Malware Report

Malware Report - Results

This report shows all the different areas TAZER analyzes for the sample: Host, Network Activity, and Detection.

Malware Search Criteria:

MD5 =8f5173da17f9ba2cb97ded22bf9c40d4

Malware Report - Results

File MD5Sum	SHA1SUM	SHA256SUM	FUZZY HASH	File Size
8f5173da17f9ba2cb97ded22bf9c40d4	3d84525bd591589956689be05cad8de9f985765a	885d1cbd606b166ecf20132d4a309c46ef6ed27325bbe8600954f62f3e95aa25	12288:xTUEMqBOkErRLvUoIUwlr/APWgIw80+rWyd7cx2JCT:NUEM6ErRLFIb1/A+7Kyd3JC	501155

File Results

File Name
ctfmon.exe

SNORT Results

Snort Class	Snort Alert	Count
N/A	No snort alerts generated	0

AV Results

AV Alert	AV Vendor

Folders (Added) - ICC Results

Path	Folder Name
c:/Documents and Settings/dmc73144/Local Settings/Temp	nsg3.tmp

Files (Added) - ICC Results

Path	File Name
c:/Documents and Settings/dmc73144/Application Data	b2l0zj6.exe
c:/Documents and Settings/dmc73144/Application Data	jdv50pd.log
c:/Documents and Settings/dmc73144/Application Data	MouseDriver.bat
c:/Documents and Settings/dmc73144/Local Settings/Temp	7.tmp
c:/Documents and Settings/dmc73144/Local Settings/Temp/nsg3.tmp	5tbp.exe
c:/Documents and Settings/dmc73144/Local Settings/Temp/nsg3.tmp	ctfmon.exe
c:/WINDOWS/Prefetch	1EUROP.EXE-01E7A961.pf
c:/WINDOWS/Prefetch	2E4U - BUCKS.EXE-34D903D1.pf
c:/WINDOWS/Prefetch	3IC.EXE-0858A957.pf
c:/WINDOWS/Prefetch	4IR.EXE-1679E25E.pf
c:/WINDOWS/Prefetch	5TBP.EXE-14B4196A.pf
c:/WINDOWS/Prefetch	B2L0ZJ6.EXE-04228E99.pf
c:/WINDOWS/Prefetch	CTFMON.EXE-2DADCC36.pf
c:/WINDOWS/Prefetch	GRPCONV.EXE-111CD845.pf
c:/WINDOWS/Prefetch	NET.EXE-01A53C2F.pf
c:/WINDOWS/Prefetch	NET1.EXE-029B9DB4.pf
c:/WINDOWS/Prefetch	RUNDLL32.EXE-253557CF.pf
c:/WINDOWS/Prefetch	RUNDLL32.EXE-3167A563.pf
c:/WINDOWS/Prefetch	RUNDLL32.EXE-37B9E2B6.pf
c:/WINDOWS/Prefetch	RUNONCE.EXE-2803F297.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf
c:/WINDOWS/Prefetch	SC.EXE-012262AF.pf
c:/WINDOWS/Prefetch	SVCHOST.EXE-3530F672.pf
c:/WINDOWS	mqlcsv.dll
c:	netstat_post.txt
c:	tasksvc_post.txt
c:	taskv_post.txt

Files (Deleted) - ICC Results

Action	Path	File Name

Files (Changed) - ICC Results

Action	Path	File Name
modified	c:/Documents and Settings/dmc73144/Cookies	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/History/History.IE5	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5	index.dat
modified	c:/Documents and Settings/dmc73144	ntuser.dat.LOG
modified	c:/Documents and Settings/LocalService	ntuser.dat.LOG
modified	c:/Program Files/OpenSSH/var/log	OpenSSHd.log
modified	c:/WINDOWS/Prefetch	HSTART.EXE-221D72BF.pf
modified	c:/WINDOWS/Prefetch	NETSTAT.EXE-2B2B4428.pf
modified	c:/WINDOWS/Prefetch	SLEEP.EXE-094A3D2A.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/Prefetch	TASKLIST.EXE-10D94B23.pf
modified	c:/WINDOWS/system32/config	default.LOG
modified	c:/WINDOWS/system32/config	software.LOG
modified	c:/WINDOWS/system32/config	SysEvent.Evt
modified	c:/WINDOWS/system32/config	SYSTEM
modified	c:/WINDOWS/system32/config	system.LOG
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS/system32/wbem/Logs	wbemess.log
modified	c:/WINDOWS/system32/wbem/Logs	wmiprov.log
modified	c:/WINDOWS/system32/wbem/Repository/FS	INDEX.MAP
modified	c:/WINDOWS/system32/wbem/Repository/FS	MAPPING.VER
modified	c:/WINDOWS/system32/wbem/Repository/FS	MAPPING2.MAP
modified	c:/WINDOWS/system32/wbem/Repository/FS	OBJECTS.MAP

Registry Keys (Added) - ICC Results

Action	Path

Registry Values (Added) - ICC Results

Action	Path	Val_Name	Val_Data

Registry Values (Deleted) - ICC Results

Action	Path	Val_Name	Val_Type	Mod_Val_Type	Val_Data	Mod_Val_Data

Registry Values (Changed) - ICC Results

Action	Path	Val_Name	Val_Data	Mod_Val_Data
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	BD 93 11 2F EB 00 AF 49 42 10 F3 A6 96 8D F5 EE 78 7E A0 84 46 A3 DB 7B E7 04 21	34 66 61 25 BE 1E 71 2E FE 7D 44 A5 F6 92 70 56 6A 38 4B E3 08 74 EA 4D 4E 7B B
modified	HKLM/SOFTWARE/Microsoft/DirectDraw/MostRecentApplication	Name	"msoobe.exe"	"svchost.exe"
modified	HKLM/SOFTWARE/Microsoft/DirectDraw/MostRecentApplication	ID	0x3B7D853E	0x41107ED6
modified	HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/ProfileList/S-1-5-19	RefCount	0x00000002	0x00000001
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKLM/SYSTEM/ControlSet001/Services/wscsvc	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKLM/SYSTEM/CurrentControlSet/Services/wscsvc	Start	0x00000002	0x00000004
modified	HKU/.DEFAULT/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3	CurrentLevel	0x00011000	0x00000000
modified	HKU/.DEFAULT/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3	1601	0x00000001	0x00000000
modified	HKU/.DEFAULT/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3	1A10	0x00000001	0x00000000
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Connections	SavedLegacySettings	3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00	3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/SessionInformation	ProgramCount	0x00000002	0x00000001
modified	HKU/S-1-5-18/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3	CurrentLevel	0x00011000	0x00000000
modified	HKU/S-1-5-18/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3	1601	0x00000001	0x00000000
modified	HKU/S-1-5-18/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3	1A10	0x00000001	0x00000000

DNS Results

DNS	DNS Response
ikea.com	Standard query response A 192.71.68.7
sitesell.com	Standard query response A 66.43.48.39
google.ae	Standard query response A 74.125.93.103 A 74.125.93.104 A 74.125.93.105 A 74.125.93.106 A 74.125.93.147 A 74.125.93.99
mymita.in	Standard query response A 78.46.109.174
aacartel.com	Standard query response A 127.0.0.1
baonsale.com	Standard query response A 127.0.0.1
rooftopjam.in	Standard query response A 66.228.54.181
jumppack.in	Standard query response A 66.228.54.181
w.nucleardiscover.com	Standard query response A 60.190.223.75
170407db0816.einfoupdate.net	Standard query response, Server failure
170407db0818.einfoupdate.net	Standard query response, Server failure
170407db0818.edataupdate.com	Standard query response, Server failure
hk9sk2mfmf3h0.com	Standard query response A 194.242.2.62 A 212.36.9.52

URL Results

DstIP	HTTP_HOST	HTTP_REQUEST_URI	HTTP_USER_AGENT	PROTOCOL
78.46.109.174	mymita.in	/?ini=v22MmjDnH4OmXzNmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV7ZlDeAiBMF4XAHPzbYiRtufQpKX/NvtsuO7olw==	Mozilla/5.0 (Windows NT 6.1; wget 3.0; rv:5.0) Gecko/20100101 Firefox/5.0	0x06
66.228.54.181	rooftopjam.in	/?ini=v22MmjDnH4OmXzNmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV7ZlDeAiBMF4XAHPzbYiRtufQpKX/NvtsuO7olw==	Mozilla/5.0 (Windows NT 6.1; wget 3.0; rv:5.0) Gecko/20100101 Firefox/5.0	0x06
66.228.54.181	jumppack.in	/?ini=v22MmjDnH4OmXzNmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV7ZlDeAiBMF4XAHPzbYiRtufQpKX/NvtsuO7olw==	Mozilla/5.0 (Windows NT 6.1; wget 3.0; rv:5.0) Gecko/20100101 Firefox/5.0	0x06
239.255.255.250	239.255.255.250:1900	*	--blank--	0x11

ARGUS PROTOCOL Results

PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
6	112	104	9484	14446
17	2	0	350	0

ARGUS DPORT Results

DPORT	PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
80	6	45	42	4323	10716
443	6	22	20	1435	1204
888	6	45	42	3726	2526
1900	17	2	0	350	0

ARGUS DATA Results

Time	Date	Protocol	SrcIP	DstIP	Dir	Flags	Sport	Dport	Pkts	Bytes
13:21:31	2011-08-04	6	10.10.10.7	78.46.109.174	->	e	311	80	13	2413
13:21:36	2011-08-04	6	10.10.10.7	78.46.109.174	->	e	311	80	10	1965
13:21:42	2011-08-04	6	10.10.10.7	78.46.109.174	->	e	311	80	6	633
13:21:43	2011-08-04	6	10.10.10.7	66.228.54.181	->	e	417	80	13	2417
13:21:48	2011-08-04	6	10.10.10.7	66.228.54.181	->	e	417	80	11	2298
13:21:53	2011-08-04	6	10.10.10.7	66.228.54.181	->	e	417	80	5	300
13:21:54	2011-08-04	6	10.10.10.7	66.228.54.181	->	e	367	80	13	2415
13:21:57	2011-08-04	6	10.10.10.7	60.190.223.75	->	e	468	888	14	1184
13:21:59	2011-08-04	6	10.10.10.7	66.228.54.181	->	e	367	80	11	2298
13:22:02	2011-08-04	6	10.10.10.7	60.190.223.75	->	e	468	888	11	660
13:22:04	2011-08-04	6	10.10.10.7	66.228.54.181	->	e	367	80	5	300
13:22:08	2011-08-04	6	10.10.10.7	60.190.223.75	->	e	468	888	4	240
13:23:10	2011-08-04	6	10.10.10.7	60.190.223.75	->	e	511	888	13	1124
13:23:15	2011-08-04	6	10.10.10.7	60.190.223.75	->	e	511	888	11	660
13:23:20	2011-08-04	6	10.10.10.7	60.190.223.75	->	e	511	888	5	300
13:24:22	2011-08-04	6	10.10.10.7	60.190.223.75	->	e	110	888	13	1124
13:24:27	2011-08-04	6	10.10.10.7	60.190.223.75	->	e	110	888	11	660
13:24:32	2011-08-04	6	10.10.10.7	60.190.223.75	->	e	110	888	5	300
13:24:57	2011-08-04	6	10.10.10.7	194.242.2.62	->	e	362	443	13	856
13:25:02	2011-08-04	6	10.10.10.7	194.242.2.62	->	e	362	443	11	660
13:25:07	2011-08-04	6	10.10.10.7	194.242.2.62	->	e	362	443	5	300
13:25:08	2011-08-04	6	10.10.10.7	194.242.2.62	->	e	363	443	13	823
13:26:57	2011-08-04	17	10.10.10.7	239.255.255.250	->	e	8	1900	2	350

Packer Results

Packer Name

HoneyTrap Results

Honey Trap Log File Location

PTFB Results

PTFB Log File Location