Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 88.190.44.26
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 13:13:59.392 PDT
Gen. Time: 05/08/2013 13:20:07.676 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
88.190.44.26 (13:20:07.676 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->41951 (13:20:07.676 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
88.190.44.26 (12) (13:13:59.392 PDT-13:16:20.362 PDT)
    event=1:552123 (12) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->38728 (13:15:44.828 PDT)
    2: 80->46812 (13:16:09.837 PDT-13:16:20.362 PDT)
    80->54363 (13:17:52.582 PDT)
    80->57765 (13:13:59.392 PDT)
    80->58534 (13:15:34.123 PDT)
    80->35390 (13:17:03.149 PDT)
    80->33591 (13:18:29.086 PDT)
    80->50857 (13:14:50.944 PDT)
    2: 80->42866 (13:14:28.142 PDT-13:14:39.368 PDT)
    80->36144 (13:14:09.556 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368044039.392 1368044180.363 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 77.75.74.41
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 15:37:00.087 PDT
Gen. Time: 05/08/2013 15:40:52.050 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
77.75.74.41 (15:40:52.050 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->50518 (15:40:52.050 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
222.122.190.202 (15:38:27.464 PDT)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->49946 (15:38:27.464 PDT)
66.249.74.230 (15:37:00.087 PDT)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->39428 (15:37:00.087 PDT)
77.75.74.41 (15:40:51.882 PDT)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->50518 (15:40:51.882 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368052620.087 1368052620.088 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================