ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 26 June 2012, 00:55:12
Processing time: 13 min 57 sec
Submitted sample:

File MD5: 0x436D6024DF585920BFFCB0B2E3EB6CE7
File SHA-1: 0x4FAA7FEB10E47A09D5B10E178CC6A15721DB2F0C
Filesize: 3,991,881 bytes

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	[pathname with a string SHARE]\audcache	1,572,896 bytes	MD5: 0x824C32CE09F03D5EB04B2061E623A887 SHA-1: 0x64BAF78E4DEF94714466EF29372592C197BB3428
2	[pathname with a string SHARE]\audfilter.dat [pathname with a string SHARE]\lmcache.dat [pathname with a string SHARE]\ntcache.dat	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
3	[pathname with a string SHARE]\wavesup3.drv %System%\mssecmgr.ocx	6,166,528 bytes	MD5: 0xBDC9E04388BDA8527B398A8C34667E18 SHA-1: 0xA592D49FF32FE130591ECFDE006FFA4FB34140D5
4	[pathname with a string SHARE]\wpgfilter.dat	4,515,407 bytes	MD5: 0x8C356A5C63CAA9578A265E34445F1684 SHA-1: 0xE996D65B403D5C562BC1624230541884A2ED2ABD
5	%Windir%\Ef_trace.log	853 bytes	MD5: 0x72E98E0168750280942C23110FBCB8A8 SHA-1: 0xC71A2F20954E70C45004601C17AF334D7CD52157
6	[file and pathname of the sample #1]	3,991,881 bytes	MD5: 0x436D6024DF585920BFFCB0B2E3EB6CE7 SHA-1: 0x4FAA7FEB10E47A09D5B10E178CC6A15721DB2F0C

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directory was created:

[pathname with a string SHARE]\MSAudio

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
iexplore.exe	%ProgramFiles%\Internet Explorer\iexplore.exe	102,400 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	151,552 bytes
[generic host process]	[generic host process filename]	45,056 bytes

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
[generic host process filename] is a full path filename of [generic host process].

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
services.exe	%System%\services.exe	303,104 bytes

Registry Modifications

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]

wave8 = ""
wave9 = "c:\progra~1\common~1\micros~1\msaudio\wavesup3.drv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit]

DefaultIdentifier = 0x000013B1
LastUsedIdentifier = 0x000200F2
DefaultEnvironment = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation]

StandardSize = 0xC58C2AF7

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]

StandardSize = 0xC58C2AF7

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

Session\0\TH_POOL_SHD_PQOISNG_1032SYNCMTX
c__program files_common files_microsoft shared_msaudio_audcache
DVAAccessGuard51EF43_ST_2314007819
Session\0\TH_POOL_SHD_PQOISNG_1336SYNCMTX
DVAAccessGuard51EF43_ST_1523941429
_SHuassist.mtx
c__program files_common files_microsoft shared_mssecuritymgr_ssitable
DVAAccessGuard51EF43_ST_4009247439
__fajb3_i_h_s_p__
__fajb2_vz35__

The following Host Name was requested from a host database:

0.0.0.0

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
windowsupdate.microsoft.com	80	(null)	(null)
traffic-spot.com	443	(null)	(null)

The following GET request was made:

index.html

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 443:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.