Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.60
Peer Coord. List:
Resource List:
Observed Start: 02/04/2013 15:34:32.107 PST
Gen. Time: 02/04/2013 16:03:15.155 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
        180.76.5.60 (16:03:15.155 PST)
        event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
        80->55670 (16:03:15.155 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
        66.249.76.103 (2) (15:39:14.318 PST)
        event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
        80->52841 (15:39:14.318 PST)
        80->37294 (15:52:52.654 PST)
        180.76.6.26 (15:48:59.253 PST)
        event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
        80->51934 (15:48:59.253 PST)
        180.76.6.213 (15:46:44.364 PST)
        event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
        80->51963 (15:46:44.364 PST)
        180.76.5.179 (15:45:14.457 PST)
        event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
        80->18157 (15:45:14.457 PST)
        180.76.5.10 (2) (15:47:29.300 PST)
        event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
        80->32790 (15:47:29.300 PST)
        80->33656 (15:56:28.314 PST)
        178.151.143.247 (9) (15:34:32.107 PST)
        event=1:552123 (9) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
        80->32869 (15:34:32.107 PST)
        80->34461 (15:36:24.920 PST)
        80->44682 (15:36:51.181 PST)
        80->39911 (15:41:08.483 PST)
        80->57700 (15:43:34.975 PST)
        80->54704 (15:45:20.809 PST)
        80->55297 (15:47:02.610 PST)
        80->50133 (15:48:38.221 PST)
        80->60042 (15:55:10.992 PST)
        180.76.5.60 (15:45:59.283 PST)
        event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
        80->53997 (15:45:59.283 PST)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360020872.107 1360020872.108 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 77.75.77.17
Peer Coord. List:
Resource List:
Observed Start: 02/04/2013 20:02:48.789 PST
Gen. Time: 02/04/2013 20:02:48.957 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
        77.75.77.17 (20:02:48.957 PST)
        event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
        80->48537 (20:02:48.957 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
        77.75.77.17 (20:02:48.789 PST)
        event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
        80->48537 (20:02:48.789 PST)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360036968.789 1360036968.790 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================