Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.73.140
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 07:15:33.391 PDT
Gen. Time: 06/04/2013 07:18:09.097 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  66.249.73.140 (07:18:09.097 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->56832 (07:18:09.097 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.73.140 (6) (07:15:33.391 PDT)
    event=1:552123 (6) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->46355 (07:15:33.391 PDT)
    80->55890 (07:16:31.449 PDT)
    80->56570 (07:17:27.622 PDT)
    80->61058 (07:17:34.518 PDT)
    80->55123 (07:17:39.111 PDT)
    80->38251 (07:17:48.327 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370355333.391 1370355333.392 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.73.140
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 07:15:33.391 PDT
Gen. Time: 06/04/2013 07:23:18.989 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  66.249.73.140 (07:18:09.097 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->56832 (07:18:09.097 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.73.140 (8) (07:15:33.391 PDT)
    event=1:552123 (8) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->46355 (07:15:33.391 PDT)
    80->55890 (07:16:31.449 PDT)
    80->56570 (07:17:27.622 PDT)
    80->61058 (07:17:34.518 PDT)
    80->55123 (07:17:39.111 PDT)
    80->38251 (07:17:48.327 PDT)
    80->45348 (07:18:36.656 PDT)
    80->43381 (07:19:11.163 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370355333.391 1370355333.392 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.73.140
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 12:26:15.804 PDT
Gen. Time: 06/04/2013 12:33:51.420 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  66.249.73.140 (12:33:51.420 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->37538 (12:33:51.420 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.73.140 (15) (12:26:15.804 PDT)
    event=1:552123 (15) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->34794 (12:26:15.804 PDT)
    80->37794 (12:26:39.331 PDT)
    80->61006 (12:26:55.062 PDT)
    80->52420 (12:27:02.887 PDT)
    80->34752 (12:27:10.747 PDT)
    80->51370 (12:29:08.605 PDT)
    80->45982 (12:29:16.430 PDT)
    80->45054 (12:30:03.572 PDT)
    80->55934 (12:30:34.980 PDT)
    80->51719 (12:30:58.527 PDT)
    80->48672 (12:32:09.232 PDT)
    80->40949 (12:32:32.803 PDT)
    80->57788 (12:32:40.638 PDT)
    80->49362 (12:33:04.201 PDT)
    80->58231 (12:33:12.052 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370373975.804 1370373975.805 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================