Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.35.85
Peer Coord. List:
Resource List:
Observed Start: 01/15/2013 16:52:38.090 PST
Gen. Time: 01/15/2013 16:52:46.388 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  157.55.35.85 (16:52:46.388 PST)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->23857 (16:52:46.388 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  157.55.35.85 (4) (16:52:39.474 PST)
    event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->49939 (16:52:39.474 PST)
    80->12121 (16:52:41.482 PST)
    80->23126 (16:52:42.758 PST)
    80->63536 (16:52:44.996 PST)
  157.55.33.83 (16:52:38.090 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->40701 (16:52:38.090 PST)
  65.55.52.118 (16:52:40.463 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->62322 (16:52:40.463 PST)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358297558.090 1358297558.091 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.32.102 (4), 157.55.33.84, 157.55.36.49 (2), 157.55.35.85 (2), 157.56.93.201 (2), 157.55.34.35 (2)
Peer Coord. List:
Resource List:
Observed Start: 01/15/2013 16:52:38.090 PST
Gen. Time: 01/15/2013 17:10:37.846 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  157.55.32.102 (4) (17:04:47.701 PST)
    event=1:2002033 (4) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->32433 (17:04:47.701 PST)
    80->55458 (17:04:53.919 PST)
    80->53043 (17:04:57.355 PST)
    80->30919 (17:04:58.681 PST)
  157.55.33.84 (17:03:43.954 PST)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->18721 (17:03:43.954 PST)
  157.55.36.49 (2) (17:05:52.877 PST)
    event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->28320 (17:05:52.877 PST)
    80->59267 (17:06:36.034 PST)
  157.55.35.85 (2) (16:52:46.388 PST)
    event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->23857 (16:52:46.388 PST)
    80->38956 (16:52:58.312 PST)
  157.56.93.201 (2) (16:53:27.267 PST)
    event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->39516 (16:53:27.267 PST)
    80->45736 (16:53:28.419 PST)
  157.55.34.35 (2) (16:52:55.758 PST)
    event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->35790 (16:52:55.758 PST)
    80->12310 (16:53:15.184 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  157.55.35.85 (4) (16:52:39.474 PST)
    event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->49939 (16:52:39.474 PST)
    80->12121 (16:52:41.482 PST)
    80->23126 (16:52:42.758 PST)
    80->63536 (16:52:44.996 PST)
  157.55.33.83 (4) (16:52:38.090 PST)
    event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->40701 (16:52:38.090 PST)
    80->47241 (16:53:07.181 PST)
    80->56945 (16:53:10.273 PST)
    80->27498 (16:53:12.392 PST)
  157.55.34.35 (16:52:47.555 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->46645 (16:52:47.555 PST)
  65.55.52.118 (8) (16:52:40.463 PST)
    event=1:552123 (8) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->62322 (16:52:40.463 PST)
    80->51706 (16:52:48.416 PST)
    80->40556 (16:52:51.264 PST)
    80->21274 (16:52:55.452 PST)
    80->17276 (16:53:15.669 PST)
    80->37412 (16:53:18.384 PST)
    80->50733 (16:53:22.231 PST)
    80->53051 (16:53:22.477 PST)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358297558.090 1358297558.091 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.35.85
Peer Coord. List:
Resource List:
Observed Start: 01/15/2013 22:35:58.696 PST
Gen. Time: 01/15/2013 22:40:57.864 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  157.55.35.85 (22:40:57.864 PST)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->20209 (22:40:57.864 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  157.55.35.85 (22:35:58.696 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->54703 (22:35:58.696 PST)
  157.55.33.83 (7) (22:38:59.591 PST)
    event=1:552123 (7) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->40342 (22:38:59.591 PST)
    80->42224 (22:39:05.444 PST)
    80->40088 (22:39:06.469 PST)
    80->63886 (22:39:09.393 PST)
    80->29636 (22:39:16.197 PST)
    80->41312 (22:39:19.191 PST)
    80->53242 (22:39:24.277 PST)
  157.56.93.201 (22:37:19.826 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->44834 (22:37:19.826 PST)
  157.55.34.35 (4) (22:36:24.117 PST)
    event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->57064 (22:36:24.117 PST)
    80->40789 (22:36:31.360 PST)
    80->64003 (22:36:33.703 PST)
    80->23718 (22:36:34.669 PST)
  65.55.52.118 (4) (22:36:23.532 PST)
    event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->32477 (22:36:23.532 PST)
    80->24563 (22:36:25.710 PST)
    80->34826 (22:36:25.768 PST)
    80->30251 (22:36:30.015 PST)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358318158.696 1358318158.697 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.35.85 (2), 157.56.93.201 (2), 157.55.34.35 (2), 65.55.52.118
Peer Coord. List:
Resource List:
Observed Start: 01/15/2013 22:35:58.696 PST
Gen. Time: 01/15/2013 22:48:53.001 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  157.55.35.85 (2) (22:40:57.864 PST)
    event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->20209 (22:40:57.864 PST)
    80->44320 (22:41:06.466 PST)
  157.56.93.201 (2) (22:42:06.824 PST)
    event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->63650 (22:42:06.824 PST)
    80->57980 (22:42:07.833 PST)
  157.55.34.35 (2) (22:41:36.556 PST)
    event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->13763 (22:41:36.556 PST)
    80->63455 (22:42:19.472 PST)
  65.55.52.118 (22:42:50.538 PST)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->18064 (22:42:50.538 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  157.55.35.85 (22:35:58.696 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->54703 (22:35:58.696 PST)
  157.55.33.83 (7) (22:38:59.591 PST)
    event=1:552123 (7) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->40342 (22:38:59.591 PST)
    80->42224 (22:39:05.444 PST)
    80->40088 (22:39:06.469 PST)
    80->63886 (22:39:09.393 PST)
    80->29636 (22:39:16.197 PST)
    80->41312 (22:39:19.191 PST)
    80->53242 (22:39:24.277 PST)
  157.56.93.201 (22:37:19.826 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->44834 (22:37:19.826 PST)
  157.55.34.35 (4) (22:36:24.117 PST)
    event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->57064 (22:36:24.117 PST)
    80->40789 (22:36:31.360 PST)
    80->64003 (22:36:33.703 PST)
    80->23718 (22:36:34.669 PST)
  65.55.52.118 (4) (22:36:23.532 PST)
    event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->32477 (22:36:23.532 PST)
    80->24563 (22:36:25.710 PST)
    80->34826 (22:36:25.768 PST)
    80->30251 (22:36:30.015 PST)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358318158.696 1358318158.697 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.33.84
Peer Coord. List:
Resource List:
Observed Start: 01/15/2013 22:48:53.671 PST
Gen. Time: 01/15/2013 22:49:17.966 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  157.55.33.84 (22:49:17.966 PST)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->58154 (22:49:17.966 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  157.55.33.84 (6) (22:48:53.671 PST)
    event=1:552123 (6) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->39046 (22:48:53.671 PST)
    80->19095 (22:48:56.009 PST)
    80->33497 (22:49:00.324 PST)
    80->50111 (22:49:01.380 PST)
    80->38509 (22:49:06.887 PST)
    80->34896 (22:49:15.684 PST)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358318933.671 1358318933.672 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================