Sample ID: 160099
General Information
Filename B856E336EFEF7DF934BF27F81983714C
Report Generated at 2014-01-29 10:52:06
File Last Modified 2014-01-02 14:30:27
SHA1 f32ce44d5c82e7aa04ad0ad2a472ebef4abe0a53
SHA256 3765ecdf469b9640a8352ad659d2339147400e15cd695d6cade51ae0e7a875a5
MD5 b856e336efef7df934bf27f81983714c
Summary of Results
CAMAL Heuristics Result Malicious
AVG Collected_c.BGFI
BitDefender Undetected
ClamWin Undetected
ESET Undetected
GFI Trojan.Win32.Generic!BT
Norman Undetected
QuickHeal Undetected
TotalDefense Undetected
Processes
Behaviour | Target
process creation | C:\Windows\system32\SearchIndexer.ex
process creation | C:\Windows\system32\SearchProtocolHost.ex
created processes | "C:\Windows\system32\SearchFilterHost.exe" 0 516 520 528 65536 524
creates suspended process | "C:\Windows\system32\SearchFilterHost.exe" 0 516 520 528 65536 524
creates suspended process | "C:\Windows\system32\SearchFilterHost.exe" 0 516 520 528 65536 524
process creation | C:\Windows\system32\SearchFilterHost.ex
process creation | C:\Windows\system32\taskhost.ex
process termination | C:\Windows\system32\taskhost.ex
process creation | e:\binary.ex
created processes | "C:\Users\admin\AppData\Local\Temp\javainstall1.exe"
creates suspended process | "C:\Users\admin\AppData\Local\Temp\javainstall1.exe"
process creation | C:\Users\admin\AppData\Local\Temp\javainstall1.ex
open process | 12ddec
open process | 5dc
open process | 138
open process | 7e8
open process | 7bc
open process | 6d4
open process | 6ac
open process | 570
open process | 564
open process | 510
open process | 4c0
open process | 498
open process | 410
open process | 3c8
open process | 358
open process | 330
open process | 2bc
open process | 288
open process | 244
open process | 1dc
open process | 1d4
open process | 1cc
open process | 1a0
open process | 178
open process | 16c
open process | 148
open process | f8
open process | 4
open process | 0
open process | 535c7473
open process | 5dc
open process | 138
open process | 7e8
open process | 7bc
open process | 6d4
open process | 6ac
open process | 570
open process | 564
open process | 510
open process | 4c0
open process | 498
open process | 410
open process | 3c8
open process | 358
open process | 330
open process | 2bc
open process | 288
open process | 244
open process | 1dc
process termination | C:\Users\admin\AppData\Local\Temp\javainstall1.ex
created processes | "C:\Users\admin\AppData\Local\Temp\javainstall2.exe"
creates suspended process | "C:\Users\admin\AppData\Local\Temp\javainstall2.exe"
process creation | C:\Users\admin\AppData\Local\Temp\javainstall2.ex
Files
Behaviour | Target
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.7.gthr
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.7.gthr
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.7.Crwl
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.7.Crwl
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.8.gthr
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.8.gthr
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.8.Crwl
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.8.Crwl
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000
created files | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\INDEX.000
create file weird location | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\INDEX.000
created files | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010001.wid
create file weird location | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010001.wid
created files | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010002.wid
create file weird location | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010002.wid
created files | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010008.wid
create file weird location | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010008.wid
created files | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010008.wsb
create file weird location | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010008.wsb
created files | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010011.wid
create file weird location | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010011.wid
created files | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010013.wid
create file weird location | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010013.wid
created files | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\CiAD0002.000
create file weird location | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\CiAD0002.000
created files | \\.\PIPE\samr
create file weird location | \\.\PIPE\samr
created files | \\?\Volume{e0c45204-0910-11e3-b691-806e6f6e6963}
create file weird location | \\?\Volume{e0c45204-0910-11e3-b691-806e6f6e6963}
created files | \\.\PIPE\lsarpc
create file weird location | \\.\PIPE\lsarpc
created files | C:\Users\admin\AppData\Local\Temp\nsaBA2B.tmp
created files | C:\Users\admin\AppData\Local\Temp\nsfBA4B.tmp\inetc2.dll
created files | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
created files | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
create file weird location | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
created files | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
created files | C:\Users\admin\AppData\Local\Temp\javainstall1.txt
created files | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@davedownloads[1].txt
create file weird location | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@davedownloads[1].txt
created files | C:\Users\admin\AppData\Local\Temp\javainstall2.txt
created files | C:\Users\admin\AppData\Local\Temp\nspF1AE.tmp\System.dll
created files | C:\Users\admin\AppData\Local\Temp\nspF1AE.tmp\Processes.dll
created files | C:\Users\admin\AppData\Local\Temp\nspF1AE.tmp\Math.dll
created files | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@davedownloads[2].txt
create file weird location | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@davedownloads[2].txt
created files | C:\Users\admin\AppData\Local\Temp\nspF1AE.tmp\NsisCrypt.dll
created files | javainst1.exe
create file weird location | javainst1.exe
created files | C:\Users\admin\AppData\Local\Temp\javainstall3.txt
created files | C:\Users\admin\AppData\Local\Temp\nsqFF65.tmp\System.dll
created files | C:\Users\admin\AppData\Local\Temp\nsqFF65.tmp\inetcEXT.dll
created files | C:\Users\admin\AppData\Local\Temp\nsqFF65.tmp\InstallManager.ex_
Registry
Behaviour | Target
created reg | HKLM\SOFTWARE\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex
created reg | HKLM\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache
created reg | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
reg browser settings | SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
reg error reporting | SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
created reg | HKLM\Software\Microsoft\Tracing
created reg | HKLM\Software\Microsoft\Tracing\binary_RASAPI32
created reg | HKLM\Software\Microsoft\Tracing\binary_RASMANCS
created reg | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
created reg | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
reg browser settings | SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
reg error reporting | SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
created reg | HKCU\Software\Microsoft\Internet Explorer\Main
reg browser settings | SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
reg error reporting | SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
created reg | HKLM\Software\Microsoft\Tracing\javainstall2_RASAPI32
created reg | HKLM\Software\Microsoft\Tracing\javainstall2_RASMANCS
Others
Behaviour | Target
main module retrieve name | C:\Windows\system32\SearchIndexer.exe
load self image | C:\Windows\system32\en-us\tQuery.dll.mui
load self image | OLEAUT32
load self image | SHFOLDER
show window | 5
load self image | RichEd20
tamper browser history write | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
duplicate handle | 21c
tamper browser history write | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
duplicate handle | 228
tamper browser history write | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
duplicate handle | 234
load self image | ws2_32
load self image | dnsapi
load self image | iphlpapi
remove internet settings | AutoConfigURL
duplicate handle | 228
load self image | SHFOLDER
load self image | iphlpapi
load self image | SHFOLDER
show window | 5
load self image | RichEd20
show window | 8
duplicate handle | 204
duplicate handle | 210
duplicate handle | 21c
load self image | ws2_32
load self image | dnsapi
load self image | iphlpapi
remove internet settings | AutoConfigURL
HTTP Requests
Action | URI | IP
GET | www.msftncsi.com /ncsi.txt | 23.15.7.152
GET | www.davedownloads.info /dl/index.cgi?cid=114&eid=001&key=davedownloads0113AApr201310k | 174.137.173.76
GET | www.davedownloads.info /files/javainst1.exe | 174.137.173.76
GET | www.davedownloads.info /dl/index.cgi?cid=114&eid=002&key=davedownloads0113AApr201310k | 174.137.173.76
GET | www.davedownloads.info /files/javainst2.exe | 174.137.173.76
GET | www.davedownloads.info /dl/index.cgi?cid=114&eid=003&key=davedownloads0113AApr201310k | 174.137.173.76
GET | www.davedownloads.info /files/javainst3.exe | 174.137.173.76
GET | www.coaug13belly.com /download.php?l3t9dQ== | 204.236.209.57
GET | secure.rocketdlgo.com /nsi/nsis-html/DNetworkAug2013_8205.exe | 14.0.57.12
GET | www.davedownloads.info /dl/index.cgi?cid=114&eid=004&key=davedownloads0113AApr201310k | 174.137.173.76
POST | www.fcgoattrack.com /FCL_Co_v1.php | 50.19.102.217
GET | www.davedownloads.info /files/javainst4.exe | 174.137.173.76
POST | www.steasttrack.com /DSS_IMapplication_mon_v2.php | 50.19.102.217
GET | cdn.cmatecdnfast.us /os/OfferScreen_146.zip | 14.0.57.13
Destination IPs
IP | Packet Count | Protocol
174.137.173.76:80 | 1023 | TCP
[BROADCAST]:137 | 48 | UDP
14.0.57.12:80 | 108 | TCP
[DNS]:53 | 13 | UDP
[BROADCAST]:138 | 14 | UDP
23.15.7.152:80 | 5 | TCP
204.236.209.57:80 | 5 | TCP
14.0.57.13:80 | 12 | TCP
50.19.102.217:80 | 10 | TCP
[LLMNR]:5355 | 22 | UDP
Similar samples