Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.230
Peer Coord. List:
Resource List:
Observed Start: 07/16/2013 15:33:59.413 PDT
Gen. Time: 07/16/2013 15:51:19.011 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE
   DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.74.230 (15:51:19.011 PDT)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->43312 (15:51:19.011 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.74.230 (17) (15:33:59.413 PDT-15:44:48.732 PDT)
         event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->61159 (15:33:59.413 PDT)
         80->52446 (15:44:09.310 PDT)
         80->61836 (15:45:27.423 PDT)
         80->53878 (15:48:42.749 PDT)
         2: 80->33971 (15:44:48.352 PDT-15:44:48.732 PDT)
         80->64124 (15:46:45.563 PDT)
         80->41012 (15:47:24.606 PDT)
         80->38075 (15:49:21.863 PDT)
         80->36500 (15:40:30.039 PDT)
         80->52127 (15:38:32.841 PDT)
         80->36179 (15:48:03.648 PDT)
         80->42884 (15:34:38.464 PDT)
         80->62729 (15:43:34.273 PDT)
         80->58567 (15:37:53.790 PDT)
         80->53290 (15:39:12.043 PDT)
         80->36461 (15:46:06.489 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1374014039.413 1374014688.733 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 217.73.208.74
Peer Coord. List:
Resource List:
Observed Start: 07/16/2013 16:28:44.374 PDT
Gen. Time: 07/16/2013 16:34:58.473 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE
   DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      217.73.208.74 (16:34:58.473 PDT)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->46085 (16:34:58.473 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.74.230 (16:33:07.091 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->65479 (16:33:07.091 PDT)
      217.73.208.74 (4) (16:28:44.374 PDT)
         event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->53872 (16:28:44.374 PDT)
         80->39399 (16:28:49.829 PDT)
         80->52785 (16:31:06.684 PDT)
         80->42078 (16:32:16.960 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1374017324.374 1374017324.375 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 217.73.208.74 (6)
Peer Coord. List:
Resource List:
Observed Start: 07/16/2013 16:28:44.374 PDT
Gen. Time: 07/16/2013 16:41:07.376 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE
   DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      217.73.208.74 (6) (16:34:58.473 PDT-16:34:58.879 PDT)
         event=1:2002033 (6) {tcp} E4[rb] ET TROJAN BOT - potential response, []
         MAC_Src: 00:01:64:FF:CE:EA
         6: 80->46085 (16:34:58.473 PDT-16:34:58.879 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.74.230 (16:33:07.091 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->65479 (16:33:07.091 PDT)
      217.73.208.74 (9) (16:28:44.374 PDT)
         event=1:552123 (9) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->53872 (16:28:44.374 PDT)
         80->39399 (16:28:49.829 PDT)
         80->52785 (16:31:06.684 PDT)
         80->42078 (16:32:16.960 PDT)
         80->46696 (16:36:13.899 PDT)
         80->35171 (16:36:36.059 PDT)
         80->48973 (16:37:39.789 PDT)
         80->40157 (16:38:23.512 PDT)
         80->46698 (16:38:51.145 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1374017324.374 1374017698.880 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================