Score: 0.8 (>= 0.8) Infected Target: 192.168.1.144 Infector List: 160.80.101.106 Egg Source List: 160.80.101.106 C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 02:09:35.536 PDT Gen. Time: 07/17/2012 02:09:35.782 PDT INBOUND SCAN EXPLOIT 160.80.101.106 (4) (02:09:35.536 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE 445<-1271 (02:09:35.536 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:30:48:30:03:AE 445<-1271 (02:09:35.536 PDT) ------------------------- event=1:2299913 (2) {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 2: 445<-1271 (02:09:35.536 PDT-02:09:35.536 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 160.80.101.106 (02:09:35.782 PDT) event=1:3300003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:30:48:30:03:AF 1031->2009 (02:09:35.782 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342516175.536 1342516175.537 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.144' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.144 Infector List: 160.80.101.106 Egg Source List: 160.80.101.106 C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 02:09:35.536 PDT Gen. Time: 07/17/2012 02:12:53.612 PDT INBOUND SCAN EXPLOIT 160.80.101.106 (4) (02:09:35.536 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE 445<-1271 (02:09:35.536 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:30:48:30:03:AE 445<-1271 (02:09:35.536 PDT) ------------------------- event=1:2299913 (2) {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 2: 445<-1271 (02:09:35.536 PDT-02:09:35.536 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 160.80.101.106 (4) (02:09:35.782 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 1031<-2009 (02:09:36.005 PDT) ------------------------- event=1:3300003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:30:48:30:03:AF 1031->2009 (02:09:35.782 PDT) ------------------------- event=1:3300004 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 1031<-2009 (02:09:36.004 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 1031<-2009 (02:09:36.005 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port 213.155.14.161 (2) (02:09:39.064 PDT) event=1:9920003 {tcp} E8[std] BotHunter MTC confirmed botnet control server on standard port, [] MAC_Src: 00:30:48:30:03:AF 1037->80 (02:09:39.064 PDT) ------------------------- event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:30:48:30:03:AF 1037->80 (02:09:39.064 PDT) DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342516175.536 1342516175.537 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.144' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.144 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 11:24:23.425 PDT Gen. Time: 07/17/2012 11:24:23.425 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 89.145.131.32 (11:24:23.425 PDT) event=1:9930023 {tcp} E8[unk] BotHunter Malware propagation attack source on non-standard port, [] MAC_Src: 00:30:48:30:03:AF 445->1525 (11:24:23.425 PDT) DECLARE BOT tcpslice 1342549463.425 1342549463.426 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.144' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.144 Infector List: 89.145.131.32 Egg Source List: 89.145.131.32 C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 11:24:23.425 PDT Gen. Time: 07/17/2012 11:28:12.431 PDT INBOUND SCAN EXPLOIT 89.145.131.32 (4) (11:24:25.065 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE 445<-1525 (11:24:25.065 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:30:48:30:03:AE 445<-1525 (11:24:25.065 PDT) ------------------------- event=1:2299913 (2) {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 2: 445<-1525 (11:24:25.065 PDT-11:24:25.065 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 89.145.131.32 (4) (11:24:25.402 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 1031<-3596 (11:24:25.671 PDT) ------------------------- event=1:3300003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:30:48:30:03:AF 1031->3596 (11:24:25.402 PDT) ------------------------- event=1:3300004 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 1031<-3596 (11:24:25.670 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 1031<-3596 (11:24:25.671 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 89.145.131.32 (11:24:23.425 PDT) event=1:9930023 {tcp} E8[unk] BotHunter Malware propagation attack source on non-standard port, [] MAC_Src: 00:30:48:30:03:AF 445->1525 (11:24:23.425 PDT) DECLARE BOT tcpslice 1342549463.425 1342549465.066 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.144' ============================== SEPARATOR ================================