Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List: 199.59.150.9, 199.59.149.232, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 199.255.189.160 (2), 199.255.189.60 (4)
Peer Coord. List:
Resource List:
Observed Start: 01/08/2013 16:10:42.212 PST
Gen. Time: 01/09/2013 06:08:49.343 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  199.59.150.9 (9) (16:10:42.212 PST-21:54:54.425 PST)
    event=1:2013036 (9) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
    2: 45881<-80 (21:52:50.450 PST-21:53:20.451 PST)
    2: 53901<-80 (16:10:42.212 PST-16:11:12.210 PST)
    2: 51834<-80 (21:54:24.420 PST-21:54:54.425 PST)
    36175<-80 (16:18:38.366 PST)
    2: 34086<-80 (16:20:21.210 PST-16:20:51.215 PST)
  199.59.149.232 (4) (16:16:55.092 PST-16:20:07.219 PST)
    event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
    2: 58945<-80 (16:16:55.092 PST-16:17:25.093 PST)
    2: 36152<-80 (16:19:37.219 PST-16:20:07.219 PST)
  199.59.150.41 (3) (16:13:28.847 PST-16:14:58.286 PST)
    event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
    48937<-80 (16:13:28.847 PST)
    2: 60219<-80 (16:14:28.288 PST-16:14:58.286 PST)
  199.59.148.87 (5) (16:16:08.510 PST-16:18:21.753 PST)
    event=1:2013036 (5) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
    2: 44815<-80 (16:16:08.510 PST-16:16:38.496 PST)
    48322<-80 (21:52:25.827 PST)
    2: 54309<-80 (16:17:51.753 PST-16:18:21.753 PST)
  199.59.148.20 (3) (16:15:09.739 PST-21:54:05.876 PST)
    event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
    2: 34984<-80 (21:53:35.871 PST-21:54:05.876 PST)
    39406<-80 (16:15:09.739 PST)
C and C TRAFFIC
  199.255.189.160 (2) (05:40:13.415 PST)
    event=1:2012801 (2) {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/shalimar-san-francisco-2?start=400&sort_by=date_desc&rpp=40] MAC_Src: 00:21:5A:08:BB:0C
    59419->80 (05:40:13.415 PST)
    59419->80 (05:40:13.449 PST)
  199.255.189.60 (4) (21:52:14.787 PST)
    event=1:2012801 (4) {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/jeffreys-toys-san-francisco?start=40&sort_by=date_desc&rpp=40] MAC_Src: 00:21:5A:08:BB:0C
    49896->80 (21:52:14.787 PST)
    49896->80 (21:52:14.835 PST)
    58368->80 (05:16:27.916 PST)
    58368->80 (05:16:27.971 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1357690242.212 1357710894.426 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List: 199.59.149.232, 199.59.150.9, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 199.255.189.160, 207.58.187.146 (2), 217.107.34.83
Peer Coord. List:
Resource List:
Observed Start: 01/09/2013 12:37:49.473 PST
Gen. Time: 01/09/2013 18:12:22.715 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  199.59.149.232 (4) (12:41:18.007 PST)
    event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
    36829<-80 (12:47:00.932 PST)
    54963<-80 (12:41:48.035 PST)
    49258<-80 (12:41:18.007 PST)
    36132<-80 (12:46:11.765 PST)
  199.59.150.9 (5) (12:37:49.473 PST-12:48:14.514 PST)
    event=1:2013036 (5) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
    2: 42271<-80 (12:47:44.510 PST-12:48:14.514 PST)
    45113<-80 (12:49:17.957 PST)
    2: 58720<-80 (12:37:49.473 PST-12:38:19.473 PST)
  199.59.150.41 (2) (12:38:42.494 PST)
    event=1:2013036 (2) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
    48837<-80 (12:38:42.494 PST)
    37397<-80 (12:42:13.776 PST)
  199.59.148.87 (3) (12:43:46.511 PST-12:44:16.514 PST)
    event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
    49879<-80 (12:48:37.848 PST)
    2: 49866<-80 (12:43:46.511 PST-12:44:16.514 PST)
  199.59.148.20 (3) (12:42:57.146 PST)
    event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
    39741<-80 (12:42:57.146 PST)
    46525<-80 (12:44:26.298 PST)
    56977<-80 (12:45:28.713 PST)
C and C TRAFFIC
  199.255.189.160 (18:12:22.715 PST)
    event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/rutherford-and-chekene-san-francisco-4?start=0&sort_by=date_desc&rpp=40] MAC_Src: 00:21:5A:08:BB:0C
    58362->80 (18:12:22.715 PST)
C and C TRAFFIC (RBN)
  207.58.187.146 (2) (16:22:48.505 PST)
    event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    47851->80 (16:22:48.505 PST)
    55451->80 (17:46:54.647 PST)
  217.107.34.83 (16:51:57.374 PST)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    45786->80 (16:51:57.374 PST)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1357763869.473 1357764494.515 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================