Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.156
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/10/2013 15:51:46.402 PDT
Gen. Time: 07/10/2013 15:51:48.353 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
129.171.29.100 (15:51:46.402 PDT)
 event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 12 IPs (12 /24s) (# pkts S/M/O/I=0/12/0/3): 445:12, [] MAC_Src: 00:21:1C:EE:14:00
 0->0 (15:51:46.402 PDT)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
129.171.29.100 (15:51:48.353 PDT)
 event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/5): 445:21, [] MAC_Src: 00:21:1C:EE:14:00
 0->0 (15:51:48.353 PDT)

tcpslice 1373496706.402 1373496706.403 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.156'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.156
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/10/2013 15:51:46.402 PDT
Gen. Time: 07/10/2013 15:59:37.102 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
129.171.29.100 (15:51:46.402 PDT)
 event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 12 IPs (12 /24s) (# pkts S/M/O/I=0/12/0/3): 445:12, [] MAC_Src: 00:21:1C:EE:14:00
 0->0 (15:51:46.402 PDT)

OUTBOUND SCAN
223.27.18.65 (14) (15:54:41.753 PDT-15:54:41.940 PDT)
 event=1:52000046 {tcp} E5[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k), [] MAC_Src: 00:01:64:FF:CE:EA
 1768->445 (15:54:41.940 PDT)
 -------------------------
 event=1:52314 (5) {tcp} E5[rb] GPL SHELLCODE x86 0x90 NOOP unicode, [] MAC_Src: 00:01:64:FF:CE:EA
 4: 1768->445 (15:54:41.753 PDT-15:54:41.940 PDT)
 1783->445 (15:54:44.250 PDT)
 -------------------------
 event=1:52514 (3) {tcp} E5[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Src: 00:01:64:FF:CE:EA
 2: 1768->445 (15:54:41.753 PDT-15:54:41.940 PDT)
 1783->445 (15:54:44.250 PDT)
 -------------------------
 event=1:5653 (5) {tcp} E5[rb] GPL SHELLCODE x86 0x90 unicode NOOP, [] MAC_Src: 00:01:64:FF:CE:EA
 1783->445 (15:54:44.250 PDT)
 4: 1768->445 (15:54:41.753 PDT-15:54:41.940 PDT)
93.59.230.196 (15:53:50.982 PDT)
 event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
 1578->445 (15:53:50.982 PDT)
210.31.204.216 (15:51:51.000 PDT)
 event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
 1086->445 (15:51:51.000 PDT)
125.22.252.106 (15:52:51.520 PDT)
 event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
 1301->445 (15:52:51.520 PDT)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
129.171.29.100 (15:51:48.353 PDT)
 event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/5): 445:21, [] MAC_Src: 00:21:1C:EE:14:00
 0->0 (15:51:48.353 PDT)
101.87.240.222 (15:52:51.856 PDT)
 event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 357 IPs (357 /24s) (# pkts S/M/O/I=0/200/1/188): 445:200, [] MAC_Src: 00:21:1C:EE:14:00
 0->0 (15:52:51.856 PDT)

tcpslice 1373496706.402 1373496881.941 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.156'

============================== SEPARATOR ================================