Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List: 199.59.150.9, 199.59.149.232, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 199.255.189.60
Peer Coord. List:
Resource List:
Observed Start: 01/08/2013 16:10:42.212 PST
Gen. Time: 01/08/2013 21:52:14.787 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD
199.59.150.9 (5) (16:10:42.212 PST-16:20:51.215 PST)
  event=1:2013036 (5) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 53901<-80 (16:10:42.212 PST-16:11:12.210 PST)
  36175<-80 (16:18:38.366 PST)
  2: 34086<-80 (16:20:21.210 PST-16:20:51.215 PST)
199.59.149.232 (4) (16:16:55.092 PST-16:20:07.219 PST)
  event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 58945<-80 (16:16:55.092 PST-16:17:25.093 PST)
  2: 36152<-80 (16:19:37.219 PST-16:20:07.219 PST)
199.59.150.41 (3) (16:13:28.847 PST-16:14:58.286 PST)
  event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  48937<-80 (16:13:28.847 PST)
  2: 60219<-80 (16:14:28.288 PST-16:14:58.286 PST)
199.59.148.87 (4) (16:16:08.510 PST-16:18:21.753 PST)
  event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 44815<-80 (16:16:08.510 PST-16:16:38.496 PST)
  2: 54309<-80 (16:17:51.753 PST-16:18:21.753 PST)
199.59.148.20 (16:15:09.739 PST)
  event=1:2013036 {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  39406<-80 (16:15:09.739 PST)

C and C TRAFFIC
199.255.189.60 (21:52:14.787 PST)
  event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/jeffreys-toys-san-francisco?start=40&sort_by=date_desc&rpp=40] MAC_Src: 00:21:5A:08:BB:0C
  49896->80 (21:52:14.787 PST)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1357690242.212 1357690851.216 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================