Malware Report

Malware Report - Results

This report shows all the different areas TAZER analyzes for the sample: Host, Network Activity, and Detection.

Malware Search Criteria:

MD5 =eb8af1e7720c7bfe31761371c75b4dd7

Malware Report - Results

File MD5Sum	SHA1SUM	SHA256SUM	FUZZY HASH	File Size
eb8af1e7720c7bfe31761371c75b4dd7	4d95d0262741802faf2291cbc5a4ac11d723c14e	74a5ed007fd679de4463961b5be2329d55487f7dde3948a94ed82d7c303ef68b	12288:LZcw07Ox3ZpuXxohyGN3Zd01VDdJTdbe+m:LZcNqx2hk7JyDc+m	479232

File Results

File Name
favicon.ico.exe

SNORT Results

Snort Class	Snort Alert	Count
N/A	No snort alerts generated	0

AV Results

AV Alert	AV Vendor

Folders (Added) - ICC Results

Path	Folder Name
c:/Documents and Settings/dmc73144/Local Settings/Temp	WZSE0.TMP

Files (Added) - ICC Results

Path	File Name
c:/Documents and Settings/dmc73144/Application Data/Microsoft	dwm.exe
c:/WINDOWS/Prefetch	AUTOIT3.EXE-32361418.pf
c:/WINDOWS/Prefetch	DWM.EXE-13134A32.pf
c:/WINDOWS/Prefetch	DWM.EXE-2B3A7981.pf
c:/WINDOWS/Prefetch	REGSHOT.EXE-010A5EE6.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf
c:/WINDOWS/SoftwareDistribution/DataStore/Logs	tmp.edb

Files (Deleted) - ICC Results

Action	Path	File Name

Files (Changed) - ICC Results

Action	Path	File Name
modified	c:/Documents and Settings/dmc73144/Cookies	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/History/History.IE5	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5	index.dat
modified	c:/Documents and Settings/dmc73144	ntuser.dat.LOG
modified	c:/WINDOWS/Prefetch	CMD.EXE-087B4001.pf
modified	c:/WINDOWS/Prefetch	HSTART.EXE-221D72BF.pf
modified	c:/WINDOWS/Prefetch	SH.EXE-00254D2B.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/Prefetch	WMIPRVSE.EXE-28F301A9.pf
modified	c:/WINDOWS/Prefetch	WUAUCLT.EXE-399A8E72.pf
modified	c:/WINDOWS/SoftwareDistribution/DataStore	DataStore.edb
modified	c:/WINDOWS/SoftwareDistribution/DataStore/Logs	edb.chk
modified	c:/WINDOWS/SoftwareDistribution/DataStore/Logs	edb.log
modified	c:/WINDOWS/system32/config	system.LOG
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS	WindowsUpdate.log

Registry Keys (Added) - ICC Results

Action	Path
added	HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/WindowsUpdate/Reporting/RebootWatch

Registry Values (Added) - ICC Results

Action	Path	Val_Name	Val_Data
added	HKLM/SYSTEM/ControlSet001/Services/Tcpip/Parameters/Interfaces/{2379147B-6370-49A1-81EC-749CAFE9626A}	NameServer	"8.8.8.8,8.8.8.4"
added	HKLM/SYSTEM/ControlSet001/Services/Tcpip/Parameters/Interfaces/{42A772D2-FB5D-4B58-999A-7AD4C8696A02}	NameServer	"8.8.8.8,8.8.8.4"
added	HKLM/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters/Interfaces/{2379147B-6370-49A1-81EC-749CAFE9626A}	NameServer	"8.8.8.8,8.8.8.4"
added	HKLM/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters/Interfaces/{42A772D2-FB5D-4B58-999A-7AD4C8696A02}	NameServer	"8.8.8.8,8.8.8.4"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/CurrentVersion/Run	dwm.exe	"C:/Documents and Settings/dmc73144/Application Data/Microsoft/dwm.exe"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/ShellNoRoam/MUICache	C://windows//system32//sandnet.exe	"sandnet"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/ShellNoRoam/MUICache	C://Documents and Settings//dmc73144//Application Data//Microsoft//dwm.exe	"dwm"

Registry Values (Deleted) - ICC Results

Action	Path	Val_Name	Val_Type	Mod_Val_Type	Val_Data	Mod_Val_Data

Registry Values (Changed) - ICC Results

Action	Path	Val_Name	Val_Data	Mod_Val_Data
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	C8 40 C9 DC FE CC 13 CE 8A C6 6F 7D 26 D3 D7 87 18 C8 86 6E C3 33 9F DB 8A 53 CA	6C 5B 7D 04 7C 8F 25 AE 00 5F 89 6A BC 98 C9 2B 95 0B 65 16 D4 36 77 9B 90 05 D1
modified	HKLM/SYSTEM/ControlSet001/Services/Eventlog/Application/ESENT	EventMessageFile	"c	"C:WINDOWSsystem32ESENT.dll"
modified	HKLM/SYSTEM/ControlSet001/Services/Eventlog/Application/ESENT	CategoryMessageFile	"c	"C:WINDOWSsystem32ESENT.dll"
modified	HKLM/SYSTEM/ControlSet001/Services/Tcpip/Parameters/Interfaces/{9B7E3E9B-6887-4894-8EE4-B4EFDC3EBE75}	NameServer	"10.10.10.2"	"8.8.8.8,8.8.8.4"
modified	HKLM/SYSTEM/CurrentControlSet/Services/Eventlog/Application/ESENT	EventMessageFile	"c	"C:WINDOWSsystem32ESENT.dll"
modified	HKLM/SYSTEM/CurrentControlSet/Services/Eventlog/Application/ESENT	CategoryMessageFile	"c	"C:WINDOWSsystem32ESENT.dll"
modified	HKLM/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters/Interfaces/{9B7E3E9B-6887-4894-8EE4-B4EFDC3EBE75}	NameServer	"10.10.10.2"	"8.8.8.8,8.8.8.4"
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Explorer/Main	Start Page	"about	"http://www.google.com.tr"
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Connections	SavedLegacySettings	3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00	3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00

DNS Results

DNS	DNS Response
onikinokta.info	Standard query response A 85.17.81.166

URL Results

DstIP	HTTP_HOST	HTTP_REQUEST_URI	HTTP_USER_AGENT	PROTOCOL

ARGUS PROTOCOL Results

PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
6	44	40	2870	2408

ARGUS DPORT Results

DPORT	PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
443	6	44	40	2870	2408

ARGUS DATA Results

Time	Date	Protocol	SrcIP	DstIP	Dir	Flags	Sport	Dport	Pkts	Bytes
01:42:33	2011-10-06	6	10.10.10.7	85.17.81.166	->	e	525	443	13	856
01:42:38	2011-10-06	6	10.10.10.7	85.17.81.166	->	e	525	443	10	600
01:42:43	2011-10-06	6	10.10.10.7	85.17.81.166	->	e	525	443	6	360
01:42:44	2011-10-06	6	10.10.10.7	85.17.81.166	->	e	401	443	13	823
01:42:47	2011-10-06	6	10.10.10.7	85.17.81.166	->	e	535	443	13	856
01:42:52	2011-10-06	6	10.10.10.7	85.17.81.166	->	e	535	443	11	660
01:42:57	2011-10-06	6	10.10.10.7	85.17.81.166	->	e	535	443	5	300
01:42:58	2011-10-06	6	10.10.10.7	85.17.81.166	->	e	562	443	13	823

Packer Results

Packer Name

HoneyTrap Results

Honey Trap Log File Location

PTFB Results

PTFB Log File Location