Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 146.52.224.16
Peer Coord. List:
Resource List:
Observed Start: 09/08/2013 13:52:19.038 PDT
Gen. Time: 09/08/2013 14:04:44.995 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL ATK SRC)
   EXPLOIT (ATK FROM INTERNAL SRC)
   CLIENT-INITIATED EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL SRC)
   EGG DOWNLOAD (DL FROM INTERNAL)
   C and C TRAFFIC
     146.52.224.16 (14:04:44.995 PDT)
       event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
       80->53287 (14:04:44.995 PDT)
   C and C TRAFFIC (INTERNAL BOT)
   C and C TRAFFIC (INTERNAL CnC)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
     74.112.202.19 (17) (13:52:19.038 PDT)
       event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
       80->31803 (13:52:19.038 PDT)
       80->34780 (13:52:28.363 PDT)
       80->39155 (13:52:45.305 PDT)
       80->43389 (13:52:59.272 PDT)
       80->44653 (13:53:05.099 PDT)
       80->59915 (13:53:55.516 PDT)
       80->61028 (13:53:59.236 PDT)
       80->12411 (13:54:51.379 PDT)
       80->13670 (13:54:56.677 PDT)
       80->15862 (13:55:02.092 PDT)
       80->18694 (13:55:13.001 PDT)
       80->20257 (13:55:17.369 PDT)
       80->35333 (13:56:01.284 PDT)
       80->36835 (13:56:05.545 PDT)
       80->51596 (13:56:47.982 PDT)
       80->54730 (13:56:57.756 PDT)
       80->55570 (13:57:00.596 PDT)
   OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
   OUTBOUND ATTACK (INTERNAL TARGET)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378673539.038 1378673539.039 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 69.197.129.42
Peer Coord. List:
Resource List:
Observed Start: 09/08/2013 18:21:44.936 PDT
Gen. Time: 09/08/2013 18:22:52.039 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL ATK SRC)
   EXPLOIT (ATK FROM INTERNAL SRC)
   CLIENT-INITIATED EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL SRC)
   EGG DOWNLOAD (DL FROM INTERNAL)
   C and C TRAFFIC
     69.197.129.42 (18:22:52.039 PDT)
       event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
       80->39963 (18:22:52.039 PDT)
   C and C TRAFFIC (INTERNAL BOT)
   C and C TRAFFIC (INTERNAL CnC)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
     69.197.129.42 (11) (18:21:44.936 PDT)
       event=1:552123 (11) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
       80->41344 (18:21:44.936 PDT)
       80->45601 (18:21:48.347 PDT)
       80->59666 (18:21:59.986 PDT)
       80->33544 (18:22:01.524 PDT)
       80->41421 (18:22:07.970 PDT)
       80->43632 (18:22:09.685 PDT)
       80->46809 (18:22:12.630 PDT)
       80->33178 (18:22:23.432 PDT)
       80->37529 (18:22:27.183 PDT)
       80->43316 (18:22:31.557 PDT)
       80->35247 (18:22:47.314 PDT)
   OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
   OUTBOUND ATTACK (INTERNAL TARGET)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378689704.936 1378689704.937 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 69.197.129.42 (17)
Peer Coord. List:
Resource List:
Observed Start: 09/08/2013 18:21:44.936 PDT
Gen. Time: 09/08/2013 18:27:37.209 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL ATK SRC)
   EXPLOIT (ATK FROM INTERNAL SRC)
   CLIENT-INITIATED EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL SRC)
   EGG DOWNLOAD (DL FROM INTERNAL)
   C and C TRAFFIC
     69.197.129.42 (17) (18:22:52.039 PDT-18:23:41.731 PDT)
       event=1:2002033 (17) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
       8: 80->49768 (18:23:41.730 PDT-18:23:41.731 PDT)
       9: 80->39963 (18:22:52.039 PDT-18:22:52.078 PDT)
   C and C TRAFFIC (INTERNAL BOT)
   C and C TRAFFIC (INTERNAL CnC)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
     69.197.129.42 (17) (18:21:44.936 PDT)
       event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
       80->41344 (18:21:44.936 PDT)
       80->45601 (18:21:48.347 PDT)
       80->59666 (18:21:59.986 PDT)
       80->33544 (18:22:01.524 PDT)
       80->41421 (18:22:07.970 PDT)
       80->43632 (18:22:09.685 PDT)
       80->46809 (18:22:12.630 PDT)
       80->33178 (18:22:23.432 PDT)
       80->37529 (18:22:27.183 PDT)
       80->43316 (18:22:31.557 PDT)
       80->35247 (18:22:47.314 PDT)
       80->54914 (18:23:02.150 PDT)
       80->60246 (18:23:06.980 PDT)
       80->39660 (18:23:12.044 PDT)
       80->56348 (18:23:26.076 PDT)
       80->60170 (18:23:28.178 PDT)
       80->34451 (18:23:29.734 PDT)
   OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
   OUTBOUND ATTACK (INTERNAL TARGET)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378689704.936 1378689821.732 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================