Malware Report

Malware Report - Results

This report shows all the different areas TAZER analyzes for the sample: Host, Network Activity, and Detection.

Malware Search Criteria:

MD5 =4c806459c744620b84cc6dceb838ef64

Malware Report - Results

File MD5Sum	SHA1SUM	SHA256SUM	FUZZY HASH	File Size
4c806459c744620b84cc6dceb838ef64	6ec805f13214a93d3b615e8cc614a6cc734966a1	5053bef3c6b22cb1ac90d124f8794d3f8541119b35b26edd2e221e3b38c52aa5	3072:ZYhrihSYup/A1kgDwWHUzEfY18miNLrV/LKL9XWyaWWKRp6a6Q8qqoXVUFfDU3eR:yhR9vJoYNi	281600

File Results

File Name
show.php.exe
4.exe

SNORT Results

Snort Class	Snort Alert	Count
N/A	No snort alerts generated	0

AV Results

AV Alert	AV Vendor

Folders (Added) - ICC Results

Path	Folder Name

Files (Added) - ICC Results

Path	File Name
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf
c:	netstat_post.txt
c:	taskv_post.txt
c:/DELL/VIDEO/OUTPUT	netstat_base.txt
c:/DELL/VIDEO/OUTPUT	netstat_post.txt
c:/DELL/VIDEO/OUTPUT	tasksvc_base.txt
c:/DELL/VIDEO/OUTPUT	tasksvc_post.txt
c:/DELL/VIDEO/OUTPUT	taskv_base.txt
c:/DELL/VIDEO/OUTPUT	taskv_post.txt
c:/WINDOWS/Prefetch	7Z.EXE-1A62CD19.pf
c:/WINDOWS/Prefetch	NET.EXE-01A53C2F.pf
c:/WINDOWS/Prefetch	NET1.EXE-029B9DB4.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf

Files (Deleted) - ICC Results

Action	Path	File Name

Files (Changed) - ICC Results

Action	Path	File Name
modified	c:/WINDOWS/Prefetch	CMD.EXE-087B4001.pf
modified	c:/WINDOWS/Prefetch	NETSTAT.EXE-2B2B4428.pf
modified	c:/WINDOWS/Prefetch	SH.EXE-00254D2B.pf
modified	c:/WINDOWS/Prefetch	SLEEP.EXE-094A3D2A.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/Prefetch	TASKLIST.EXE-10D94B23.pf
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS/system32/wbem/Logs	wmiprov.log
modified	c:/WINDOWS/system32/wbem/Repository/FS	INDEX.MAP
modified	c:/WINDOWS/system32/wbem/Repository/FS	MAPPING.VER
modified	c:/WINDOWS/system32/wbem/Repository/FS	MAPPING2.MAP
modified	c:/WINDOWS/system32/wbem/Repository/FS	OBJECTS.MAP
modified	c:/WINDOWS/Prefetch	CMD.EXE-087B4001.pf
modified	c:/WINDOWS/Prefetch	NETSTAT.EXE-2B2B4428.pf
modified	c:/WINDOWS/Prefetch	SH.EXE-00254D2B.pf
modified	c:/WINDOWS/Prefetch	SLEEP.EXE-094A3D2A.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/Prefetch	TASKLIST.EXE-10D94B23.pf
modified	c:/WINDOWS/Prefetch	WMIPRVSE.EXE-28F301A9.pf
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS/system32/wbem/Logs	wbemess.log
modified	c:/WINDOWS/system32/wbem/Logs	wmiprov.log
modified	c:/WINDOWS/system32/wbem/Repository/FS	INDEX.MAP
modified	c:/WINDOWS/system32/wbem/Repository/FS	MAPPING.VER
modified	c:/WINDOWS/system32/wbem/Repository/FS	MAPPING2.MAP
modified	c:/WINDOWS/system32/wbem/Repository/FS	OBJECTS.MAP

Registry Keys (Added) - ICC Results

Action	Path

Registry Values (Added) - ICC Results

Action	Path	Val_Name	Val_Data

Registry Values (Deleted) - ICC Results

Action	Path	Val_Name	Val_Type	Mod_Val_Type	Val_Data	Mod_Val_Data

Registry Values (Changed) - ICC Results

Action	Path	Val_Name	Val_Data	Mod_Val_Data
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	76 AC F7 94 5F 99 33 45 87 54 77 27 83 3F 5B 58 C9 05 A5 00 43 7F 1E CC 7F BC 9C	21 32 D9 E3 69 1B 4A 0D 34 90 BA C2 4A 40 F2 FD 20 99 9C BB 6F 1A A2 9E 0A D3 E
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/SessionInformation	ProgramCount	0x00000002	0x00000001
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	79 11 5E 7B 2F 80 C5 21 6B 88 D9 44 AB 5D C2 6F A7 C7 DB BF E8 63 F1 11 59 46 46	99 92 8B 6B 50 57 A9 72 AC 16 D5 02 8C 48 4F 76 2E 9B 9B 99 1F 4F A7 D3 26 46 C
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/SessionInformation	ProgramCount	0x00000002	0x00000001

DNS Results

DNS	DNS Response

URL Results

DstIP	HTTP_HOST	HTTP_REQUEST_URI	HTTP_USER_AGENT	PROTOCOL
77.78.240.80	drivers-win-x4442124.com	/vk/get_ip_pay_needblock_lite.php		0x06
77.78.240.80	drivers-win-x4442124.com	/vk/1-md5		0x06
77.78.240.80	drivers-win-x4442124.com	/vk/1-encode		0x06
239.255.255.250	239.255.255.250:1900	*	--blank--	0x11

ARGUS PROTOCOL Results

PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
6	90	84	5892	21432
17	2	0	350	0

ARGUS DPORT Results

DPORT	PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
80	6	90	84	5892	21432
1900	17	2	0	350	0

ARGUS DATA Results

Time	Date	Protocol	SrcIP	DstIP	Dir	Flags	Sport	Dport	Pkts	Bytes
07:55:46	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	224	80	13	1971
07:55:51	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	224	80	10	1965
07:55:56	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	224	80	6	633
07:55:57	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	284	80	13	1947
07:56:02	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	284	80	10	1965
07:56:07	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	284	80	6	633
07:56:08	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	511	80	13	1950
07:56:13	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	511	80	11	2298
07:56:18	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	511	80	5	300
07:58:19	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	619	80	13	1971
07:58:24	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	619	80	11	2298
07:58:29	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	619	80	5	300
07:58:30	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	668	80	13	1947
07:58:35	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	668	80	11	2298
07:58:41	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	668	80	5	300
07:58:41	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	461	80	13	1950
07:58:46	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	461	80	11	2298
07:58:51	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	461	80	5	300
08:01:10	2010-09-25	17	10.10.10.7	239.255.255.250	->	e	8	1900	2	350
20:09:14	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	222	80	13	1971
20:09:19	2010-09-25	6	10.10.10.7	77.78.240.80	->	e d	222	80	12	2631
20:09:25	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	222	80	5	300
20:09:25	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	223	80	13	1947
20:09:31	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	223	80	11	2298
20:09:36	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	223	80	5	300
20:09:36	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	400	80	13	1950
20:09:42	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	400	80	10	1965
20:09:47	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	400	80	6	633
20:11:48	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	299	80	13	1971
20:11:53	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	299	80	10	1965
20:11:58	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	299	80	6	633
20:11:59	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	714	80	14	2280
20:12:04	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	714	80	11	2025
20:12:10	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	756	80	13	1950
20:12:10	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	714	80	4	240
20:12:15	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	756	80	11	2298
20:12:20	2010-09-25	6	10.10.10.7	77.78.240.80	->	e	756	80	5	300
20:14:39	2010-09-25	17	10.10.10.7	239.255.255.250	->	e	8	1900	2	350

Packer Results

Packer Name

HoneyTrap Results

Honey Trap Log File Location

PTFB Results

PTFB Log File Location