Score: 0.8 (>= 0.8) Infected Target: 130.107.211.38 Infector List: 80.225.161.204 Egg Source List: 80.225.161.204 C & C List: Peer Coord. List: Resource List: Observed Start: 06/25/2008 11:39:37.540 PDT Report End: 06/25/2008 11:39:45.981 PDT Gen. Time: 06/25/2008 11:47:30.057 PDT INBOUND SCAN EXPLOIT 80.225.161.204 (6) (11:39:37.540 PDT-11:39:45.981 PDT) event=1:22466 (2) {tcp} E2[rb] NETBIOS SMB-DS IPC$ unicode share access 445<-2012 (11:39:44.087 PDT) 445<-2007 (11:39:37.540 PDT) ------------------------- event=1:299913 (4) {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP 2: 445<-2012 (11:39:45.885 PDT-11:39:45.981 PDT) 2: 445<-2007 (11:39:39.273 PDT-11:39:39.384 PDT) EXPLOIT (slade) EGG DOWNLOAD 80.225.161.204 (2) (11:39:52.444 PDT) event=1:2001683 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host 1033<-2022 (11:47:30.057 PDT) ------------------------- event=1:31000004 {tcp} E3[rb] BotHunter Scrip-based Windows egg download .exe 9995->2014 (11:39:52.444 PDT) C and C TRAFFIC PEER COORDINATION OUTBOUND SCAN ATTACK PREP DECLARE BOT tcpslice 1214419177.540 1214419185.982 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.211.38' ============================== SEPARATOR ================================