Score: 0.8 (>= 0.8) Infected Target: 192.168.1.206 Infector List: 176.8.27.52 Egg Source List: 176.8.27.52 C & C List: Peer Coord. List: Resource List: Observed Start: 09/08/2013 03:05:08.059 PDT Gen. Time: 09/08/2013 03:05:08.934 PDT INBOUND SCAN EXPLOIT 176.8.27.52 (03:05:08.059 PDT) event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-3865 (03:05:08.059 PDT) EXPLOIT (INTERNAL ATK SRC) EXPLOIT (ATK FROM INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 176.8.27.52 (03:05:08.934 PDT) event=1:3300004 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 1031<-1167 (03:05:08.934 PDT) EGG DOWNLOAD (INTERNAL SRC) EGG DOWNLOAD (DL FROM INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL BOT) C and C TRAFFIC (INTERNAL CnC) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (ATK TO INTERNAL TARGET) OUTBOUND ATTACK (INTERNAL TARGET) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1378634708.059 1378634708.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.206' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.206 Infector List: 176.8.27.52 Egg Source List: 176.8.27.52 C & C List: Peer Coord. List: Resource List: Observed Start: 09/08/2013 03:05:08.059 PDT Gen. Time: 09/08/2013 03:09:09.311 PDT INBOUND SCAN EXPLOIT 176.8.27.52 (03:05:08.059 PDT) event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-3865 (03:05:08.059 PDT) EXPLOIT (INTERNAL ATK SRC) EXPLOIT (ATK FROM INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 176.8.27.52 (03:05:08.934 PDT) event=1:3300004 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 1031<-1167 (03:05:08.934 PDT) EGG DOWNLOAD (INTERNAL SRC) EGG DOWNLOAD (DL FROM INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL BOT) C and C TRAFFIC (INTERNAL CnC) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (ATK TO INTERNAL TARGET) OUTBOUND ATTACK (INTERNAL TARGET) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 99.215.157.196 (03:05:16.740 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:30:48:30:03:AF 0->0 (03:05:16.740 PDT) tcpslice 1378634708.059 1378634708.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.206' ============================== SEPARATOR ================================