Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.186
Infector List:
Egg Source List: 89.208.34.81
C & C List: 188.247.135.32
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:46:45.518 PST
Gen. Time: 11/29/2011 05:46:49.033 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
   89.208.34.81 (2) (05:46:45.518 PST)
      event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
      1303<-80 (05:46:45.518 PST)
      -------------------------
      event=1:2007671 {tcp} E3[rb] ET POLICY Binary Download Smaller than 1 MB Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00
      1303<-80 (05:46:45.518 PST)
C and C TRAFFIC
   188.247.135.32 (05:46:49.033 PST)
      event=1:2013519 {tcp} E4[rb] (experimental) ET TROJAN Driveby Loader Request sn.php, [/sn.php?c=213F6185B9299540C8D58CA2176D24E25EC1422AD38099034C74D2A1528BCFE2CEB71B0D447AC8FAB2D845D9878DFCE45CA4B00549D4F1A10E3D2] MAC_Src: 00:30:48:30:03:AF
      1304->80 (05:46:49.033 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1322574405.518 1322574405.519 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.186'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.186
Infector List:
Egg Source List: 89.208.34.81, 188.247.135.27
C & C List: 188.247.135.32 (4)
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:46:45.518 PST
Gen. Time: 11/29/2011 05:50:40.579 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
   89.208.34.81 (5) (05:46:45.518 PST)
      event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
      1313<-80 (05:47:25.473 PST)
      -------------------------
      event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
      1303<-80 (05:46:45.518 PST)
      -------------------------
      event=1:2007671 (2) {tcp} E3[rb] ET POLICY Binary Download Smaller than 1 MB Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00
      1303<-80 (05:46:45.518 PST)
      1313<-80 (05:47:25.473 PST)
      -------------------------
      event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
      1313<-80 (05:47:25.473 PST)
   188.247.135.27 (3) (05:47:06.469 PST)
      event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
      1309<-80 (05:47:06.471 PST)
      -------------------------
      event=1:2007671 {tcp} E3[rb] ET POLICY Binary Download Smaller than 1 MB Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00
      1309<-80 (05:47:06.469 PST)
      -------------------------
      event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
      1309<-80 (05:47:06.471 PST)
C and C TRAFFIC
   188.247.135.32 (4) (05:46:49.033 PST)
      event=1:2013519 (4) {tcp} E4[rb] (experimental) ET TROJAN Driveby Loader Request sn.php, [/sn.php?c=213F6185B9299540C8D58CA2176D24E25EC1422AD38099034C74D2A1528BCFE2CEB71B0D447AC8FAB2D845D9878DFCE45CA4B00549D4F1A10E3D2] MAC_Src: 00:30:48:30:03:AF
      1304->80 (05:46:49.033 PST)
      1306->80 (05:47:00.364 PST)
      1310->80 (05:47:09.638 PST)
      1312->80 (05:47:21.030 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1322574405.518 1322574405.519 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.186'
============================== SEPARATOR ================================