Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.32.152
Peer Coord. List:
Resource List:
Observed Start: 02/19/2013 06:05:56.810 PST
Gen. Time: 02/19/2013 06:19:35.951 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
  157.55.32.152 (06:19:35.951 PST)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->37054 (06:19:35.951 PST)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
  157.55.32.80 (10) (06:08:24.896 PST)
    event=1:552123 (10) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->28416 (06:08:24.896 PST)
    80->30975 (06:08:24.903 PST)
    80->52391 (06:08:25.951 PST)
    80->45533 (06:08:30.588 PST)
    80->48411 (06:08:31.503 PST)
    80->16823 (06:08:59.414 PST)
    80->41046 (06:09:00.656 PST)
    80->20470 (06:09:00.681 PST)
    80->49502 (06:09:01.649 PST)
    80->52892 (06:09:03.581 PST)
  65.55.24.233 (3) (06:05:56.810 PST)
    event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->37950 (06:05:56.810 PST)
    80->50105 (06:08:22.111 PST)
    80->24303 (06:08:37.119 PST)
  157.55.32.106 (4) (06:08:59.603 PST)
    event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->49624 (06:08:59.603 PST)
    80->51535 (06:09:02.722 PST)
    80->49329 (06:09:03.548 PST)
    80->39183 (06:09:08.368 PST)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361282756.810 1361282756.811 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.32.152 (8)
Peer Coord. List:
Resource List:
Observed Start: 02/19/2013 06:05:56.810 PST
Gen. Time: 02/19/2013 06:28:53.766 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
  157.55.32.152 (8) (06:19:35.951 PST-06:19:39.890 PST)
    event=1:2002033 (8) {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    2: 80->37054 (06:19:35.951 PST-06:19:35.951 PST)
    2: 80->63155 (06:19:36.030 PST-06:19:36.030 PST)
    2: 80->24373 (06:19:37.887 PST-06:19:37.887 PST)
    2: 80->54351 (06:19:39.890 PST-06:19:39.890 PST)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
  157.55.32.80 (10) (06:08:24.896 PST)
    event=1:552123 (10) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->28416 (06:08:24.896 PST)
    80->30975 (06:08:24.903 PST)
    80->52391 (06:08:25.951 PST)
    80->45533 (06:08:30.588 PST)
    80->48411 (06:08:31.503 PST)
    80->16823 (06:08:59.414 PST)
    80->41046 (06:09:00.656 PST)
    80->20470 (06:09:00.681 PST)
    80->49502 (06:09:01.649 PST)
    80->52892 (06:09:03.581 PST)
  65.55.24.233 (3) (06:05:56.810 PST)
    event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->37950 (06:05:56.810 PST)
    80->50105 (06:08:22.111 PST)
    80->24303 (06:08:37.119 PST)
  157.55.32.106 (4) (06:08:59.603 PST)
    event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->49624 (06:08:59.603 PST)
    80->51535 (06:09:02.722 PST)
    80->49329 (06:09:03.548 PST)
    80->39183 (06:09:08.368 PST)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361282756.810 1361283579.891 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.33.77
Peer Coord. List:
Resource List:
Observed Start: 02/19/2013 06:30:53.161 PST
Gen. Time: 02/19/2013 06:41:22.956 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
  157.55.33.77 (06:41:22.956 PST)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->54262 (06:41:22.956 PST)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
  157.55.33.77 (14) (06:34:09.220 PST)
    event=1:552123 (14) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->22654 (06:34:09.220 PST)
    80->46189 (06:34:15.192 PST)
    80->45031 (06:34:18.392 PST)
    80->30742 (06:34:21.588 PST)
    80->62816 (06:34:22.106 PST)
    80->26087 (06:34:26.471 PST)
    80->53432 (06:34:27.941 PST)
    80->26419 (06:34:28.953 PST)
    80->46010 (06:34:30.860 PST)
    80->35073 (06:34:31.899 PST)
    80->29009 (06:34:54.418 PST)
    80->42874 (06:34:55.959 PST)
    80->61859 (06:35:18.251 PST)
    80->51862 (06:35:19.181 PST)
  66.249.74.120 (3) (06:30:53.161 PST)
    event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->62735 (06:30:53.161 PST)
    80->34087 (06:32:31.019 PST)
    80->54706 (06:33:04.017 PST)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361284253.161 1361284253.162 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.33.77 (2), 157.55.35.105 (2), 157.55.32.106 (2)
Peer Coord. List:
Resource List:
Observed Start: 02/19/2013 06:30:53.161 PST
Gen. Time: 02/19/2013 06:59:08.881 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
  157.55.33.77 (2) (06:41:22.956 PST)
    event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    2: 80->54262 (06:41:22.956 PST-06:41:22.956 PST)
  157.55.35.105 (2) (06:51:44.020 PST)
    event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    2: 80->24417 (06:51:44.020 PST-06:51:44.020 PST)
  157.55.32.106 (2) (06:49:44.998 PST)
    event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    2: 80->11511 (06:49:44.998 PST-06:49:44.998 PST)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
  157.55.33.77 (14) (06:34:09.220 PST)
    event=1:552123 (14) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->22654 (06:34:09.220 PST)
    80->46189 (06:34:15.192 PST)
    80->45031 (06:34:18.392 PST)
    80->30742 (06:34:21.588 PST)
    80->62816 (06:34:22.106 PST)
    80->26087 (06:34:26.471 PST)
    80->53432 (06:34:27.941 PST)
    80->26419 (06:34:28.953 PST)
    80->46010 (06:34:30.860 PST)
    80->35073 (06:34:31.899 PST)
    80->29009 (06:34:54.418 PST)
    80->42874 (06:34:55.959 PST)
    80->61859 (06:35:18.251 PST)
    80->51862 (06:35:19.181 PST)
  66.249.74.120 (3) (06:30:53.161 PST)
    event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->62735 (06:30:53.161 PST)
    80->34087 (06:32:31.019 PST)
    80->54706 (06:33:04.017 PST)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361284253.161 1361285504.021 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.32.77
Peer Coord. List:
Resource List:
Observed Start: 02/19/2013 06:59:34.646 PST
Gen. Time: 02/19/2013 07:05:51.011 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
  157.55.32.77 (07:05:51.011 PST)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->62114 (07:05:51.011 PST)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
  66.249.74.120 (07:01:06.080 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->34604 (07:01:06.080 PST)
  65.55.24.233 (7) (06:59:34.646 PST)
    event=1:552123 (7) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->41074 (06:59:34.646 PST)
    80->65230 (06:59:48.758 PST)
    80->20723 (07:00:30.196 PST)
    80->21279 (07:00:33.177 PST)
    80->18416 (07:00:42.575 PST)
    80->28881 (07:00:44.731 PST)
    80->33578 (07:00:49.819 PST)
  157.55.32.77 (9) (07:00:42.011 PST)
    event=1:552123 (9) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->52278 (07:00:42.011 PST)
    80->55477 (07:00:42.944 PST)
    80->55596 (07:00:42.974 PST)
    80->58857 (07:00:43.937 PST)
    80->64450 (07:00:45.655 PST)
    80->16597 (07:01:07.974 PST)
    80->20557 (07:01:08.961 PST)
    80->26670 (07:01:10.911 PST)
    80->32766 (07:01:13.713 PST)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361285974.646 1361285974.647 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.35.44 (2), 157.55.32.77 (2)
Peer Coord. List:
Resource List:
Observed Start: 02/19/2013 06:59:34.646 PST
Gen. Time: 02/19/2013 07:33:38.280 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
  157.55.35.44 (2) (07:27:55.141 PST)
    event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    2: 80->26116 (07:27:55.141 PST-07:27:55.141 PST)
  157.55.32.77 (2) (07:05:51.011 PST)
    event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    2: 80->62114 (07:05:51.011 PST-07:05:51.011 PST)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
  66.249.74.120 (07:01:06.080 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->34604 (07:01:06.080 PST)
  65.55.24.233 (7) (06:59:34.646 PST)
    event=1:552123 (7) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->41074 (06:59:34.646 PST)
    80->65230 (06:59:48.758 PST)
    80->20723 (07:00:30.196 PST)
    80->21279 (07:00:33.177 PST)
    80->18416 (07:00:42.575 PST)
    80->28881 (07:00:44.731 PST)
    80->33578 (07:00:49.819 PST)
  157.55.32.77 (9) (07:00:42.011 PST)
    event=1:552123 (9) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->52278 (07:00:42.011 PST)
    80->55477 (07:00:42.944 PST)
    80->55596 (07:00:42.974 PST)
    80->58857 (07:00:43.937 PST)
    80->64450 (07:00:45.655 PST)
    80->16597 (07:01:07.974 PST)
    80->20557 (07:01:08.961 PST)
    80->26670 (07:01:10.911 PST)
    80->32766 (07:01:13.713 PST)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361285974.646 1361287675.142 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.32.152
Peer Coord. List:
Resource List:
Observed Start: 02/19/2013 19:36:27.976 PST
Gen. Time: 02/19/2013 20:01:38.931 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
  157.55.32.152 (20:01:38.931 PST)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->14086 (20:01:38.931 PST)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
  157.55.32.80 (17) (19:36:27.976 PST)
    event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->54830 (19:36:27.976 PST)
    80->13338 (19:36:54.322 PST)
    80->49647 (19:37:05.320 PST)
    80->42683 (19:37:12.993 PST)
    80->35210 (19:37:18.963 PST)
    80->41963 (19:37:18.965 PST)
    80->36525 (19:37:20.003 PST)
    80->41960 (19:37:20.043 PST)
    80->26237 (19:37:27.986 PST)
    80->28206 (19:37:31.257 PST)
    80->52632 (19:38:16.268 PST)
    80->23998 (19:38:21.238 PST)
    80->52935 (19:38:22.146 PST)
    80->53742 (19:38:24.319 PST)
    80->10560 (19:38:25.331 PST)
    80->21831 (19:38:31.799 PST)
    80->39208 (19:38:45.918 PST)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361331387.976 1361331387.977 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.32.152 (2), 157.55.32.77 (2)
Peer Coord. List:
Resource List:
Observed Start: 02/19/2013 19:36:27.976 PST
Gen. Time: 02/19/2013 20:31:14.917 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
  157.55.32.152 (2) (20:01:38.931 PST)
    event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    2: 80->14086 (20:01:38.931 PST-20:01:38.931 PST)
  157.55.32.77 (2) (20:27:38.466 PST)
    event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    2: 80->56206 (20:27:38.466 PST-20:27:38.466 PST)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
  157.55.32.80 (17) (19:36:27.976 PST)
    event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->54830 (19:36:27.976 PST)
    80->13338 (19:36:54.322 PST)
    80->49647 (19:37:05.320 PST)
    80->42683 (19:37:12.993 PST)
    80->35210 (19:37:18.963 PST)
    80->41963 (19:37:18.965 PST)
    80->36525 (19:37:20.003 PST)
    80->41960 (19:37:20.043 PST)
    80->26237 (19:37:27.986 PST)
    80->28206 (19:37:31.257 PST)
    80->52632 (19:38:16.268 PST)
    80->23998 (19:38:21.238 PST)
    80->52935 (19:38:22.146 PST)
    80->53742 (19:38:24.319 PST)
    80->10560 (19:38:25.331 PST)
    80->21831 (19:38:31.799 PST)
    80->39208 (19:38:45.918 PST)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361331387.976 1361334458.467 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.32.77
Peer Coord. List:
Resource List:
Observed Start: 02/19/2013 20:31:38.723 PST
Gen. Time: 02/19/2013 20:34:16.591 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
  157.55.32.77 (20:34:16.591 PST)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->47980 (20:34:16.591 PST)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
  66.249.74.120 (20:32:30.656 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->52093 (20:32:30.656 PST)
  157.55.32.77 (16) (20:31:38.723 PST)
    event=1:552123 (16) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->50252 (20:31:38.723 PST)
    80->23996 (20:31:42.310 PST)
    80->21981 (20:31:46.355 PST)
    80->63511 (20:31:50.276 PST)
    80->41642 (20:31:55.495 PST)
    80->46235 (20:31:56.470 PST)
    80->21292 (20:32:03.714 PST)
    80->29584 (20:32:10.652 PST)
    80->34946 (20:32:11.625 PST)
    80->50570 (20:32:14.543 PST)
    80->14512 (20:32:20.631 PST)
    80->28166 (20:32:24.100 PST)
    80->49276 (20:32:28.496 PST)
    80->61660 (20:32:33.820 PST)
    80->22732 (20:32:35.500 PST)
    80->32605 (20:32:36.503 PST)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361334698.723 1361334698.724 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.32.152
Peer Coord. List:
Resource List:
Observed Start: 02/19/2013 20:40:40.344 PST
Gen. Time: 02/19/2013 21:18:59.915 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
  157.55.32.152 (21:18:59.915 PST)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->42053 (21:18:59.915 PST)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
  157.55.32.77 (17) (20:40:40.344 PST)
    event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->48060 (20:40:40.344 PST)
    80->55267 (20:40:41.264 PST)
    80->19385 (20:40:44.350 PST)
    80->25561 (20:40:45.504 PST)
    80->30557 (20:40:46.439 PST)
    80->50857 (20:40:50.407 PST)
    80->40901 (20:41:14.049 PST)
    80->45648 (20:41:15.143 PST)
    80->64503 (20:41:20.096 PST)
    80->16937 (20:41:22.254 PST)
    80->20787 (20:41:23.289 PST)
    80->48939 (20:41:30.534 PST)
    80->58572 (20:41:34.113 PST)
    80->15661 (20:41:50.422 PST)
    80->24984 (20:41:53.801 PST)
    80->27146 (20:41:54.709 PST)
    80->27671 (20:41:54.963 PST)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361335240.344 1361335240.345 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================
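The blocks above are BotHunter infection profiles for 192.168.1.85. Each one scores a dialog made of rule-based events (E4[rb] for C and C TRAFFIC, E5[rb] for OUTBOUND SCAN) and closes with a tcpslice | tcpdump pipeline for carving the matching packets out of the capture file. Two things in the data deserve a check before the DECLARE BOT verdict is acted on. First, every evidence packet is recorded as 80-><ephemeral port>: it travelled from TCP port 80 on the remote address to a high port on 192.168.1.85, so it is an HTTP response the host received, not a connection the host opened, and a rule that looks for the cmd.exe banner text in a payload fires just as readily on a web page that quotes that banner; confirm who owns 157.55.32.0/24, 157.55.33.77, 157.55.35.x, 65.55.24.233 and 66.249.74.120 before treating them as C&C servers or scan victims. Second, six of the ten tcpslice commands carve a window only 1 ms wide (Observed Start to Observed Start + 0.001 s), which extracts nothing, and the other four stop at the last C&C packet rather than at Gen. Time. The Python below is an added example, not BotHunter's own code and not part of the report: it parses a profile, tags each evidence entry with its dialog phase, checks packet direction, and rebuilds the tcpslice command over the full Observed Start to Gen. Time window. It assumes PST is a fixed UTC-8 offset, that a profile's packet times do not cross midnight, and it uses a constructed sample that is the second profile above cut down to a few packets.

```python
"""Parse BotHunter infection-profile reports and sanity-check the evidence."""
import re
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))  # assumed fixed offset; Feb 2013 has no DST

# Dialog-phase headings in the order BotHunter prints them.
PHASES = ("INBOUND SCAN", "EXPLOIT", "EXPLOIT MALWARE DNS", "EGG DOWNLOAD", "C and C TRAFFIC",
          "C and C TRAFFIC (RBN)", "C and C DNS CHECK-IN", "OUTBOUND SKYPE CANDIDATE",
          "OUTBOUND SCAN (spp)", "OUTBOUND SCAN", "ATTACK PREP", "PEER COORDINATION Info",
          "PEER COORDINATION", "DECLARE BOT Standard Port", "DECLARE BOT Non-standard Port",
          "DECLARE BOT", "OUTBOUND INTENSE MALWARE PORT SCAN")
# "<remote ip> [(count)] (<time or time window>) event=<gid:sid>"
EVIDENCE_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?:\(\d+\) )?\([\d:. PST-]+\) event=(?P<sid>\d+:\d+)")
FLOW_RE = re.compile(r"(?:\d+: )?(\d+)->(\d+) \((\d\d:\d\d:\d\d\.\d{3}) PST")
SLICE_RE = re.compile(r"tcpslice (\d+\.\d+) (\d+\.\d+)")

# Constructed sample: the second profile of the report above, cut down to one C&C
# entry and one OUTBOUND SCAN entry with a few of their packets each.
SAMPLE = """
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
C & C List: 157.55.32.152 (8)
Observed Start: 02/19/2013 06:05:56.810 PST
Gen. Time: 02/19/2013 06:28:53.766 PST
C and C TRAFFIC
  157.55.32.152 (8) (06:19:35.951 PST-06:19:39.890 PST)
    event=1:2002033 (8) {tcp} E4[rb] ET TROJAN BOT - potential response, []
    2: 80->37054 (06:19:35.951 PST-06:19:35.951 PST)
    2: 80->63155 (06:19:36.030 PST-06:19:36.030 PST)
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  65.55.24.233 (3) (06:05:56.810 PST)
    event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    80->37950 (06:05:56.810 PST)
    80->50105 (06:08:22.111 PST)
    80->24303 (06:08:37.119 PST)
tcpslice 1361282756.810 1361283579.891 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================
"""

def split_profiles(report):
    """One whitespace-normalised string per profile (flattened or laid-out input)."""
    parts = re.split(r"=+ SEPARATOR =+", report)
    return [" ".join(p.split()) for p in parts if "Infected Target:" in p]

def pst_epoch(stamp):
    """'02/19/2013 06:05:56.810' (PST) -> POSIX seconds, here 1361282756.810."""
    return datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PST).timestamp()

def parse_profile(text):
    """Header fields plus every evidence entry with its phase and packet list."""
    text = " ".join(text.split())
    target = re.search(r"Infected Target: (\S+)", text).group(1)
    start = re.search(r"Observed Start: (\S+ \S+) PST", text).group(1)
    gen = re.search(r"Gen\. Time: (\S+ \S+) PST", text).group(1)
    date = start.split()[0]  # packet times carry no date; assumes no midnight rollover
    hits = list(EVIDENCE_RE.finditer(text))
    evidence = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        # The phase is the nearest heading before the entry (longest name wins ties).
        phase = max(PHASES, key=lambda p: (text.rfind(p, 0, m.start()), len(p)))
        flows = [(int(sp), int(dp), pst_epoch(f"{date} {ts}"))
                 for sp, dp, ts in FLOW_RE.findall(text[m.end():end])]
        evidence.append({"phase": phase, "remote": m["ip"], "sid": m["sid"], "flows": flows})
    return {"target": target, "start": pst_epoch(start),
            "gen_time": pst_epoch(gen), "evidence": evidence}

def reported_window(text):
    """(start, end) of the tcpslice command the report itself suggests."""
    a, b = SLICE_RE.search(" ".join(text.split())).groups()
    return float(a), float(b)

def tcpslice_command(profile, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """Carve Observed Start through Gen. Time (+1 ms) instead of the report's window."""
    a, b = profile["start"], profile["gen_time"] + 0.001
    return (f"tcpslice {a:.3f} {b:.3f} {infile} | "
            f"tcpdump -r - -w {outfile} 'host {profile['target']}'")

def server_responses_only(profile, server_port=80):
    """True when every evidence packet went from the remote's port 80 to an ephemeral
    port on the target: a response the target received, not a connection it opened."""
    return all(sp == server_port and dp > 1023
               for ev in profile["evidence"] for sp, dp, _ in ev["flows"])

def summarize(text):
    """What an analyst wants from one profile before trusting DECLARE BOT."""
    p = parse_profile(text)
    rep = reported_window(text)
    by_phase = lambda ph: sorted({e["remote"] for e in p["evidence"] if e["phase"] == ph})
    return {"target": p["target"],
            "cnc": by_phase("C and C TRAFFIC"),
            "scan": by_phase("OUTBOUND SCAN"),
            "reported_window_s": round(rep[1] - rep[0], 3),
            "full_window_s": round(p["gen_time"] - p["start"], 3),
            "responses_only": server_responses_only(p),
            "tcpslice": tcpslice_command(p)}
```

Run `summarize(prof)` over each string from `split_profiles(open("report.txt").read())` to get the C&C and scan address sets, the width of the report's own capture window next to the Observed Start to Gen. Time width, the direction check, and a tcpslice command that covers the whole episode; on the sample the reported window is 823.081 s, the full window 1376.956 s, and every packet is a server response.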