Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 83.161.67.152
Peer Coord. List:
Resource List:
Observed Start: 09/02/2013 01:33:05.531 PDT
Gen. Time: 09/02/2013 01:35:50.727 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
83.161.67.152 (01:35:50.727 PDT)
 event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
 80->52966 (01:35:50.727 PDT)
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
66.249.74.230 (2) (01:33:05.531 PDT)
 event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->47140 (01:33:05.531 PDT)
 80->41101 (01:33:30.510 PDT)
83.161.67.152 (4) (01:33:18.688 PDT)
 event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->42644 (01:33:18.688 PDT)
 80->44063 (01:33:38.171 PDT)
 80->46486 (01:34:14.627 PDT)
 80->49306 (01:34:57.184 PDT)
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378110785.531 1378110785.532 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 83.161.67.152
Peer Coord. List:
Resource List:
Observed Start: 09/02/2013 01:33:05.531 PDT
Gen. Time: 09/02/2013 01:42:53.209 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
83.161.67.152 (01:35:50.727 PDT)
 event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
 80->52966 (01:35:50.727 PDT)
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
66.249.74.230 (3) (01:33:05.531 PDT)
 event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->47140 (01:33:05.531 PDT)
 80->41101 (01:33:30.510 PDT)
 80->62778 (01:38:55.529 PDT)
83.161.67.152 (4) (01:33:18.688 PDT)
 event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->42644 (01:33:18.688 PDT)
 80->44063 (01:33:38.171 PDT)
 80->46486 (01:34:14.627 PDT)
 80->49306 (01:34:57.184 PDT)
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378110785.531 1378110785.532 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 209.222.89.86
Peer Coord. List:
Resource List:
Observed Start: 09/02/2013 08:29:16.386 PDT
Gen. Time: 09/02/2013 08:34:14.502 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
209.222.89.86 (08:34:14.502 PDT)
 event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
 80->46801 (08:34:14.502 PDT)
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
91.121.24.97 (3) (08:31:59.273 PDT)
 event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->47996 (08:31:59.273 PDT)
 80->39633 (08:33:47.246 PDT)
 80->42694 (08:34:04.345 PDT)
209.222.89.86 (7) (08:29:16.386 PDT)
 event=1:552123 (7) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->57738 (08:29:16.386 PDT)
 80->58468 (08:30:51.640 PDT)
 80->54705 (08:31:27.445 PDT)
 80->52179 (08:32:06.030 PDT)
 80->60686 (08:32:19.477 PDT)
 80->53121 (08:33:38.243 PDT)
 80->56723 (08:33:43.789 PDT)
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378135756.386 1378135756.387 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 209.222.89.86 (3)
Peer Coord. List:
Resource List:
Observed Start: 09/02/2013 08:29:16.386 PDT
Gen. Time: 09/02/2013 08:43:03.764 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
209.222.89.86 (3) (08:34:14.502 PDT)
 event=1:2002033 (3) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
 80->58287 (08:34:31.235 PDT)
 2: 80->46801 (08:34:14.502 PDT-08:34:14.502 PDT)
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
91.121.24.97 (9) (08:31:59.273 PDT)
 event=1:552123 (9) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->47996 (08:31:59.273 PDT)
 80->39633 (08:33:47.246 PDT)
 80->42694 (08:34:04.345 PDT)
 80->51801 (08:34:51.997 PDT)
 80->37685 (08:36:12.291 PDT)
 80->39677 (08:36:24.964 PDT)
 80->41409 (08:36:35.999 PDT)
 80->47469 (08:37:13.614 PDT)
 80->52974 (08:37:47.430 PDT)
209.222.89.86 (8) (08:29:16.386 PDT)
 event=1:552123 (8) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->57738 (08:29:16.386 PDT)
 80->58468 (08:30:51.640 PDT)
 80->54705 (08:31:27.445 PDT)
 80->52179 (08:32:06.030 PDT)
 80->60686 (08:32:19.477 PDT)
 80->53121 (08:33:38.243 PDT)
 80->56723 (08:33:43.789 PDT)
 80->34744 (08:36:10.749 PDT)
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378135756.386 1378136054.503 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 178.151.143.247
Peer Coord. List:
Resource List:
Observed Start: 09/02/2013 16:24:36.537 PDT
Gen. Time: 09/02/2013 16:32:29.330 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
178.151.143.247 (16:32:29.330 PDT)
 event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
 80->38151 (16:32:29.330 PDT)
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
80.57.78.214 (12) (16:24:36.537 PDT)
 event=1:552123 (12) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->54469 (16:24:36.537 PDT)
 80->57606 (16:25:07.932 PDT)
 80->60408 (16:25:36.509 PDT)
 80->61997 (16:25:53.735 PDT)
 80->63085 (16:26:08.778 PDT)
 80->52002 (16:27:07.623 PDT)
 80->57015 (16:28:17.628 PDT)
 80->60895 (16:29:17.533 PDT)
 80->62794 (16:29:41.392 PDT)
 80->65390 (16:30:18.726 PDT)
 80->51093 (16:30:43.331 PDT)
 80->51961 (16:30:52.898 PDT)
178.151.143.247 (16:30:06.352 PDT)
 event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->42949 (16:30:06.352 PDT)
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378164276.537 1378164276.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 80.57.78.214 (2), 178.151.143.247 (13)
Peer Coord. List:
Resource List:
Observed Start: 09/02/2013 16:24:36.537 PDT
Gen. Time: 09/02/2013 16:45:28.926 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
80.57.78.214 (2) (16:34:03.390 PDT)
 event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
 80->55079 (16:34:13.200 PDT)
 80->54067 (16:34:03.390 PDT)
178.151.143.247 (13) (16:32:29.330 PDT-16:32:29.331 PDT)
 event=1:2002033 (13) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
 80->42237 (16:38:35.889 PDT)
 80->48054 (16:38:44.295 PDT)
 80->47456 (16:32:44.370 PDT)
 10: 80->38151 (16:32:29.330 PDT-16:32:29.331 PDT)
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
80.57.78.214 (15) (16:24:36.537 PDT)
 event=1:552123 (15) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->54469 (16:24:36.537 PDT)
 80->57606 (16:25:07.932 PDT)
 80->60408 (16:25:36.509 PDT)
 80->61997 (16:25:53.735 PDT)
 80->63085 (16:26:08.778 PDT)
 80->52002 (16:27:07.623 PDT)
 80->57015 (16:28:17.628 PDT)
 80->60895 (16:29:17.533 PDT)
 80->62794 (16:29:41.392 PDT)
 80->65390 (16:30:18.726 PDT)
 80->51093 (16:30:43.331 PDT)
 80->51961 (16:30:52.898 PDT)
 80->50252 (16:33:26.640 PDT)
 80->53528 (16:33:56.079 PDT)
 80->56010 (16:34:24.087 PDT)
178.151.143.247 (2) (16:30:06.352 PDT)
 event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->42949 (16:30:06.352 PDT)
 80->54323 (16:34:45.597 PDT)
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378164276.537 1378164749.332 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 199.58.86.206
Peer Coord. List:
Resource List:
Observed Start: 09/02/2013 21:25:22.427 PDT
Gen. Time: 09/02/2013 21:28:24.366 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
199.58.86.206 (21:28:24.366 PDT)
 event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
 80->59175 (21:28:24.366 PDT)
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
199.58.86.206 (13) (21:25:22.427 PDT)
 event=1:552123 (13) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->57548 (21:25:22.427 PDT)
 80->49237 (21:25:53.755 PDT)
 80->51224 (21:25:57.788 PDT)
 80->53393 (21:26:03.176 PDT)
 80->34207 (21:26:16.771 PDT)
 80->48408 (21:26:40.309 PDT)
 80->52334 (21:26:45.627 PDT)
 80->39421 (21:27:08.238 PDT)
 80->43649 (21:27:14.354 PDT)
 80->48469 (21:27:22.172 PDT)
 80->49435 (21:27:23.578 PDT)
 80->32961 (21:27:43.477 PDT)
 80->44599 (21:28:02.123 PDT)
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378182322.427 1378182322.428 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.85
Infector List: 185.12.111.245
Egg Source List: 185.12.111.245
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/02/2013 21:43:21.639 PDT
Gen. Time: 09/02/2013 21:43:22.428 PDT

INBOUND SCAN
EXPLOIT
185.12.111.245 (21:43:21.639 PDT)
 event=1:22009200 {tcp} E2[rb] ET CURRENT_EVENTS Conficker.a Shellcode, [] MAC_Dst: 00:30:48:30:03:AE
 445<-3490 (21:43:21.639 PDT)
EXPLOIT (INTERNAL ATK SRC)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
185.12.111.245 (21:43:22.428 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 1028<-3348 (21:43:22.428 PDT)
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378183401.639 1378183401.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================