Malware Report

Malware Report - Results

This report shows all the different areas TAZER analyzes for the sample: Host, Network Activity, and Detection.

Malware Search Criteria:

MD5 =13154ea8c5d0016e8cec361304ff4f20

Malware Report - Results

File MD5Sum	SHA1SUM	SHA256SUM	FUZZY HASH	File Size
13154ea8c5d0016e8cec361304ff4f20	c88d792688a3fde73060d75485dd1ad4e28d89b8	bb01563076dd0a0d447cb6414a31d62d1132b468d2c231af55bdfc1bbde10f48	12288:JfetfDj6qzQNfdKprp/farwpPVSNOKyuoDOYa:0lj66QxgRFlpPVpuxL	488761

File Results

File Name
exerev.exe

SNORT Results

Snort Class	Snort Alert	Count
N/A	No snort alerts generated	0

AV Results

AV Alert	AV Vendor

Folders (Added) - ICC Results

Path	Folder Name
c:/Documents and Settings/dmc73144/Local Settings/Temp	nsc3.tmp
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5	ITB2CJ0C

Files (Added) - ICC Results

Path	File Name
c:/Documents and Settings/dmc73144/Application Data	b2l0zj6.exe
c:/Documents and Settings/dmc73144/Application Data	jdv50pd.log
c:/Documents and Settings/dmc73144/Application Data	MouseDriver.bat
c:/Documents and Settings/dmc73144/Local Settings/Temp	7.tmp
c:/Documents and Settings/dmc73144/Local Settings/Temp/nsc3.tmp	5tbp.exe
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/ITB2CJ0C	CARAKZV5.htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/ITB2CJ0C	desktop.ini
c:/WINDOWS/Prefetch	1EUROP.EXE-368E3FF5.pf
c:/WINDOWS/Prefetch	2E4U - BUCKS.EXE-007AB57D.pf
c:/WINDOWS/Prefetch	3IC.EXE-06683A57.pf
c:/WINDOWS/Prefetch	4IR.EXE-33E1CB57.pf
c:/WINDOWS/Prefetch	5TBP.EXE-12B768EB.pf
c:/WINDOWS/Prefetch	B2L0ZJ6.EXE-04228E99.pf
c:/WINDOWS/Prefetch	EXEREV.EXE-37FA894F.pf
c:/WINDOWS/Prefetch	GRPCONV.EXE-111CD845.pf
c:/WINDOWS/Prefetch	NET.EXE-01A53C2F.pf
c:/WINDOWS/Prefetch	NET1.EXE-029B9DB4.pf
c:/WINDOWS/Prefetch	RUNDLL32.EXE-253557CF.pf
c:/WINDOWS/Prefetch	RUNDLL32.EXE-2C8B53CF.pf
c:/WINDOWS/Prefetch	RUNDLL32.EXE-47DB8CE3.pf
c:/WINDOWS/Prefetch	RUNONCE.EXE-2803F297.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf
c:/WINDOWS/Prefetch	SC.EXE-012262AF.pf
c:/WINDOWS/Prefetch	SVCHOST.EXE-3530F672.pf
c:/WINDOWS	arugiqin.dll
c:/WINDOWS	mgiodma.dll
c:	netstat_post.txt
c:	tasksvc_post.txt
c:	taskv_post.txt

Files (Deleted) - ICC Results

Action	Path	File Name

Files (Changed) - ICC Results

Action	Path	File Name
modified	c:/Documents and Settings/dmc73144/Cookies	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/History/History.IE5	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5	index.dat
modified	c:/Documents and Settings/dmc73144	ntuser.dat.LOG
modified	c:/Documents and Settings/LocalService	ntuser.dat.LOG
modified	c:/Program Files/OpenSSH/var/log	OpenSSHd.log
modified	c:/WINDOWS/Prefetch	HSTART.EXE-221D72BF.pf
modified	c:/WINDOWS/Prefetch	NETSTAT.EXE-2B2B4428.pf
modified	c:/WINDOWS/Prefetch	SLEEP.EXE-094A3D2A.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/Prefetch	TASKLIST.EXE-10D94B23.pf
modified	c:/WINDOWS/system32/config	default.LOG
modified	c:/WINDOWS/system32/config	software.LOG
modified	c:/WINDOWS/system32/config	SYSTEM
modified	c:/WINDOWS/system32/config	system.LOG
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS/system32/wbem/Logs	wbemess.log
modified	c:/WINDOWS/system32/wbem/Logs	wmiprov.log

Registry Keys (Added) - ICC Results

Action	Path

Registry Values (Added) - ICC Results

Action	Path	Val_Name	Val_Data

Registry Values (Deleted) - ICC Results

Action	Path	Val_Name	Val_Type	Mod_Val_Type	Val_Data	Mod_Val_Data

Registry Values (Changed) - ICC Results

Action	Path	Val_Name	Val_Data	Mod_Val_Data
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	C7 C2 AB D7 E5 AF 0C E3 65 F3 DB E2 4F 5F 5F 3F 32 42 75 02 04 D0 60 A5 F2 95 4D	09 C9 4E B9 C9 8C 26 84 1B 03 05 15 8A B0 59 E4 83 F5 55 B6 B7 08 8E 53 22 5E 1
modified	HKLM/SOFTWARE/Microsoft/DirectDraw/MostRecentApplication	Name	"msoobe.exe"	"svchost.exe"
modified	HKLM/SOFTWARE/Microsoft/DirectDraw/MostRecentApplication	ID	0x3B7D853E	0x41107ED6
modified	HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/ProfileList/S-1-5-19	RefCount	0x00000002	0x00000001
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKLM/SYSTEM/ControlSet001/Services/wscsvc	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKLM/SYSTEM/CurrentControlSet/Services/wscsvc	Start	0x00000002	0x00000004
modified	HKU/.DEFAULT/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3	CurrentLevel	0x00011000	0x00000000
modified	HKU/.DEFAULT/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3	1601	0x00000001	0x00000000
modified	HKU/.DEFAULT/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3	1A10	0x00000001	0x00000000
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Connections	SavedLegacySettings	3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00	3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/SessionInformation	ProgramCount	0x00000002	0x00000001
modified	HKU/S-1-5-18/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3	CurrentLevel	0x00011000	0x00000000
modified	HKU/S-1-5-18/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3	1601	0x00000001	0x00000000
modified	HKU/S-1-5-18/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3	1A10	0x00000001	0x00000000

DNS Results

DNS	DNS Response
ikea.com	Standard query response A 192.71.68.7
sitesell.com	Standard query response A 66.43.48.39
google.ae	Standard query response A 74.125.113.105 A 74.125.113.106 A 74.125.113.147 A 74.125.113.99 A 74.125.113.103 A 74.125.113.104
grosstag.in	Standard query response A 1.1.1.1
aacartel.com	Standard query response, Server failure
rooftopjam.in	Standard query response A 66.228.54.181
baonsale.com	Standard query response, Server failure
w.nucleardiscover.com	Standard query response A 60.190.223.75
jumppack.in	Standard query response A 66.228.54.181
140807db081f.lalith.net	Standard query response A 202.150.208.68
hk9sk2mfmf3h0.com	Standard query response A 63.251.179.57 A 64.158.56.57

URL Results

DstIP	HTTP_HOST	HTTP_REQUEST_URI	HTTP_USER_AGENT	PROTOCOL
1.1.1.1	grosstag.in	/?ini=v22MmjDnH4OmXzNmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV7ZlDeAiBMF4XAHPzbYuRtufQpKX/MPtsu+7pkA==	Mozilla/5.0 (Windows NT 6.1; wget 3.0; rv:5.0) Gecko/20100101 Firefox/5.0	0x06
66.228.54.181	rooftopjam.in	/?ini=v22MmjDnH4OmXzNmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV7ZlDeAiBMF4XAHPzbYuRtufQpKX/MPtsu+7pkA==	Mozilla/5.0 (Windows NT 6.1; wget 3.0; rv:5.0) Gecko/20100101 Firefox/5.0	0x06
66.228.54.181	jumppack.in	/?ini=v22MmjDnH4OmXzNmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV7ZlDeAiBMF4XAHPzbYuRtufQpKX/MPtsu+7pkA==	Mozilla/5.0 (Windows NT 6.1; wget 3.0; rv:5.0) Gecko/20100101 Firefox/5.0	0x06
239.255.255.250	239.255.255.250:1900	*	--blank--	0x11

ARGUS PROTOCOL Results

PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
6	117	108	10379	14961
17	2	0	350	0

ARGUS DPORT Results

DPORT	PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
80	6	50	46	5218	11231
443	6	22	20	1435	1204
888	6	45	42	3726	2526
1900	17	2	0	350	0

ARGUS DATA Results

Time	Date	Protocol	SrcIP	DstIP	Dir	Flags	Sport	Dport	Pkts	Bytes
10:31:10	2011-08-08	6	10.10.10.7	1.1.1.1	->	e	108	80	13	2415
10:31:15	2011-08-08	6	10.10.10.7	1.1.1.1	->	e	108	80	10	1965
10:31:21	2011-08-08	6	10.10.10.7	1.1.1.1	->	e	108	80	6	633
10:31:22	2011-08-08	6	10.10.10.7	66.228.54.181	->	e	127	80	13	2417
10:31:27	2011-08-08	6	10.10.10.7	66.228.54.181	->	e	127	80	11	2298
10:31:29	2011-08-08	6	10.10.10.7	60.190.223.75	->	e	503	888	14	1184
10:31:33	2011-08-08	6	10.10.10.7	66.228.54.181	->	e	127	80	5	300
10:31:33	2011-08-08	6	10.10.10.7	66.228.54.181	->	e	417	80	13	2415
10:31:34	2011-08-08	6	10.10.10.7	60.190.223.75	->	e	503	888	10	600
10:31:38	2011-08-08	6	10.10.10.7	66.228.54.181	->	e	417	80	10	1965
10:31:40	2011-08-08	6	10.10.10.7	60.190.223.75	->	e	503	888	5	300
10:31:40	2011-08-08	6	10.10.10.7	202.150.208.68	->	e	119	80	9	1408
10:31:43	2011-08-08	6	10.10.10.7	66.228.54.181	->	e	417	80	6	633
10:32:43	2011-08-08	6	10.10.10.7	60.190.223.75	->	e	253	888	13	1124
10:32:48	2011-08-08	6	10.10.10.7	60.190.223.75	->	e	253	888	11	660
10:32:53	2011-08-08	6	10.10.10.7	60.190.223.75	->	e	253	888	5	300
10:33:55	2011-08-08	6	10.10.10.7	60.190.223.75	->	e	258	888	13	1124
10:34:00	2011-08-08	6	10.10.10.7	60.190.223.75	->	e	258	888	11	660
10:34:05	2011-08-08	6	10.10.10.7	60.190.223.75	->	e	258	888	5	300
10:34:25	2011-08-08	6	10.10.10.7	63.251.179.57	->	e	164	443	13	856
10:34:30	2011-08-08	6	10.10.10.7	63.251.179.57	->	e	164	443	10	600
10:34:35	2011-08-08	6	10.10.10.7	63.251.179.57	->	e	164	443	6	360
10:34:36	2011-08-08	6	10.10.10.7	63.251.179.57	->	e	358	443	13	823
10:36:32	2011-08-08	17	10.10.10.7	239.255.255.250	->	e	8	1900	2	350

Packer Results

Packer Name

HoneyTrap Results

Honey Trap Log File Location

PTFB Results

PTFB Log File Location