Score:            1.0 (>= 0.8)
Infected Target:  192.168.1.14
Infector List:    <unobserved>
Egg Source List:  <unobserved>
C & C List:       95.96.224.110
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   06/14/2013 03:32:49.086 PDT
Gen. Time:        06/14/2013 03:33:54.823 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
C and C TRAFFIC
    95.96.224.110 (03:33:54.823 PDT)
       event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
          80->50666 (03:33:54.823 PDT)
       
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND SCAN
    95.96.224.110 (10) (03:32:49.086 PDT-03:33:50.723 PDT)
       event=1:552123 (10) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
          5: 80->49687 (03:32:49.086 PDT-03:33:00.170 PDT)
          5: 80->50666 (03:33:23.777 PDT-03:33:50.723 PDT)
       
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT Local Threat Triggered
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1371205969.086 1371206030.724 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================
Score:            1.0 (>= 0.8)
Infected Target:  192.168.1.14
Infector List:    <unobserved>
Egg Source List:  <unobserved>
C & C List:       173.208.180.58
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   06/14/2013 08:32:22.038 PDT
Gen. Time:        06/14/2013 08:32:56.847 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
C and C TRAFFIC
    173.208.180.58 (08:32:56.847 PDT)
       event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
          80->37230 (08:32:56.847 PDT)
       
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND SCAN
    173.208.180.58 (7) (08:32:22.038 PDT)
       event=1:552123 (7) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
          80->33752 (08:32:22.038 PDT)
          80->34459 (08:32:28.800 PDT)
          80->34695 (08:32:31.140 PDT)
          80->35799 (08:32:42.243 PDT)
          80->36000 (08:32:44.254 PDT)
          80->36208 (08:32:46.267 PDT)
          80->36857 (08:32:52.669 PDT)
       
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT Local Threat Triggered
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1371223942.038 1371223942.039 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================
Score:            1.0 (>= 0.8)
Infected Target:  192.168.1.14
Infector List:    <unobserved>
Egg Source List:  <unobserved>
C & C List:       173.208.180.58 (17)
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   06/14/2013 08:32:22.038 PDT
Gen. Time:        06/14/2013 08:38:14.560 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
C and C TRAFFIC
    173.208.180.58 (17) (08:32:56.847 PDT-08:33:33.092 PDT)
       event=1:2002033 (17) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
          9: 80->37230 (08:32:56.847 PDT-08:32:56.848 PDT)
          8: 80->40680 (08:33:33.091 PDT-08:33:33.092 PDT)
       
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND SCAN
    173.208.180.58 (17) (08:32:22.038 PDT)
       event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
          80->33752 (08:32:22.038 PDT)
          80->34459 (08:32:28.800 PDT)
          80->34695 (08:32:31.140 PDT)
          80->35799 (08:32:42.243 PDT)
          80->36000 (08:32:44.254 PDT)
          80->36208 (08:32:46.267 PDT)
          80->36857 (08:32:52.669 PDT)
          80->38187 (08:33:06.613 PDT)
          80->38372 (08:33:08.603 PDT)
          80->39290 (08:33:18.561 PDT)
          80->39490 (08:33:20.555 PDT)
          80->39667 (08:33:22.533 PDT)
          80->40280 (08:33:28.923 PDT)
          80->41953 (08:33:42.904 PDT)
          80->42234 (08:33:44.906 PDT)
          80->43429 (08:33:54.977 PDT)
          80->43679 (08:33:57.026 PDT)
       
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT Local Threat Triggered
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1371223942.038 1371224013.093 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================