Score: 0.8 (>= 0.8) Infected Target: 192.168.1.185 Infector List: 130.193.131.240 Egg Source List: 146.185.246.122 C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 02:39:45.855 PST Gen. Time: 11/29/2011 02:39:51.285 PST INBOUND SCAN EXPLOIT 130.193.131.240 (02:39:45.855 PST) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:30:48:30:03:AE 445<-7666 (02:39:45.855 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD 146.185.246.122 (02:39:51.285 PST) event=1:3300003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [/rt.exe] MAC_Src: 00:30:48:30:03:AF 1028->80 (02:39:51.285 PST) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1322563185.855 1322563185.856 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.185' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.185 Infector List: 130.193.131.240, 146.185.246.122 Egg Source List: 146.185.246.122 C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 02:39:45.855 PST Gen. Time: 11/29/2011 02:42:11.439 PST INBOUND SCAN EXPLOIT 130.193.131.240 (02:39:45.855 PST) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:30:48:30:03:AE 445<-7666 (02:39:45.855 PST) 146.185.246.122 (02:39:52.604 PST) event=1:2648 {tcp} E2[rb] GPL SHELLCODE x86 NOOP, [] MAC_Dst: 00:30:48:30:03:AE 1028<-80 (02:39:52.604 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD 146.185.246.122 (5) (02:39:51.285 PST-02:39:52.378 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 1028<-80 (02:39:51.923 PST) ------------------------- event=1:2007671 {tcp} E3[rb] ET POLICY Binary Download Smaller than 1 MB Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00 1028<-80 (02:39:51.923 PST) ------------------------- event=1:3300003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [/rt.exe] MAC_Src: 00:30:48:30:03:AF 1028->80 (02:39:51.285 PST) ------------------------- event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 2: 1028<-80 (02:39:51.923 PST-02:39:52.378 PST) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 60.190.217.55 (2) (02:40:10.233 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:30:48:30:03:AF 1030->3321 (02:40:10.233 PST) ------------------------- event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:30:48:30:03:AF 1030->3321 (02:40:10.233 PST) tcpslice 1322563185.855 1322563192.379 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.185' ============================== SEPARATOR ================================