwbavv.com :nzgkozvetc.com :zzbxlwxpazu.net :gasrgasj.info :egpym.net :xwpryujuo.com US:jmslen.biz :qjbqrb.org :gpglark.info :ghltmsunsy.info :hyftspkd.net :wdbhju.org :spfol.net :tjjicxfs.com :imgquwe.info :tbtboai.org :ocyinmgqol.org US:qdkffrxt.biz :fwijenhgibu.info :sbayjfgakpl.net :fnehguuihcg.org :iaevchrbzft.org :lupuh.org :kcshdzekcuc.info :mrpyfiqrqdk.info US:vsezhm.biz :hqapdpomyb.org :kqicxbn.net US:yjajseeydsh.biz :pzwkoruerja.info US:igqathwa.biz :clzlkqsrz.org :cpbdu.net :tnuicdmeoi.info US:toick.biz :wkvxdzjo.net US:jtgzl.biz :dxxzqo.org :ovksinfo.org :kccrevrc.net US:149.20.56.32:80 US:149.20.56.34:80 US:204.152.184.139:80 | 445 | pcap | raw alerts ruleset | http 20 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
02:40:00 | Win2K-f | 94.84.202.244 (-): EUROPRINT SRL, IT. (100Mbps) | n/a | EE:www.starman.ee FI:www.if.ee FI:194.215.38.135:80 US:204.152.184.139:80 | 445 | pcap | raw alerts ruleset | other 0 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
02:44:00 | Win2K-f | 2.93.48.89 (-): . | n/a | EE:www.starman.ee EE:www.online.if.ee FI:www.if.ee FI:194.215.38.135:80 EE:195.50.195.10:443 | 445 | pcap | raw alerts ruleset | other 0 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
04:35:00 | Win2K-f | 187.45.227.202 (VELOXZONE.COM.BR): COMITE GESTOR DA INTERNET NO BRASIL, BR. (DSL) | n/a | US:www.w3.org :vtbltlnz.org :zrifdy.net :viytuntqtg.org :jkmoerxzsly.info US:igqathwa.biz US:ddzpsmd.biz :udflbjunq.com :gttwi.com :wrjgqqvg.info :nubry.com :tnuicdmeoi.info :fjyyqmjn.org :ekfvmnlg.org :yfhbodqqsm.net :lpvkuut.org :tsxzhooqk.net :iflbyrpi.com :bqgyw.org :sqsgcftllw.org :zwopsyrl.com :svsumyao.com :cfljcak.net :trhzcjjyv.net :mhafsow.org :ngleaxdadbq.org :slltrk.com :bfvbdoqbq.info :swezdvm.com :vemdefyuw.com :baxsalarbr.info US:uifmhnvguw.biz :pztggmp.com US:fquzfkbd.biz US:fazlhiwo.biz :mttsk.org :gbfhhheylub.net US:wogviz.biz :cpbdu.net US:vqpmz.biz :bixnusjb.info US:pqzbufonn.biz :gxodog.com US:qebti.biz :wttmxhzdm.info :zfziftp.org :ntiqikntijx.org :qucspftof.net :hyftspkd.net :assbiitsbi.net :bqulvhv.com :kgikjylvsb.info :lyleyqnp.com US:yjajseeydsh.biz :vqzgzbivevt.net :lkfdqsviu.com :snlyqblu.org :rawtgfh.net US:qdkffrxt.biz US:yrxnu.biz :mprusncvxfb.net :jnukiybjaow.info US:tasiiokwbt.biz :caltf.info :mvgpzuoi.com :hhzmashmey.org :bdqvfrwrqr.net :uixfd.net :hqapdpomyb.org :xvdgyecpl.info :edjtruulaiz.com US:128.30.52.37:80 US:149.20.56.32:80 FI:194.215.38.135:80 US:204.152.184.139:80 EE:62.65.192.24:80 | 445 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:06:48:00 | WinXP | 93.157.153.1 (HISPEED.PL): USLUGI INTERNETOWE MAJESTIC, WARSAW, WARSZAWA, PL. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru CA:jewellerybazaar.net BR:casaebar.com.br :canossadhule.in :cansesiasknefesi.com DE:how2gethazanat.ho.funpic.de :www.evishop.de :chihuahuaupinghome.com | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41 | 76d2a5a1ef NEW | none[none] | none:none | none|none | none | none
07:15:00 | Win2K-f | 59.99.145.119 (10/24.BSNL.IN): NIB (NATIONAL INTERNET BACKBONE), NEW DELHI, DELHI, IN. (DSL) | n/a | EE:www.starman.ee FI:194.215.38.135:80 EE:195.50.195.10:443 EE:62.65.192.24:80 | 445 | pcap | raw alerts ruleset | other 0 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:07:18:00 | WinXP | 93.157.153.1 (HISPEED.PL): USLUGI INTERNETOWE MAJESTIC, WARSAW, WARSZAWA, PL. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru CA:jewellerybazaar.net BR:casaebar.com.br :canossadhule.in :cansesiasknefesi.com DE:how2gethazanat.ho.funpic.de :www.evishop.de :chihuahuaupinghome.com IN:dehaspas.com TR:devdijital.com US:sobrenaturalbr.net BR:direitopublico.com.br US:kidos-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41 | 76d2a5a1ef NEW | none[none] | none:none | none|none | none | none
14:08:00 | Win2K-f | 96.25.201.76 (CLEARWIRE-DNS.NET): CLEARWIRE US LLC, PORTLAND, TEXAS, US. (DSL) | n/a | CN:www.baidu.com :evhqnguqlw.com :zsrwqb.org :pzwkoruerja.info :ruycf.net :lnylu.info :lfoeiqh.net :gttwi.com :bixnusjb.info US:fquzfkbd.biz :sulkbrvyndc.net :ggzfkfvv.com :clzlkqsrz.org :qjadlijrxp.info :imgquwe.info US:pqzbufonn.biz :pysqfzb.org :gpglark.info :ssqhub.org US:ivsjbhwcbjc.biz :wotzx.net :iwzrmqaj.net :bqgyw.org US:ddzpsmd.biz :cpbdu.net :svsumyao.com :yotwpyiqkky.org US:jmslen.biz :ngleaxdadbq.org :ghsklylps.info :iaevchrbzft.org US:149.20.56.32:80 US:204.152.184.139:80 CN:220.181.111.147:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
15:51:00 | Win2K-f | 220.132.198.210 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | :www.maxmind.com :getmyip.co.uk :www.getmyip.org US:checkip.dyndns.org 174.36.207.186:80 US:204.152.184.139:80 | 139 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:16:43:00 | WinXP | 93.157.157.142 (HISPEED.PL): USLUGI INTERNETOWE MAJESTIC, PL. (DSL) | 213.155.14.161:80 | DE:citi-bank.ru CA:jewellerybazaar.net BR:casaebar.com.br :canossadhule.in :cansesiasknefesi.com DE:how2gethazanat.ho.funpic.de :www.evishop.de :chihuahuaupinghome.com IN:dehaspas.com TR:devdijital.com US:sobrenaturalbr.net | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 37 of 43 | ca3e3b13f3 NEW | none[none] | none:none | none|none | none | none
T:17:15:00 | Win2K-f | 211.155.29.6 (SRT.COM.CN): GUANGZHOU CSTEL COMPANY, GUANGZHOU, GUANGDONG, CN. (DSL) | n/a | FI:www.if.ee EE:www.starman.ee US:microsoft.com FI:194.215.38.135:80 EE:62.65.192.24:80 | 445 | pcap | raw alerts ruleset | other 0 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
17:28:00 | Win2K-f | 181.17.140.165 (-): . | n/a | :www.maxmind.com DE:131.220.6.26:80 | 445 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
19:32:00 | Win2K-f | 85.119.147.42 (TURPION.RU): ACNET, RU. (DSL) | n/a | :www.maxmind.com US:checkip.dyndns.org :getmyip.co.uk :www.getmyip.org 174.36.207.186:80 EU:91.198.22.70:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX| | lines=174 embedded dns | trace
19:36:00 | Win2K-f | 108.175.232.44 (-): . | n/a | EE:www.starman.ee FI:www.if.ee FI:194.215.38.135:80 EE:62.65.192.24:80 EE:62.65.192.25:80 | 445 | pcap | raw alerts ruleset | other 0 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
20:50:00 | Win2K-f | 121.126.192.131 (BLUEMOUNTAINSOFT.COM): HAIONNET, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | n/a | EE:www.starman.ee FI:www.if.ee FI:194.215.38.135:80 US:204.152.184.139:80 EE:62.65.192.24:80 | 445 | pcap | raw alerts ruleset | other 0 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
21:06:00 | Win2K-f | 115.31.183.221 (BEENETS.COM): BB BROADBAND CO. LTD, TH. (DSL) | n/a | EE:www.online.if.ee EE:www.starman.ee FI:194.215.38.135:80 EE:195.50.195.10:443 EE:62.65.192.24:80 | 445 | pcap | raw alerts ruleset | http 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none