Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 199.192.207.146
Peer Coord. List:
Resource List:
Observed Start: 09/19/2013 08:12:32.339 PDT
Gen. Time: 09/19/2013 08:19:22.626 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
      199.192.207.146 (08:19:22.626 PDT)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         80->54196 (08:19:22.626 PDT)
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
      199.192.207.146 (17) (08:12:32.339 PDT)
         event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->60117 (08:12:32.339 PDT)
         80->5778 (08:12:38.103 PDT)
         80->33437 (08:12:53.784 PDT)
         80->52545 (08:13:04.807 PDT)
         80->14233 (08:13:19.920 PDT)
         80->30611 (08:13:29.480 PDT)
         80->2194 (08:13:50.555 PDT)
         80->9480 (08:13:54.861 PDT)
         80->20015 (08:14:39.091 PDT)
         80->34319 (08:14:47.410 PDT)
         80->53583 (08:14:58.602 PDT)
         80->8882 (08:15:10.279 PDT)
         80->18278 (08:15:15.854 PDT)
         80->28374 (08:15:21.851 PDT)
         80->32502 (08:16:02.397 PDT)
         80->42587 (08:16:08.277 PDT)
         80->34446 (08:16:41.785 PDT)
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1379603552.339 1379603552.340 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 88.191.188.103
Peer Coord. List:
Resource List:
Observed Start: 09/19/2013 16:17:43.240 PDT
Gen. Time: 09/19/2013 16:18:16.273 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
      88.191.188.103 (16:18:16.273 PDT)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         80->59150 (16:18:16.273 PDT)
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
      66.188.48.182 (3) (16:17:43.240 PDT-16:18:06.329 PDT)
         event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         3: 80->18179 (16:17:43.240 PDT-16:18:06.329 PDT)
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1379632663.240 1379632686.330 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 88.191.188.103 (6)
Peer Coord. List:
Resource List:
Observed Start: 09/19/2013 16:17:43.240 PDT
Gen. Time: 09/19/2013 16:33:10.776 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
      88.191.188.103 (6) (16:18:16.273 PDT-16:19:03.254 PDT)
         event=1:2002033 (6) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         80->48331 (16:20:54.373 PDT)
         80->40037 (16:20:10.468 PDT)
         4: 80->59150 (16:18:16.273 PDT-16:19:03.254 PDT)
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
      66.188.48.182 (19) (16:17:43.240 PDT-16:26:20.840 PDT)
         event=1:552123 (19) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         3: 80->40376 (16:24:56.081 PDT-16:25:42.260 PDT)
         80->36990 (16:23:08.832 PDT)
         3: 80->30479 (16:21:26.625 PDT-16:21:59.062 PDT)
         3: 80->18179 (16:17:43.240 PDT-16:18:06.329 PDT)
         3: 80->27984 (16:20:47.564 PDT-16:21:11.422 PDT)
         2: 80->33060 (16:22:21.269 PDT-16:22:27.760 PDT)
         2: 80->46331 (16:25:51.881 PDT-16:26:20.840 PDT)
         2: 80->25813 (16:19:54.563 PDT-16:20:01.846 PDT)
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1379632663.240 1379633180.841 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================