Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.138
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2013 02:37:28.189 PDT
Gen. Time: 07/17/2013 02:37:28.231 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  191.39.130.127 (02:37:28.189 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (02:37:28.189 PDT)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  191.39.130.127 (02:37:28.231 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (02:37:28.231 PDT)

tcpslice 1374053848.189 1374053848.190 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.138'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.138
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2013 02:37:28.189 PDT
Gen. Time: 07/17/2013 02:44:05.555 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  191.39.130.127 (02:37:28.189 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (02:37:28.189 PDT)
OUTBOUND SCAN
  110.79.88.84 (02:37:28.274 PDT)
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  1103->445 (02:37:28.274 PDT)
  63.61.210.9 (02:39:28.505 PDT)
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  1114->445 (02:39:28.505 PDT)
  52.5.56.91 (02:38:30.010 PDT)
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  3118->445 (02:38:30.010 PDT)
  147.75.71.52 (02:40:28.377 PDT)
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  3279->445 (02:40:28.377 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  130.94.191.24 (02:39:12.108 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 201 IPs (201 /24s) (# pkts S/M/O/I=0/200/1/0): 445:200, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (02:39:12.108 PDT)
  191.39.130.127 (02:37:28.231 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (02:37:28.231 PDT)

tcpslice 1374053848.189 1374053848.190 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.138'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.138
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2013 21:38:33.275 PDT
Gen. Time: 07/17/2013 21:38:33.321 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  94.28.196.79 (21:38:33.275 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (21:38:33.275 PDT)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  94.28.196.79 (21:38:33.321 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (21:38:33.321 PDT)

tcpslice 1374122313.275 1374122313.276 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.138'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.138
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2013 21:38:33.275 PDT
Gen. Time: 07/17/2013 21:45:44.711 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  94.28.196.79 (21:38:33.275 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (21:38:33.275 PDT)
OUTBOUND SCAN
  62.55.193.54 (21:38:33.366 PDT)
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  1102->445 (21:38:33.366 PDT)
  14.101.249.63 (21:41:33.451 PDT)
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  3276->445 (21:41:33.451 PDT)
  74.50.124.78 (21:41:46.920 PDT)
  event=1:52009200 {tcp} E5[rb] ET CURRENT_EVENTS Conficker.a Shellcode, [] MAC_Src: 00:01:64:FF:CE:EA
  3678->445 (21:41:46.920 PDT)
  211.127.234.58 (21:40:33.658 PDT)
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  1127->445 (21:40:33.658 PDT)
  24.103.126.87 (21:39:35.123 PDT)
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  3095->445 (21:39:35.123 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  94.28.196.79 (2) (21:38:33.321 PDT)
  event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (21:38:33.321 PDT)
  0->0 (21:41:15.788 PDT)

tcpslice 1374122313.275 1374122313.276 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.138'

============================== SEPARATOR ================================
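The profiles above are BotHunter infection reports for 192.168.1.138, each ending in the tcpslice/tcpdump one-liner that pulls the triggering traffic out of the capture. The following is an added example, not BotHunter's own code, that parses one profile back into its header fields and dialog events, recovers the epoch-seconds value the tcpslice line is built from (assuming the PDT stamps are UTC-7 throughout), and totals the probed destination ports. The sample input is the first profile on this page re-flowed one field per line; the function names, the field names in the returned dict and the regular expressions are my own.

```python
"""Parse a BotHunter infection profile as printed above (added example, not BotHunter code)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample input: the first profile on this page, one field per line.
SAMPLE_REPORT = """\
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.138
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2013 02:37:28.189 PDT
Gen. Time: 07/17/2013 02:37:28.231 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
191.39.130.127 (02:37:28.189 PDT)
event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:01:64:FF:CE:EA
0->0 (02:37:28.189 PDT)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
191.39.130.127 (02:37:28.231 PDT)
event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:01:64:FF:CE:EA
0->0 (02:37:28.231 PDT)
"""

HEADER_RE = re.compile(r"^([A-Za-z&. ]+): ?(.*)$")                                # "Key: value"
PEER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?: \((\d+)\))? \((\S+) \w+\)$")  # "ip [(n)] (hh:mm:ss.mmm TZ)"
EVENT_RE = re.compile(r"^event=(\d+:\d+)(?: \(\d+\))? \{(\w+)\} (\S+) (.*)$")      # "event=gid:sid [(n)] {proto} E.[..] msg"
PORTS_RE = re.compile(r"^(\d+)->(\d+) \(")                                         # "sport->dport (time)"
PDT = timezone(timedelta(hours=-7))  # the reports are stamped PDT; assumed to be UTC-7 throughout


def parse_profile(text):
    """Return the header fields plus a list of events, each tagged with the dialog section it sits under."""
    profile = {"events": []}
    in_dialogs = False          # the header block comes first, then the dialog sections
    section = event = None
    for line in filter(None, map(str.strip, text.splitlines())):
        if (m := PEER_RE.match(line)) and in_dialogs:
            event = {"section": section, "peer": m.group(1), "time": m.group(3),
                     "sid": None, "proto": None, "message": None, "sport": None, "dport": None}
            profile["events"].append(event)
        elif (m := EVENT_RE.match(line)) and event:
            event.update(sid=m.group(1), proto=m.group(2), message=m.group(4))
        elif (m := PORTS_RE.match(line)) and event and event["sport"] is None:
            event.update(sport=int(m.group(1)), dport=int(m.group(2)))  # keep the first flow only
        elif (m := HEADER_RE.match(line)) and not in_dialogs:
            profile[m.group(1)] = m.group(2)
        else:                   # any other line is a dialog-section label (populated or empty)
            in_dialogs, section = True, line
    score, threshold = re.match(r"([\d.]+) \(>= ([\d.]+)\)", profile["Score"]).groups()
    profile["score"], profile["threshold"] = float(score), float(threshold)
    return profile


def observed_start_epoch(profile):
    """'07/17/2013 02:37:28.189 PDT' -> '1374053848.189', the epoch form the tcpslice line uses."""
    stamp = profile["Observed Start"].rsplit(" ", 1)[0]          # drop the zone suffix
    dt = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PDT)
    return f"{int(dt.replace(microsecond=0).timestamp())}.{dt.microsecond // 1000:03d}"


def tcpslice_command(profile, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """Rebuild the 1 ms pcap-extraction one-liner that closes each profile above."""
    start = observed_start_epoch(profile)
    ms = int(start.replace(".", "")) + 1                          # whole milliseconds, plus 1 ms
    end = f"{ms // 1000}.{ms % 1000:03d}"
    return f"tcpslice {start} {end} {infile} | tcpdump -r - -w {outfile} 'host {profile['Infected Target']}'"


def scan_summary(profile):
    """Total probe count per destination port across the 'malware port scanning' events."""
    totals = Counter()
    for ev in profile["events"]:
        if ev["message"] and "port scanning" in ev["message"]:
            for port, n in re.findall(r"(\d+):(\d+),", ev["message"]):   # the "445:10," field
                totals[int(port)] += int(n)
    return dict(totals)


if __name__ == "__main__":
    p = parse_profile(SAMPLE_REPORT)
    print(p["Infected Target"], p["score"], scan_summary(p))
    print(tcpslice_command(p))
```

The parser also accepts the aggregated form seen in the last profile (`94.28.196.79 (2)`, `event=777:7777008 (2)`, two `0->0` lines), keeping only the first flow. Note that the command BotHunter emits slices exactly 1 ms starting at Observed Start, which recovers the packet that opened the dialog but not the rest of the scan; widen the second tcpslice argument to the Gen. Time stamp if the whole window is wanted.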