Malware Report

Malware Report - Results

This report shows all the different areas TAZER analyzes for the sample: Host, Network Activity, and Detection.

Malware Search Criteria:

MD5 =3815ec73533c286a25a0e5f2356f58e5

Malware Report - Results

File MD5Sum	SHA1SUM	SHA256SUM	FUZZY HASH	File Size
3815ec73533c286a25a0e5f2356f58e5	87dcfb8c150e362c24a8724a0e7d10cd21c3dcae	a240c8a898b65f229dbac814f0b7433a2c9f8f4d7b0bfe56158499b8cb1011e6	6144:/48lglQc6287PWYFNtt+HVwHMt783Io7wX8bcZsWU9:gDQRPWw3westQ3Hw7	406016

File Results

File Name
drop.php%3Fe%3DJavaSignedApplet.exe

SNORT Results

Snort Class	Snort Alert	Count
A Network Trojan was Detected	ET ATTACK_RESPONSE IRC - Nick change on non-std port	17

AV Results

AV Alert	AV Vendor

Folders (Added) - ICC Results

Path	Folder Name
c:/Program Files	KAZAA
c:	My Downloads

Files (Added) - ICC Results

Path	File Name
c:/Documents and Settings/dmc73144/Application Data	data.dat
c:/Documents and Settings/dmc73144/Application Data	fgKDd1hgbF.txt
c:/Documents and Settings/dmc73144/Application Data	google_q35[s6_2]rh_h.tmp
c:/Documents and Settings/dmc73144/Application Data	windsys2.exe
c:/Documents and Settings/dmc73144/Local Settings/Temp	NullBot_saud.exe
c:/Program Files	svchost.dat
c:/Program Files	winlogon.exe
c:/WINDOWS/Prefetch	NULLBOT_SAUD.EXE-02423B30.pf
c:/WINDOWS/Prefetch	REG.EXE-0D2A95F7.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf
c:/WINDOWS/Prefetch	WINLOGON.EXE-008FCD73.pf
c:	netstat_post.txt
c:	taskv_post.txt

Files (Deleted) - ICC Results

Action	Path	File Name

Files (Changed) - ICC Results

Action	Path	File Name
modified	c:/Documents and Settings/dmc73144	ntuser.dat.LOG
modified	c:/WINDOWS/Prefetch	CMD.EXE-087B4001.pf
modified	c:/WINDOWS/Prefetch	HSTART.EXE-221D72BF.pf
modified	c:/WINDOWS/Prefetch	NETSTAT.EXE-2B2B4428.pf
modified	c:/WINDOWS/Prefetch	SH.EXE-00254D2B.pf
modified	c:/WINDOWS/Prefetch	SLEEP.EXE-094A3D2A.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/system32/config	software.LOG
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS/system32	sandnet.exe
modified	c:/WINDOWS/system32/wbem/Logs	wmiprov.log
modified	c:/WINDOWS/system32/wbem/Repository/FS	INDEX.MAP
modified	c:/WINDOWS/system32/wbem/Repository/FS	MAPPING.VER
modified	c:/WINDOWS/system32/wbem/Repository/FS	MAPPING2.MAP
modified	c:/WINDOWS/system32/wbem/Repository/FS	OBJECTS.MAP

Registry Keys (Added) - ICC Results

Action	Path

Registry Values (Added) - ICC Results

Action	Path	Val_Name	Val_Data

Registry Values (Deleted) - ICC Results

Action	Path	Val_Name	Val_Type	Mod_Val_Type	Val_Data	Mod_Val_Data

Registry Values (Changed) - ICC Results

Action	Path	Val_Name	Val_Data	Mod_Val_Data
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	7B D8 9F 32 5B 48 DF 85 63 B5 AA B4 BC 58 37 42 77 ED 86 65 3E D9 F4 90 76 79 D4	96 C7 24 B7 BC 48 5F 7B E7 5B 67 45 39 B5 14 BE FA B9 73 B0 E6 3A 44 52 1C E8 9
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000106
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000106
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/SessionInformation	ProgramCount	0x00000002	0x00000001

DNS Results

DNS	DNS Response
saud.markaz-royal.net	Standard query response A 46.4.176.169
nokia2mon2.markaz-royal.net	Standard query response A 2.90.213.40

URL Results

DstIP	HTTP_HOST	HTTP_REQUEST_URI	HTTP_USER_AGENT	PROTOCOL
239.255.255.250	239.255.255.250:1900	*	--blank--	0x11

ARGUS PROTOCOL Results

PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
6	496	471	30749	28326
17	2	0	350	0

ARGUS DPORT Results

DPORT	PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
7493	6	276	259	17517	15574
8787	6	220	212	13232	12752
1900	17	2	0	350	0

ARGUS DATA Results

Time	Date	Protocol	SrcIP	DstIP	Dir	Flags	Sport	Dport	Pkts	Bytes
05:59:34	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	56	7493	17	1085
05:59:39	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	56	7493	10	600
05:59:39	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	44	8787	11	664
05:59:44	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	56	7493	6	360
05:59:44	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	44	8787	11	660
05:59:48	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	108	7493	17	1073
05:59:49	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	44	8787	5	300
05:59:53	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	108	7493	11	660
05:59:53	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	316	8787	11	664
05:59:58	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	108	7493	5	300
05:59:58	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	316	8787	10	600
06:00:02	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	189	7493	16	1019
06:00:03	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	316	8787	6	360
06:00:07	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	189	7493	10	600
06:00:08	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	190	8787	12	724
06:00:12	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	189	7493	5	300
06:00:13	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	190	8787	11	660
06:00:16	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	191	7493	15	959
06:00:19	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	190	8787	4	240
06:00:21	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	191	7493	11	660
06:00:23	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	530	8787	12	724
06:00:26	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	191	7493	5	300
06:00:28	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	530	8787	10	600
06:00:30	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	541	7493	15	959
06:00:33	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	530	8787	5	300
06:00:35	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	541	7493	10	600
06:00:38	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	542	8787	11	664
06:00:40	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	541	7493	6	360
06:00:43	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	542	8787	10	600
06:00:44	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	543	7493	17	1073
06:00:48	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	542	8787	6	360
06:00:49	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	543	7493	11	660
06:00:53	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	581	8787	12	724
06:00:54	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	543	7493	5	300
06:00:58	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	582	7493	17	1073
06:00:58	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	581	8787	11	660
06:01:03	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	582	7493	10	600
06:01:04	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	581	8787	4	240
06:01:08	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	582	7493	6	360
06:01:08	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	380	8787	11	664
06:01:12	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	583	7493	15	959
06:01:13	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	380	8787	11	660
06:01:17	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	583	7493	11	660
06:01:18	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	380	8787	5	300
06:01:22	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	583	7493	5	300
06:01:23	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	48	8787	11	664
06:01:26	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	102	7493	15	959
06:01:28	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	48	8787	11	660
06:01:31	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	102	7493	10	600
06:01:33	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	48	8787	5	300
06:01:36	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	102	7493	6	360
06:01:38	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	436	8787	11	664
06:01:40	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	381	7493	15	959
06:01:43	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	436	8787	11	660
06:01:45	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	381	7493	11	660
06:01:48	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	436	8787	5	300
06:01:50	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	381	7493	5	300
06:01:53	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	230	8787	11	664
06:01:54	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	454	7493	15	959
06:01:58	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	230	8787	11	660
06:01:59	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	454	7493	11	660
06:02:03	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	230	8787	5	300
06:02:04	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	454	7493	5	300
06:02:08	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	231	7493	15	959
06:02:08	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	294	8787	11	664
06:02:13	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	231	7493	11	660
06:02:13	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	294	8787	11	660
06:02:18	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	231	7493	5	300
06:02:18	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	294	8787	5	300
06:02:22	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	740	7493	15	959
06:02:23	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	741	8787	11	664
06:02:27	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	740	7493	10	600
06:02:28	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	741	8787	11	660
06:02:32	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	740	7493	6	360
06:02:33	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	741	8787	5	300
06:02:36	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	788	7493	15	959
06:02:38	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	789	8787	11	664
06:02:41	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	788	7493	11	660
06:02:43	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	789	8787	11	660
06:02:46	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	788	7493	5	300
06:02:48	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	789	8787	5	300
06:02:50	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	790	7493	15	959
06:02:53	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	791	8787	11	664
06:02:55	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	790	7493	10	600
06:02:58	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	791	8787	10	600
06:03:00	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	790	7493	6	360
06:03:03	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	791	8787	6	360
06:03:04	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	838	7493	15	959
06:03:08	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	839	8787	11	664
06:03:10	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	838	7493	11	660
06:03:13	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	839	8787	11	660
06:03:15	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	838	7493	5	300
06:03:19	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	840	7493	15	959
06:03:18	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	839	8787	5	300
06:03:23	2010-12-27	6	10.10.10.7	2.90.213.40	->	e	841	8787	11	664
06:03:24	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	840	7493	10	600
06:03:28	2010-12-27	6	10.10.10.7	2.90.213.40	->	e d	841	8787	10	600
06:03:29	2010-12-27	6	10.10.10.7	46.4.176.169	->	e	840	7493	6	360
06:03:33	2010-12-27	6	10.10.10.7	2.90.213.40	->	e d	841	8787	4	240
06:03:44	2010-12-27	6	10.10.10.7	2.90.213.40	->	e d	841	8787	1	60
06:03:56	2010-12-27	6	10.10.10.7	2.90.213.40	->	e d	841	8787	1	60
06:05:05	2010-12-27	17	10.10.10.7	239.255.255.250	->	e	8	1900	2	350

Packer Results

Packer Name

HoneyTrap Results

Honey Trap Log File Location

PTFB Results

PTFB Log File Location