Score: 0.8 (>= 0.8) Infected Target: 192.168.1.131 Infector List: 37.229.225.184 Egg Source List: 37.229.225.184 C & C List: Peer Coord. List: Resource List: Observed Start: 08/29/2013 02:01:58.875 PDT Gen. Time: 08/29/2013 02:01:59.792 PDT INBOUND SCAN EXPLOIT 37.229.225.184 (02:01:58.875 PDT) event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-1216 (02:01:58.875 PDT) EXPLOIT (INTERNAL ATK SRC) EXPLOIT (ATK FROM INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 37.229.225.184 (02:01:59.792 PDT) event=1:3300004 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 1031<-7158 (02:01:59.792 PDT) EGG DOWNLOAD (INTERNAL SRC) EGG DOWNLOAD (DL FROM INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL BOT) C and C TRAFFIC (INTERNAL CnC) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (ATK TO INTERNAL TARGET) OUTBOUND ATTACK (INTERNAL TARGET) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1377766918.875 1377766918.876 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.131' ============================== SEPARATOR ================================ Score: 2.7 (>= 0.8) Infected Target: 192.168.1.131 Infector List: 37.229.225.184 Egg Source List: 37.229.225.184 C & C List: 213.155.14.161 Peer Coord. List: Resource List: Observed Start: 08/29/2013 02:01:58.875 PDT Gen. Time: 08/29/2013 02:05:52.425 PDT INBOUND SCAN EXPLOIT 37.229.225.184 (02:01:58.875 PDT) event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-1216 (02:01:58.875 PDT) EXPLOIT (INTERNAL ATK SRC) EXPLOIT (ATK FROM INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 37.229.225.184 (02:01:59.792 PDT) event=1:3300004 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 1031<-7158 (02:01:59.792 PDT) EGG DOWNLOAD (INTERNAL SRC) EGG DOWNLOAD (DL FROM INTERNAL) C and C TRAFFIC 213.155.14.161 (02:02:10.126 PDT) event=1:2003070 {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=vfoozmvdblblezyxb&scn=0&inf=0&ver=19&cnt=USA] MAC_Src: 00:30:48:30:03:AE 1032->80 (02:02:10.126 PDT) C and C TRAFFIC (INTERNAL BOT) C and C TRAFFIC (INTERNAL CnC) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (ATK TO INTERNAL TARGET) OUTBOUND ATTACK (INTERNAL TARGET) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port 213.155.14.161 (02:02:09.910 PDT) event=1:9920003 {tcp} E8[std] BotHunter MTC confirmed botnet control server on standard port, [] MAC_Src: 00:30:48:30:03:AF 1032->80 (02:02:09.910 PDT) DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 98.130.120.152 (02:02:11.199 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:30:48:30:03:AF 0->0 (02:02:11.199 PDT) tcpslice 1377766918.875 1377766918.876 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.131' ============================== SEPARATOR ================================