Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List: 199.59.149.232, 199.59.150.9, 199.59.150.41, 199.59.148.87
C & C List: 199.255.189.60
Peer Coord. List:
Resource List:
Observed Start: 01/12/2013 21:19:13.975 PST
Gen. Time: 01/13/2013 00:44:25.399 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
199.59.149.232 (2) (21:23:25.281 PST-21:23:55.284 PST)
  event=1:2013036 (2) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 54624<-80 (21:23:25.281 PST-21:23:55.284 PST)
199.59.150.9 (8) (21:20:05.802 PST-21:26:04.361 PST)
  event=1:2013036 (8) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 36800<-80 (21:24:03.730 PST-21:24:33.734 PST)
  2: 51961<-80 (21:21:03.692 PST-21:21:33.697 PST)
  2: 55854<-80 (21:25:34.361 PST-21:26:04.361 PST)
  2: 54217<-80 (21:20:05.802 PST-21:20:35.807 PST)
199.59.150.41 (3) (21:21:53.845 PST-21:22:23.848 PST)
  event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 46775<-80 (21:21:53.845 PST-21:22:23.848 PST)
  59389<-80 (21:24:55.407 PST)
199.59.148.87 (4) (21:19:13.975 PST-21:23:02.701 PST)
  event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 37672<-80 (21:22:32.700 PST-21:23:02.701 PST)
  2: 56770<-80 (21:19:13.975 PST-21:19:43.975 PST)
C and C TRAFFIC
199.255.189.60 (00:44:25.399 PST)
  event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/filtered_reviews/best-cab-san-francisco?fsid=nvBk1EULThN0CwZYQ-S0iA&filtered_start=10] MAC_Src: 00:21:5A:08:BB:0C
  37953->80 (00:44:25.399 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358054353.975 1358054764.362 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List: 199.59.149.232, 199.59.150.9, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 199.255.189.60
Peer Coord. List:
Resource List:
Observed Start: 01/13/2013 01:36:31.228 PST
Gen. Time: 01/13/2013 11:38:06.673 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
199.59.149.232 (01:38:44.886 PST)
  event=1:2013036 {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  56517<-80 (01:38:44.886 PST)
199.59.150.9 (4) (01:39:37.879 PST-01:40:49.368 PST)
  event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  35146<-80 (01:39:37.879 PST)
  46322<-80 (01:42:57.257 PST)
  2: 58775<-80 (01:40:19.364 PST-01:40:49.368 PST)
199.59.150.41 (5) (01:38:06.300 PST-01:44:56.459 PST)
  event=1:2013036 (5) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  46228<-80 (01:43:31.708 PST)
  2: 43530<-80 (01:44:26.453 PST-01:44:56.459 PST)
  2: 34955<-80 (01:38:06.300 PST-01:38:36.306 PST)
199.59.148.87 (4) (01:36:31.228 PST-01:37:44.307 PST)
  event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  48471<-80 (01:36:31.228 PST)
  49911<-80 (01:36:35.210 PST)
  2: 32968<-80 (01:37:14.305 PST-01:37:44.307 PST)
199.59.148.20 (3) (01:41:10.792 PST-01:41:40.793 PST)
  event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 56622<-80 (01:41:10.792 PST-01:41:40.793 PST)
  56269<-80 (01:41:49.898 PST)
C and C TRAFFIC
199.255.189.60 (11:38:06.673 PST)
  event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/filtered_reviews/500-club-san-francisco?fsid=gGkuEn5pzPfh3DmypRmMnA&filtered_start=10] MAC_Src: 00:21:5A:08:BB:0C
  52260->80 (11:38:06.673 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358069791.228 1358070296.460 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================