Score: 0.8 (>= 0.8) Infected Target: 192.168.1.32 Infector List: 210.86.239.18 Egg Source List: 210.86.239.18 C & C List: Peer Coord. List: Resource List: Observed Start: 09/30/2013 07:50:53.439 PDT Gen. Time: 09/30/2013 07:50:54.975 PDT INBOUND SCAN EXPLOIT 210.86.239.18 (07:50:53.439 PDT) event=1:2538 {tcp} E2[rb] GPL NETBIOS SMB IPC$ unicode share access, [] MAC_Dst: 00:30:48:30:03:AE 139<-62046 (07:50:53.439 PDT) EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD 210.86.239.18 (07:50:54.975 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 1028<-1459 (07:50:54.975 PDT) EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1380552653.439 1380552653.440 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.32' ============================== SEPARATOR ================================