Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.56.229.187
Peer Coord. List:
Resource List:
Observed Start: 03/11/2013 01:57:25.387 PDT
Gen. Time: 03/11/2013 01:57:30.148 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
157.56.229.187 (01:57:30.148 PDT)
   event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
   80->39377 (01:57:30.148 PDT)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
157.56.229.187 (5) (01:57:25.387 PDT)
   event=1:552123 (5) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->12083 (01:57:25.387 PDT)
   80->42204 (01:57:25.857 PDT)
   80->44603 (01:57:26.989 PDT)
   80->51843 (01:57:27.084 PDT)
   80->37151 (01:57:27.966 PDT)

ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362992245.387 1362992245.388 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.56.229.187 (4)
Peer Coord. List:
Resource List:
Observed Start: 03/11/2013 01:57:25.387 PDT
Gen. Time: 03/11/2013 01:57:39.984 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
157.56.229.187 (4) (01:57:30.148 PDT-01:57:30.183 PDT)
   event=1:2002033 (4) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
   4: 80->39377 (01:57:30.148 PDT-01:57:30.183 PDT)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
157.56.229.187 (8) (01:57:25.387 PDT)
   event=1:552123 (8) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->12083 (01:57:25.387 PDT)
   80->42204 (01:57:25.857 PDT)
   80->44603 (01:57:26.989 PDT)
   80->51843 (01:57:27.084 PDT)
   80->37151 (01:57:27.966 PDT)
   80->40418 (01:57:34.556 PDT)
   80->48459 (01:57:36.003 PDT)
   80->30233 (01:57:39.984 PDT)

ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362992245.387 1362992250.184 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 65.55.24.243
Peer Coord. List:
Resource List:
Observed Start: 03/11/2013 02:08:38.484 PDT
Gen. Time: 03/11/2013 02:08:41.570 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
65.55.24.243 (02:08:41.570 PDT)
   event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
   80->29488 (02:08:41.570 PDT)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
65.55.24.243 (02:08:38.484 PDT)
   event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->15572 (02:08:38.484 PDT)

ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362992918.484 1362992918.485 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 65.55.24.243 (2)
Peer Coord. List:
Resource List:
Observed Start: 03/11/2013 02:08:38.484 PDT
Gen. Time: 03/11/2013 02:09:02.689 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
65.55.24.243 (2) (02:08:41.570 PDT)
   event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
   2: 80->29488 (02:08:41.570 PDT-02:08:41.570 PDT)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
65.55.24.236 (5) (02:08:57.718 PDT)
   event=1:552123 (5) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->19443 (02:08:57.718 PDT)
   80->19775 (02:08:59.955 PDT)
   80->44809 (02:09:01.104 PDT)
   80->44806 (02:09:01.127 PDT)
   80->51431 (02:09:02.173 PDT)
65.55.24.243 (3) (02:08:38.484 PDT)
   event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->15572 (02:08:38.484 PDT)
   80->34989 (02:09:01.596 PDT)
   80->13321 (02:09:02.689 PDT)

ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362992918.484 1362992921.571 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 65.55.24.236
Peer Coord. List:
Resource List:
Observed Start: 03/11/2013 02:11:00.597 PDT
Gen. Time: 03/11/2013 02:11:07.880 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
65.55.24.236 (02:11:07.880 PDT)
   event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
   80->55573 (02:11:07.880 PDT)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
65.55.24.236 (2) (02:11:00.597 PDT)
   event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->23184 (02:11:00.597 PDT)
   80->31517 (02:11:04.827 PDT)

ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362993060.597 1362993060.598 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 65.55.24.236 (5)
Peer Coord. List:
Resource List:
Observed Start: 03/11/2013 02:11:00.597 PDT
Gen. Time: 03/11/2013 02:11:50.653 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
65.55.24.236 (5) (02:11:07.880 PDT-02:11:07.951 PDT)
   event=1:2002033 (5) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
   5: 80->55573 (02:11:07.880 PDT-02:11:07.951 PDT)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
157.55.35.114 (02:11:44.956 PDT)
   event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->23077 (02:11:44.956 PDT)
65.55.24.236 (11) (02:11:00.597 PDT)
   event=1:552123 (11) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->23184 (02:11:00.597 PDT)
   80->31517 (02:11:04.827 PDT)
   80->47363 (02:11:13.054 PDT)
   80->56116 (02:11:17.757 PDT)
   80->22312 (02:11:21.657 PDT)
   80->50693 (02:11:23.093 PDT)
   80->59005 (02:11:23.127 PDT)
   80->25734 (02:11:36.735 PDT)
   80->45151 (02:11:41.389 PDT)
   80->13366 (02:11:42.598 PDT)
   80->60778 (02:11:50.653 PDT)

ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362993060.597 1362993067.952 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.35.88
Peer Coord. List:
Resource List:
Observed Start: 03/11/2013 02:24:42.506 PDT
Gen. Time: 03/11/2013 02:25:17.169 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
157.55.35.88 (02:25:17.169 PDT)
   event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
   80->36748 (02:25:17.169 PDT)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
157.55.33.22 (7) (02:24:42.506 PDT)
   event=1:552123 (7) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->31178 (02:24:42.506 PDT)
   80->34166 (02:24:43.371 PDT)
   80->63875 (02:24:52.174 PDT)
   80->24468 (02:24:55.579 PDT)
   80->24479 (02:25:05.499 PDT)
   80->50885 (02:25:09.678 PDT)
   80->59781 (02:25:10.821 PDT)

ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362993882.506 1362993882.507 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.35.88 (5)
Peer Coord. List:
Resource List:
Observed Start: 03/11/2013 02:24:42.506 PDT
Gen. Time: 03/11/2013 02:26:16.603 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
157.55.35.88 (5) (02:25:17.169 PDT-02:25:17.205 PDT)
   event=1:2002033 (5) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
   80->35172 (02:26:05.581 PDT)
   4: 80->36748 (02:25:17.169 PDT-02:25:17.205 PDT)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
157.55.33.22 (7) (02:24:42.506 PDT)
   event=1:552123 (7) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->31178 (02:24:42.506 PDT)
   80->34166 (02:24:43.371 PDT)
   80->63875 (02:24:52.174 PDT)
   80->24468 (02:24:55.579 PDT)
   80->24479 (02:25:05.499 PDT)
   80->50885 (02:25:09.678 PDT)
   80->59781 (02:25:10.821 PDT)
157.55.35.88 (10) (02:25:24.345 PDT)
   event=1:552123 (10) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->45672 (02:25:24.345 PDT)
   80->15410 (02:25:29.646 PDT)
   80->57390 (02:25:34.155 PDT)
   80->65428 (02:25:35.134 PDT)
   80->31413 (02:25:37.019 PDT)
   80->43481 (02:25:38.259 PDT)
   80->28140 (02:25:41.605 PDT)
   80->38868 (02:25:42.578 PDT)
   80->58982 (02:25:45.424 PDT)
   80->39196 (02:25:49.057 PDT)

ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362993882.506 1362993917.206 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 65.55.52.94
Peer Coord. List:
Resource List:
Observed Start: 03/11/2013 02:37:12.435 PDT
Gen. Time: 03/11/2013 02:37:37.398 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
65.55.52.94 (02:37:37.398 PDT)
   event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
   80->52526 (02:37:37.398 PDT)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
157.55.33.77 (4) (02:37:29.977 PDT)
   event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->27250 (02:37:29.977 PDT)
   80->28211 (02:37:33.346 PDT)
   80->60320 (02:37:33.383 PDT)
   80->41835 (02:37:35.460 PDT)
157.56.229.187 (2) (02:37:13.525 PDT)
   event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->50152 (02:37:13.525 PDT)
   80->37102 (02:37:33.726 PDT)
65.55.52.94 (5) (02:37:12.435 PDT)
   event=1:552123 (5) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->10818 (02:37:12.435 PDT)
   80->40843 (02:37:13.218 PDT)
   80->39949 (02:37:15.549 PDT)
   80->26067 (02:37:17.328 PDT)
   80->12649 (02:37:21.458 PDT)

ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362994632.435 1362994632.436 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 65.55.52.94
Peer Coord. List:
Resource List:
Observed Start: 03/11/2013 02:37:12.435 PDT
Gen. Time: 03/11/2013 02:37:59.801 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
65.55.52.94 (02:37:37.398 PDT)
   event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
   80->52526 (02:37:37.398 PDT)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
157.55.33.77 (4) (02:37:29.977 PDT)
   event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->27250 (02:37:29.977 PDT)
   80->28211 (02:37:33.346 PDT)
   80->60320 (02:37:33.383 PDT)
   80->41835 (02:37:35.460 PDT)
157.56.229.187 (2) (02:37:13.525 PDT)
   event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->50152 (02:37:13.525 PDT)
   80->37102 (02:37:33.726 PDT)
65.55.52.94 (6) (02:37:12.435 PDT)
   event=1:552123 (6) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->10818 (02:37:12.435 PDT)
   80->40843 (02:37:13.218 PDT)
   80->39949 (02:37:15.549 PDT)
   80->26067 (02:37:17.328 PDT)
   80->12649 (02:37:21.458 PDT)
   80->54579 (02:37:39.486 PDT)

ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362994632.435 1362994632.436 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================
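The profiles above are BotHunter's plain-text bot profile output. The Python below is an added example, not part of this report and not BotHunter code: it parses a profile into its header fields, per-section entries (remote IP, hit count, signature ID and message, port pairs with timestamps) and the tcpslice window, then applies two checks a practitioner would want before acting on a profile. First, whether the tcpslice window at the foot of the profile actually reaches the profile's Gen. Time; in every profile above it does not (the first profile's window 1362992245.387 to 1362992245.388 covers one millisecond after Observed Start, while the second profile's window ends at 1362992250.184, which is 01:57:30.184 PDT, although its OUTBOUND SCAN events run to 01:57:39.984 PDT), so the example also rebuilds the command to span Observed Start to one millisecond past Gen. Time. Second, whether every port pair in the profile has port 80 on one side, which is true of every entry above: both signatures fired inside HTTP sessions, and the sliced pcap is the only way to confirm what they matched on. The embedded sample is the second profile above in its native one-field-per-line layout, with the OUTBOUND SCAN port list cut to three lines; the PDT/PST offsets and the inputFile.tcpd/outputFile.tcpd names are assumptions taken from the report's own commands.

```python
"""Parse BotHunter bot-profile text and sanity-check its tcpslice window.

Added example; assumes the one-field-per-line layout shown in the report.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the report's second profile with the OUTBOUND
# SCAN port list trimmed to three entries.
SAMPLE_REPORT = """\
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.56.229.187 (4)
Peer Coord. List:
Resource List:
Observed Start: 03/11/2013 01:57:25.387 PDT
Gen. Time: 03/11/2013 01:57:39.984 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD

C and C TRAFFIC
157.56.229.187 (4) (01:57:30.148 PDT-01:57:30.183 PDT)
   event=1:2002033 (4) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
   4: 80->39377 (01:57:30.148 PDT-01:57:30.183 PDT)

C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
157.56.229.187 (8) (01:57:25.387 PDT)
   event=1:552123 (8) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
   80->12083 (01:57:25.387 PDT)
   80->42204 (01:57:25.857 PDT)
   80->30233 (01:57:39.984 PDT)

ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362992245.387 1362992250.184 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================
"""

# Assumption: the zone labels in the report map to these fixed UTC offsets.
TZ_OFFSETS = {"PDT": -7, "PST": -8}

HEADER_RE = re.compile(r"^(Score|Infected Target|Infector List|Egg Source List|C & C List|"
                       r"Peer Coord\. List|Resource List|Observed Start|Gen\. Time): ?(.*)$")
ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?: \((\d+)\))? \((.+)\)$")
EVENT_RE = re.compile(r"^\s+event=(\d+:\d+)(?: \((\d+)\))? \{(\w+)\} (.*)$")
PORT_RE = re.compile(r"^\s+(?:\d+: )?(\d+)->(\d+) \((.+)\)$")
SLICE_RE = re.compile(r"^tcpslice (\d+\.\d+) (\d+\.\d+) ")


def parse_timestamp(text):
    """'03/11/2013 01:57:25.387 PDT' -> timezone-aware datetime."""
    stamp, zone = text.rsplit(" ", 1)
    naive = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))


def parse_report(text):
    """Split a report on SEPARATOR lines and parse every non-empty profile."""
    return [parse_profile(chunk)
            for chunk in re.split(r"^=+ SEPARATOR =+$", text, flags=re.M)
            if chunk.strip()]


def parse_profile(chunk):
    """One profile -> dict of header fields, sections, and tcpslice window."""
    profile = {"sections": {}, "tcpslice": None}
    section, entry = None, None
    for line in chunk.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            profile[m.group(1)] = m.group(2).strip()
            continue
        m = SLICE_RE.match(line)
        if m:
            profile["tcpslice"] = (float(m.group(1)), float(m.group(2)))
            continue
        m = ENTRY_RE.match(line)          # remote IP line opens a new entry
        if m and section:
            entry = {"ip": m.group(1), "count": int(m.group(2) or 1),
                     "span": m.group(3), "events": [], "ports": []}
            profile["sections"].setdefault(section, []).append(entry)
            continue
        m = EVENT_RE.match(line)          # indented signature line
        if m and entry:
            entry["events"].append({"sid": m.group(1), "count": int(m.group(2) or 1),
                                    "proto": m.group(3), "msg": m.group(4)})
            continue
        m = PORT_RE.match(line)           # indented src->dst (time) line
        if m and entry:
            entry["ports"].append((int(m.group(1)), int(m.group(2)), m.group(3)))
            continue
        if not line[0].isspace():         # any other column-0 line is a section header
            section, entry = line.strip(), None
    return profile


def profile_window(profile):
    """(Observed Start, Gen. Time) as epoch seconds with millisecond precision."""
    return (parse_timestamp(profile["Observed Start"]).timestamp(),
            parse_timestamp(profile["Gen. Time"]).timestamp())


def slice_covers_profile(profile):
    """Does the report's tcpslice window start at Observed Start and reach Gen. Time?"""
    start, end = profile_window(profile)
    slice_start, slice_end = profile["tcpslice"]
    return abs(slice_start - start) < 0.0015 and slice_end >= end


def widened_tcpslice(profile, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """Rebuild the slice command to span Observed Start .. Gen. Time + 1 ms."""
    start, end = profile_window(profile)
    return ("tcpslice %.3f %.3f %s | tcpdump -r - -w %s 'host %s'"
            % (start, end + 0.001, infile, outfile, profile["Infected Target"]))


def ports_all_involve(profile, port=80):
    """True when every recorded port pair in the profile has `port` on one side."""
    pairs = [p for entries in profile["sections"].values()
             for e in entries for p in e["ports"]]
    return bool(pairs) and all(port in (src, dst) for src, dst, _ in pairs)


def summarize(profile):
    """Compact triage view: target, score, C&C field, signatures, remote IPs."""
    entries = [e for es in profile["sections"].values() for e in es]
    return {"target": profile["Infected Target"],
            "score": profile["Score"].split()[0],
            "cnc": profile["C & C List"],
            "sids": sorted({ev["sid"] for e in entries for ev in e["events"]}),
            "remote_ips": sorted({e["ip"] for e in entries})}


if __name__ == "__main__":
    for p in parse_report(SAMPLE_REPORT):
        print(summarize(p))
        print("slice covers profile:", slice_covers_profile(p))
        print(widened_tcpslice(p))
```

Run against the full report, the parser yields one dict per SEPARATOR-delimited profile; slice_covers_profile is False for all ten, and the widened command is what to feed tcpslice before looking at the HTTP content the two signatures matched.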