Score: 1.0 (>= 0.8) Infected Target: 192.168.1.85 Infector List: Egg Source List: C & C List: 209.222.89.85 Peer Coord. List: Resource List: Observed Start: 09/20/2013 02:44:17.445 PDT Gen. Time: 09/20/2013 02:45:59.050 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC 209.222.89.85 (02:45:59.050 PDT) event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA 80->41531 (02:45:59.050 PDT) C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 66.249.74.230 (02:44:45.111 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->39488 (02:44:45.111 PDT) 209.222.89.85 (2) (02:44:17.445 PDT) event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->52606 (02:44:17.445 PDT) 80->37319 (02:44:45.342 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1379670257.445 1379670257.446 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.85 Infector List: Egg Source List: C & C List: 209.222.89.85 Peer Coord. List: Resource List: Observed Start: 09/20/2013 02:44:17.445 PDT Gen. Time: 09/20/2013 02:50:19.666 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC 209.222.89.85 (02:45:59.050 PDT) event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA 80->41531 (02:45:59.050 PDT) C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 66.249.74.230 (02:44:45.111 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->39488 (02:44:45.111 PDT) 209.222.89.85 (3) (02:44:17.445 PDT) event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->52606 (02:44:17.445 PDT) 80->37319 (02:44:45.342 PDT) 80->50342 (02:47:26.982 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1379670257.445 1379670257.446 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.85 Infector List: Egg Source List: C & C List: 209.222.89.85 (2) Peer Coord. List: Resource List: Observed Start: 09/20/2013 02:52:50.912 PDT Gen. Time: 09/20/2013 02:53:42.710 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC 209.222.89.85 (2) (02:52:50.912 PDT) event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA 80->37164 (02:52:50.912 PDT) 80->49641 (02:53:10.486 PDT) C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 209.222.89.85 (02:53:42.710 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->39322 (02:53:42.710 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1379670770.912 1379670770.913 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.85 Infector List: Egg Source List: C & C List: 209.222.89.85 (2) Peer Coord. List: Resource List: Observed Start: 09/20/2013 02:52:50.912 PDT Gen. Time: 09/20/2013 02:59:51.093 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC 209.222.89.85 (2) (02:52:50.912 PDT) event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA 80->37164 (02:52:50.912 PDT) 80->49641 (02:53:10.486 PDT) C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 209.222.89.85 (2) (02:53:42.710 PDT) event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->39322 (02:53:42.710 PDT) 80->60015 (02:56:26.445 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1379670770.912 1379670770.913 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85' ============================== SEPARATOR ================================