Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 77.75.74.41
Peer Coord. List:
Resource List:
Observed Start: 06/19/2013 20:23:17.772 PDT
Gen. Time: 06/19/2013 20:24:22.536 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  77.75.74.41 (20:24:22.536 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->40065 (20:24:22.536 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.74.230 (4) (20:23:17.772 PDT)
    event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->64083 (20:23:17.772 PDT)
    80->63675 (20:23:32.694 PDT)
    80->41442 (20:23:41.418 PDT)
    80->61493 (20:24:16.291 PDT)
  77.75.74.41 (20:24:22.536 PDT)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->40065 (20:24:22.536 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1371698597.772 1371698597.773 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 77.75.74.41
Peer Coord. List:
Resource List:
Observed Start: 06/19/2013 20:23:17.772 PDT
Gen. Time: 06/19/2013 20:30:53.736 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  77.75.74.41 (20:24:22.536 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->40065 (20:24:22.536 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  208.115.113.83 (4) (20:26:20.415 PDT)
    event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->34045 (20:26:20.415 PDT)
    80->36997 (20:26:22.641 PDT)
    80->43338 (20:26:28.476 PDT)
    80->44132 (20:26:29.193 PDT)
  66.249.74.230 (8) (20:23:17.772 PDT)
    event=1:552123 (8) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->64083 (20:23:17.772 PDT)
    80->63675 (20:23:32.694 PDT)
    80->41442 (20:23:41.418 PDT)
    80->61493 (20:24:16.291 PDT)
    80->59170 (20:24:25.041 PDT)
    80->42078 (20:24:51.211 PDT)
    80->61287 (20:24:59.942 PDT)
    80->43904 (20:27:10.771 PDT)
  77.75.74.41 (20:24:22.536 PDT)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->40065 (20:24:22.536 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1371698597.772 1371698597.773 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================