Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 69.30.238.26
Peer Coord. List:
Resource List:
Observed Start: 05/09/2013 03:27:14.622 PDT
Gen. Time: 05/09/2013 03:30:48.185 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  69.30.238.26 (03:30:48.185 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->54395 (03:30:48.185 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  69.30.238.26 (10) (03:27:14.622 PDT)
    event=1:552123 (10) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->36672 (03:27:14.622 PDT)
    80->45251 (03:27:28.061 PDT)
    80->49711 (03:27:35.243 PDT)
    80->41213 (03:28:06.162 PDT)
    80->45557 (03:28:12.824 PDT)
    80->59170 (03:28:34.350 PDT)
    80->42733 (03:28:54.538 PDT)
    80->48351 (03:29:04.424 PDT)
    80->33423 (03:30:14.533 PDT)
    80->49991 (03:30:41.057 PDT)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368095234.622 1368095234.623 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 91.64.188.76
Peer Coord. List:
Resource List:
Observed Start: 05/09/2013 14:30:52.144 PDT
Gen. Time: 05/09/2013 14:40:58.181 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  91.64.188.76 (14:40:58.181 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->56971 (14:40:58.181 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  91.64.188.76 (17) (14:30:52.144 PDT)
    event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->57088 (14:30:52.144 PDT)
    80->58041 (14:31:02.043 PDT)
    80->59035 (14:31:13.812 PDT)
    80->65341 (14:32:11.767 PDT)
    80->52749 (14:32:51.570 PDT)
    80->53708 (14:33:04.922 PDT)
    80->56645 (14:33:46.410 PDT)
    80->57655 (14:34:01.008 PDT)
    80->59578 (14:34:29.449 PDT)
    80->60547 (14:34:43.954 PDT)
    80->63331 (14:35:27.296 PDT)
    80->51075 (14:36:36.308 PDT)
    80->53959 (14:37:19.844 PDT)
    80->55810 (14:37:46.349 PDT)
    80->60742 (14:38:47.828 PDT)
    80->62941 (14:39:10.176 PDT)
    80->64863 (14:39:33.923 PDT)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368135052.144 1368135052.145 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 91.64.188.76 (4)
Peer Coord. List:
Resource List:
Observed Start: 05/09/2013 14:30:52.144 PDT
Gen. Time: 05/09/2013 14:45:25.710 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  91.64.188.76 (4) (14:40:58.181 PDT)
    event=1:2002033 (4) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->56971 (14:40:58.181 PDT)
    80->58173 (14:41:07.784 PDT)
    80->60525 (14:41:26.757 PDT)
    80->63441 (14:41:50.892 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  91.64.188.76 (17) (14:30:52.144 PDT)
    event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->57088 (14:30:52.144 PDT)
    80->58041 (14:31:02.043 PDT)
    80->59035 (14:31:13.812 PDT)
    80->65341 (14:32:11.767 PDT)
    80->52749 (14:32:51.570 PDT)
    80->53708 (14:33:04.922 PDT)
    80->56645 (14:33:46.410 PDT)
    80->57655 (14:34:01.008 PDT)
    80->59578 (14:34:29.449 PDT)
    80->60547 (14:34:43.954 PDT)
    80->63331 (14:35:27.296 PDT)
    80->51075 (14:36:36.308 PDT)
    80->53959 (14:37:19.844 PDT)
    80->55810 (14:37:46.349 PDT)
    80->60742 (14:38:47.828 PDT)
    80->62941 (14:39:10.176 PDT)
    80->64863 (14:39:33.923 PDT)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368135052.144 1368135052.145 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================