Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 199.58.86.211
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 03:29:41.872 PDT
Gen. Time: 05/06/2013 03:31:43.348 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      199.58.86.211 (03:31:43.348 PDT)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         80->60914 (03:31:43.348 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.74.230 (2) (03:29:41.872 PDT)
         event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->59264 (03:29:41.872 PDT)
         80->53010 (03:30:09.747 PDT)
      199.58.86.211 (5) (03:30:28.812 PDT)
         event=1:552123 (5) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->34310 (03:30:28.812 PDT)
         80->37636 (03:30:37.818 PDT)
         80->41724 (03:30:49.098 PDT)
         80->53341 (03:31:21.772 PDT)
         80->57353 (03:31:33.156 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367836181.872 1367836181.873 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 199.58.86.211 (4)
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 03:29:41.872 PDT
Gen. Time: 05/06/2013 03:38:11.141 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      199.58.86.211 (4) (03:31:43.348 PDT-03:32:30.380 PDT)
         event=1:2002033 (4) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         2: 80->48155 (03:32:30.380 PDT-03:32:30.380 PDT)
         2: 80->60914 (03:31:43.348 PDT-03:31:43.348 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.74.230 (3) (03:29:41.872 PDT)
         event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->59264 (03:29:41.872 PDT)
         80->53010 (03:30:09.747 PDT)
         80->46843 (03:34:05.030 PDT)
      199.58.86.211 (13) (03:30:28.812 PDT)
         event=1:552123 (13) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->34310 (03:30:28.812 PDT)
         80->37636 (03:30:37.818 PDT)
         80->41724 (03:30:49.098 PDT)
         80->53341 (03:31:21.772 PDT)
         80->57353 (03:31:33.156 PDT)
         80->38373 (03:31:59.175 PDT)
         80->40803 (03:32:06.322 PDT)
         80->45751 (03:32:22.922 PDT)
         80->51635 (03:32:40.478 PDT)
         80->53621 (03:32:47.563 PDT)
         80->57862 (03:33:01.317 PDT)
         80->60045 (03:33:08.460 PDT)
         80->42176 (03:33:44.761 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367836181.872 1367836350.381 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 93.128.196.96
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 13:00:48.297 PDT
Gen. Time: 05/06/2013 13:02:00.152 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      93.128.196.96 (13:02:00.152 PDT)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         80->53080 (13:02:00.152 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      93.128.196.96 (4) (13:00:48.297 PDT-13:01:15.762 PDT)
         event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         4: 80->53080 (13:00:48.297 PDT-13:01:15.762 PDT)
      100.43.83.137 (13:01:17.347 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->54926 (13:01:17.347 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367870448.297 1367870475.763 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================