Malware Report

Malware Report - Results

This report shows all the different areas TAZER analyzes for the sample: Host, Network Activity, and Detection.

Malware Search Criteria:

MD5 =e260be6942e13c0159ca42964c7bb5f6

Malware Report - Results

File MD5Sum	SHA1SUM	SHA256SUM	FUZZY HASH	File Size
e260be6942e13c0159ca42964c7bb5f6	b438a4d58c7d64f24764ccf0fdcc60850f80120d	947653b7d0efb47b2ac99abdd7e68f1206887418d541273d0bc8c673bb9d0a18	3072:124/wTotfpE4mCYT/6i5HSfiyY4x/3g0B8yf/WwG3VTiXa4aLC/lQ6qAkKcY:1sVHTii5HSfrx/	237836

File Results

File Name
Commune.exe

SNORT Results

Snort Class	Snort Alert	Count
N/A	No snort alerts generated	0

AV Results

AV Alert	AV Vendor
Backdoor.Trojan	Symantec
Generic.dx!b2zk	McAfee
Trojan.Win32.Scar.edlv	Kaspersky

Folders (Added) - ICC Results

Path	Folder Name
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5	ITB2CJ0C

Files (Added) - ICC Results

Path	File Name
c:/Documents and Settings/dmc73144/Application Data/Mozilla/Firefox/Profiles/ektregxy.default	signons.sqlite
c:/Documents and Settings/dmc73144/Application Data	Firewall.exe
c:/Documents and Settings/dmc73144/Application Data	lovely.ini
c:/Documents and Settings/dmc73144/Application Data	net.bat
c:/Documents and Settings/dmc73144/Application Data	net.vbs
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/ITB2CJ0C	desktop.ini
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/ITB2CJ0C	profile[1].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/ITB2CJ0C	profile[2].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/ITB2CJ0C	profile[3].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/ITB2CJ0C	profile[4].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/ITB2CJ0C	profile[5].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/ITB2CJ0C	profile[6].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/ITB2CJ0C	warrior_logdata=downloaded payload[1].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/ITB2CJ0C	warrior_logdata=executed payload[1].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/ITB2CJ0C	warrior_logdata=infected[1].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/ITB2CJ0C	warrior_logdata=rar archives infected[1].htm
c:/WINDOWS/Prefetch	AUTOIT3.EXE-32361418.pf
c:/WINDOWS/Prefetch	REGSHOT.EXE-010A5EE6.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf

Files (Deleted) - ICC Results

Action	Path	File Name

Files (Changed) - ICC Results

Action	Path	File Name
modified	c:/Documents and Settings/dmc73144/Cookies	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/History/History.IE5	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5	index.dat
modified	c:/Documents and Settings/dmc73144	NTUSER.DAT
modified	c:/Documents and Settings/dmc73144	ntuser.dat.LOG
modified	c:/WINDOWS/Prefetch	CMD.EXE-087B4001.pf
modified	c:/WINDOWS/Prefetch	HSTART.EXE-221D72BF.pf
modified	c:/WINDOWS/Prefetch	SH.EXE-00254D2B.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/Prefetch	WMIPRVSE.EXE-28F301A9.pf
modified	c:/WINDOWS/system32/config	software.LOG
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS/system32/wbem/Logs	wmiprov.log

Registry Keys (Added) - ICC Results

Action	Path
added	HKLM/SOFTWARE/Microsoft/DownloadManager
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_FASTFAT/0000/Control
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_FASTFAT/0000/Control
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere

Registry Values (Added) - ICC Results

Action	Path	Val_Name	Val_Data
added	HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run	Firewall.ex	"C:/Documents and Settings/dmc73144/Application Data/Firewall.exe"
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_FASTFAT/0000/Control	ActiveService	"Fastfat"
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_FASTFAT/0000/Control	ActiveService	"Fastfat"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Identities/{32BF15D6-D919-458D-8A1A-AC3F3B3F3027}	Identity Ordinal	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/CurrentVersion/Run	Firewall.ex	"C:/Documents and Settings/dmc73144/Application Data/Firewall.exe"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/CurrentVersion/RunOnce	FILE_47200	"C:/Documents and Settings/dmc73144/Application Data/FILE_47200.exe"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Server ID	0x00000003
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	Account Name	"WhoWhere Internet Directory Service"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Server	"ldap.whowhere.com"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP URL	"http
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Search Return	0x00000064
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Timeout	0x0000003C
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Authentication	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Simple Search	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Logo	"%ProgramFiles%Common FilesServiceswhowhere.bmp"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Server ID	0x00000002
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	Account Name	"VeriSign Internet Directory Service"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Server	"directory.verisign.com"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP URL	"http
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Search Return	0x00000064
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Timeout	0x0000003C
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Authentication	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Search Base	"NULL"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Simple Search	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Logo	"%ProgramFiles%Common FilesServicesverisign.bmp"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Server ID	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	Account Name	"Bigfoot Internet Directory Service"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Server	"ldap.bigfoot.com"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP URL	"http
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Search Return	0x00000064
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Timeout	0x0000003C
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Authentication	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Simple Search	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Logo	"%ProgramFiles%Common FilesServicesbigfoot.bmp"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Server ID	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	Account Name	"Active Directory"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Server	"NULL"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Search Return	0x00000064
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Timeout	0x0000003C
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Authentication	0x00000002
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Simple Search	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Bind DN	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Port	0x00000CC4
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Resolve Flag	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Secure Connection	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP User Name	"NULL"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Search Base	"NULL"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts	AssociatedID	D6 15 BF 32 19 D9 8D 45 8A 1A AC 3F 3B 3F 30 27
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts	PreConfigVer	0x00000004
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts	PreConfigVerNTDS	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager	Server ID	0x00000004
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager	Default LDAP Account	"Active Directory GC"

Registry Values (Deleted) - ICC Results

Action	Path	Val_Name	Val_Type	Mod_Val_Type	Val_Data	Mod_Val_Data

Registry Values (Changed) - ICC Results

Action	Path	Val_Name	Val_Data	Mod_Val_Data
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	47 33 7C 69 CE 6C 80 0A E3 1A D9 58 94 0B 8E 76 30 47 B0 4F 3E 74 FC EA 12 7C 0F	38 70 CD 70 09 2D D9 FD CA 7A 7C 0C 1E C2 2F 29 C1 3A 25 5C 9F 90 9B 28 CD AA B7
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Identities	Identity Ordinal	0x00000001	0x00000002
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Connections	SavedLegacySettings	3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00	3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00

DNS Results

DNS	DNS Response
www.warrior?logdata=downloaded payload	Standard query response A 63.251.179.57 A 64.158.56.57
www.warrior?logdata=executed payload	Standard query response A 63.251.179.57 A 64.158.56.57
www.warrior?logdata=infected	Standard query response A 63.251.179.57 A 64.158.56.57
www.warrior?logdata=rar archives infected	Standard query response A 63.251.179.57 A 64.158.56.57
www.facebook.com	Standard query response A 69.171.228.39
warriorz.org	Standard query response, Server failure

URL Results

DstIP	HTTP_HOST	HTTP_REQUEST_URI	HTTP_USER_AGENT	PROTOCOL
63.251.179.57	www.warrior?logdata=Downloaded payload	/	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
63.251.179.57	www.warrior?logdata=Executed payload	/	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
63.251.179.57	www.warrior?logdata=Infected	/	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
63.251.179.57	www.warrior?logdata=RAR archives infected	/	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.228.39	www.facebook.com	/profile.php?id=122439211758459&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.228.39	www.facebook.com	/profile.php?id=215439087642321&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.228.39	www.facebook.com	/profile.php?id=376398625752988&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.228.39	www.facebook.com	/profile.php?id=241360917393383&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.228.39	www.facebook.com	/profile.php?id=686682047654965&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.228.39	www.facebook.com	/profile.php?id=74703789741141&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.228.39	www.facebook.com	/profile.php?id=7812863055943&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.228.39	www.facebook.com	/profile.php?id=443011053336067&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06

ARGUS PROTOCOL Results

PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
6	60	48	5780	6180

ARGUS DPORT Results

DPORT	PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
80	6	60	48	5780	6180

ARGUS DATA Results

Time	Date	Protocol	SrcIP	DstIP	Dir	Flags	Sport	Dport	Pkts	Bytes
04:58:56	2011-10-10	6	10.10.10.7	63.251.179.57	->	e	253	80	9	987
04:58:57	2011-10-10	6	10.10.10.7	63.251.179.57	->	e	254	80	9	985
04:58:58	2011-10-10	6	10.10.10.7	63.251.179.57	->	e	397	80	9	977
04:58:59	2011-10-10	6	10.10.10.7	63.251.179.57	->	e	398	80	9	990
04:59:05	2011-10-10	6	10.10.10.7	69.171.228.39	->	e	508	80	9	1003
04:59:14	2011-10-10	6	10.10.10.7	69.171.228.39	->	e	523	80	9	1003
04:59:23	2011-10-10	6	10.10.10.7	69.171.228.39	->	e	524	80	9	1003
04:59:32	2011-10-10	6	10.10.10.7	69.171.228.39	->	e	559	80	9	1003
04:59:40	2011-10-10	6	10.10.10.7	69.171.228.39	->	e	560	80	9	1003
04:59:49	2011-10-10	6	10.10.10.7	69.171.228.39	->	e	469	80	9	1002
04:59:57	2011-10-10	6	10.10.10.7	69.171.228.39	->	e	598	80	9	1001
05:00:12	2011-10-10	6	10.10.10.7	69.171.228.39	->	e	308	80	9	1003

Packer Results

Packer Name

HoneyTrap Results

Honey Trap Log File Location

PTFB Results

PTFB Log File Location