Malware Report

Malware Report - Results

This report shows all the different areas TAZER analyzes for the sample: Host, Network Activity, and Detection.

Malware Search Criteria:

MD5 =284b6c4c413c8b157f703ee57ffeec5e

Malware Report - Results

File MD5Sum	SHA1SUM	SHA256SUM	FUZZY HASH	File Size
284b6c4c413c8b157f703ee57ffeec5e	128f8ea0cae74e25d4f5eeb24898895052306091	802ff97092e09cd3d0aa7e7166b2d048828839b943c9690a140043bdfb376e48	24576:/b4ev9M090bZa1gJAomV9TrS7VxpNBVJQ:HMbZaeez6DBs	889396

File Results

File Name
Extrato%5FPedencia%5FSerasa.exe

SNORT Results

Snort Class	Snort Alert	Count
N/A	No snort alerts generated	0

AV Results

AV Alert	AV Vendor
Backdoor.Trojan	Symantec
Artemis!284B6C4C413C	McAfee
Backdoor.Win32.Bifrose.dsvp	Kaspersky

Folders (Added) - ICC Results

Path	Folder Name

Files (Added) - ICC Results

Path	File Name
c:/Program Files/Common Files	1
c:/Program Files/Common Files	twunk.exe
c:/WINDOWS/Prefetch	7Z.EXE-1A62CD19.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf
c:	netstat_post.txt
c:	tasksvc_post.txt
c:	taskv_post.txt

Files (Deleted) - ICC Results

Action	Path	File Name

Files (Changed) - ICC Results

Action	Path	File Name
modified	c:/Documents and Settings/dmc73144	ntuser.dat.LOG
modified	c:/WINDOWS/Prefetch	CMD.EXE-087B4001.pf
modified	c:/WINDOWS/Prefetch	NETSTAT.EXE-2B2B4428.pf
modified	c:/WINDOWS/Prefetch	SH.EXE-00254D2B.pf
modified	c:/WINDOWS/Prefetch	SLEEP.EXE-094A3D2A.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/Prefetch	TASKLIST.EXE-10D94B23.pf
modified	c:/WINDOWS/Prefetch	WMIPRVSE.EXE-28F301A9.pf
modified	c:/WINDOWS/system32/config	software.LOG
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS/system32/wbem/Logs	wmiprov.log
modified	c:/WINDOWS/system32/wbem/Repository/FS	INDEX.MAP
modified	c:/WINDOWS/system32/wbem/Repository/FS	MAPPING.VER
modified	c:/WINDOWS/system32/wbem/Repository/FS	MAPPING1.MAP
modified	c:/WINDOWS/system32/wbem/Repository/FS	OBJECTS.MAP

Registry Keys (Added) - ICC Results

Action	Path

Registry Values (Added) - ICC Results

Action	Path	Val_Name	Val_Data

Registry Values (Deleted) - ICC Results

Action	Path	Val_Name	Val_Type	Mod_Val_Type	Val_Data	Mod_Val_Data

Registry Values (Changed) - ICC Results

Action	Path	Val_Name	Val_Data	Mod_Val_Data
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	B3 96 89 F2 72 69 85 36 92 37 5D BA 6D 39 31 26 2B 04 6C F6 93 1F 06 22 6A 04 E0	43 51 E2 71 96 F5 CA 1C A5 2A D7 9E C2 70 B2 BE E4 F6 CC A8 C6 67 95 7F 15 49 3
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/SessionInformation	ProgramCount	0x00000002	0x00000001

DNS Results

DNS	DNS Response
viva.is	Standard query response A 81.15.42.111
www.byggja.is	Standard query response CNAME byggja.is A 81.15.42.111

URL Results

DstIP	HTTP_HOST	HTTP_REQUEST_URI	HTTP_USER_AGENT	PROTOCOL
81.15.42.111	viva.is	/isa/wp-content/gallery/build.php	Mozilla/3.0 (compatible; Indy Library)	0x06
81.15.42.111	www.byggja.is	/php/smarty/templates_c/help.txt	Mozilla/3.0 (compatible; Indy Library)	0x06

ARGUS PROTOCOL Results

PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
6	11	9	1635	1090

ARGUS DPORT Results

DPORT	PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
80	6	11	9	1635	1090

ARGUS DATA Results

Time	Date	Protocol	SrcIP	DstIP	Dir	Flags	Sport	Dport	Pkts	Bytes
05:43:27	2011-03-27	6	10.10.10.7	81.15.42.111	->	e	127	80	11	1668
05:43:29	2011-03-27	6	10.10.10.7	81.15.42.111	->	e	89	80	9	1057

Packer Results

Packer Name

HoneyTrap Results

Honey Trap Log File Location

PTFB Results

PTFB Log File Location