Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 198.51.132.60, 94.23.1.180
Peer Coord. List:
Resource List:
Observed Start: 09/05/2013 11:15:01.649 PDT
Gen. Time: 09/05/2013 16:29:22.951 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL ATK SRC)

EXPLOIT (ATK FROM INTERNAL SRC)

CLIENT-INITIATED EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

EGG DOWNLOAD (INTERNAL SRC)

EGG DOWNLOAD (DL FROM INTERNAL)

C and C TRAFFIC
198.51.132.60 (16:29:22.951 PDT)
 event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/little-steves-house-of-pizza-boston?start=0&sort_by=date_desc&rpp=40] MAC_Src: 00:21:5A:08:EC:40
 50370->80 (16:29:22.951 PDT)

C and C TRAFFIC (INTERNAL BOT)

C and C TRAFFIC (INTERNAL CnC)

C and C TRAFFIC (RBN)
94.23.1.180 (14:29:56.705 PDT)
 event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
 22145->63033 (14:29:56.705 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND ATTACK
194.29.178.5 (11:15:02.735 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 46169->5900 (11:15:02.735 PDT)
132.227.62.122 (11:15:04.957 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 41929->5900 (11:15:04.957 PDT)
134.151.255.180 (11:15:13.113 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 36347->5900 (11:15:13.113 PDT)
146.57.249.99 (11:15:12.814 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 39918->5900 (11:15:12.814 PDT)
156.56.250.227 (11:15:11.505 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 33431->5900 (11:15:11.505 PDT)
192.16.125.12 (11:15:10.796 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 49057->5900 (11:15:10.796 PDT)
194.36.10.161 (11:15:01.649 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 50420->5900 (11:15:01.649 PDT)
165.91.55.9 (11:15:09.002 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 39752->5900 (11:15:09.002 PDT)
150.254.212.148 (11:15:07.827 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 37257->5900 (11:15:07.827 PDT)
130.37.193.143 (11:15:09.991 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 37374->5900 (11:15:09.991 PDT)
108.58.13.205 (11:15:02.287 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 52509->5900 (11:15:02.287 PDT)
128.138.207.45 (11:15:06.605 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 59857->5900 (11:15:06.605 PDT)
213.73.40.106 (11:15:03.574 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 47812->5900 (11:15:03.574 PDT)
134.76.249.229 (11:15:11.919 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 50553->5900 (11:15:11.919 PDT)
150.140.184.251 (11:15:11.159 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 51655->5900 (11:15:11.159 PDT)
203.178.133.11 (11:15:04.010 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 56564->5900 (11:15:04.010 PDT)
141.76.45.18 (11:15:12.329 PDT)
 event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:21:5A:08:EC:40
 33081->5900 (11:15:12.329 PDT)

OUTBOUND ATTACK (ATK TO INTERNAL TARGET)

OUTBOUND ATTACK (INTERNAL TARGET)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378404901.649 1378404901.650 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'