Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.73.140
Peer Coord. List:
Resource List:
Observed Start: 06/13/2013 09:18:49.949 PDT
Gen. Time: 06/13/2013 09:19:03.424 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  66.249.73.140 (09:19:03.424 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->51518 (09:19:03.424 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  173.199.114.187 (09:18:57.182 PDT)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->42768 (09:18:57.182 PDT)
  66.249.73.140 (09:18:49.949 PDT)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->35569 (09:18:49.949 PDT)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1371140329.949 1371140329.950 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.73.140
Peer Coord. List:
Resource List:
Observed Start: 06/13/2013 11:10:24.459 PDT
Gen. Time: 06/13/2013 11:24:58.798 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  66.249.73.140 (11:24:58.798 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->38873 (11:24:58.798 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  173.199.114.187 (11:21:22.966 PDT)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->56332 (11:21:22.966 PDT)
  66.249.73.140 (16) (11:10:24.459 PDT)
    event=1:552123 (16) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
    MAC_Src: 00:01:64:FF:CE:EA
    80->42794 (11:10:24.459 PDT)
    80->41858 (11:14:09.897 PDT)
    80->43201 (11:14:23.410 PDT)
    80->64403 (11:14:36.952 PDT)
    80->49514 (11:14:50.458 PDT)
    80->56418 (11:15:03.946 PDT)
    80->46095 (11:15:17.497 PDT)
    80->47773 (11:15:31.023 PDT)
    80->52736 (11:16:38.585 PDT)
    80->43337 (11:17:19.124 PDT)
    80->50051 (11:17:32.653 PDT)
    80->38007 (11:17:46.173 PDT)
    80->62354 (11:20:28.371 PDT)
    80->50680 (11:20:55.412 PDT)
    80->53320 (11:21:22.438 PDT)
    80->45255 (11:21:35.947 PDT)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1371147024.459 1371147024.460 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================