Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 79.161.51.12
Peer Coord. List:
Resource List:
Observed Start: 05/10/2013 03:07:58.115 PDT
Gen. Time: 05/10/2013 03:14:11.882 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
79.161.51.12 (03:14:11.882 PDT)
event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
80->44546 (03:14:11.882 PDT)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
173.242.125.196 (17) (03:07:58.115 PDT)
event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
80->50503 (03:07:58.115 PDT)
80->55500 (03:08:07.751 PDT)
80->35311 (03:08:26.444 PDT)
80->48377 (03:08:55.398 PDT)
80->52111 (03:09:02.744 PDT)
80->55907 (03:09:10.351 PDT)
80->34661 (03:09:25.464 PDT)
80->44867 (03:09:50.186 PDT)
80->48449 (03:09:58.087 PDT)
80->51684 (03:10:05.637 PDT)
80->55132 (03:10:12.916 PDT)
80->35345 (03:10:30.719 PDT)
80->45119 (03:10:53.251 PDT)
80->52052 (03:11:08.107 PDT)
80->58461 (03:11:23.280 PDT)
80->40767 (03:11:46.373 PDT)
80->50842 (03:12:08.712 PDT)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368180478.115 1368180478.116 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 173.242.125.196 (8), 79.161.51.12 (4)
Peer Coord. List:
Resource List:
Observed Start: 05/10/2013 03:07:58.115 PDT
Gen. Time: 05/10/2013 03:17:38.894 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
173.242.125.196 (8) (03:15:13.647 PDT-03:15:42.884 PDT)
event=1:2002033 (8) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
2: 80->58825 (03:15:21.225 PDT-03:15:21.225 PDT)
2: 80->41576 (03:15:42.884 PDT-03:15:42.884 PDT)
2: 80->37612 (03:15:35.534 PDT-03:15:35.534 PDT)
2: 80->55037 (03:15:13.647 PDT-03:15:13.647 PDT)
79.161.51.12 (4) (03:14:11.882 PDT-03:15:00.107 PDT)
event=1:2002033 (4) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
2: 80->51336 (03:15:00.107 PDT-03:15:00.107 PDT)
2: 80->44546 (03:14:11.882 PDT-03:14:11.882 PDT)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
173.242.125.196 (17) (03:07:58.115 PDT)
event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
80->50503 (03:07:58.115 PDT)
80->55500 (03:08:07.751 PDT)
80->35311 (03:08:26.444 PDT)
80->48377 (03:08:55.398 PDT)
80->52111 (03:09:02.744 PDT)
80->55907 (03:09:10.351 PDT)
80->34661 (03:09:25.464 PDT)
80->44867 (03:09:50.186 PDT)
80->48449 (03:09:58.087 PDT)
80->51684 (03:10:05.637 PDT)
80->55132 (03:10:12.916 PDT)
80->35345 (03:10:30.719 PDT)
80->45119 (03:10:53.251 PDT)
80->52052 (03:11:08.107 PDT)
80->58461 (03:11:23.280 PDT)
80->40767 (03:11:46.373 PDT)
80->50842 (03:12:08.712 PDT)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368180478.115 1368180942.885 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================