Malware Report

Malware Report - Results

This report shows all the different areas TAZER analyzes for the sample: Host, Network Activity, and Detection.

Malware Search Criteria:

MD5 =564048b35da9d447f2e861d5896d908d

Malware Report - Results

File MD5Sum	SHA1SUM	SHA256SUM	FUZZY HASH	File Size
564048b35da9d447f2e861d5896d908d	2a6d5ad9a782c96f9cd214fcd105056248e6df31	6fbc4d506f4d4e0a64ca09fd826408d3103c1a258c370553583a07a4cb9a6530	768:Xa+sl1CyWuSOuRUxjwcIA4RkfpocQijKB9pftm+Ezz/aS:Xat8zuSF2wcIdRkfOcpjKB9pZEaS	37376

File Results

File Name
ml2.txt.exe

SNORT Results

Snort Class	Snort Alert	Count
Misc Attack	ET RBN Known Russian Business Network IP TCP (62)	4
Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound	1

AV Results

AV Alert	AV Vendor
Backdoor.Trojan	Symantec
Generic	McAfee
Backdoor.Win32.VB.nju	Kaspersky

Folders (Added) - ICC Results

Path	Folder Name

Files (Added) - ICC Results

Path	File Name
c:/Documents and Settings/dmc73144/Local Settings/Temp	qtfcyyp.exe
c:/Documents and Settings/dmc73144/Local Settings/Temp	yq4yr18ww.bat
c:/Documents and Settings/dmc73144/Local Settings/Temp	~DF57AA.tmp
c:/Documents and Settings/dmc73144/Local Settings/Temp	~DFBC23.tmp
c:/WINDOWS/Prefetch	NET.EXE-01A53C2F.pf
c:/WINDOWS/Prefetch	NET1.EXE-029B9DB4.pf
c:/WINDOWS/Prefetch	QTFCYYP.EXE-0D80FEDE.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf
c:/WINDOWS/Prefetch	SC.EXE-012262AF.pf
c:/WINDOWS/system32	31rvuk6.log
c:	netstat_post.txt
c:	tasksvc_post.txt
c:	taskv_post.txt
c:/WINDOWS/Prefetch	7Z.EXE-1A62CD19.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf
c:	netstat_post.txt
c:	tasksvc_post.txt
c:	taskv_post.txt
c:/Documents and Settings/dmc73144/Local Settings/Temp	e6kd7goc.bat
c:/Documents and Settings/dmc73144/Local Settings/Temp	qtfcyyp.exe
c:/Documents and Settings/dmc73144/Local Settings/Temp	~DF8940.tmp
c:/Documents and Settings/dmc73144/Local Settings/Temp	~DFD638.tmp
c:/WINDOWS/Prefetch	NET.EXE-01A53C2F.pf
c:/WINDOWS/Prefetch	NET1.EXE-029B9DB4.pf
c:/WINDOWS/Prefetch	QTFCYYP.EXE-0D80FEDE.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf
c:/WINDOWS/Prefetch	SC.EXE-012262AF.pf
c:/WINDOWS/system32	31rvuk6.log
c:	netstat_post.txt
c:	tasksvc_post.txt
c:	taskv_post.txt

Files (Deleted) - ICC Results

Action	Path	File Name

Files (Changed) - ICC Results

Action	Path	File Name
modified	c:/Documents and Settings/dmc73144/Cookies	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/History/History.IE5	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5	index.dat
modified	c:/Documents and Settings/dmc73144	ntuser.dat.LOG
modified	c:/Documents and Settings/LocalService	ntuser.dat.LOG
modified	c:/WINDOWS/Prefetch	CMD.EXE-087B4001.pf
modified	c:/WINDOWS/Prefetch	HSTART.EXE-221D72BF.pf
modified	c:/WINDOWS/Prefetch	NETSTAT.EXE-2B2B4428.pf
modified	c:/WINDOWS/Prefetch	SH.EXE-00254D2B.pf
modified	c:/WINDOWS/Prefetch	SLEEP.EXE-094A3D2A.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/Prefetch	TASKLIST.EXE-10D94B23.pf
modified	c:/WINDOWS/system32/config	software.LOG
modified	c:/WINDOWS/system32/config	SysEvent.Evt
modified	c:/WINDOWS/system32/config	system.LOG
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS/system32/wbem/Logs	wbemess.log
modified	c:/WINDOWS/system32/wbem/Logs	wmiprov.log
modified	c:/Documents and Settings/dmc73144	ntuser.dat.LOG
modified	c:/WINDOWS/Prefetch	CMD.EXE-087B4001.pf
modified	c:/WINDOWS/Prefetch	HSTART.EXE-221D72BF.pf
modified	c:/WINDOWS/Prefetch	NETSTAT.EXE-2B2B4428.pf
modified	c:/WINDOWS/Prefetch	SH.EXE-00254D2B.pf
modified	c:/WINDOWS/Prefetch	SLEEP.EXE-094A3D2A.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/Prefetch	TASKLIST.EXE-10D94B23.pf
modified	c:/WINDOWS/system32/wbem/Logs	wmiprov.log
modified	c:/WINDOWS/system32/wbem/Repository/FS	INDEX.MAP
modified	c:/WINDOWS/system32/wbem/Repository/FS	MAPPING.VER
modified	c:/WINDOWS/system32/wbem/Repository/FS	MAPPING1.MAP
modified	c:/WINDOWS/system32/wbem/Repository/FS	OBJECTS.MAP
modified	c:/Documents and Settings/dmc73144/Cookies	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/History/History.IE5	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5	index.dat
modified	c:/Documents and Settings/dmc73144	ntuser.dat.LOG
modified	c:/Documents and Settings/LocalService	ntuser.dat.LOG
modified	c:/WINDOWS/Prefetch	CMD.EXE-087B4001.pf
modified	c:/WINDOWS/Prefetch	HSTART.EXE-221D72BF.pf
modified	c:/WINDOWS/Prefetch	NETSTAT.EXE-2B2B4428.pf
modified	c:/WINDOWS/Prefetch	SH.EXE-00254D2B.pf
modified	c:/WINDOWS/Prefetch	SLEEP.EXE-094A3D2A.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/Prefetch	TASKLIST.EXE-10D94B23.pf
modified	c:/WINDOWS/system32/config	software.LOG
modified	c:/WINDOWS/system32/config	SysEvent.Evt
modified	c:/WINDOWS/system32/config	system.LOG
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS/system32/wbem/Logs	wbemess.log
modified	c:/WINDOWS/system32/wbem/Logs	wmiprov.log

Registry Keys (Added) - ICC Results

Action	Path

Registry Values (Added) - ICC Results

Action	Path	Val_Name	Val_Data

Registry Values (Deleted) - ICC Results

Action	Path	Val_Name	Val_Type	Mod_Val_Type	Val_Data	Mod_Val_Data

Registry Values (Changed) - ICC Results

Action	Path	Val_Name	Val_Data	Mod_Val_Data
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	4B 5D 3C F6 50 D8 70 89 0F 03 69 45 F5 7E D2 64 CA 31 4A DD B2 AE 20 9B 69 03 25	43 B7 3F 62 64 78 11 C8 5B FD 5C 07 EA 0F 28 B1 51 D1 8C 08 BB 23 BA 3D 7A 84 2
modified	HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/ProfileList/S-1-5-19	RefCount	0x00000002	0x00000001
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKLM/SYSTEM/ControlSet001/Services/wscsvc	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKLM/SYSTEM/CurrentControlSet/Services/wscsvc	Start	0x00000002	0x00000004
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Connections	SavedLegacySettings	3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00	3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/SessionInformation	ProgramCount	0x00000002	0x00000001
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	09 49 54 7E 82 7E 14 D4 DE C6 90 D7 BA D7 B1 35 22 B2 CA 05 08 1D 39 3E 28 18 38	86 18 E2 C0 02 D3 EC 54 3B 7A CD 52 A8 B7 27 8E 26 77 E1 0C D5 7C B2 1A B4 8F 6
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/SessionInformation	ProgramCount	0x00000002	0x00000003
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	05 96 41 AD AC B1 FE C8 74 76 81 4C 5B A4 DF 61 ED D8 25 F2 B4 43 FE 18 F4 A4 C4	E2 56 DC E3 5E 40 D8 94 89 1D 71 11 9B 30 13 0E 86 67 50 FF 7C 89 D4 72 25 5F 9
modified	HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/ProfileList/S-1-5-19	RefCount	0x00000002	0x00000001
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKLM/SYSTEM/ControlSet001/Services/wscsvc	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKLM/SYSTEM/CurrentControlSet/Services/wscsvc	Start	0x00000002	0x00000004
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Connections	SavedLegacySettings	3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00	3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0

DNS Results

DNS	DNS Response
mewgost.com	Standard query response A 194.28.44.213

URL Results

DstIP	HTTP_HOST	HTTP_REQUEST_URI	HTTP_USER_AGENT	PROTOCOL
194.28.44.213	mewgost.com	/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B3969C1DC9ECA9D5FF7F6D9DFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5F44337&v=2&t=9.170169E-02	Mozilla/4.0 (compatible; MSIE 6.0.2900.2180; Windows NT 5.1.2600)	0x06
194.28.44.213	mewgost.com	/list.php?c=D5CD11C608BE50FC61862008FEBB43924CD55962A89A872FFBB91A4D3D9587A8003E3D20790E1C729CE592084306A78582788C7B8EF75E0FDEAA&v=2&t=0.291012	Mozilla/4.0 (compatible; MSIE 6.0.2900.2180; Windows NT 5.1.2600)	0x06
194.28.44.213	mewgost.com	/list.php?c=140CEB3CA315359901E6022A02476DBC9A03B78CA391872F91D34314EC44250A92ACF1EC0D7A82EC7900801AD89DFBD9C238C93ED2ABCF9E4135&v=2&t=0.1554376	Mozilla/4.0 (compatible; MSIE 6.0.2900.2180; Windows NT 5.1.2600)	0x06
194.28.44.213	mewgost.com	/list.php?c=342C5087F64045E902E57D55EAAF3AEBF56C6F54F0C2D47C6321B7E0A50D4E616759908DA6D1E18F2950158FF6B396B4609AB245A0D959081561&v=2&t=0.1592066	Mozilla/4.0 (compatible; MSIE 6.0.2900.2180; Windows NT 5.1.2600)	0x06
194.28.44.213	mewgost.com	/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B3969C1DC9ECA9D5FF7F6D9DFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5F44337&v=2&t=0.663418	Mozilla/4.0 (compatible; MSIE 6.0.2900.2180; Windows NT 5.1.2600)	0x06
194.28.44.213	mewgost.com	/list.php?c=0D151FC8B503C16DA6418AA21A5FE6377BE283B80133F25A53114B1C02AA2F001E209B86384F59377E0722B8E9ACAD8F877D35C269104415C3B7&v=2&t=1.385134E-02	Mozilla/4.0 (compatible; MSIE 6.0.2900.2180; Windows NT 5.1.2600)	0x06
194.28.44.213	mewgost.com	/list.php?c=B5ADFC2B9325F854FC1B456D9DD870A1148DBD863604E44C3F7DEDBAD37BC4EBBA84706DB5C21C72EE9754CEBFFA1A38EA10C43385FCCA9B1165&v=2&t=0.9291345	Mozilla/4.0 (compatible; MSIE 6.0.2900.2180; Windows NT 5.1.2600)	0x06
194.28.44.213	mewgost.com	/list.php?c=435BDE0917A17ED2856270589CD97FAE138A526993A108A0723085D247EF456AEFD1B4A906715D33E1986AF083C64B692ED483747900E9B81165&v=2&t=0.6016046	Mozilla/4.0 (compatible; MSIE 6.0.2900.2180; Windows NT 5.1.2600)	0x06
239.255.255.250	239.255.255.250:1900	*	--blank--	0x11

ARGUS PROTOCOL Results

PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
6	20	16	2418	2060
17	2	0	350	0

ARGUS DPORT Results

DPORT	PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
80	6	20	16	2418	2060
1900	17	2	0	350	0

ARGUS DATA Results

Time	Date	Protocol	SrcIP	DstIP	Dir	Flags	Sport	Dport	Pkts	Bytes
21:19:15	2011-04-03	6	10.10.10.7	194.28.44.213	->	e	227	80	9	1122
21:20:21	2011-04-03	6	10.10.10.7	194.28.44.213	->	e	531	80	9	1118
21:21:36	2011-04-03	6	10.10.10.7	194.28.44.213	->	e	259	80	9	1119
21:22:41	2011-04-03	6	10.10.10.7	194.28.44.213	->	e	759	80	9	1119
16:00:35	2011-04-29	6	10.10.10.7	194.28.44.213	->	e	43	80	9	1118
16:01:39	2011-04-29	6	10.10.10.7	194.28.44.213	->	e	532	80	9	1122
16:02:51	2011-04-29	6	10.10.10.7	194.28.44.213	->	e	258	80	9	1119
16:03:54	2011-04-29	6	10.10.10.7	194.28.44.213	->	e	762	80	9	1119
16:06:07	2011-04-29	17	10.10.10.7	239.255.255.250	->	e	8	1900	2	350

Packer Results

Packer Name

HoneyTrap Results

Honey Trap Log File Location

PTFB Results

PTFB Log File Location