Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.230
Peer Coord. List:
Resource List:
Observed Start: 11/03/2013 01:57:34.597 PST
Gen. Time: 11/03/2013 02:04:06.106 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
      66.249.74.230 (02:04:06.106 PST)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 1C:DF:0F:66:3D:B0
         80->38716 (02:04:06.106 PST)
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
      66.249.74.230 (6) (01:57:34.597 PST)
         event=1:552123 (6) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 1C:DF:0F:66:3D:B0
         80->46498 (01:57:34.597 PST)
         80->40902 (02:00:38.818 PST)
         80->42553 (02:02:10.935 PST)
         80->64752 (02:03:20.044 PST)
         80->61906 (02:03:43.054 PST)
         80->38716 (02:04:06.083 PST)
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383472654.597 1383472654.598 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.230
Peer Coord. List:
Resource List:
Observed Start: 11/03/2013 01:57:34.597 PST
Gen. Time: 11/03/2013 02:11:53.338 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
      66.249.74.230 (02:04:06.106 PST)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 1C:DF:0F:66:3D:B0
         80->38716 (02:04:06.106 PST)
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
      66.249.74.230 (11) (01:57:34.597 PST)
         event=1:552123 (11) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 1C:DF:0F:66:3D:B0
         80->46498 (01:57:34.597 PST)
         80->40902 (02:00:38.818 PST)
         80->42553 (02:02:10.935 PST)
         80->64752 (02:03:20.044 PST)
         80->61906 (02:03:43.054 PST)
         80->38716 (02:04:06.083 PST)
         80->35852 (02:05:15.191 PST)
         80->63343 (02:06:24.264 PST)
         80->53901 (02:06:47.283 PST)
         80->40112 (02:07:10.394 PST)
         80->49850 (02:07:33.327 PST)
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383472654.597 1383472654.598 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.230
Peer Coord. List:
Resource List:
Observed Start: 11/03/2013 04:42:13.188 PST
Gen. Time: 11/03/2013 04:59:06.432 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
      66.249.74.230 (04:59:06.432 PST)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 1C:DF:0F:66:3D:B0
         80->50074 (04:59:06.432 PST)
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
      66.249.74.230 (15) (04:42:13.188 PST)
         event=1:552123 (15) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 1C:DF:0F:66:3D:B0
         80->56989 (04:42:13.188 PST)
         80->35133 (04:43:45.469 PST)
         80->64435 (04:44:08.330 PST)
         80->56641 (04:44:31.356 PST)
         80->34480 (04:45:17.431 PST)
         80->34048 (04:46:03.466 PST)
         80->42018 (04:47:58.604 PST)
         80->50158 (04:51:02.825 PST)
         80->64307 (04:51:48.876 PST)
         80->37115 (04:53:44.002 PST)
         80->35389 (04:54:30.064 PST)
         80->43363 (04:55:16.197 PST)
         80->38763 (04:57:34.297 PST)
         80->49895 (04:57:57.333 PST)
         80->63671 (04:58:20.350 PST)
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383482533.188 1383482533.189 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.230 (2)
Peer Coord. List:
Resource List:
Observed Start: 11/03/2013 04:42:13.188 PST
Gen. Time: 11/03/2013 05:12:09.355 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
      66.249.74.230 (2) (04:59:06.432 PST)
         event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 1C:DF:0F:66:3D:B0
         80->50074 (04:59:06.432 PST)
         80->41603 (05:01:24.597 PST)
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
      66.249.74.230 (17) (04:42:13.188 PST)
         event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 1C:DF:0F:66:3D:B0
         80->56989 (04:42:13.188 PST)
         80->35133 (04:43:45.469 PST)
         80->64435 (04:44:08.330 PST)
         80->56641 (04:44:31.356 PST)
         80->34480 (04:45:17.431 PST)
         80->34048 (04:46:03.466 PST)
         80->42018 (04:47:58.604 PST)
         80->50158 (04:51:02.825 PST)
         80->64307 (04:51:48.876 PST)
         80->37115 (04:53:44.002 PST)
         80->35389 (04:54:30.064 PST)
         80->43363 (04:55:16.197 PST)
         80->38763 (04:57:34.297 PST)
         80->49895 (04:57:57.333 PST)
         80->63671 (04:58:20.350 PST)
         80->60531 (05:00:15.485 PST)
         80->55569 (05:02:33.643 PST)
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383482533.188 1383482533.189 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================
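Reading the four profiles above: every flagged flow is listed as local port 80 to an ephemeral port on 66.249.74.230, so the evidence behind the 1.0 score is the content of HTTP responses sent by the web server on 192.168.1.85, matched by two content signatures (1:552123 "ATTACK-RESPONSES Microsoft cmd.exe banner" and 1:2002033 "ET TROJAN BOT - potential response"); in profiles 1 and 2 both signatures fired on the same connection (80->38716, 23 ms apart). No inbound exploit, egg download or outbound scan appears in any profile. Before 66.249.74.230 is treated as C&C, look the address up (WHOIS/rDNS) and inspect the response bodies that matched. Note also that the tcpslice command each profile emits spans only 1 ms after Observed Start, so it cannot contain the later flows; to pull the whole dialog, slice from Observed Start to Gen. Time. The parser below is an added example, not BotHunter's own code: it reads this report format, checks flow direction and signature overlap, and emits the widened tcpslice command. SAMPLE_REPORT is an abridged copy of the first profile (empty category labels dropped); "PST" is assumed to be a fixed UTC-8 offset, which reproduces the report's own epoch value 1383472654.597.

```python
# Parser and sanity checks for BotHunter infection-profile reports (added example,
# not BotHunter's own code). "PST" is assumed to be a fixed UTC-8 offset.
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))  # assumption: the report's "PST" means UTC-8

# Abridged copy of the first profile above (empty category labels dropped).
SAMPLE_REPORT = """\
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
C & C List: 66.249.74.230
Observed Start: 11/03/2013 01:57:34.597 PST
Gen. Time: 11/03/2013 02:04:06.106 PST
   INBOUND SCAN
   C and C TRAFFIC
      66.249.74.230 (02:04:06.106 PST)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 1C:DF:0F:66:3D:B0
         80->38716 (02:04:06.106 PST)
   OUTBOUND ATTACK
      66.249.74.230 (6) (01:57:34.597 PST)
         event=1:552123 (6) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 1C:DF:0F:66:3D:B0
         80->46498 (01:57:34.597 PST)
         80->40902 (02:00:38.818 PST)
         80->42553 (02:02:10.935 PST)
         80->64752 (02:03:20.044 PST)
         80->61906 (02:03:43.054 PST)
         80->38716 (02:04:06.083 PST)
tcpslice 1383472654.597 1383472654.598 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================
"""

HEADER_RE = re.compile(r"^(?P<key>[A-Za-z&. ]+?):\s*(?P<val>.*)$")
PEER_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+)(?: \((?P<n>\d+)\))? \((?P<t>[\d:.]+ \w+)\)$")
EVENT_RE = re.compile(r"^event=(?P<sid>\d+:\d+)(?: \(\d+\))? \{(?P<proto>\w+)\} (?P<stage>E\d)\S* (?P<msg>.*?), \[\] MAC_Src: (?P<mac>[0-9A-Fa-f:]+)$")
FLOW_RE = re.compile(r"^(?P<sport>\d+)->(?P<dport>\d+) \((?P<t>[\d:.]+ \w+)\)$")
SLICE_RE = re.compile(r"^tcpslice (?P<start>[\d.]+) (?P<end>[\d.]+) ")


def parse_ts(s):
    """'11/03/2013 01:57:34.597 PST' -> aware datetime (PST assumed UTC-8)."""
    date, clock, _tz = s.split()
    return datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PST)


def parse_report(text):
    """Split a report into profiles: header fields, evidence entries, tcpslice line."""
    profiles, cur, cat, peer = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Score:"):  # a new profile begins
            cur = {"header": {}, "evidence": [], "tcpslice": None}
            profiles.append(cur)
            cat = peer = None
        if cur is None:
            continue
        if "SEPARATOR" in line:
            cur = None
        elif line.startswith("tcpslice "):
            cur["tcpslice"] = line
        elif (m := FLOW_RE.match(line)) and peer is not None:
            peer["flows"].append((int(m["sport"]), int(m["dport"]), m["t"]))
        elif (m := EVENT_RE.match(line)) and peer is not None:
            peer.update(sid=m["sid"], proto=m["proto"], stage=m["stage"], msg=m["msg"], mac=m["mac"])
        elif m := PEER_RE.match(line):
            peer = {"category": cat, "remote": m["ip"], "count": int(m["n"] or 1), "flows": []}
            cur["evidence"].append(peer)
        elif cat is None and (m := HEADER_RE.match(line)):
            cur["header"][m["key"]] = m["val"]
        else:
            cat, peer = line, None  # a dialog-category label such as "OUTBOUND ATTACK"
    return profiles


def report_slice_window(profile):  # (start, end) from the tcpslice line the report emitted
    start, end = SLICE_RE.match(profile["tcpslice"]).groups()
    return float(start), float(end)


def dialog_window(profile):  # (Observed Start, Gen. Time) as epoch seconds
    h = profile["header"]
    return parse_ts(h["Observed Start"]).timestamp(), parse_ts(h["Gen. Time"]).timestamp()


def widened_tcpslice(profile, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    # Same pipeline the report prints, but spanning the whole dialog instead of 1 ms.
    start, end = dialog_window(profile)
    return (f"tcpslice {start:.3f} {end:.3f} {infile} | tcpdump -r - -w {outfile} "
            f"'host {profile['header']['Infected Target']}'")


def local_source_ports(profile):  # local-side source port of every flagged flow
    return dict(Counter(sp for ev in profile["evidence"] for sp, _, _ in ev["flows"]))


def shared_connections(profile):  # port pairs reported under more than one category
    seen = {}
    for ev in profile["evidence"]:
        for sp, dp, _ in ev["flows"]:
            seen.setdefault((sp, dp), set()).add(ev["category"])
    return {pair for pair, cats in seen.items() if len(cats) > 1}
```

parse_report(SAMPLE_REPORT) yields one profile with seven flagged flows, all from local port 80, the pair (80, 38716) reported under both C and C TRAFFIC and OUTBOUND ATTACK, a report slice of 0.001 s, and a widened command spanning 1383472654.597 to 1383473046.106. Feeding the full report text above to parse_report returns all four profiles, so the same checks can be run over each.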