Malware Report

Malware Report - Results

This report shows all the different areas TAZER analyzes for the sample: Host, Network Activity, and Detection.

Malware Search Criteria:

MD5 =666673253bdab74ca47c6b09a573509d

Malware Report - Results

File MD5Sum	SHA1SUM	SHA256SUM	FUZZY HASH	File Size
666673253bdab74ca47c6b09a573509d	41c962fb0862bb3557d71569d5d9e84749f501ca	6be3ea0598a03280abccee96d6a2c347fb7bcb92ab7d683ea29f294a870535d2	1536:bNP7b+npR5UfgLli3D6sg/fUCcGVC7QqzrncN0eJWwum/3Qwd2mVYpOU:Rf4RKfk+DyU9uC7QcY	62976

File Results

File Name
kp.exe

SNORT Results

Snort Class	Snort Alert	Count
N/A	No snort alerts generated	0

AV Results

AV Alert	AV Vendor

Folders (Added) - ICC Results

Path	Folder Name

Files (Added) - ICC Results

Path	File Name
c:/Documents and Settings/dmc73144/Application Data	MouseDriver.bat
c:/Documents and Settings/dmc73144/Application Data	pqwc.log
c:/Documents and Settings/dmc73144/Application Data	qjxqkt0po.bat
c:/Documents and Settings/dmc73144/Application Data	w91dr2.exe
c:/WINDOWS/Prefetch	GRPCONV.EXE-111CD845.pf
c:/WINDOWS/Prefetch	NET.EXE-01A53C2F.pf
c:/WINDOWS/Prefetch	NET1.EXE-029B9DB4.pf
c:/WINDOWS/Prefetch	RUNDLL32.EXE-253557CF.pf
c:/WINDOWS/Prefetch	RUNONCE.EXE-2803F297.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf
c:/WINDOWS/Prefetch	SC.EXE-012262AF.pf
c:/WINDOWS/Prefetch	W91DR2.EXE-2B18A250.pf
c:	netstat_post.txt
c:	tasksvc_post.txt
c:	taskv_post.txt

Files (Deleted) - ICC Results

Action	Path	File Name

Files (Changed) - ICC Results

Action	Path	File Name
modified	c:/Documents and Settings/dmc73144/Cookies	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/History/History.IE5	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5	index.dat
modified	c:/Documents and Settings/dmc73144	ntuser.dat.LOG
modified	c:/Documents and Settings/LocalService	ntuser.dat.LOG
modified	c:/WINDOWS/Prefetch	CMD.EXE-087B4001.pf
modified	c:/WINDOWS/Prefetch	HSTART.EXE-221D72BF.pf
modified	c:/WINDOWS/Prefetch	NETSTAT.EXE-2B2B4428.pf
modified	c:/WINDOWS/Prefetch	SH.EXE-00254D2B.pf
modified	c:/WINDOWS/Prefetch	SLEEP.EXE-094A3D2A.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/Prefetch	TASKLIST.EXE-10D94B23.pf
modified	c:/WINDOWS/system32/config	software.LOG
modified	c:/WINDOWS/system32/config	system.LOG
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS/system32/wbem/Logs	wbemess.log
modified	c:/WINDOWS/system32/wbem/Logs	wmiprov.log

Registry Keys (Added) - ICC Results

Action	Path

Registry Values (Added) - ICC Results

Action	Path	Val_Name	Val_Data

Registry Values (Deleted) - ICC Results

Action	Path	Val_Name	Val_Type	Mod_Val_Type	Val_Data	Mod_Val_Data

Registry Values (Changed) - ICC Results

Action	Path	Val_Name	Val_Data	Mod_Val_Data
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	E8 2A 64 3D 46 EA E3 2C 49 F7 6A 67 1C 70 39 AB 7A C9 E9 89 48 62 DD 4C A2 DE 60	40 25 69 0C D1 72 B2 21 88 7D DA CA 90 05 8F 3E A6 9B 20 4B 79 E8 3E E7 CC 88 A
modified	HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/ProfileList/S-1-5-19	RefCount	0x00000002	0x00000001
modified	HKLM/SYSTEM/ControlSet001/Services/Eventlog/Application/ESENT	EventMessageFile	c:windowssystem32ESENT.dll	"C
modified	HKLM/SYSTEM/ControlSet001/Services/Eventlog/Application/ESENT	CategoryMessageFile	c:windowssystem32ESENT.dll	"C
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKLM/SYSTEM/ControlSet001/Services/wscsvc	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/CurrentControlSet/Services/Eventlog/Application/ESENT	EventMessageFile	c:windowssystem32ESENT.dll	"C
modified	HKLM/SYSTEM/CurrentControlSet/Services/Eventlog/Application/ESENT	CategoryMessageFile	c:windowssystem32ESENT.dll	"C
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKLM/SYSTEM/CurrentControlSet/Services/wscsvc	Start	0x00000002	0x00000004
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Connections	SavedLegacySettings	3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00	3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/SessionInformation	ProgramCount	0x00000002	0x00000001

DNS Results

DNS	DNS Response
w.nucleardiscover.com	Standard query response A 60.190.223.75

URL Results

DstIP	HTTP_HOST	HTTP_REQUEST_URI	HTTP_USER_AGENT	PROTOCOL
239.255.255.250	239.255.255.250:1900	*	--blank--	0x11

ARGUS PROTOCOL Results

PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
6	60	56	4871	3368
17	1	0	175	0

ARGUS DPORT Results

DPORT	PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
888	6	60	56	4871	3368
1900	17	1	0	175	0

ARGUS DATA Results

Time	Date	Protocol	SrcIP	DstIP	Dir	Flags	Sport	Dport	Pkts	Bytes
18:07:56	2011-07-02	6	10.10.10.7	60.190.223.75	->	e	439	888	14	1160
18:08:01	2011-07-02	6	10.10.10.7	60.190.223.75	->	e	439	888	11	660
18:08:07	2011-07-02	6	10.10.10.7	60.190.223.75	->	e	439	888	4	240
18:09:10	2011-07-02	6	10.10.10.7	60.190.223.75	->	e	569	888	13	1099
18:09:15	2011-07-02	6	10.10.10.7	60.190.223.75	->	e	569	888	11	660
18:09:20	2011-07-02	6	10.10.10.7	60.190.223.75	->	e	569	888	5	300
18:10:23	2011-07-02	6	10.10.10.7	60.190.223.75	->	e	356	888	13	1100
18:10:28	2011-07-02	6	10.10.10.7	60.190.223.75	->	e	356	888	11	660
18:10:33	2011-07-02	6	10.10.10.7	60.190.223.75	->	e	356	888	5	300
18:11:36	2011-07-02	6	10.10.10.7	60.190.223.75	->	e	809	888	13	1100
18:11:41	2011-07-02	6	10.10.10.7	60.190.223.75	->	e	809	888	11	660
18:11:46	2011-07-02	6	10.10.10.7	60.190.223.75	->	e	809	888	5	300
18:13:23	2011-07-02	17	10.10.10.7	239.255.255.250	->	e	8	1900	1	175

Packer Results

Packer Name

HoneyTrap Results

Honey Trap Log File Location

PTFB Results

PTFB Log File Location