ThreatScope Analysis Report

For file kav.exe uploaded 2012-10-25 at 06:23:01 AM

Threat level: Suspicious

This file is suspicious. Monitor communications from any machine that has run the file to detect suspicious behavior.

Threat Assessment

Drops executable file(s)

Adds a registry key to automatically start an executable when the system starts

Traffic to uncategorized server

Screenshots: None

File details:

Hash MD5: f6b258f2c3f10a5d35c8ff852fb6a004
Hash SHA-1: 0541078f7200af1a102582feb57019515bdc8955
Hash SHA-256: 8d7e05ccf2577a04c7109ad4c33e41997c59ae071be8e6b7b93c108564143963
File size: 144.50 KB
File uploaded: 2012-10-25 06:23:01 AM
Report created: 2012-10-25 06:24:37 AM

Technical Details

Requested HTTP URLs

The analyzed file requests the following URLs.

Columns: URL; IP Address; Category; Details (may include user agent string, HTTP server, or encryption information); Method; Status (the first item is the response type, e.g. 200, meaning OK; the second item is the size of the response); MIME (the first item is the server-declared content type; the second item is the true content type).

URL: www.chat-mr.com/images/.vr/tasks.php?uid={a81f29c0-dc94-11e0-b358-806d6172696f--337009188}
IP Address: 68.178.232.99 (United States)
Category: Uncategorized
Details: User agent: V32; HTTP Server: Microsoft-IIS/6.0
Method: GET
Status: 200, 1.01 KB
MIME: text/html; charset=utf-8

URL: www.chat-mr.com/images/.vr/adduser.php?uid={a81f29c0-dc94-11e0-b358-806d6172696f--337009188}&lan=10.74.33.100&cmpname=ADMIN-0B1297EC9%20[Administrator]&country=English%20(United%20States)%20+1&cc=US&idle=249&ver=v1.2
IP Address: 68.178.232.99 (United States)
Category: Uncategorized
Details: User agent: V32; HTTP Server: (blank)
Method: GET
Status: 0, 0 B
MIME: (blank)

URL: www.chat-mr.com/images/.vr/tasks.php?uid={a81f29c0-dc94-11e0-b358-806d6172696f--337009188}
IP Address: 68.178.232.99 (United States)
Category: Uncategorized
Details: User agent: V32; HTTP Server: (blank)
Method: GET
Status: 302, 0 B
MIME: (blank)

URL: www.chat-mr.com/images/.vr/adduser.php?uid={a81f29c0-dc94-11e0-b358-806d6172696f--337009188}&lan=10.74.33.100&cmpname=ADMIN-0B1297EC9%20[Administrator]&country=English%20(United%20States)%20+1&cc=US&idle=283&ver=v1.2
IP Address: 68.178.232.99 (United States)
Category: Uncategorized
Details: User agent: V32; HTTP Server: Microsoft-IIS/6.0
Method: GET
Status: 200, 1.01 KB
MIME: text/html; charset=utf-8

Resolved hostnames

The analyzed file used DNS to resolve the following hostnames.

Hostname: chat-mr.com
Category: Uncategorized
IP address: 68.178.232.99

IP addresses

The analyzed file requests the following IP addresses.

IP Address: 68.178.232.99
ASN: AS26496 GoDaddy.com, LLC (United States)
(This entry is listed four times in the report, once per request above.)

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Creates file: c:\svstem32.exe
Writes file: c:\svstem32.exe

Process modifications

The analyzed file affected the following system processes.

Creates process: Sample started

Registry

The analyzed file made the following changes to the Windows Registry. Malicious files often alter the registry to ensure that the malicious software runs at system startup.

Event: Changes value
Key: HKUS\s-1-5-21-1123561945-436374069-854245398-500\software\microsoft\windows\currentversion\run
Value (Data): C:\svstem32.exe

Global system events

The following global system events were detected.

Creates event: Global\crypt32LogoffEvent
Creates semaphore: shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}a004.exe
Creates mutex: ZonesCounterMutex
Creates mutex: ZonesCacheCounterMutex
Creates mutex: ZonesLockedCacheCounterMutex
Creates mutex: VN_MUTEX16
Creates semaphore: shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}a004.exe
Creates mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates mutex: c:!documents and settings!administrator!cookies!
Creates mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates mutex: WininetConnectionMutex
Creates event: DINPUTWINMM
Creates mutex: RasPbFile
Creates event: Global\userenv: User Profile setup event

Forcepoint has made an effort to determine if your submission is malicious; however, Forcepoint cannot guarantee the accuracy of the result.