Score: 0.8 (>= 0.8) Infected Target: 192.168.1.190 Infector List: 37.192.144.85 Egg Source List: 37.192.144.85 C & C List: Peer Coord. List: Resource List: Observed Start: 09/01/2013 06:36:41.381 PDT Gen. Time: 09/01/2013 06:36:42.285 PDT INBOUND SCAN EXPLOIT 37.192.144.85 (06:36:41.381 PDT) event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-1564 (06:36:41.381 PDT) EXPLOIT (INTERNAL ATK SRC) EXPLOIT (ATK FROM INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 37.192.144.85 (06:36:42.285 PDT) event=1:3300004 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 1031<-6104 (06:36:42.285 PDT) EGG DOWNLOAD (INTERNAL SRC) EGG DOWNLOAD (DL FROM INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL BOT) C and C TRAFFIC (INTERNAL CnC) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (ATK TO INTERNAL TARGET) OUTBOUND ATTACK (INTERNAL TARGET) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1378042601.381 1378042601.382 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.190' ============================== SEPARATOR ================================ Score: 2.2 (>= 0.8) Infected Target: 192.168.1.190 Infector List: 37.192.144.85 Egg Source List: 37.192.144.85 C & C List: Peer Coord. List: Resource List: Observed Start: 09/01/2013 06:36:41.381 PDT Gen. Time: 09/01/2013 06:39:25.944 PDT INBOUND SCAN EXPLOIT 37.192.144.85 (06:36:41.381 PDT) event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-1564 (06:36:41.381 PDT) EXPLOIT (INTERNAL ATK SRC) EXPLOIT (ATK FROM INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 37.192.144.85 (06:36:42.285 PDT) event=1:3300004 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 1031<-6104 (06:36:42.285 PDT) EGG DOWNLOAD (INTERNAL SRC) EGG DOWNLOAD (DL FROM INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL BOT) C and C TRAFFIC (INTERNAL CnC) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (ATK TO INTERNAL TARGET) OUTBOUND ATTACK (INTERNAL TARGET) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port 213.155.14.161 (06:36:53.669 PDT) event=1:9920003 {tcp} E8[std] BotHunter MTC confirmed botnet control server on standard port, [] MAC_Src: 00:30:48:30:03:AF 1032->80 (06:36:53.669 PDT) DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 100.136.97.210 (06:36:55.459 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:30:48:30:03:AF 0->0 (06:36:55.459 PDT) tcpslice 1378042601.381 1378042601.382 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.190' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.190 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/01/2013 06:43:04.635 PDT Gen. Time: 09/01/2013 06:43:04.635 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL ATK SRC) EXPLOIT (ATK FROM INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL SRC) EGG DOWNLOAD (DL FROM INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL BOT) C and C TRAFFIC (INTERNAL CnC) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (ATK TO INTERNAL TARGET) OUTBOUND ATTACK (INTERNAL TARGET) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 100.136.97.210 (06:43:04.635 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/23/1/1): 445:23, [] MAC_Src: 00:30:48:30:03:AF (06:43:04.635 PDT) tcpslice 1378042984.635 1378042984.636 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.190' ============================== SEPARATOR ================================