Score: 1.1 (>= 0.8) Infected Target: 192.168.1.158 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/04/2013 16:45:28.850 PDT Gen. Time: 07/04/2013 16:45:30.541 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 98.9.238.231 (16:45:28.850 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/0/1): 445:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:45:28.850 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.30.215.71 (16:45:30.541 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/0/1): 445:20, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:45:30.541 PDT) tcpslice 1372981528.850 1372981528.851 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.158' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.158 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/04/2013 16:45:28.850 PDT Gen. Time: 07/04/2013 16:58:28.928 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 98.9.238.231 (16:45:28.850 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/0/1): 445:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:45:28.850 PDT) OUTBOUND SCAN 75.120.75.178 (16:45:34.268 PDT) event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 1510->445 (16:45:34.268 PDT) 108.177.188.150 (13) (16:46:49.366 PDT-16:46:49.417 PDT) event=1:52000046 {tcp} E5[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k), [] MAC_Src: 00:01:64:FF:CE:EA 4485->445 (16:46:49.417 PDT) ------------------------- event=1:52314 (5) {tcp} E5[rb] GPL SHELLCODE x86 0x90 NOOP unicode, [] MAC_Src: 00:01:64:FF:CE:EA 4576->445 (16:46:50.775 PDT) 4: 4485->445 (16:46:49.366 PDT-16:46:49.417 PDT) ------------------------- event=1:52514 (2) {tcp} E5[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Src: 00:01:64:FF:CE:EA 2: 4485->445 (16:46:49.366 PDT-16:46:49.416 PDT) ------------------------- event=1:5653 (5) {tcp} E5[rb] GPL SHELLCODE x86 0x90 unicode NOOP, [] MAC_Src: 00:01:64:FF:CE:EA 4576->445 (16:46:50.775 PDT) 4: 4485->445 (16:46:49.366 PDT-16:46:49.417 PDT) 86.30.112.86 (16:46:33.270 PDT) event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 3052->445 (16:46:33.270 PDT) 124.33.30.156 (2) (16:46:02.054 PDT) event=1:52514 (2) {tcp} E5[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Src: 00:01:64:FF:CE:EA 2140->445 (16:46:03.910 PDT) 2103->445 (16:46:02.054 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.30.215.71 (16:45:30.541 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/0/1): 445:20, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:45:30.541 PDT) 130.117.95.78 (16:46:54.431 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 384 IPs (383 /24s) (# pkts S/M/O/I=0/200/9/200): 445:200, [] MAC_Src: 00:01:64:FF:CE:EA (16:46:54.431 PDT) tcpslice 1372981528.850 1372981609.418 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.158' ============================== SEPARATOR ================================