Clustering and Batch Analysis of APT1 sampleset

March 4, 2013 in Batch Analysis, Compromise Detection, Malware Analysis

Part 1, Part 2, Part 3

As I mentioned in my previous post, I was toying around with various samplesets (e.g. zero access, APT1, etc.) and since the APT1 sampleset is all over the news, I took a stab at it and sandboxed the samples + attempted to cluster the results to see if I any patterns emerge…

The sampleset – batch analysis

Encryption

Some of the samples use DES and the following passwords:

  • Hello@)!0
  • !b=z&7?cc,MQ
  • 1b=z7/lx+WK!
  • !b=z&7?cc,MQ>

File names / locations:

  • %USERPROFILE%\Application Data\Adobe8.0.0\update.exe
  • %USERPROFILE%\Application Data\Adobe\Reader 9.0\Esl\reader_sl.exe
  • %USERPROFILE%\Application Data\Adobe\reader_sl.exe
  • %USERPROFILE%\Application Data\Help\svchost.exe
  • %USERPROFILE%\Local Settings\Application Data\Microsoft\svchost.exe
  • %USERPROFILE%\Local Settings\Application Data\Microsoft\wuauclt.exe
  • %USERPROFILE%\Local Settings\spoolsvr.exe
  • %USERPROFILE%\Local Settings\Temp\AcroRD32.exe
  • %USERPROFILE%\Local Settings\Temp\AdobeARM.exe
  • %USERPROFILE%\LOCALS~1\Temp\17DC75.dmp
  • %USERPROFILE%\LOCALS~1\Temp\17DC85.dmp
  • %USERPROFILE%\LOCALS~1\Temp\17DD6F.dmp
  • %USERPROFILE%\LOCALS~1\Temp\17DD9E.dmp
  • %USERPROFILE%\LOCALS~1\Temp\17DDEC.dmp
  • %USERPROFILE%\LOCALS~1\Temp\17E7CF.dmp
  • %USERPROFILE%\LOCALS~1\Temp\17EE48.dmp
  • %USERPROFILE%\LOCALS~1\Temp\AdobeUpdate.exe
  • %USERPROFILE%\LOCALS~1\Temp\AdobeUpdater.exe
  • %USERPROFILE%\LOCALS~1\Temp\BP Makes Two Gas Discoveries in Egypt’s Nile Delta.doc
  • %USERPROFILE%\LOCALS~1\Temp\ctfmon.exe
  • %USERPROFILE%\LOCALS~1\Temp\ctfmon.exe\svchost.exe
  • %USERPROFILE%\LOCALS~1\Temp\em.exe
  • %USERPROFILE%\LOCALS~1\Temp\Halliburton to Present at Dahlman Rose & Co. Ultimate Oil Services And E&P Conference.pdf
  • %USERPROFILE%\LOCALS~1\Temp\iTunesHelper.exe
  • %USERPROFILE%\LOCALS~1\Temp\Material Type Ore 20160605.pdf
  • %USERPROFILE%\LOCALS~1\Temp\Open letter of Dow Corning Corp.pdf
  • %USERPROFILE%\LOCALS~1\Temp\POWER_GEN_2012.pdf
  • %USERPROFILE%\LOCALS~1\Temp\runinfo.exe
  • %USERPROFILE%\LOCALS~1\Temp\svchost.exe
  • %USERPROFILE%\LOCALS~1\Temp\Top Stock Alerts for Day Traders – Facebook, Freeport-McMoRan Copper & Gold, Fastenal, Research In Motion, EnCana, and Dollar General.doc
  • %USERPROFILE%\LOCALS~1\Temp\US hesitant in condemning North Korean launch.pdf
  • %USERPROFILE%\LOCALS~1\Temp\WINWORD.EXE
  • %USERPROFILE%\Start Menu\Programs\Startup\adobe_sl.lnk
  • %USERPROFILE%\Start Menu\Programs\Startup\AdobeRe.exe
  • %USERPROFILE%\Start Menu\Programs\Startup\ctfmon.exe
  • %USERPROFILE%\Templates\adobe_sl.exe
  • c:\WINDOWS\ntshrui.dll
  • C:\WINDOWS\ntshrui.dll1
  • C:\WINDOWS\svchost.exe
  • C:\WINDOWS\System32\Nwsapagent.dll
  • C:\WINDOWS\system\ersvc.dll
  • c:\WINDOWS\system\ersvc.dll

Mutexes:

  • !@ADS@#$
  • 1234
  • 1qaz@WSX
  • COPYRIGHTMM2011V2
  • fire
  • Geman.do
  • Global\AdobeReaderX
  • GLOBAL\ADR32
  • GLOBAL\ADR64
  • GLOBAL\MSFT64
  • Globxxxxxxxxssssseeeeeeal\ADReeeerrttyyyy64
  • hackersuck
  • ijnrfv
  • letusgohtppmmv1.0
  • letusgohtppmmv2.0.0.1

Services:

  • .Net CLR (Microsoft .Net Framework COM+ Support)
  • DevFS (Device File System)
  • DevFS (Device File System)
  • DevSec (Rpc Device Management)
  • InfMon (Infrared Monitor)
  • Nwsapagent (Gateway Service for Netware)
  • RasAuto (Remote Access Auto Connection Manager)
  • tcpguard (tcpguard)

Connections (note, may contain clean IPs/URLs):

  • 10.166.1.182
  • 127.0.0.1
  • 140.116.70.8
  • 143.89.35.19
  • 202.105.39.39
  • 202.39.61.136
  • 202.6.235.83
  • 203.200.205.245
  • 204.111.73.150
  • 205.159.83.91
  • 208.239.156.123
  • 209.124.51.194
  • 209.124.51.219
  • 209.151.145.185
  • 209.161.249.125
  • 209.208.114.83
  • 209.233.16.84
  • 209.253.17.229
  • 211.232.57.235
  • 212.130.19.154
  • 216.15.210.68
  • 218.232.105.200
  • 218.232.66.12
  • 218.233.206.2
  • 218.234.17.30
  • 24.73.192.154
  • 60.248.52.95
  • 61.219.67.1
  • 64.80.153.108
  • 65.105.157.228
  • 65.110.1.32
  • 65.114.195.226
  • 65.89.173.68
  • 66.151.16.30
  • 66.155.114.145
  • 66.170.3.43
  • 66.228.132.53
  • 68.17.104.162
  • 68.96.31.136
  • 69.20.5.219
  • 69.25.50.10
  • 69.28.168.10
  • 69.74.43.87
  • 69.90.123.6
  • 69.90.18.22
  • 69.90.18.23
  • 69.90.65.240
  • 70.62.232.98
  • 74.86.197.56
  • 75.145.139.18
  • admin.datastorage01.org
  • AdobeFlash.info.tm
  • cas.ibooks.tk
  • cas.m-e.org.ru
  • code.mcafeepaying.com
  • Colville.com
  • conference.ddns.us
  • ctcs.bigdepression.net
  • ctx.comrepair.net
  • dev.teamattire.com
  • documents.downloadsite.me
  • eclipsecti.infobusinessus.org
  • exactearth.info.tm
  • fasa.arrowservice.net
  • fasa.bigish.net
  • fasa.newsonet.net
  • flash.aoldaily.com
  • flash.aunewsonline.com
  • flash.cnndaily.com
  • flash.mcafeepaying.com
  • flash.usnewssite.com
  • fni.bigish.net
  • help.purpledaily.com
  • hint.happyforever.com
  • hojutsu.com
  • japan.yahoodaily.com
  • jimnaugle.com
  • johnford985.appspot.com
  • ks.aoldaily.com
  • ks.cnndaily.com
  • ks.jaimeastorga.mx
  • ks.manguvaljak.ee
  • ks.petrotdl.com.ar
  • ks.utworld.ch
  • media.finanstalk.ru
  • meeting.toh.info
  • moto.purpledaily.com
  • moto1.newsonet.net
  • moto2.earthsolution.org
  • news.canadatvsite.com
  • news.micyuisyahooapis.com
  • news.msnhome.org
  • olmusic100.com
  • portal.itsaol.com
  • public.ddns.us
  • qhun-mons.businessformars.com
  • report.crabdance.com
  • safety.canadatvsite.com
  • share.canoedaily.com
  • software.myftp.info
  • sports.canoedaily.com
  • stratos.aoldaily.com
  • stratos.mcafeepaying.com
  • tcw.homier.com
  • thecrownsgolf.org
  • time.mediaxsds.net
  • ttl.tfxdccssl.net
  • un.linuxd.org
  • update.dnepr.com
  • update.sektori.org
  • update.slowblog.com
  • us.gnpes.org
  • vop.earthsolution.org
  • wikileaks.ddns.us
  • www.bigish.net
  • www.bluecoate.com
  • www.businessformars.com
  • www.competrip.com
  • www.cvba.com
  • www.deebeedesigns.ca
  • www.doversolutions.co.in
  • www.drgeorges.com
  • www.dsds.co.kr
  • www.fbrshop.com
  • www.freelanceindy.com
  • www.gobroadreach.com
  • www.heliospartners.com
  • www.jiangmin.com.tw
  • www.kayauto.net
  • www.keenathomas.com
  • www.microsoft.com
  • www.mountainvalley.americanunfinished.com
  • www.mwa.net
  • www.newsesport.com
  • www.olmusic100.com
  • www.omegalogos.org
  • www.pastorsrest.com
  • www.pcs157.com
  • www.rbaparts.com
  • www.smilecare.com
  • www.spmiller.org
  • www.uszzcs.com
  • www.vwrm.com
  • www.woodagency.com
  • zh.lksoftvc.net

URLs and URL-like patterns (from static analysis; may contain errors)

  • 2.earthsolution.org
  • AdobeFlash.info.tm
  • www.mevatec.com
  • Colville.com
  • americanunfinished.com
  • aoldaily.com
  • appspot.com
  • aunewsonline.com
  • bigdepression.net
  • bluecoate.com
  • businessformars.com
  • canadatvsite.com
  • canoedaily.com
  • cnndaily.com
  • colville.com
  • com.tw
  • competrip.com
  • crabdance.com
  • cvba.com
  • datastorage01.org
  • ddns.us
  • deebeedesigns.ca
  • dnepr.com
  • doversolutions.co.in
  • drgeorges.com
  • dsds.co.kr
  • earthsolution.org
  • fbrshop.com
  • finanstalk.ru
  • freelanceindy.com
  • gnpes.org
  • gobroadreach.com
  • happyforever.com
  • hojutsu.com
  • homier.com
  • ibooks.tk
  • info.tm
  • itsaol.com
  • jimnaugle.com
  • kayauto.net
  • keenathomas.com
  • lksoftvc.net
  • mcafeepaying.com
  • mediaxsds.net
  • microsoft.com
  • micyuisyahooapis.com
  • msnhome.org
  • mwa.net
  • newsesport.com
  • newsonet.net
  • omegalogos.org
  • org.ru
  • pastorsrest.com
  • pcs157.com
  • purpledaily.com
  • rbaparts.com
  • sektori.org
  • slowblog.com
  • smilecare.com
  • spmiller.org
  • teamattire.com
  • tfxdccssl.net
  • thecrownsgolf.org
  • toh.info
  • usnewssite.com
  • uszzcs.com
  • vwrm.com
  • woodagency.com
  • yahoodaily.com
  • Hojutsu.com
  • Colville.com
  • Hojutsu.com
  • admin.datastorage01.org
  • cas.ibooks.tk
  • conference.ddns.us
  • ctcs.bigdepression.net
  • dev.teamattire.com
  • fasa.arrowservice.net
  • fasa.newsonet.net
  • fni.bigish.net
  • japan.yahoodaily.com
  • jimnaugle.com
  • media.finanstalk.ru
  • meeting.toh.info
  • moto.purpledaily.com
  • moto2.earthsolution.org
  • news.canadatvsite.com
  • news.micyuisyahooapis.com
  • news.msnhome.org
  • public.ddns.us
  • safety.canadatvsite.com
  • share.canoedaily.com
  • thecrownsgolf.org
  • time.mediaxsds.net
  • ttl.tfxdccssl.net
  • un.linuxd.org
  • update.dnepr.com
  • update.sektori.org
  • update.slowblog.com
  • us.gnpes.org
  • wikileaks.ddns.us
  • www.BusinessForMars.com
  • www.bigish.net
  • www.bluecoate.com
  • www.competrip.com
  • www.cvba.com
  • www.deebeedesigns.ca
  • www.doversolutions.co.in
  • www.drgeorges.com
  • www.dsds.co.kr
  • www.fbrshop.com
  • www.freelanceindy.com
  • www.gobroadreach.com
  • www.kayauto.net
  • www.keenathomas.com
  • www.microsoft.com
  • www.mountainvalley.americanunfinished.com
  • www.mwa.net
  • www.omegalogos.org
  • www.pastorsrest.com
  • www.rbaparts.com
  • www.smilecare.com
  • www.spmiller.org
  • www.vwrm.com
  • www.woodagency.com
  • zh.lksoftvc.net
  • K4Pu.ht
  • Olmusic100.com
  • Sdv.gf
  • Sh.sd
  • americanunfinished.com
  • aoldaily.com
  • appspot.com
  • aunewsonline.com
  • bigdepression.net
  • bluecoate.com
  • businessformars.com
  • canadatvsite.com
  • canoedaily.com
  • cnndaily.com
  • colville.com
  • com.tw
  • competrip.com
  • crabdance.com
  • cvba.com
  • datastorage01.org
  • ddns.us
  • deebeedesigns.ca
  • dnepr.com
  • doversolutions.co.in
  • drgeorges.com
  • dsds.co.kr
  • earthsolution.org
  • fbrshop.com
  • finanstalk.ru
  • freelanceindy.com
  • gnpes.org
  • gobroadreach.com
  • happyforever.com
  • hojutsu.com
  • homier.com
  • ibooks.tk
  • info.tm
  • itsaol.com
  • jimnaugle.com
  • kayauto.net
  • keenathomas.com
  • lksoftvc.net
  • mcafeepaying.com
  • mediaxsds.net
  • microsoft.com
  • micyuisyahooapis.com
  • msnhome.org
  • mwa.net
  • newsesport.com
  • newsonet.net
  • omegalogos.org
  • org.ru
  • pastorsrest.com
  • pcs157.com
  • purpledaily.com
  • rbaparts.com
  • sektori.org
  • slowblog.com
  • smilecare.com
  • spmiller.org
  • teamattire.com
  • tfxdccssl.net
  • thecrownsgolf.org
  • toh.info
  • usnewssite.com
  • uszzcs.com
  • vwrm.com
  • woodagency.com
  • yahoodaily.com
  • X:\command.com
  • admin.datastorage01.org
  • adobeflash.info.tm
  • asa.bigish.net
  • aspjk07@hotmail.com
  • att.infosupports.com
  • augle.com
  • bigdepression.net
  • bluecoate.com
  • businessus.org
  • canadatvsite.com
  • cas.ibooks.tk
  • cas.m-e.org.ru
  • code.mcafeepaying.com
  • colville.com
  • command.com
  • competrip.com
  • conference.ddns.us
  • content.ie
  • crz.dnsweb.org
  • ctcs.bigdepression.net
  • ctcs.earthsolution.org
  • ctx.comrepair.net
  • deebeedesigns.ca
  • dev.teamattire.com
  • dns.progammerli.com
  • dove.blackcake.net
  • drgeorges.com
  • e.canoedaily.com
  • eclipsecti.infobusinessus.org
  • eds1.infosupports.com
  • erence.ddns.us
  • essformars.com
  • exactearth.info.tm
  • fasa.arrowservice.net
  • fasa.bigish.net
  • fasa.newsonet.net
  • fbrshop.com
  • fetch.py
  • flash.aoldaily.com
  • flash.aunewsonline.com
  • flash.cnndaily.com
  • flash.mcafeepaying.com
  • flash.usnewssite.com
  • fni.bigish.net
  • freelanceindy.com
  • gateway.messenger.hotmail.com
  • gobroadreach.com
  • gro.sepng.su
  • h.lk
  • h:mm:ss.tt
  • help.purpledaily.com
  • hint.happyforever.com
  • hojutsu.co
  • hojutsu.com
  • hotmail.com
  • safety.canadatvsite.com
  • www.microsoft.com
  • admin.datastorage01.org
  • adobeflash.info.tm
  • cas.ibooks.tk
  • cas.m-e.org.ru
  • colville.com
  • conference.ddns.us
  • dev.teamattire.com
  • hint.happyforever.com
  • hojutsu.com
  • japan.yahoodaily.com
  • jimnaugle.com
  • media.finanstalk.ru
  • meeting.toh.info
  • news.canadatvsite.com
  • news.micyuisyahooapis.com
  • news.msnhome.org
  • portal.itsaol.com
  • public.ddns.us
  • report.crabdance.com
  • safety.canadatvsite.com
  • share.canoedaily.com
  • sports.canoedaily.com
  • tcw.homier.com
  • thecrownsgolf.org
  • time.mediaxsds.net
  • ttl.tfxdccssl.net
  • update.dnepr.com
  • update.sektori.org
  • update.slowblog.com
  • us.gnpes.org
  • wikileaks.ddns.us
  • www.bluecoate.com
  • www.businessformars.com
  • www.competrip.com
  • www.cvba.com
  • www.deebeedesigns.ca
  • www.doversolutions.co.in
  • www.drgeorges.com
  • www.dsds.co.kr
  • www.fbrshop.com
  • www.freelanceindy.com
  • www.gobroadreach.com
  • www.jiangmin.com.tw
  • www.kayauto.net
  • www.keenathomas.com
  • www.microsoft.com
  • www.mountainvalley.americanunfinished.com
  • www.mwa.net
  • www.newsesport.com
  • www.omegalogos.org
  • www.pastorsrest.com
  • www.pcs157.com
  • www.rbaparts.com
  • www.smilecare.com
  • www.spmiller.org
  • www.uszzcs.com
  • www.vwrm.com
  • www.woodagency.com
  • zh.lksoftvc.net
  • johnford985.appspot.com/fetch.py
  • code.mcafeepaying.com
  • ctcs.bigdepression.net
  • flash.aoldaily.com
  • flash.aunewsonline.com
  • flash.cnndaily.com
  • flash.mcafeepaying.com
  • flash.usnewssite.com
  • johnford985.appspot.com
  • ks.cnndaily.com
  • moto.purpledaily.com
  • moto1.newsonet.net
  • moto2.earthsolution.org
  • stratos.aoldaily.com
  • stratos.mcafeepaying.com
  • ic.ddns.us
  • ice.net
  • ille.com
  • ily.com
  • ing.toh.info
  • japan.yahoodaily.com
  • jimnaugle.com
  • johnford985.appspot.com
  • k.ca
  • kayauto.net
  • keenathomas.com
  • ks.aoldaily.com
  • ks.cnndaily.com
  • ks.jaimeastorga.mx
  • ks.manguvaljak.ee
  • ks.petrotdl.com.ar
  • ks.utworld.ch
  • m.ms
  • media.finanstalk.ru
  • meeting.toh.info
  • messenger.hotmail.com
  • microsoft.com
  • micyuisyahooapis.com
  • moc.yliadnnc.sk
  • moto.purpledaily.com
  • moto1.newsonet.net
  • moto2.earthsolution.org
  • mountainvalley.americanunfinished.com
  • msn.com
  • msnhome.org
  • mwa.net
  • n.datastorage01.org
  • n.linuxd.org
  • n.yahoodaily.com
  • news.canadatvsite.com
  • news.micyuisyahooapis.com
  • news.msnhome.org
  • nexus.passport.com
  • ni.bigish.net
  • nic.safalife.com
  • ntdetect.com
  • olmusic100.com
  • omegalogos.org
  • owservice.ne
  • pastorsrest.com
  • portal.itsaol.com
  • public.ddns.us
  • purpledaily.com
  • qhun-mons.businessformars.com
  • qusc12.infosupports.com
  • rbaparts.com
  • report.crabdance.com
  • rownsgolf.org
  • s.org
  • safety.canadatvsite.com
  • share.canoedaily.com
  • smilecare.com
  • sonet.net
  • sports.canoedaily.com
  • sra.blackcake.net
  • sra.infosupports.com
  • ssus.org
  • stratos.aoldaily.com
  • stratos.mcafeepaying.com
  • tcw.homier.com
  • te.dnepr.com
  • teamattire.com
  • thecrownsgolf.org
  • time.mediaxsds.net
  • tsu.com
  • ttl.tfxdccssl.net
  • ty.canadatvsite.com
  • un.linuxd.org
  • update.dnepr.com
  • update.mcafeepaying.com
  • update.sektori.org
  • update.slowblog.com
  • us.gnpes.org
  • usc12.blackcake.net
  • vop.earthsolution.org
  • vwrm.com
  • w.com
  • us.gn
  • wikileaks.ddns.us
  • woodagency.com
  • ww.bigish.net
  • www.BusinessForMars.com
  • www.bigish.net
  • www.bluecoate.com
  • www.businessformars.com
  • www.competrip.com
  • www.cvba.com
  • www.deebeedesigns.ca
  • www.doversolutions.co.in
  • www.drgeorges.com
  • www.dsds.co.kr
  • www.fbrshop.com
  • www.freelanceindy.com
  • www.gobroadreach.com
  • www.heliospartners.com
  • www.holdent.com.au
  • www.inkscape.org
  • www.jiangmin.com.tw
  • www.kayauto.net
  • www.keenathomas.com
  • www.microsoft.com
  • www.mountainvalley.americanunfinished.com
  • www.mwa.ne
  • www.mwa.net
  • www.newsesport.com
  • www.olmusic100.com
  • www.omegalogos.org
  • www.pastorsrest.com
  • www.pcs157.com
  • www.rbaparts.com
  • www.smilecare.com
  • www.spmiller.org
  • www.uszzcs.com
  • www.vwrm.com
  • www.woodagency.com
  • zh.lksoftvc.net

HTTP Requests:

  • CONNECT  HTTP/1.0
  • CONNECT /index.asp HTTP/1.1
  • GET  HTTP/1.1
  • GET /1.asp?rands=FXMJVXGOJJ&acc=&str=select id from tab_online where regcode = ‘FXMJVXGOJJ’ HTTP/1.0
  • GET /197.1.16.3_7.html HTTP/1.1
  • GET /2011/n325423.shtml?pvid=fAAAACIkAOyJMGjxiYadwRyN9buY2MAeOtQPGgD7e0CsZAFTwA8txDliAAA= HTTP/1.0
  • GET /2651.asp HTTP/1.1
  • GET /3491.asp HTTP/1.1
  • GET /4823.asp HTTP/1.1
  • GET /4981.asp HTTP/1.1
  • GET /5310.asp HTTP/1.1
  • GET /5712.html HTTP/1.1
  • GET /6212.html HTTP/1.1
  • GET /6958.html HTTP/1.1
  • GET /_borders/top.htm HTTP/1.1
  • GET /A2/front/lm/mini/noborder/?AQB=1&ndh=1&t=480&lv=VDipXNKF&pageName=About&ss=ipWHkqSl&g=Council&cid=225&v1=c25&hp=N&tal=&AQE=1 HTTP/1.0
  • GET /aboutus_ohs.html HTTP/1.1
  • GET /adobe.html HTTP/1.1
  • GET /api/get_attention_num/adfshow?slot=7cLLvm4e&p=F&may=128&g=4363&n=0&i=Home HTTP/1.0
  • GET /aspnet_client/system_web/1_0_3705_0/SmartNav.jpg HTTP/1.1
  • GET /attachments/C262-240.jpg HTTP/1.1
  • GET /bbs/db/1.asp?rands=KKIJLONGAP&acc=&str=select id from tab_online where regcode = ‘KKIJLONGAP’ order by id asc HTTP/1.0
  • GET /bbs/db/1.asp?rands=SEXGJLSSXM&acc=&str=select id from tab_online where regcode = ‘SEXGJLSSXM’ order by id asc HTTP/1.0
  • GET /BerwickFire/rental.html HTTP/1.1
  • GET /css/about.htm HTTP/1.1
  • GET /css/style.html HTTP/1.1
  • GET /Default.aspx?INDEX=CGPEHQURTR HTTP/1.1
  • GET /Default.aspx?INDEX=EIGHIZHOMM HTTP/1.1
  • GET /Default.aspx?INDEX=EYZALCJEKE HTTP/1.1
  • GET /Default.aspx?INDEX=GIOJJREGBY HTTP/1.1
  • GET /Default.aspx?INDEX=IHPSYRANKA HTTP/1.1
  • GET /Default.aspx?INDEX=IPESEDUTED HTTP/1.1
  • GET /Default.aspx?INDEX=JBVUQETDVA HTTP/1.1
  • GET /Default.aspx?INDEX=MAJVUXJDAQ HTTP/1.1
  • GET /Default.aspx?INDEX=QFBMPJCWAL HTTP/1.1
  • GET /Default.aspx?INDEX=XMDOFYNHDY HTTP/1.1
  • GET /default.htm HTTP/1.1
  • GET /default.html HTTP/1.1
  • GET /download.htm HTTP/1.1
  • GET /download/confere.html HTTP/1.1
  • GET /download/device_ad.asp?device_t=2928269924&key=dxrqdgct&device_id=ad&cv=dxrqdgctnynmgjjfn HTTP/1.0
  • GET /downloadsoft.htm HTTP/1.1
  • GET /fax.html HTTP/1.1
  • GET /file/yahootemp.html HTTP/1.1
  • GET /Gallery/Winterfest/2.jpg HTTP/1.1
  • GET /html/proe_tcp.html HTTP/1.1
  • GET /images/1.asp?rands=HOWBTFQLOZ&acc=&str=select id from tab_online where regcode = ‘HOWBTFQLOZ’ order by id asc HTTP/1.0
  • GET /images/_vti_img/index.asp HTTP/1.1
  • GET /images/bs.gif HTTP/1.1
  • GET /images/btn_info.jpg HTTP/1.1
  • GET /images/button.jpg HTTP/1.1
  • GET /images/colt_defense.jpg HTTP/1.1
  • GET /images/db/1.asp?rands=BWFIMNAJEE&acc=&str=select id from tab_online where regcode = ‘BWFIMNAJEE’ order by id asc HTTP/1.0
  • GET /images/device_index.asp?device_t=5962704463&key=odnnmvgr&device_id=index&cv=odnnmvgrmftvujsyg HTTP/1.0
  • GET /images/error.jpg HTTP/1.1
  • GET /images/head_left.jpg HTTP/1.1
  • GET /images/icons/3224?meth=gc&tid=2005614&cqe=3884550&inif=tLu3v8eD3Lu+vqjHy8PI1MvMwtTCytTLycnct7uosceUkZzXgNy1qarHz9TL3LK+qbTHy8+fnw==&syun=250 HTTP/1.1
  • GET /images/index_0_02.jpg HTTP/1.1
  • GET /images/leftnav_prog_bg.jpg HTTP/1.1
  • GET /images/li.gif HTTP/1.1
  • GET /images/logo.png HTTP/1.1
  • GET /images/reach1.jpg HTTP/1.1
  • GET /images/record.asp?device_t=3134688572&key=ywbyftdd&device_id=index&cv=ywbyftddoirafvbak&result=no%20command%0D%0A%0D%0ANext%3ASun%20Feb%2024%2009%3A50%3A15%202013%0Adelay%3A3600%20sec%0D%0A HTTP/1.0
  • GET /images/title.png HTTP/1.1
  • GET /index.htm HTTP/1.1
  • GET /index.html HTTP/1.1
  • GET /index.html HTTP/1.1
  • GET /index/default.htm HTTP/1.1
  • GET /index01.htm HTTP/1.1
  • GET /info/2013.html?1361695580 HTTP/1.0
  • GET /info/2013.html?1361695600 HTTP/1.0
  • GET /info/sh1/search.asp HTTP/1.1
  • GET /info/sh3/search.asp HTTP/1.1
  • GET /java/careers.html HTTP/1.1
  • GET /loa/database3/sun.html?a=1317&b=10043&typ=ntWVDtQM&user=home_page|homepage_2nd_banner_820x90&pagei=/8LfwOjw&border=0&local=yes&psi=170&f=1&form=&h=&i=100 HTTP/1.0
  • GET /logo.html HTTP/1.1
  • GET /logs/login.asp HTTP/1.1
  • GET /M&A_alliances.htm HTTP/1.1
  • GET /main/1.asp?rands=TGPJQNYBQY&acc=&str=select id from tab_online where regcode = ‘TGPJQNYBQY’ order by id asc HTTP/1.0
  • GET /marq.htm HTTP/1.1
  • GET /NET/kappa.jpg HTTP/1.1
  • GET /order.htm HTTP/1.1
  • GET /Ouo4f045.asp HTTP/1.1
  • GET /pop.htm HTTP/1.1
  • GET /postinfo.html?1361694906 HTTP/1.0
  • GET /postinfo.html HTTP/1.1
  • GET /pp/core/cgi/wor.asp?category=qiu&ace=i9t2&newText=&amer=160&eur=&mm=love HTTP/1.0
  • GET /public.html HTTP/1.1
  • GET /report/news.html HTTP/1.1
  • GET /Resource/device_Tr.asp?device_t=1626586307&key=wuagysqk&device_id=Tr&cv=wuagysqkptijnsayv HTTP/1.0
  • GET /Resource/record.asp?device_t=2620185844&key=majccsyr&device_id=Tr&cv=majccsyrufwyqrdkg&result=no%20command%0D%0A%0D%0ANext%3ASun%20Feb%2024%2009%3A57%3A53%202013%0Adelay%3A3600%20sec%0D%0A HTTP/1.0
  • GET /Rossini.jpg HTTP/1.1
  • GET /s/asp?XAAAANoRA_U9K_o8YmGncEcjfW7mNjAHjrUDxoA8sgB_SAA=p=1 HTTP/1.0
  • GET /safe/1.asp?rands=LYWWLWYPSW&acc=&str=select id from tab_online where regcode = ‘LYWWLWYPSW’ order by id asc HTTP/1.0
  • GET /saler.gif HTTP/1.1
  • GET /staff.htm HTTP/1.1
  • GET /study.htm HTTP/1.1
  • GET /sun/moto.htm HTTP/1.1
  • GET /top.htm HTTP/1.1
  • GET /uc/myshow/blog/misc/gif/show.asp?a=mmRCP0L&p=2Fregion2F&u=n5vh8rmrnlopo1ec&b=vY6HjJ2C&n=0&c=233&x=400&y=4153&e=&wt=30q00dn00ei76hc9 HTTP/1.0
  • GET /update.jpg HTTP/1.1
  • GET /update.jpg HTTP/1.1
  • GET /update.png HTTP/1.1
  • GET /uwire/index.html HTTP/1.1
  • GET /windows.html HTTP/1.1
  • GET /word/display.asp HTTP/1.1
  • GET /worlda.html HTTP/1.1
  • GET /worldb.html HTTP/1.1
  • GET /Y/ HTTP/1.1
  • GET Default.asp HTTP/1.1
  • GET Default.asp?uid=86893&do=friend&view=41&_lgmode=pri&from=bkT7i2 HTTP/1.1
  • GET Default.asp?uid=86893&do=friend&view=toms HTTP/1.1
  • GET index.html HTTP/1.1
  • GET  HTTP/1.1
  • POST /fetch.py HTTP/1.1
  • POST 404error.asp HTTP/1.1
  • POST aspnet_client/report.asp HTTP/1.1
  • POST aspnet_client/system_web/1_0_3705_0/addCats.asp HTTP/1.1
  • POST index.asp HTTP/1.1

User Agents:

  • 08:52:09+[HOSTNAME]
  • 08:52:27+[HOSTNAME]
  • 10:03:44+[HOSTNAME]
  • 10:04:02+[HOSTNAME]
  • 5.1 04:15 [HOSTNAME]\[USERNAME]
  • 5.1 04:19 [HOSTNAME]\[USERNAME]
  • 5.1 04:45 [HOSTNAME]\[USERNAME]
  • 5.1 04:46 [HOSTNAME]\[USERNAME]
  • 5.1 04:47 [HOSTNAME]\[USERNAME]
  • 5.1 07:43 [HOSTNAME]\[USERNAME]
  • 5.1 09:35 [HOSTNAME]\[USERNAME]
  • 5.1 09:36 [HOSTNAME]\[USERNAME]
  • 5.1 09:38 [HOSTNAME]\[USERNAME]
  • 5.1 09:39 [HOSTNAME]\[USERNAME]
  • Google+page
  • HTTP 1.1
  • HTTP Mozilla/5.0(compatible+MSIE
  • IPHONE8.5(host:[HOSTNAME],ip:[IP]
  • IPHONE8.5(host:[HOSTNAME],ip:[IP]ct:Sun Feb 24 08:46:20 2013
  • IPHONE8.5(host:[HOSTNAME],ip:[IP]ct:Sun Feb 24 08:46:40 2013
  • Internet SurfBear
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer Exelon [HOSTNAME]
  • Mozilla/4.0 (compatible;
  • Mozilla/4.0 (compatible; MSIE 6.0; Win32
  • Mozilla/4.0 (compatible; MSIE 6.0; Win32–[HOSTNAME]
  • Mozilla/4.0 (compatible; MSIE 6.0; Win32;
  • Mozilla/4.0 (compatible; MSIE 6.0; Win32;Ali;
  • Mozilla/4.0 (compatible; MSIE 6.0; Win32;Fly;
  • Mozilla/4.0 (compatible; MSIE 6.0; Win32;Google;
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14.52 from
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727
  • Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1
  • Mozilla/4.0 (compatible; MSIE 8.0; Win32
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Cxdp.BMWCN
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Cxdp.BMWUS
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Cxdp.NSF
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.004:48
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.008:36
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.008:37
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.008:47
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.008:48
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.009:07
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.009:13
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.009:27
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.009:50
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.010:19
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0
  • Mozilla/4.0 (compatible; MSIE7.0; Windows NT 5.1
  • Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0
  • Mozilla/4.0
  • Mozilla/5.0 (compatible; MSIE 7.1; Windows NT 5.1; SV1
  • Mozilla/5.0 (compatible; MSIE 8.0; Win32
  • Mozilla/5.0
  • Win32
  • [HOSTNAME]+Mozilla/4.0 (compatible; MSIE 8.0; Win32
  • [HOSTNAME]
  • yahoo html

Delays in ms

  • 100
  • 1000
  • 2000
  • 3000
  • 4000
  • 5000
  • 6000
  • 10000
  • 30000
  • 60000
  • 100000
  • 120000
  • 127000
  • 300000
  • 600000
  • 900000
  • 1500000
  • 1620000
  • 174000
  • 1740000
  • 1800000
  • 2100000

Compilation timestamps:

  • 2001-07-17 00:22:56 Tuesday 995329376
  • 2003-08-06 18:34:23 Wednesday 1060194863
  • 2003-10-16 03:41:02 Thursday 1066275662
  • 2004-01-23 23:39:42 Friday 1074901182
  • 2004-05-15 01:06:23 Saturday 1084583183
  • 2004-07-07 02:17:12 Wednesday 1089166632
  • 2004-08-04 06:02:53 Wednesday 1091599373
  • 2004-08-04 06:10:04 Wednesday 1091599804
  • 2004-08-04 06:14:22 Wednesday 1091600062
  • 2004-08-04 06:14:38 Wednesday 1091600078
  • 2004-08-04 07:56:01 Wednesday 1091606161
  • 2004-08-04 07:56:07 Wednesday 1091606167
  • 2004-08-04 07:56:21 Wednesday 1091606181
  • 2004-08-04 07:56:23 Wednesday 1091606183
  • 2004-08-04 07:56:26 Wednesday 1091606186
  • 2004-08-04 07:56:30 Wednesday 1091606190
  • 2004-08-04 07:56:36 Wednesday 1091606196
  • 2004-08-04 07:56:37 Wednesday 1091606197
  • 2004-08-04 07:56:39 Wednesday 1091606199
  • 2004-08-04 07:56:40 Wednesday 1091606200
  • 2004-08-04 07:56:42 Wednesday 1091606202
  • 2004-08-04 07:56:44 Wednesday 1091606204
  • 2004-08-04 07:56:58 Wednesday 1091606218
  • 2004-08-04 07:57:08 Wednesday 1091606228
  • 2004-08-04 07:57:38 Wednesday 1091606258
  • 2004-08-04 07:59:14 Wednesday 1091606354
  • 2006-08-03 12:45:02 Thursday 1154609102
  • 2006-09-13 18:20:18 Wednesday 1158171618
  • 2006-09-14 02:28:46 Thursday 1158200926
  • 2007-06-29 15:18:22 Friday 1183130302
  • 2007-07-25 17:44:33 Wednesday 1185385473
  • 2007-08-08 03:16:50 Wednesday 1186543010
  • 2007-09-17 09:21:03 Monday 1190020863
  • 2007-11-18 23:50:13 Sunday 1195429813
  • 2008-03-12 12:39:30 Wednesday 1205325570
  • 2008-04-13 19:14:55 Sunday 1208114095
  • 2008-06-17 01:20:04 Tuesday 1213665604
  • 2008-07-30 03:25:13 Wednesday 1217388313
  • 2008-08-22 00:43:16 Friday 1219365796
  • 2008-08-27 08:41:19 Wednesday 1219826479
  • 2008-09-16 08:40:03 Tuesday 1221554403
  • 2008-09-16 08:42:05 Tuesday 1221554525
  • 2008-09-16 09:20:31 Tuesday 1221556831
  • 2008-10-22 00:12:21 Wednesday 1224634341
  • 2008-10-27 02:18:16 Monday 1225073896
  • 2008-10-27 08:31:43 Monday 1225096303
  • 2008-10-27 13:48:37 Monday 1225115317
  • 2008-11-10 08:29:48 Monday 1226305788
  • 2008-11-10 08:30:00 Monday 1226305800
  • 2008-11-21 07:46:32 Friday 1227253592
  • 2009-01-07 08:09:33 Wednesday 1231315773
  • 2009-01-15 03:30:11 Thursday 1231990211
  • 2009-02-05 07:14:01 Thursday 1233818041
  • 2009-02-05 07:16:28 Thursday 1233818188
  • 2009-02-05 07:20:22 Thursday 1233818422
  • 2009-02-17 09:40:38 Tuesday 1234863638
  • 2009-03-02 09:52:20 Monday 1235987540
  • 2009-03-06 14:10:18 Friday 1236348618
  • 2009-03-16 13:30:51 Monday 1237210251
  • 2009-03-17 03:34:24 Tuesday 1237260864
  • 2009-03-17 13:21:25 Tuesday 1237296085
  • 2009-03-25 13:11:56 Wednesday 1237986716
  • 2009-04-12 09:14:38 Sunday 1239527678
  • 2009-05-14 17:12:40 Thursday 1242321160
  • 2009-05-26 07:37:57 Tuesday 1243323477
  • 2009-06-08 10:17:38 Monday 1244456258
  • 2009-07-08 13:30:46 Wednesday 1247059846
  • 2009-07-16 15:04:29 Thursday 1247756669
  • 2009-07-20 08:33:01 Monday 1248078781
  • 2009-07-20 09:02:46 Monday 1248080566
  • 2009-07-25 03:44:04 Saturday 1248493444
  • 2009-07-29 14:34:24 Wednesday 1248878064
  • 2009-07-30 09:20:04 Thursday 1248945604
  • 2009-08-03 08:29:29 Monday 1249288169
  • 2009-08-11 08:38:40 Tuesday 1249979920
  • 2009-08-16 11:05:43 Sunday 1250420743
  • 2009-08-24 13:16:23 Monday 1251119783
  • 2009-08-28 02:17:30 Friday 1251425850
  • 2009-11-11 06:33:02 Wednesday 1257921182
  • 2009-11-17 22:13:19 Tuesday 1258495999
  • 2009-12-01 00:40:09 Tuesday 1259628009
  • 2009-12-21 01:39:02 Monday 1261359542
  • 2010-01-15 17:20:56 Friday 1263576056
  • 2010-02-03 08:22:33 Wednesday 1265185353
  • 2010-02-03 08:22:50 Wednesday 1265185370
  • 2010-02-09 08:29:43 Tuesday 1265704183
  • 2010-02-11 03:27:04 Thursday 1265858824
  • 2010-02-11 06:44:46 Thursday 1265870686
  • 2010-02-25 00:49:53 Thursday 1267058993
  • 2010-03-15 06:27:58 Monday 1268634478
  • 2010-04-12 09:09:29 Monday 1271063369
  • 2010-04-14 17:18:20 Wednesday 1271265500
  • 2010-04-20 03:39:27 Tuesday 1271734767
  • 2010-04-23 07:51:28 Friday 1272009088
  • 2010-05-20 07:01:21 Thursday 1274338881
  • 2010-06-23 01:24:31 Wednesday 1277256271
  • 2010-06-25 09:26:47 Friday 1277458007
  • 2010-06-29 00:31:41 Tuesday 1277771501
  • 2010-08-23 02:17:20 Monday 1282529840
  • 2010-09-19 08:34:11 Sunday 1284885251
  • 2010-09-27 02:06:31 Monday 1285553191
  • 2010-09-28 01:00:25 Tuesday 1285635625
  • 2010-09-28 08:09:41 Tuesday 1285661381
  • 2010-10-19 08:15:54 Tuesday 1287476154
  • 2010-10-21 06:51:09 Thursday 1287643869
  • 2010-10-29 06:50:40 Friday 1288335040
  • 2010-10-29 06:51:08 Friday 1288335068
  • 2010-11-02 08:35:56 Tuesday 1288686956
  • 2010-11-04 06:07:11 Thursday 1288850831
  • 2010-11-06 08:08:37 Saturday 1289030917
  • 2010-11-17 13:37:00 Wednesday 1290001020
  • 2010-11-18 01:54:57 Thursday 1290045297
  • 2010-12-02 08:05:26 Thursday 1291277126
  • 2010-12-16 03:14:07 Thursday 1292469247
  • 2010-12-16 03:16:48 Thursday 1292469408
  • 2010-12-18 08:10:11 Saturday 1292659811
  • 2010-12-22 08:02:25 Wednesday 1293004945
  • 2011-01-11 02:12:48 Tuesday 1294711968
  • 2011-01-11 02:24:30 Tuesday 1294712670
  • 2011-01-11 03:22:02 Tuesday 1294716122
  • 2011-03-02 07:40:24 Wednesday 1299051624
  • 2011-03-03 13:41:14 Thursday 1299159674
  • 2011-03-07 09:42:59 Monday 1299490979
  • 2011-03-08 02:36:50 Tuesday 1299551810
  • 2011-03-16 19:26:23 Wednesday 1300303583
  • 2011-03-22 12:59:55 Tuesday 1300798795
  • 2011-03-23 14:34:10 Wednesday 1300890850
  • 2011-03-23 14:36:19 Wednesday 1300890979
  • 2011-03-28 13:35:35 Monday 1301319335
  • 2011-03-29 08:40:16 Tuesday 1301388016
  • 2011-04-02 09:07:51 Saturday 1301735271
  • 2011-04-08 08:04:50 Friday 1302249890
  • 2011-04-20 13:13:08 Wednesday 1303305188
  • 2011-04-21 07:16:51 Thursday 1303370211
  • 2011-04-21 07:51:21 Thursday 1303372281
  • 2011-04-26 01:53:58 Tuesday 1303782838
  • 2011-04-28 01:22:03 Thursday 1303953723
  • 2011-05-17 07:45:35 Tuesday 1305618335
  • 2011-05-17 12:37:22 Tuesday 1305635842
  • 2011-05-20 01:14:53 Friday 1305854093
  • 2011-05-30 08:29:29 Monday 1306744169
  • 2011-06-28 22:39:19 Tuesday 1309300759
  • 2011-07-11 03:38:22 Monday 1310355502
  • 2011-07-18 03:10:56 Monday 1310958656
  • 2011-07-19 01:55:13 Tuesday 1311040513
  • 2011-07-28 04:50:57 Thursday 1311828657
  • 2011-07-28 14:49:46 Thursday 1311864586
  • 2011-07-29 07:10:31 Friday 1311923431
  • 2011-08-09 08:15:29 Tuesday 1312877729
  • 2011-08-11 13:15:49 Thursday 1313068549
  • 2011-08-19 02:34:16 Friday 1313721256
  • 2011-08-19 03:07:37 Friday 1313723257
  • 2011-09-20 03:40:51 Tuesday 1316490051
  • 2011-09-20 03:50:48 Tuesday 1316490648
  • 2011-09-25 13:42:51 Sunday 1316958171
  • 2011-09-25 13:43:28 Sunday 1316958208
  • 2011-09-27 13:07:55 Tuesday 1317128875
  • 2011-09-27 13:09:16 Tuesday 1317128956
  • 2011-10-10 14:16:57 Monday 1318256217
  • 2011-10-11 13:02:38 Tuesday 1318338158
  • 2011-10-12 01:58:10 Wednesday 1318384690
  • 2011-10-13 08:47:13 Thursday 1318495633
  • 2011-10-14 08:42:16 Friday 1318581736
  • 2011-10-14 11:58:04 Friday 1318593484
  • 2011-10-18 00:58:17 Tuesday 1318899497
  • 2011-10-19 09:16:10 Wednesday 1319015770
  • 2011-10-19 09:17:10 Wednesday 1319015830
  • 2011-10-19 09:19:09 Wednesday 1319015949
  • 2011-10-24 08:19:05 Monday 1319444345
  • 2011-11-01 02:43:26 Tuesday 1320115406
  • 2011-11-05 09:27:34 Saturday 1320485254
  • 2011-11-07 14:59:20 Monday 1320677960
  • 2011-11-17 07:22:44 Thursday 1321514564
  • 2011-11-21 12:36:14 Monday 1321878974
  • 2011-11-21 12:36:51 Monday 1321879011
  • 2011-11-22 01:15:22 Tuesday 1321924522
  • 2011-11-28 12:32:07 Monday 1322483527
  • 2011-12-12 03:28:15 Monday 1323660495
  • 2011-12-20 02:23:38 Tuesday 1324347818
  • 2012-01-19 00:50:11 Thursday 1326934211
  • 2012-01-20 03:14:28 Friday 1327029268
  • 2012-02-09 00:47:28 Thursday 1328748448
  • 2012-02-09 00:47:52 Thursday 1328748472
  • 2012-02-16 08:22:06 Thursday 1329380526
  • 2012-02-17 14:55:21 Friday 1329490521
  • 2012-02-23 07:20:31 Thursday 1329981631
  • 2012-02-28 11:48:43 Tuesday 1330429723
  • 2012-02-28 15:35:51 Tuesday 1330443351
  • 2012-03-02 06:27:21 Friday 1330669641
  • 2012-03-02 07:20:27 Friday 1330672827
  • 2012-03-02 08:45:11 Friday 1330677911
  • 2012-03-07 08:41:30 Wednesday 1331109690
  • 2012-03-12 01:34:56 Monday 1331516096
  • 2012-03-13 02:21:54 Tuesday 1331605314
  • 2012-03-13 03:47:57 Tuesday 1331610477
  • 2012-03-16 07:10:50 Friday 1331881850
  • 2012-03-20 09:24:33 Tuesday 1332235473
  • 2012-03-22 08:45:38 Thursday 1332405938
  • 2012-03-28 15:39:00 Wednesday 1332949140
  • 2012-04-12 15:02:26 Thursday 1334242946
  • 2012-04-17 08:29:00 Tuesday 1334651340
  • 2012-04-17 08:30:01 Tuesday 1334651401
  • 2012-04-17 09:32:54 Tuesday 1334655174
  • 2012-04-24 08:24:45 Tuesday 1335255885
  • 2012-05-07 03:19:17 Monday 1336360757
  • 2012-05-14 14:16:53 Monday 1337005013
  • 2012-05-28 08:12:40 Monday 1338192760
  • 2012-05-29 14:39:47 Tuesday 1338302387
  • 2012-06-04 12:57:35 Monday 1338814655
  • 2012-06-09 13:19:49 Saturday 1339247989
  • 2012-06-09 13:19:53 Saturday 1339247993
  • 2012-06-11 12:37:20 Monday 1339418240
  • 2012-06-26 03:30:05 Tuesday 1340681405
  • 2012-08-08 23:27:53 Wednesday 1344468473
  • 2012-08-10 02:10:53 Friday 1344564653
  • 2012-08-16 07:53:11 Thursday 1345103591
  • 2012-08-20 12:56:12 Monday 1345467372
  • 2012-08-20 12:59:08 Monday 1345467548
  • 2012-08-20 14:06:56 Monday 1345471616
  • 2012-08-20 15:16:12 Monday 1345475772
  • 2012-08-21 13:46:15 Tuesday 1345556775
  • 2012-08-22 15:50:16 Wednesday 1345650616
  • 2012-08-28 07:34:32 Tuesday 1346139272
  • 2012-08-28 13:40:13 Tuesday 1346161213
  • 2012-08-30 13:06:09 Thursday 1346331969
  • 2012-09-06 15:34:30 Thursday 1346945670
  • 2012-09-10 14:25:34 Monday 1347287134
  • 2012-11-07 14:12:48 Wednesday 1352297568
  • 2012-11-13 14:55:39 Tuesday 1352818539
  • 2012-11-14 07:58:27 Wednesday 1352879907
  • 2012-11-16 07:35:22 Friday 1353051322
  • 2012-12-06 13:09:40 Thursday 1354799380
  • 2012-12-25 13:07:50 Tuesday 1356440870

 

The sampleset – clustering

Quite frankly, there is not so much to write about it here.

I do not find obvious distribution or significant spikes of specific patterns and the results are not very presentable – to provide a few specific examples – out of 285 samples:

The following samples use DES:

  • 0CF9E999C574EC89595263446978DC9F
  • 24259AE8B0018B0CE9992FB1D9B69E2A
  • 468FF2C12CFFC7E5B2FE0EE6BB3B239E
  • 476FEA8761A03BEF16E322996C2F6666
  • 7AECB34616245EB6B2906358151BE55B
  • 7F1A4BC267ACE340A5AA7A0B79CBF349
  • 8E8622C393D7E832D39E620EAD5D3B49
  • 929802A27737CEBC59D19DA724FDF30A
  • C04C796EF126AD7429BE7D55720FE392
  • CF9C2D5A8FBDD1C5ADC20CFC5E663C21
  • D0D5A20C5A6C4FDDAB4D43B85632B6A9
  • D34E357461C55D90C52309C1FF952B4C
  • DD21D1EA2146861A4219B1CBDAEFE59B

The following files run runinfo.exe:

  • 09531F851EF74A7238685FD287A395BD
  • 0CA6E2AD69826C8E3287FC8576112814
  • C3E5603A38E700274D1AB30CE93D08B9

The following samples use mutex !@ADS@#$

  • 6B3D19CC86D82B06F5DB3AE9D5BA8A5F
  • 831A67DC75E2D4505180888747BC8EA9

The following samples connect to 69.28.168.10:443

  • 1F2EB7B090018D975E6D9B40868C94CA
  • D9FBF759F527AF373E34673DC3ACA462

The conclusion?

Diplomatically speaking – my clustering efforts are far from being actionable at this stage :-).

Sandboxing samples provides a good data for toying around, but w/o some normalization of this data and w/o ability to establish links between smaller clusters, it’s hard to draw any significant conclusion.

Sad, but watch this space 🙂

Share this :)

Comments are closed.