Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List: 199.59.150.9, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 199.255.189.160, 69.10.35.82, 72.51.47.21
Peer Coord. List:
Resource List:
Observed Start: 01/10/2013 11:15:59.861 PST
Gen. Time: 01/11/2013 04:19:45.733 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD
199.59.150.9 (9) (11:15:59.861 PST-11:24:45.218 PST)
 event=1:2013036 (9) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
 2: 53662<-80 (11:24:15.210 PST-11:24:45.218 PST)
 2: 42992<-80 (11:22:25.359 PST-11:22:55.356 PST)
 2: 50500<-80 (11:15:59.861 PST-11:16:29.864 PST)
 46862<-80 (11:20:37.305 PST)
 2: 59909<-80 (11:19:31.674 PST-11:20:01.679 PST)
199.59.150.41 (3) (11:21:23.134 PST)
 event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
 44474<-80 (11:21:23.134 PST)
 60656<-80 (11:25:55.031 PST)
 34383<-80 (11:25:10.845 PST)
199.59.148.87 (11:16:53.220 PST)
 event=1:2013036 {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
 43620<-80 (11:16:53.220 PST)
199.59.148.20 (4) (11:17:38.860 PST-11:18:08.867 PST)
 event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
 2: 50691<-80 (11:17:38.860 PST-11:18:08.867 PST)
 60376<-80 (11:23:09.448 PST)
 59770<-80 (11:18:42.465 PST)

C and C TRAFFIC
199.255.189.160 (04:19:45.733 PST)
 event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/half-gallery-new-york?start=0&sort_by=date_desc&rpp=40] MAC_Src: 00:21:5A:08:BB:0C
 38960->80 (04:19:45.733 PST)

C and C TRAFFIC (RBN)
69.10.35.82 (02:54:37.017 PST)
 event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
 34635->80 (02:54:37.017 PST)
72.51.47.21 (12:55:42.961 PST)
 event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
 60825->80 (12:55:42.961 PST)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1357845359.861 1357845885.219 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
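A small parser for the profile layout above, added here as an example; it is not BotHunter's own code or output. It assumes the report clock is PST (UTC-8, which the PST suffix on a January date implies), feeds in a constructed excerpt in the same layout as the report, pulls out the per-host event lines (SID, stage tag, message, URI, MAC) and their flow lines (local port, direction arrow, remote port, times), and recomputes the epoch bounds the closing tcpslice command uses: 1357845359.861 is 01/10/2013 11:15:59.861 PST (the Observed Start) and 1357845885.219 is 11:24:45.219 PST, one millisecond past the end of the first egg source's event range, so the slice covers the driveby download and not the later C and C traffic. The section names and regular expressions are written against the lines as they appear in this report, not against a BotHunter format specification.

```python
"""Parse a BotHunter-style infection profile in the layout of the report above.
Added example, not BotHunter code.  Assumes PST (UTC-8) timestamps and that
tcpslice takes epoch-second bounds, as the report's closing command does."""
import re
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))  # assumption: report timestamps are PST

# A line equal to one of these starts a new section (names as in the report).
SECTIONS = {
    "INBOUND SCAN", "EXPLOIT", "EXPLOIT MALWARE DNS", "EGG DOWNLOAD",
    "C and C TRAFFIC", "C and C TRAFFIC (RBN)", "C and C DNS CHECK-IN",
    "OUTBOUND SCAN", "ATTACK PREP", "PEER COORDINATION", "DECLARE BOT",
}
# "199.59.150.9 (9) (11:15:59.861 PST-11:24:45.218 PST)"
HOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \(")
# "event=1:2013036 (9) {tcp} E3[rb] <message>, [<uri>] MAC_Src: <mac>"
EVENT_RE = re.compile(
    r"^event=1:(\d+)(?: \(\d+\))? \{(\w+)\} (E\d)\[\w+\] (.*?), \[(.*?)\] MAC_Src: (\S+)")
# "2: 53662<-80 (11:24:15.210 PST-11:24:45.218 PST)" or "46862<-80 (11:20:37.305 PST)"
FLOW_RE = re.compile(
    r"^(?:\d+: )?(\d+)(<-|->)(\d+) \((\d\d:\d\d:\d\d\.\d+) PST(?:-(\d\d:\d\d:\d\d\.\d+) PST)?\)")

# Constructed excerpt in the report's layout (a subset of the events above).
SAMPLE_REPORT = """\
Infected Target: 192.168.1.100
Observed Start: 01/10/2013 11:15:59.861 PST
Gen. Time: 01/11/2013 04:19:45.733 PST
EGG DOWNLOAD
199.59.150.9 (9) (11:15:59.861 PST-11:24:45.218 PST)
 event=1:2013036 (9) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
 2: 53662<-80 (11:24:15.210 PST-11:24:45.218 PST)
 46862<-80 (11:20:37.305 PST)
C and C TRAFFIC
199.255.189.160 (04:19:45.733 PST)
 event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/half-gallery-new-york?start=0&sort_by=date_desc&rpp=40] MAC_Src: 00:21:5A:08:BB:0C
 38960->80 (04:19:45.733 PST)
"""


def to_epoch(stamp):
    """'01/10/2013 11:15:59.861 PST' -> 1357845359.861 (seconds, ms precision)."""
    naive = datetime.strptime(stamp.replace(" PST", ""), "%m/%d/%Y %H:%M:%S.%f")
    return round(naive.replace(tzinfo=PST).timestamp(), 3)


def parse_report(text):
    """Return (header dict, list of events).  Each event records its section,
    remote host, SID, stage tag (E3 egg download, E4 C and C), message, URI,
    source MAC and the flow lines that follow it."""
    header, events, section, host, current = {}, [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section, host, current = line, None, None
            continue
        if section is None:  # "Key: value" header lines before the first section
            key, _, value = line.partition(": ")
            header[key] = value
            continue
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = EVENT_RE.match(line)
        if m:
            current = {"section": section, "remote": host, "sid": int(m.group(1)),
                       "proto": m.group(2), "stage": m.group(3), "msg": m.group(4),
                       "uri": m.group(5), "mac": m.group(6), "flows": []}
            events.append(current)
            continue
        m = FLOW_RE.match(line)
        if m and current is not None:
            # "<-": the victim's port on the left pulled data from the remote
            # server port on the right (inbound payload); "->": victim connects out.
            current["flows"].append({
                "local_port": int(m.group(1)),
                "direction": "inbound" if m.group(2) == "<-" else "outbound",
                "remote_port": int(m.group(3)),
                "first": m.group(4), "last": m.group(5) or m.group(4)})
    return header, events


def egg_sources(events):
    """Distinct hosts that served the E3 egg download, in report order."""
    return list(dict.fromkeys(e["remote"] for e in events if e["section"] == "EGG DOWNLOAD"))


def slice_command(target, start_stamp, end_stamp, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """The tcpslice | tcpdump pipeline the report ends with, bounds as epoch seconds."""
    return (f"tcpslice {to_epoch(start_stamp):.3f} {to_epoch(end_stamp):.3f} {infile}"
            f" | tcpdump -r - -w {outfile} 'host {target}'")


if __name__ == "__main__":
    hdr, evs = parse_report(SAMPLE_REPORT)
    for e in evs:
        for f in e["flows"]:
            print(e["section"], e["remote"], e["sid"], f["direction"], f["local_port"], f["remote_port"], f["first"])
    print(slice_command(hdr["Infected Target"], hdr["Observed Start"], "01/10/2013 11:24:45.219 PST"))
```

Every E3 flow in the report points the same way (victim ephemeral port `<-` remote port 80), which is the victim fetching the EXE from the four egg-source web servers; `egg_sources()` gives exactly those hosts, so the tcpdump filter can be narrowed from `host 192.168.1.100` to `host 192.168.1.100 and (host 199.59.150.9 or ...)` when only the download itself is wanted from the slice. Keep the timezone assumption in mind when the sensor is not on Pacific time: the epoch bounds shift by the offset and the slice silently captures the wrong interval.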