|
Time |
Victim OS |
Infection Source |
C&C Server |
DNS Lookups & Failed Connects |
Infection Port |
Packet Trace |
Detection Signatures |
Infection Chatter |
BotHunter Analysis |
Behavioral Cluster |
Forensic Logs |
Antivirus Labels |
Packed Malware_Binary |
Unpacked egg.exe |
Unpacked egg.asm |
Packer PEID |
Data Strings |
Syscall Trace |
| 01:33:00 | Win2K-f | 42.112.16.150 (-): . |
n/a | :www.maxmind.com US:checkip.dyndns.org 174.36.207.186:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
5 of 37 | 741c93f3c1 NEW |
none[3] | none:none |
UPX| | none | trace |
| T:01:41:00 | Win2K-f | 42.112.16.150 (-): . |
n/a | :www.maxmind.com :getmyip.co.uk :www.getmyip.org US:checkip.dyndns.org DE:131.220.6.26:80 |
445 | pcap | raw alerts ruleset |
http 4 lines |
Yeah : 0.8 profile |
none | summary tarball |
5 of 37 40 of 43 3 of 37 |
741c93f3c1 NEW ac1d14519f NEW d9cb288f31 NEW |
none[3] none [none] 45603a001c[0] |
none:none none:none ASM:Graph |
UPX| none|none UPX| |
none none lines=174 embedded dns |
trace none trace |
| T:04:15:00 | WinXP | 5.228.51.56 (-): . |
n/a | PT:siliconfireware.ru | 445 | pcap | raw alerts ruleset |
http http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
41 of 43 5 of 37 40 of 43 3 of 37 29 of 29 |
048b720afe NEW 741c93f3c1 NEW ac1d14519f NEW d9cb288f31 NEW df17a625ee NEW |
none[none] none [3] none [none] 45603a001c[0] none [0] |
none:none none:none none:none ASM:Graph none:none |
none|none UPX| none|none UPX| ASPack| |
none none none lines=174 embedded dns lines=298 embedded dns |
none trace none trace trace |
| T:05:06:00 | Win2K-f | 118.221.56.86 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) |
148.81.111.111:65520 | PL:proxima.ircgalaxy.pl US:microsoft.com |
135 | pcap | raw alerts ruleset |
irc 137 lines |
Yeah : 1.8 profile |
none | summary tarball |
39 of 41 31 of 33 |
ab9c4b5f21 NEW d789c8d157 NEW |
5fe48b2dcc [0] 5f6572479f[0] |
ASM:Graph ASM:Graph |
Armadillo| PolyEnE| |
lines=42 lines=113 embedded dns |
trace trace |
| 05:36:00 | Win2K-f | 190.137.153.250 (NET.AR): TORANZO HECTOR, AR. (100Mbps) |
n/a | :www.maxmind.com :www.getmyip.org US:checkip.dyndns.org 174.36.207.186:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | d9cb288f31 NEW |
45603a001c [0] | ASM:Graph |
UPX| | lines=174 embedded dns |
trace |
| T:07:05:00 | Win2K-f | 61.150.5.66 (163DATA.COM.CN): XI'AN DATA BRANCH XIAN CITY SHAANXI PROVINCE, XIAN, SHAANXI, CN. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 114 lines |
Yeah : 1.3 profile |
none | summary tarball |
41 of 43 40 of 41 5 of 37 40 of 43 3 of 37 41 of 43 29 of 29 |
048b720afe NEW 5799ab6538 NEW 741c93f3c1 NEW ac1d14519f NEW d9cb288f31 NEW ddbe111920 NEW df17a625ee NEW |
none[none] 2713679411[0] none [3] none [none] 45603a001c[0] none [none] none [0] |
none:none ASM:Graph none:none none:none ASM:Graph none:none none:none |
none|none tElock| UPX| none|none UPX| none|none ASPack| |
none lines=64 embedded dns none none lines=174 embedded dns none lines=298 embedded dns |
none trace trace none trace none trace |
| T:09:38:00 | WinXP | 24.43.158.220 (RR.COM): ROAD RUNNER HOLDCO LLC, LOS ANGELES, CALIFORNIA, US. (DSL) |
n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset |
other 110 lines |
Yeah : 1.3 profile |
none | summary tarball |
40 of 43 40 of 43 3 of 37 41 of 42 |
0968b858ed NEW ac1d14519f NEW d9cb288f31 NEW e5ed46b017 NEW |
none[none] none [none] 45603a001c[0] none [none] |
none:none none:none ASM:Graph none:none |
none|none none|none UPX| none|none |
none none lines=174 embedded dns none |
none none trace none |
| T:09:39:00 | WinXP | 89.145.131.32 (-): HOME ETHERNET NETWORK, RU. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
41 of 43 5 of 37 none 40 of 43 3 of 37 29 of 29 |
048b720afe NEW 741c93f3c1 NEW 94227c2434 NEW ac1d14519f NEW d9cb288f31 NEW df17a625ee NEW |
none[none] none [3] none [none] none [none] 45603a001c[0] none [0] |
none:none none:none none:none none:none ASM:Graph none:none |
none|none UPX| none|none none|none UPX| ASPack| |
none none none none lines=174 embedded dns lines=298 embedded dns |
none trace none none trace trace |
| T:10:37:00 | WinXP | 119.15.232.128 (TCOL.COM.TW): E-MAX NETWORK CORP, TAIPEI, T'AI-PEI, TW. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
26 of 28 | 7d99b0e910 NEW |
none[0] | none:none |
PolyEnE| | lines=68 | trace |
| 10:38:00 | Win2K-f | 182.73.225.116 (-): . |
n/a | :www.maxmind.com US:checkip.dyndns.org 174.36.207.186:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | d9cb288f31 NEW |
45603a001c [0] | ASM:Graph |
UPX| | lines=174 embedded dns |
trace |
| T:10:48:00 | Win2K-f | 182.73.225.116 (-): . |
n/a | :www.maxmind.com :www.getmyip.org US:checkip.dyndns.org DE:131.220.6.26:80 174.36.207.186:80 |
445 | pcap | raw alerts ruleset |
http 4 lines |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | d9cb288f31 NEW |
45603a001c [0] | ASM:Graph |
UPX| | lines=174 embedded dns |
trace |
| 12:30:00 | WinXP | 37.252.72.200 (-): . |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
41 of 42 | a4140e4032 NEW |
none[none] | none:none |
none|none | none | none |
| 14:39:00 | Win2K-f | 209.62.53.98 (THEPLANET.COM): THEPLANET.COM INTERNET SERVICES INC, DALLAS, TEXAS, US. (DSL) |
n/a | :www.maxmind.com EU:checkip.dyndns.org :www.getmyip.org :getmyip.co.uk 174.36.207.186:80 EU:91.198.22.70:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | d9cb288f31 NEW |
45603a001c [0] | ASM:Graph |
UPX| | lines=174 embedded dns |
trace |
| T:15:30:00 | Win2K-f | 71.72.41.72 (RR.COM): ROAD RUNNER HOLDCO LLC, ERIE, PENNSYLVANIA, US. (DSL) |
n/a | 135 | pcap | raw alerts ruleset |
other 1002 lines |
Yeah : 1.3 profile |
none | summary tarball |
41 of 43 5 of 37 40 of 43 3 of 37 none 29 of 29 |
048b720afe NEW 741c93f3c1 NEW ac1d14519f NEW d9cb288f31 NEW df0d6f0f55 NEW df17a625ee NEW |
none[none] none [3] none [none] 45603a001c[0] none [none] none [0] |
none:none none:none none:none ASM:Graph none:none none:none |
none|none UPX| none|none UPX| none|none ASPack| |
none none none lines=174 embedded dns none lines=298 embedded dns |
none trace none trace none trace |
|
| 17:11:00 | Win2K-f | 121.97.99.40 (BTI.NET.PH): BAYANTEL BROADBAND DSL - NETPREMIUM, QUEZON CITY, QUEZON CITY, PH. (DSL) |
n/a | :www.maxmind.com :www.getmyip.org :getmyip.co.uk US:checkip.dyndns.org 174.36.207.186:80 EU:91.198.22.70:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | d9cb288f31 NEW |
45603a001c [0] | ASM:Graph |
UPX| | lines=174 embedded dns |
trace |
| T:18:40:00 | WinXP | 190.209.104.5 (-): TELMEX CHILE S.A HFC, CL. (DSL) |
n/a | DE:citi-bank.ru DE:213.155.14.161:80 |
445 | pcap | raw alerts ruleset |
http 1 line |
Yeah : 0.8 profile |
none | summary tarball |
40 of 43 3 of 37 |
ac1d14519f NEW d9cb288f31 NEW |
none[none] 45603a001c[0] |
none:none ASM:Graph |
none|none UPX| |
none lines=174 embedded dns |
none trace |
| 23:05:00 | Win2K-f | 113.253.6.14 (HUTCHCITY.COM): HUTCHISON GLOBAL COMMUNICATIONS, HONG KONG, HONG KONG (SAR), HK. (DSL) |
n/a | :www.maxmind.com :www.getmyip.org US:checkip.dyndns.org 174.36.207.186:80 |
445 | pcap | raw alerts ruleset |
http 2 lines |
Yeah : 0.8 profile |
none | summary tarball |
3 of 37 | d9cb288f31 NEW |
45603a001c [0] | ASM:Graph |
UPX| | lines=174 embedded dns |
trace |