Score: 1.0 (>= 0.8) Infected Target: 192.168.1.85 Infector List: Egg Source List: C & C List: 77.75.77.11 Peer Coord. List: Resource List: Observed Start: 01/09/2013 08:16:58.173 PST Gen. Time: 01/09/2013 08:17:04.683 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC 77.75.77.11 (08:17:04.683 PST) event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA 80->54022 (08:17:04.683 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 77.75.77.11 (08:17:04.516 PST) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->54022 (08:17:04.516 PST) 66.249.74.120 (08:16:58.173 PST) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->45375 (08:16:58.173 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1357748218.173 1357748218.174 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.85 Infector List: Egg Source List: C & C List: 77.75.77.11 (2) Peer Coord. List: Resource List: Observed Start: 01/09/2013 08:16:58.173 PST Gen. Time: 01/09/2013 08:38:54.210 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC 77.75.77.11 (2) (08:17:04.683 PST) event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA 2: 80->54022 (08:17:04.683 PST-08:17:04.683 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 77.75.77.11 (08:17:04.516 PST) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->54022 (08:17:04.516 PST) 66.249.74.120 (11) (08:16:58.173 PST) event=1:552123 (11) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->45375 (08:16:58.173 PST) 80->51142 (08:17:58.423 PST) 80->50921 (08:18:13.477 PST) 80->65251 (08:19:29.415 PST) 80->64618 (08:20:44.967 PST) 80->45113 (08:22:00.544 PST) 80->62802 (08:25:47.828 PST) 80->40736 (08:29:35.790 PST) 80->52110 (08:30:53.249 PST) 80->54560 (08:32:10.548 PST) 80->49347 (08:34:45.387 PST) 157.55.32.97 (08:26:17.496 PST) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->34230 (08:26:17.496 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1357748218.173 1357748224.684 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85' ============================== SEPARATOR ================================