Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 199.59.149.232, 199.59.150.9, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 199.255.189.160, 88.212.196.87
Peer Coord. List: 68.71.55.18
Resource List:
Observed Start: 01/08/2013 16:10:43.031 PST
Gen. Time: 01/08/2013 18:03:55.422 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
     199.59.149.232 (5) (16:10:43.031 PST-16:11:13.034 PST)
       event=1:2013036 (5) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
       44760<-80 (16:13:29.657 PST)
       43633<-80 (16:14:29.158 PST)
       37417<-80 (16:20:22.066 PST)
       2: 58869<-80 (16:10:43.031 PST-16:11:13.034 PST)
     199.59.150.9 (3) (16:16:09.374 PST-16:16:39.362 PST)
       event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
       2: 45923<-80 (16:16:09.374 PST-16:16:39.362 PST)
       55630<-80 (16:21:16.534 PST)
     199.59.150.41 (3) (16:15:10.586 PST)
       event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
       49967<-80 (16:15:10.586 PST)
       39011<-80 (16:21:57.793 PST)
       48278<-80 (16:19:38.214 PST)
     199.59.148.87 (4) (16:16:55.972 PST-16:19:09.378 PST)
       event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
       2: 49533<-80 (16:16:55.972 PST-16:17:25.972 PST)
       2: 51101<-80 (16:18:39.378 PST-16:19:09.378 PST)
     199.59.148.20 (2) (16:17:52.672 PST-16:18:22.672 PST)
       event=1:2013036 (2) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
       2: 41145<-80 (16:17:52.672 PST-16:18:22.672 PST)
   C and C TRAFFIC
     199.255.189.160 (18:03:55.422 PST)
       event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/fuzio-san-francisco-3?start=0&sort_by=date_desc&rpp=40] MAC_Src: 00:21:5A:08:EC:40
       38410->80 (18:03:55.422 PST)
   C and C TRAFFIC (RBN)
     88.212.196.87 (16:38:25.870 PST)
       event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
       51492->80 (16:38:25.870 PST)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     68.71.55.18 (16:29:28.687 PST)
       event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:21:5A:08:EC:40
       47772->80 (16:29:28.687 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1357690243.031 1357690749.379 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 199.59.150.9, 199.59.149.232, 199.59.150.41, 199.59.148.87
C & C List: 199.255.189.160, 88.212.196.87
Peer Coord. List: 68.71.55.18
Resource List:
Observed Start: 01/08/2013 18:57:29.062 PST
Gen. Time: 01/08/2013 19:46:25.323 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
     199.59.150.9 (3) (19:00:48.303 PST-19:01:18.305 PST)
       event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
       38128<-80 (19:03:18.339 PST)
       2: 38102<-80 (19:00:48.303 PST-19:01:18.305 PST)
     199.59.149.232 (3) (18:59:08.466 PST)
       event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
       55261<-80 (18:59:56.905 PST)
       55676<-80 (19:06:08.608 PST)
       51686<-80 (18:59:08.466 PST)
     199.59.150.41 (8) (18:57:29.062 PST-19:05:50.583 PST)
       event=1:2013036 (8) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
       44676<-80 (18:57:29.062 PST)
       2: 45522<-80 (19:05:20.583 PST-19:05:50.583 PST)
       3: 50334<-80 (19:04:14.685 PST-19:04:59.683 PST)
       2: 56250<-80 (19:02:30.090 PST-19:03:00.090 PST)
     199.59.148.87 (3) (18:58:17.449 PST-19:07:27.669 PST)
       event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
       35274<-80 (18:58:17.449 PST)
       2: 35304<-80 (19:06:57.662 PST-19:07:27.669 PST)
   C and C TRAFFIC
     199.255.189.160 (19:46:25.323 PST)
       event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/ishta-music-company-san-francisco?start=0&sort_by=date_desc&rpp=40] MAC_Src: 00:21:5A:08:EC:40
       42155->80 (19:46:25.323 PST)
   C and C TRAFFIC (RBN)
     88.212.196.87 (19:37:08.001 PST)
       event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
       55061->80 (19:37:08.001 PST)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     68.71.55.18 (19:27:06.991 PST)
       event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:21:5A:08:EC:40
       35119->80 (19:27:06.991 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1357700249.062 1357700847.670 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
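Added example (not BotHunter's own code or output): a small Python parser for the profile format above that pulls out the header lists, the per-section events (remote IP, Snort sid, rule message, URI payload, source MAC, timestamps) and rebuilds the tcpslice/tcpdump extraction command from the header and the EGG DOWNLOAD timestamps. The sample it parses is a constructed, abridged copy of the first profile. Assumptions: the profile's "PST" is a fixed UTC-8 offset; event lines carry only a clock time, so they take the date from "Observed Start" (rolling to the next day if a clock is earlier than it); and the slice ends 1 ms past the last EGG DOWNLOAD timestamp, which is what both windows on this page show (1357690749.379 against 16:19:09.378 PST, 1357700847.670 against 19:07:27.669 PST) but is an observation from these two profiles, not documented BotHunter behaviour. The fallback to "Gen. Time" when a profile has no egg download is likewise this example's choice.

```python
"""Parse a BotHunter infection profile and rebuild its tcpslice capture window.

Added example, not BotHunter's own code.  See the assumptions in the comments.
"""
import re
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))  # assumption: fixed UTC-8 (January, standard time)

# Constructed sample: an abridged copy of the first profile on this page.
SAMPLE = """Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 199.59.149.232, 199.59.150.9, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 199.255.189.160, 88.212.196.87
Peer Coord. List: 68.71.55.18
Resource List:
Observed Start: 01/08/2013 16:10:43.031 PST
Gen. Time: 01/08/2013 18:03:55.422 PST
   EGG DOWNLOAD
     199.59.149.232 (5) (16:10:43.031 PST-16:11:13.034 PST)
       event=1:2013036 (5) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
       44760<-80 (16:13:29.657 PST)
       2: 58869<-80 (16:10:43.031 PST-16:11:13.034 PST)
     199.59.148.87 (4) (16:16:55.972 PST-16:19:09.378 PST)
       event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
       2: 51101<-80 (16:18:39.378 PST-16:19:09.378 PST)
   C and C TRAFFIC
     199.255.189.160 (18:03:55.422 PST)
       event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/fuzio-san-francisco-3?start=0&sort_by=date_desc&rpp=40] MAC_Src: 00:21:5A:08:EC:40
       38410->80 (18:03:55.422 PST)
   DECLARE BOT
"""

HEADER_RE = re.compile(r"^(Score|Infected Target|Infector List|Egg Source List|C & C List|"
                       r"Peer Coord\. List|Resource List|Observed Start|Gen\. Time):\s*(.*)$")
SECTION_RE = re.compile(r"^\s*([A-Z][A-Za-z &().-]*)$")          # e.g. "   C and C TRAFFIC (RBN)"
EVENT_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})(?: \((\d+)\))? \((.+)\)$")  # "ip (n) (times)"
ALERT_RE = re.compile(r"event=(\d+:\d+)(?: \(\d+\))? \{(\w+)\} (E\d\[\w+\]) (.*?), "
                      r"\[(.*?)\] MAC_Src: ([0-9A-Fa-f:]{17})")
TIME_RE = re.compile(r"(\d\d:\d\d:\d\d\.\d{3}) PST")


def parse_profile(text):
    """Return {'header': {...}, 'sections': {section name: [event dicts]}}."""
    prof = {"header": {}, "sections": {}}
    section = event = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            key, val = m.group(1), m.group(2).strip()
            is_list = key.endswith("List")
            prof["header"][key] = [v.strip() for v in val.split(",") if v.strip()] if is_list else val
        elif (m := EVENT_RE.match(line)) and section:
            event = {"ip": m.group(1), "count": int(m.group(2) or 1), "sid": None, "msg": None,
                     "payload": None, "times": TIME_RE.findall(m.group(3))}
            prof["sections"][section].append(event)
        elif (m := SECTION_RE.match(line)):
            section = m.group(1).strip()
            prof["sections"].setdefault(section, [])   # empty section = stage not observed
            event = None
        elif event is not None:                          # alert line or "port<-port (times)" line
            if (m := ALERT_RE.search(line)):
                event.update(sid=m.group(1), proto=m.group(2), stage=m.group(3),
                             msg=m.group(4), payload=m.group(5), mac_src=m.group(6))
            event["times"].extend(TIME_RE.findall(line))
    return prof


def to_epoch_ms(day, clock):
    """'MM/DD/YYYY' + 'HH:MM:SS.mmm' in PST -> integer epoch milliseconds."""
    dt = datetime.strptime(f"{day} {clock}", "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PST)
    return int(dt.replace(microsecond=0).timestamp()) * 1000 + dt.microsecond // 1000


def clock_to_epoch_ms(prof, clock):
    """Attach the Observed Start date to a bare clock time from an event line."""
    day, start_clock = prof["header"]["Observed Start"].split(" ")[:2]
    ms = to_epoch_ms(day, clock)
    if ms < to_epoch_ms(day, start_clock):
        ms += 86_400_000   # assumption: a clock earlier than Observed Start wrapped past midnight
    return ms


def capture_window(prof):
    """(start_ms, end_ms): Observed Start to 1 ms past the last EGG DOWNLOAD timestamp.
    The +1 ms matches the two windows printed on this page (assumption, not documented);
    with no egg download events the window runs to Gen. Time (this example's choice)."""
    start = clock_to_epoch_ms(prof, prof["header"]["Observed Start"].split(" ")[1])
    egg_times = [t for ev in prof["sections"].get("EGG DOWNLOAD", []) for t in ev["times"]]
    if egg_times:
        return start, max(clock_to_epoch_ms(prof, t) for t in egg_times) + 1
    return start, clock_to_epoch_ms(prof, prof["header"]["Gen. Time"].split(" ")[1])


def fmt_epoch(ms):
    return f"{ms // 1000}.{ms % 1000:03d}"


def tcpslice_command(prof, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """The extraction command BotHunter prints under each profile, rebuilt from the parse."""
    start, end = capture_window(prof)
    return (f"tcpslice {fmt_epoch(start)} {fmt_epoch(end)} {infile} | "
            f"tcpdump -r - -w {outfile} 'host {prof['header']['Infected Target']}'")


def indicators(prof):
    """Flat (section, remote ip, sid, message) view for blocklists and ticketing."""
    return [(name, ev["ip"], ev["sid"], ev["msg"])
            for name, events in prof["sections"].items() for ev in events]


if __name__ == "__main__":
    profile = parse_profile(SAMPLE)
    print(tcpslice_command(profile))
    for row in indicators(profile):
        print(row)
```

Run against the full profile above rather than the abridged sample, the parser yields the same window because the latest egg download hit in that profile is the 16:19:09.378 PST entry for 199.59.148.87; the later 16:20:22.066 and 16:21:57.793 hits belong to the same EGG DOWNLOAD section and would extend the window if BotHunter used them, which it evidently does not, so check the derived window against the printed one before relying on it for another profile.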