Submission Summary:

What's been found | Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

 

Technical Details:

 

Possible Security Risk

Threat Category | Description
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

 

File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 | %CommonAppData%\rM1sV4K2.exe [file and pathname of the sample #1] | 84,480 bytes | MD5: 0x222E551BE8E78796334293D8DEC54DD7; SHA-1: 0x61BAD34D6FE627A6E92FF7B71374865CA08EA3C2 | Backdoor.Win32.Azbreg.k [Kaspersky Lab]; Downloader.a!bwn [McAfee]; Mal/FakeAV-PE [Sophos]; Trojan-Downloader.Win32.Obvod [Ikarus]
2 | %Temp%\bV7cF1T8.dat | 20 bytes | MD5: 0xC003E06EE3DAE3551D7B9267E4BBAD41; SHA-1: 0x0BD50145946A596EA21B6DF9335A8CAF258914E5 | (not available)
3 | %Temp%\qL4rU7J5.dat | 240,177 bytes | MD5: 0x32D0160A32D5A01E3A2A64058780A76D; SHA-1: 0xDA0600F6F0B27DE3E079160056DF9B629AC12FF9 | (not available)
4 | %Windir%\Tasks\At1.job | 416 bytes | MD5: 0x3C36AE1D71EA0BEAEE7F13551ED86AEF; SHA-1: 0xA47DF16BC398BE999BA3979216B31E36798F61E1 | (not available)
5 | %Windir%\Tasks\At10.job | 416 bytes | MD5: 0xF9CFC31A0C0C109BC56559245D304F6E; SHA-1: 0x68E09F29EF584D350DA6B6A9B529A750FFDDCBD5 | (not available)
6 | %Windir%\Tasks\At11.job | 416 bytes | MD5: 0xE9E7DF3335C9670885060FA9674D1D1F; SHA-1: 0x9B87F7CCD455B421F1431E87AD33992951491CC4 | (not available)
7 | %Windir%\Tasks\At12.job | 416 bytes | MD5: 0x03728A43EF351B666B6FE0A4BBA13ECC; SHA-1: 0x35FB333865DA2251B5C206FB43D63F7ADCA63A44 | (not available)
8 | %Windir%\Tasks\At13.job | 416 bytes | MD5: 0xA69F63844D91E10D211B5AAEC2AEBB4C; SHA-1: 0x22D6A6EA52D64B62AB9D56836473FBA96D86C3BD | (not available)
9 | %Windir%\Tasks\At14.job | 416 bytes | MD5: 0x4A178E11EADD8E976712E3BA1699AC11; SHA-1: 0x1564CE6A318431B145AC5DF80B7083054AE301D2 | (not available)
10 | %Windir%\Tasks\At15.job | 416 bytes | MD5: 0xF188D0F23D45CEAD69071214B168220E; SHA-1: 0xE264813CD6E6C7717E6F1C5FE08BDE16BC3CAA75 | (not available)
11 | %Windir%\Tasks\At16.job | 416 bytes | MD5: 0x3DF4067F87B1C0F06421449FC27F8F4C; SHA-1: 0x700DE1A86CAA7B010FC6FE769E42A7B407CC64AC | (not available)
12 | %Windir%\Tasks\At17.job | 416 bytes | MD5: 0x0EC44ED1233F591E92A0853BF6EDB934; SHA-1: 0x22BA0503DB825AB08D90C662AAEDCBCEB2A039B2 | (not available)
13 | %Windir%\Tasks\At18.job | 416 bytes | MD5: 0x64AD0DF675E6A2794EB2B3B132E63CC0; SHA-1: 0xF1ADEC406BB4A91FE3B7D2F68239C300B1F175F6 | (not available)
14 | %Windir%\Tasks\At19.job | 416 bytes | MD5: 0x4BDFEB64B1B7461B480CE595E180E480; SHA-1: 0xC25223588BEAE27B5C6D49C30C3ED18DCFD4A890 | (not available)
15 | %Windir%\Tasks\At2.job | 416 bytes | MD5: 0x7C004CB7F2C98D0C560858CF91514A7A; SHA-1: 0xC0F36F899DFB482D97D0C5C34307C73B13E29B06 | (not available)
16 | %Windir%\Tasks\At20.job | 416 bytes | MD5: 0x4D1717E156C549AD6989FAD3D4A8FCC5; SHA-1: 0x9A36FF3FD9B8814068AE6CE23DDEE132B9AE1E76 | (not available)
17 | %Windir%\Tasks\At21.job | 416 bytes | MD5: 0x0065C27980BE3A23D2FF9A7F4660CF2F; SHA-1: 0x1F3CF8289FA15A31A8297D5C4A365A102BA4A968 | (not available)
18 | %Windir%\Tasks\At22.job | 416 bytes | MD5: 0x56EA6E84CDC877D29DE831AEE5BE1CFF; SHA-1: 0x190AE8583FC8EB618F6DC19A307B83440E6FFB14 | (not available)
19 | %Windir%\Tasks\At23.job | 416 bytes | MD5: 0x49CF4B79FB1912450BCB4DB784147725; SHA-1: 0x6974EC70A34F16F73B9DDCD29ACAA7A0A797299A | (not available)
20 | %Windir%\Tasks\At24.job | 416 bytes | MD5: 0x26F4901AF068E6361D0E1EE9373E53E3; SHA-1: 0x7DAD5D8BB80EB196628B9E46581EF39C9AE4F9D6 | (not available)
21 | %Windir%\Tasks\At25.job | 418 bytes | MD5: 0x4EE8464F96F1590DE57369CEC2D97430; SHA-1: 0x8B01E209AE124197EF68942503AAFD53C8D3F5F5 | (not available)
22 | %Windir%\Tasks\At26.job | 418 bytes | MD5: 0xEC6C5CA1A3F08389BDB143D1DDF63BDC; SHA-1: 0x762F1F7084E65827D98DED17505C4927AD357F4E | (not available)
23 | %Windir%\Tasks\At27.job | 418 bytes | MD5: 0xF56C3AFDDD3069351E5690B03A746EF0; SHA-1: 0xE1154B67C7C27F3A3B9F22870C6D217A313B2A75 | (not available)
24 | %Windir%\Tasks\At28.job | 418 bytes | MD5: 0xFE4C40D8B7D1AFAA8FFD9772B99505EA; SHA-1: 0x53E589C1E97B43775769D21B0E58C18C17FCE928 | (not available)
25 | %Windir%\Tasks\At29.job | 418 bytes | MD5: 0x3DCD9B23A464F36CE4DF0ECDACD70085; SHA-1: 0x253369312846A401810D314236157C0F669F494C | (not available)
26 | %Windir%\Tasks\At3.job | 416 bytes | MD5: 0x95268BB197DC63DB9B7A38CD4B223B73; SHA-1: 0x91C2F0717DC55E8202CE85ADB022AD90CAFD53B1 | (not available)
27 | %Windir%\Tasks\At30.job | 418 bytes | MD5: 0xE354D7EC2714FC0D543B0F619E54125B; SHA-1: 0x5529385494A691FE3ADB539A8CCFFE62AE92E392 | (not available)
28 | %Windir%\Tasks\At31.job | 418 bytes | MD5: 0x9FBB6988637B9725F2605F8DCD50194A; SHA-1: 0x23657F2B7DCAAC6D8BB2C8A820199705A4A016C0 | (not available)
29 | %Windir%\Tasks\At32.job | 418 bytes | MD5: 0xE6DD871B33AE9AF319DA2AE08900FA03; SHA-1: 0xA993B517BEFDD572381618693F6A11E9A40A99F9 | (not available)
30 | %Windir%\Tasks\At33.job | 418 bytes | MD5: 0x7EB506284EACA103E125C6FF272517E8; SHA-1: 0x8991130083E67D808ABCD4D539219D88C4EE9087 | (not available)
31 | %Windir%\Tasks\At34.job | 418 bytes | MD5: 0x8F5D1F4255613101F69F9E4B505F355C; SHA-1: 0xCF67EE1AE91D2A8DA066A024D46D80DFDD879FB0 | (not available)
32 | %Windir%\Tasks\At35.job | 418 bytes | MD5: 0x161EEF1426C95DBE538845DCCF072B04; SHA-1: 0x880F8622BB91D153507E104AEF3D4BF28962EB32 | (not available)
33 | %Windir%\Tasks\At36.job | 418 bytes | MD5: 0x507F59F9DF15D12D473646DC755E2403; SHA-1: 0x6D843660761C50D432F8DEF9C25448E047119CF3 | (not available)
34 | %Windir%\Tasks\At37.job | 418 bytes | MD5: 0xFF9D0A4A96897B352692064460F9563F; SHA-1: 0x3E86CE81994B92B3B80A3439CC942DEF6AAC3D43 | (not available)
35 | %Windir%\Tasks\At38.job | 418 bytes | MD5: 0x38602CFE5FF31F52D247E35691374916; SHA-1: 0x137D8969F6BDE52E2981A5BC3F0F41BBE81C25F5 | (not available)
36 | %Windir%\Tasks\At39.job | 418 bytes | MD5: 0xBCE49E22578AEC3F4412599B137FC0F4; SHA-1: 0x747F7D86AA147C1314DC90AC77C843F073DD0F1B | (not available)
37 | %Windir%\Tasks\At4.job | 416 bytes | MD5: 0xC6A6C9CF4157F18525952E793F31088B; SHA-1: 0x3406A02CE51268144AA6BE0E14CCD3F28D0A485E | (not available)
38 | %Windir%\Tasks\At40.job | 418 bytes | MD5: 0x2CB97EB671B6754A8A041FA103106647; SHA-1: 0x3DAD2ADAEDF7DFA080DA8766B0801D3D462A7BBE | (not available)
39 | %Windir%\Tasks\At41.job | 418 bytes | MD5: 0xBCAE33AE6E5C56D63FB9A7074D61C9BD; SHA-1: 0x7A11D91721F23DA48E3F8F0C38A9E34C0F9DCB61 | (not available)
40 | %Windir%\Tasks\At42.job | 418 bytes | MD5: 0x447149ED2947E3A318AE9CCDFB9DD03D; SHA-1: 0x0F774ECEC040368BF6CE01673EB8869C29FC5024 | (not available)
41 | %Windir%\Tasks\At43.job | 418 bytes | MD5: 0x3DE86E42F4CE4397D401EC24A08BE62A; SHA-1: 0x96B0EAAD0B9C1D7325B9E8321535401F88A472D3 | (not available)
42 | %Windir%\Tasks\At44.job | 418 bytes | MD5: 0xD29086532E62FE94F8246B394F32BB6F; SHA-1: 0x3C3DEE4274F118FE36BCB31042F30418D7E1E9BE | (not available)
43 | %Windir%\Tasks\At45.job | 418 bytes | MD5: 0xE4F737D0316C82C39050418546E8B128; SHA-1: 0xFA3C05DD2C73879B44E3F2A8E9392650B17FC9A7 | (not available)
44 | %Windir%\Tasks\At46.job | 418 bytes | MD5: 0x8A221331318A969185C4B9886B0AF17C; SHA-1: 0x9BC1840FE800A32E514B8D4FFB912DCEEA2CE058 | (not available)
45 | %Windir%\Tasks\At47.job | 418 bytes | MD5: 0x0D9D76FAC330F72FC2CE7113AD15B0D9; SHA-1: 0x0B78BA3CA378ECBFBD7B8D7065604A6476835D2C | (not available)
46 | %Windir%\Tasks\At48.job | 418 bytes | MD5: 0xB9610E27A993F5FBAE5C08A66B55397F; SHA-1: 0xB1C58AF8A365933A9CA7F7DB08E89E686323F93D | (not available)
47 | %Windir%\Tasks\At5.job | 416 bytes | MD5: 0xF6F43C153C876DF71485889F98CA5D93; SHA-1: 0x307CDD1890C2F82512A5E9FB635D8EDF5EDA0D6D | (not available)
48 | %Windir%\Tasks\At6.job | 416 bytes | MD5: 0x8D24A30BEC1A880729860F3D02B27881; SHA-1: 0xBCD31E8F26FF61325423672CD17855B2E83AFF30 | (not available)
49 | %Windir%\Tasks\At7.job | 416 bytes | MD5: 0x7F4E5CC544C6DC415AF02C917A44BB4F; SHA-1: 0x609A05019262790AFC8BA7E952A23B9667BD3F65 | (not available)
50 | %Windir%\Tasks\At8.job | 416 bytes | MD5: 0x55322247159CC87282F2868BE9429AFF; SHA-1: 0x0829E6C304E1F2D0A425591A56D642275EC6A062 | (not available)
51 | %Windir%\Tasks\At9.job | 416 bytes | MD5: 0x39AE5FB613C1ED4354597B1EBAFF713C; SHA-1: 0x7F1B1DABEED45CC7497E1DF6D96758E90B6B580F | (not available)

 

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 114,688 bytes

 

Registry Modifications

 

Other details

Remote Host | Port Number
192.221.113.105 | 80
204.0.5.42 | 80
208.66.66.71 | 80
216.34.207.177 | 80
50.17.225.137 | 80
50.19.134.115 | 80
64.208.138.109 | 80
64.208.138.218 | 80
64.94.107.35 | 80
66.135.202.211 | 80

 

Outbound traffic (potentially malicious)

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2013 ThreatExpert. All rights reserved.