Malware Report

Malware Report - Results

This report shows all the different areas TAZER analyzes for the sample: Host, Network Activity, and Detection.

Malware Search Criteria:

MD5 =cbc51ed4b0d5d55bfe0ef487f03c0b81

Malware Report - Results

File MD5Sum	SHA1SUM	SHA256SUM	FUZZY HASH	File Size
cbc51ed4b0d5d55bfe0ef487f03c0b81	cfae8bab224a62bb926336721583108460a75215	b65384650379383cbbb924a5915facd8ed8af496bb945464142fd0238cdeb6e2	768:JNfH5SlBV8qPl0CD6jjEwRLzmk0juaqs2o+4ZH98iZhifZ/0FM:rfZwGqd0y6nEwRLSk0bqLuH98	37376

File Results

File Name
ml1.txt.exe

SNORT Results

Snort Class	Snort Alert	Count
Misc Attack	ET RBN Known Russian Business Network IP TCP (289)	4
Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound	1

AV Results

AV Alert	AV Vendor
Backdoor.Trojan	Symantec
N/A	McAfee
Backdoor.Win32.VB.njo	Kaspersky
Trojan.Dropper	Symantec
Generic	McAfee
Rootkit.Win32.Tent.cos	Kaspersky
Artemis!CBC51ED4B0D5	McAfee

Folders (Added) - ICC Results

Path	Folder Name

Files (Added) - ICC Results

Path	File Name
c:/Documents and Settings/dmc73144/Local Settings/Temp	nftmgqxl.bat
c:/Documents and Settings/dmc73144/Local Settings/Temp	u5ck1r.exe
c:/Documents and Settings/dmc73144/Local Settings/Temp	~DFDC85.tmp
c:/WINDOWS/Prefetch	NET.EXE-01A53C2F.pf
c:/WINDOWS/Prefetch	NET1.EXE-029B9DB4.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf
c:/WINDOWS/Prefetch	SC.EXE-012262AF.pf
c:/WINDOWS/Prefetch	U5CK1R.EXE-298971A8.pf
c:/WINDOWS/system32	8lwh0u.log
c:	netstat_post.txt
c:	tasksvc_post.txt
c:	taskv_post.txt

Files (Deleted) - ICC Results

Action	Path	File Name

Files (Changed) - ICC Results

Action	Path	File Name
modified	c:/Documents and Settings/dmc73144/Cookies	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/History/History.IE5	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5	index.dat
modified	c:/Documents and Settings/dmc73144	ntuser.dat.LOG
modified	c:/Documents and Settings/LocalService	ntuser.dat.LOG
modified	c:/WINDOWS/Prefetch	CMD.EXE-087B4001.pf
modified	c:/WINDOWS/Prefetch	NETSTAT.EXE-2B2B4428.pf
modified	c:/WINDOWS/Prefetch	SH.EXE-00254D2B.pf
modified	c:/WINDOWS/Prefetch	SLEEP.EXE-094A3D2A.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/Prefetch	TASKLIST.EXE-10D94B23.pf
modified	c:/WINDOWS/system32/config	software.LOG
modified	c:/WINDOWS/system32/config	system.LOG
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS/system32/wbem/Logs	wbemess.log
modified	c:/WINDOWS/system32/wbem/Logs	wmiprov.log

Registry Keys (Added) - ICC Results

Action	Path

Registry Values (Added) - ICC Results

Action	Path	Val_Name	Val_Data

Registry Values (Deleted) - ICC Results

Action	Path	Val_Name	Val_Type	Mod_Val_Type	Val_Data	Mod_Val_Data

Registry Values (Changed) - ICC Results

Action	Path	Val_Name	Val_Data	Mod_Val_Data
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	85 81 82 98 01 41 B5 5F 02 C0 08 85 26 D0 3B 77 0B 15 0C E5 11 DC 17 C1 A0 67 D7	8D 26 40 A8 73 50 30 B7 4E 0C D0 D4 F5 D5 71 E9 82 46 45 6B 15 A4 03 7A A1 84 F
modified	HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/ProfileList/S-1-5-19	RefCount	0x00000002	0x00000001
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKLM/SYSTEM/ControlSet001/Services/wscsvc	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess	Start	0x00000002	0x00000004
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000105
modified	HKLM/SYSTEM/CurrentControlSet/Services/wscsvc	Start	0x00000002	0x00000004
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Connections	SavedLegacySettings	3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00	3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/SessionInformation	ProgramCount	0x00000002	0x00000001

DNS Results

DNS	DNS Response
justoldleft.ru	Standard query response A 91.213.29.174

URL Results

DstIP	HTTP_HOST	HTTP_REQUEST_URI	HTTP_USER_AGENT	PROTOCOL
91.213.29.174	justoldleft.ru	/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B3969C1DC9ECA9D5FF7F6D9DFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5F44337&v=2&t=0.2226221	Mozilla/4.0 (compatible; MSIE 6.0.2900.2180; Windows NT 5.1.2600)	0x06
91.213.29.174	justoldleft.ru	/list.php?c=AEB679AE48FE379B886FAD85A7E26FBE20B9615A596B2F879FDDE7B0FA52F2DDA19F3F22186F5F31433ADE44E8AD280A7D87AF5838413263B3C7&v=2&t=0.0194971	Mozilla/4.0 (compatible; MSIE 6.0.2900.2180; Windows NT 5.1.2600)	0x06
91.213.29.174	justoldleft.ru	/list.php?c=BBA37FA8B006923EBE59341C96D311C0EF76D8E3457774DCB0F2164149E16C43013FBBA6CEB9C0AE99E075EF581D371535CFDB2CB5CCB8E93145&v=2&t=0.529339	Mozilla/4.0 (compatible; MSIE 6.0.2900.2180; Windows NT 5.1.2600)	0x06
91.213.29.174	justoldleft.ru	/list.php?c=2C3496414FF9AE02A24580A8E9AC13C218816A5183B181295A18451255FD1F3082BC0D107D0A650BB2CBAB314F0A270509F31BECED94CF9ECFBB&v=2&t=0.4483148	Mozilla/4.0 (compatible; MSIE 6.0.2900.2180; Windows NT 5.1.2600)	0x06

ARGUS PROTOCOL Results

PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
6	20	16	2427	2060

ARGUS DPORT Results

DPORT	PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
80	6	20	16	2427	2060

ARGUS DATA Results

Time	Date	Protocol	SrcIP	DstIP	Dir	Flags	Sport	Dport	Pkts	Bytes
10:32:04	2011-03-25	6	10.10.10.7	91.213.29.174	->	e	43	80	9	1122
10:33:10	2011-03-25	6	10.10.10.7	91.213.29.174	->	e	578	80	9	1122
10:34:19	2011-03-25	6	10.10.10.7	91.213.29.174	->	e	111	80	9	1121
10:35:23	2011-03-25	6	10.10.10.7	91.213.29.174	->	e	770	80	9	1122

Packer Results

Packer Name

HoneyTrap Results

Honey Trap Log File Location

PTFB Results

PTFB Log File Location