Score: 0.8 (>= 0.8) Infected Target: 192.168.1.245 Infector List: 178.137.28.151 Egg Source List: 178.137.28.151 C & C List: Peer Coord. List: Resource List: Observed Start: 09/05/2013 08:25:10.505 PDT Gen. Time: 09/05/2013 08:25:11.284 PDT INBOUND SCAN EXPLOIT 178.137.28.151 (08:25:10.505 PDT) event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-4958 (08:25:10.505 PDT) EXPLOIT (INTERNAL ATK SRC) EXPLOIT (ATK FROM INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 178.137.28.151 (08:25:11.284 PDT) event=1:3300004 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 1031<-5168 (08:25:11.284 PDT) EGG DOWNLOAD (INTERNAL SRC) EGG DOWNLOAD (DL FROM INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL BOT) C and C TRAFFIC (INTERNAL CnC) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (ATK TO INTERNAL TARGET) OUTBOUND ATTACK (INTERNAL TARGET) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1378394710.505 1378394710.506 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.245' ============================== SEPARATOR ================================ Score: 2.2 (>= 0.8) Infected Target: 192.168.1.245 Infector List: 178.137.28.151 Egg Source List: 178.137.28.151 C & C List: Peer Coord. List: Resource List: Observed Start: 09/05/2013 08:25:10.505 PDT Gen. Time: 09/05/2013 08:28:49.419 PDT INBOUND SCAN EXPLOIT 178.137.28.151 (08:25:10.505 PDT) event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-4958 (08:25:10.505 PDT) EXPLOIT (INTERNAL ATK SRC) EXPLOIT (ATK FROM INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 178.137.28.151 (08:25:11.284 PDT) event=1:3300004 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 1031<-5168 (08:25:11.284 PDT) EGG DOWNLOAD (INTERNAL SRC) EGG DOWNLOAD (DL FROM INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL BOT) C and C TRAFFIC (INTERNAL CnC) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (ATK TO INTERNAL TARGET) OUTBOUND ATTACK (INTERNAL TARGET) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port 213.155.14.161 (08:25:21.339 PDT) event=1:9920003 {tcp} E8[std] BotHunter MTC confirmed botnet control server on standard port, [] MAC_Src: 00:30:48:30:03:AF 1038->80 (08:25:21.339 PDT) DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 76.71.4.70 (08:25:23.023 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:30:48:30:03:AF 0->0 (08:25:23.023 PDT) tcpslice 1378394710.505 1378394710.506 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.245' ============================== SEPARATOR ================================