Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.32.93
Peer Coord. List:
Resource List:
Observed Start: 09/07/2013 11:46:32.561 PDT
Gen. Time: 09/07/2013 11:57:32.168 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL ATK SRC)

EXPLOIT (ATK FROM INTERNAL SRC)

CLIENT-INITIATED EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

EGG DOWNLOAD (INTERNAL SRC)

EGG DOWNLOAD (DL FROM INTERNAL)

C and C TRAFFIC
157.55.32.93 (11:57:32.168 PDT)
  event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
  80->30629 (11:57:32.168 PDT)

C and C TRAFFIC (INTERNAL BOT)

C and C TRAFFIC (INTERNAL CnC)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND ATTACK
66.249.73.140 (8) (11:46:32.561 PDT)
  event=1:552123 (8) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
  80->51962 (11:46:32.561 PDT)
  80->56467 (11:47:26.297 PDT)
  80->33868 (11:48:20.025 PDT)
  80->42752 (11:49:13.745 PDT)
  80->45649 (11:51:54.983 PDT)
  80->64585 (11:53:42.468 PDT)
  80->60822 (11:54:36.210 PDT)
  80->48445 (11:56:23.588 PDT)

OUTBOUND ATTACK (ATK TO INTERNAL TARGET)

OUTBOUND ATTACK (INTERNAL TARGET)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378579592.561 1378579592.562 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.32.93
Peer Coord. List:
Resource List:
Observed Start: 09/07/2013 11:46:32.561 PDT
Gen. Time: 09/07/2013 12:08:27.598 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL ATK SRC)

EXPLOIT (ATK FROM INTERNAL SRC)

CLIENT-INITIATED EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

EGG DOWNLOAD (INTERNAL SRC)

EGG DOWNLOAD (DL FROM INTERNAL)

C and C TRAFFIC
157.55.32.93 (11:57:32.168 PDT)
  event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
  80->30629 (11:57:32.168 PDT)

C and C TRAFFIC (INTERNAL BOT)

C and C TRAFFIC (INTERNAL CnC)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND ATTACK
66.249.73.140 (12) (11:46:32.561 PDT)
  event=1:552123 (12) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
  80->51962 (11:46:32.561 PDT)
  80->56467 (11:47:26.297 PDT)
  80->33868 (11:48:20.025 PDT)
  80->42752 (11:49:13.745 PDT)
  80->45649 (11:51:54.983 PDT)
  80->64585 (11:53:42.468 PDT)
  80->60822 (11:54:36.210 PDT)
  80->48445 (11:56:23.588 PDT)
  80->38973 (11:59:05.219 PDT)
  80->39853 (12:02:39.712 PDT)
  80->45657 (12:03:33.458 PDT)
  80->38428 (12:04:27.215 PDT)

OUTBOUND ATTACK (ATK TO INTERNAL TARGET)

OUTBOUND ATTACK (INTERNAL TARGET)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378579592.561 1378579592.562 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.32.93
Peer Coord. List:
Resource List:
Observed Start: 09/07/2013 12:08:55.829 PDT
Gen. Time: 09/07/2013 12:13:52.738 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL ATK SRC)

EXPLOIT (ATK FROM INTERNAL SRC)

CLIENT-INITIATED EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

EGG DOWNLOAD (INTERNAL SRC)

EGG DOWNLOAD (DL FROM INTERNAL)

C and C TRAFFIC
157.55.32.93 (12:13:52.738 PDT)
  event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
  80->43221 (12:13:52.738 PDT)

C and C TRAFFIC (INTERNAL BOT)

C and C TRAFFIC (INTERNAL CnC)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND ATTACK
66.249.73.140 (4) (12:08:55.829 PDT)
  event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
  80->55975 (12:08:55.829 PDT)
  80->39991 (12:09:49.565 PDT)
  80->47530 (12:12:30.758 PDT)
  80->34398 (12:13:22.304 PDT)

OUTBOUND ATTACK (ATK TO INTERNAL TARGET)

OUTBOUND ATTACK (INTERNAL TARGET)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378580935.829 1378580935.830 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.32.93 (2)
Peer Coord. List:
Resource List:
Observed Start: 09/07/2013 12:08:55.829 PDT
Gen. Time: 09/07/2013 12:24:08.357 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL ATK SRC)

EXPLOIT (ATK FROM INTERNAL SRC)

CLIENT-INITIATED EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

EGG DOWNLOAD (INTERNAL SRC)

EGG DOWNLOAD (DL FROM INTERNAL)

C and C TRAFFIC
157.55.32.93 (2) (12:13:52.738 PDT)
  event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
  80->43221 (12:13:52.738 PDT)
  80->17720 (12:19:56.248 PDT)

C and C TRAFFIC (INTERNAL BOT)

C and C TRAFFIC (INTERNAL CnC)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND ATTACK
100.43.83.137 (12:17:44.419 PDT)
  event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
  80->30973 (12:17:44.419 PDT)
66.249.73.140 (7) (12:08:55.829 PDT)
  event=1:552123 (7) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
  80->55975 (12:08:55.829 PDT)
  80->39991 (12:09:49.565 PDT)
  80->47530 (12:12:30.758 PDT)
  80->34398 (12:13:22.304 PDT)
  80->41715 (12:14:18.229 PDT)
  80->47317 (12:15:11.966 PDT)
  80->50390 (12:16:05.679 PDT)

OUTBOUND ATTACK (ATK TO INTERNAL TARGET)

OUTBOUND ATTACK (INTERNAL TARGET)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378580935.829 1378580935.830 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 157.55.32.93
Peer Coord. List:
Resource List:
Observed Start: 09/07/2013 13:21:28.084 PDT
Gen. Time: 09/07/2013 13:34:08.248 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL ATK SRC)

EXPLOIT (ATK FROM INTERNAL SRC)

CLIENT-INITIATED EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

EGG DOWNLOAD (INTERNAL SRC)

EGG DOWNLOAD (DL FROM INTERNAL)

C and C TRAFFIC
157.55.32.93 (13:34:08.248 PDT)
  event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
  80->37734 (13:34:08.248 PDT)

C and C TRAFFIC (INTERNAL BOT)

C and C TRAFFIC (INTERNAL CnC)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND ATTACK
66.249.73.140 (5) (13:21:28.084 PDT)
  event=1:552123 (5) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
  80->55463 (13:21:28.084 PDT)
  80->62699 (13:25:56.742 PDT)
  80->61838 (13:28:37.926 PDT)
  80->40819 (13:29:31.656 PDT)
  80->49012 (13:31:19.217 PDT)
198.74.231.14 (12) (13:23:56.391 PDT)
  event=1:552123 (12) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
  80->46029 (13:23:56.391 PDT)
  80->59466 (13:24:15.980 PDT)
  80->44720 (13:25:20.045 PDT)
  80->41345 (13:26:00.291 PDT)
  80->54443 (13:27:57.345 PDT)
  80->57917 (13:28:46.788 PDT)
  80->56352 (13:29:28.320 PDT)
  80->37279 (13:29:43.191 PDT)
  80->47099 (13:30:01.347 PDT)
  80->45984 (13:30:45.016 PDT)
  80->55607 (13:31:03.093 PDT)
  80->37779 (13:31:20.616 PDT)

OUTBOUND ATTACK (ATK TO INTERNAL TARGET)

OUTBOUND ATTACK (INTERNAL TARGET)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378585288.084 1378585288.085 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================