Malware Report

Malware Report - Results

This report shows all the different areas TAZER analyzes for the sample: Host, Network Activity, and Detection.

Malware Search Criteria:

MD5 =4b52e1da2e800ca4ea9db4d5f5288238

Malware Report - Results

File MD5Sum	SHA1SUM	SHA256SUM	FUZZY HASH	File Size
4b52e1da2e800ca4ea9db4d5f5288238	8a199c2f8bba20fc6146e30399544ce406f88410	e4f7a40faff4ec8ad8feb4b3b2aa54bb8060470438bad737f4d8c4a074f09dae	12288:9o7YNQXQDzdYD/jGW/nSpVAn8GxyxOzauUPnIpVyKCFJo:OwQORHW/nS3A8G8kVCFJo	637750

File Results

File Name
Javaup.exe

SNORT Results

Snort Class	Snort Alert	Count
N/A	No snort alerts generated	0

AV Results

AV Alert	AV Vendor
Trojan.ADH.2	Symantec
Qhost-Gen!f	McAfee
Trojan.Win32.Qhost.xpf	Kaspersky

Folders (Added) - ICC Results

Path	Folder Name

Files (Added) - ICC Results

Path	File Name
c:/Documents and Settings/dmc73144/Local Settings/Temp	0FD0D0B0
c:/WINDOWS/Prefetch	AUTOIT3.EXE-32361418.pf
c:/WINDOWS/Prefetch	REGSHOT.EXE-010A5EE6.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf

Files (Deleted) - ICC Results

Action	Path	File Name

Files (Changed) - ICC Results

Action	Path	File Name
modified	c:/Documents and Settings/dmc73144/Cookies	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/History/History.IE5	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5	index.dat
modified	c:/Documents and Settings/dmc73144	NTUSER.DAT
modified	c:/Documents and Settings/dmc73144	ntuser.dat.LOG
modified	c:/WINDOWS/Prefetch	CMD.EXE-087B4001.pf
modified	c:/WINDOWS/Prefetch	HSTART.EXE-221D72BF.pf
modified	c:/WINDOWS/Prefetch	SH.EXE-00254D2B.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/Prefetch	WMIPRVSE.EXE-28F301A9.pf
modified	c:/WINDOWS/system32/config	software.LOG
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS/system32/wbem/Logs	wmiprov.log

Registry Keys (Added) - ICC Results

Action	Path
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Enigma Protector
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Enigma Protector/11DE3BF085F161D2-32FAACCB8C53C6C1
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Enigma Protector/11DE3BF085F161D2-32FAACCB8C53C6C1/F2056619E67008B6-D3EAB50C2B7144EE

Registry Values (Added) - ICC Results

Action	Path	Val_Name	Val_Data
added	HKLM/SOFTWARE/Microsoft/Security Center	UACDisableNotify	0x00000000
added	HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/policies/system	EnableLUA	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Identities/{32BF15D6-D919-458D-8A1A-AC3F3B3F3027}	Identity Ordinal	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Server ID	0x00000003
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	Account Name	"WhoWhere Internet Directory Service"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Server	"ldap.whowhere.com"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP URL	"http
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Search Return	0x00000064
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Timeout	0x0000003C
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Authentication	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Simple Search	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Logo	"%ProgramFiles%Common FilesServiceswhowhere.bmp"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Server ID	0x00000002
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	Account Name	"VeriSign Internet Directory Service"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Server	"directory.verisign.com"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP URL	"http
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Search Return	0x00000064
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Timeout	0x0000003C
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Authentication	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Search Base	"NULL"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Simple Search	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Logo	"%ProgramFiles%Common FilesServicesverisign.bmp"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Server ID	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	Account Name	"Bigfoot Internet Directory Service"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Server	"ldap.bigfoot.com"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP URL	"http
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Search Return	0x00000064
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Timeout	0x0000003C
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Authentication	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Simple Search	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Logo	"%ProgramFiles%Common FilesServicesbigfoot.bmp"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Server ID	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	Account Name	"Active Directory"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Server	"NULL"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Search Return	0x00000064
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Timeout	0x0000003C
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Authentication	0x00000002
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Simple Search	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Bind DN	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Port	0x00000CC4
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Resolve Flag	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Secure Connection	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP User Name	"NULL"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Search Base	"NULL"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts	AssociatedID	D6 15 BF 32 19 D9 8D 45 8A 1A AC 3F 3B 3F 30 27
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts	PreConfigVer	0x00000004
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts	PreConfigVerNTDS	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager	Server ID	0x00000004
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager	Default LDAP Account	"Active Directory GC"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Enigma Protector/11DE3BF085F161D2-32FAACCB8C53C6C1/F2056619E67008B6-D3EAB50C2B7144EE	2AA5A6E0	A0 4D 8D 7F C1 A3 FB B5 D0 AA 66 4C CE F4

Registry Values (Deleted) - ICC Results

Action	Path	Val_Name	Val_Type	Mod_Val_Type	Val_Data	Mod_Val_Data

Registry Values (Changed) - ICC Results

Action	Path	Val_Name	Val_Data	Mod_Val_Data
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	AD 1A 38 42 FA A3 70 5F 60 5D EF 36 2B 66 DA E6 FF 64 A4 8E 95 F3 CC 11 03 58 AD	30 76 F4 45 79 3C D5 89 6D E3 A3 A8 39 78 6D 31 B5 48 69 3E 6C 0B F2 8C 22 C6 AF
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Identities	Identity Ordinal	0x00000001	0x00000002
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Connections	SavedLegacySettings	3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00	3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00

DNS Results

DNS	DNS Response
Smtp.Gmail.Com	Standard query response CNAME gmail-smtp-msa.l.google.Com A 74.125.115.109 A 74.125.115.108

URL Results

DstIP	HTTP_HOST	HTTP_REQUEST_URI	HTTP_USER_AGENT	PROTOCOL

ARGUS PROTOCOL Results

PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
6	19	17	1216	1024

ARGUS DPORT Results

DPORT	PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
465	6	19	17	1216	1024

ARGUS DATA Results

Time	Date	Protocol	SrcIP	DstIP	Dir	Flags	Sport	Dport	Pkts	Bytes
00:51:43	2011-10-15	6	10.10.10.7	74.125.115.109	->	e	523	465	13	856
00:51:48	2011-10-15	6	10.10.10.7	74.125.115.109	->	e	523	465	10	600
00:51:53	2011-10-15	6	10.10.10.7	74.125.115.109	->	e	523	465	6	360
00:51:54	2011-10-15	6	10.10.10.7	74.125.115.109	->	e	560	465	7	424

Packer Results

Packer Name

HoneyTrap Results

Honey Trap Log File Location

PTFB Results

PTFB Log File Location