ThreatExpert Report: W32.Sality.AE, BackDoor-CEP.gen.a, BKDR

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 1 July 2012, 07:25:05
Processing time: 16 min 49 sec
Submitted sample:

File MD5: 0x64578017E58D76F557CF8C2B4D71503B
File SHA-1: 0x62FB348A1C6830294E3ED6DBAE2156E238B06852
Filesize: 160,123 bytes
Alias:

W32.Sality.AE [Symantec]
BackDoor-CEP.gen.a [McAfee]
BKDR_BIFROSE.SMA [Trend Micro]
Mal/Sality-D [Sophos]
Trojan.Win32.Midgare [Ikarus]
Win-Trojan/Midgare.30208 [AhnLab]

Summary of the findings:

What's been found	Severity Level
Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
Produces outbound traffic.
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\autorun.inf	221 bytes	MD5: 0x8CB52A2B235D817D5E97EEAF91BA485D SHA-1: 0x694FEEDC7DDF4742E579FAB6A4E29D3F3ACFC65C	W32/Autorun.worm!inf [McAfee] Mal/AutoInf-A [Sophos]
2	%AllUsersProfile%\svchost.exe	112,128 bytes	MD5: 0x9D3A392DA961BFA73278E43AD2210167 SHA-1: 0x674C32AC7ECCB63C96FF9798EEC64683580011A1	W32.Sality.AE [Symantec] W32/Sality.gen.z [McAfee] Mal/Sality-D [Sophos] Trojan.Win32.Spy [Ikarus] Win32/Kashu.E [AhnLab]
3	%AppData%\addons.dat	25,442 bytes	MD5: 0x242F5B3F55BCD11E76E11262D0F3A0FD SHA-1: 0xC203F1FEBE41EBB8A43B3D445542A52F617291D1	(not available)
4	%AppData%\audiomgr.exe	60,928 bytes	MD5: 0x749DF791A6B4AF69CD109CCAE0861726 SHA-1: 0x5974AD1CCE5119A1414EBB505B2CF5231D9D7887	Trojan.Gen.2 [Symantec] Generic BackDoor!1ut [McAfee] Backdoor.Win32.RDPopen [Ikarus]
5	%AppData%\hook.dll	19,456 bytes	MD5: 0x1A594FB1F5ACDE092D6BB77B77D57486 SHA-1: 0xB62118D65DD9ACF873C055AFA3F9CDB9CB57A850	Mal/PWS-I [Sophos] Trojan-Spy.Win32.Pophot [Ikarus]
6	%AppData%\msstart.exe	63,488 bytes	MD5: 0x8E3562E7644D8FDF133F5A3C1991ADD3 SHA-1: 0xD683F15FB2B5C82CDACDB4E535FE52B197F1A5D3	W32.Virut.CF [Symantec] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Trojan.Win32.VB [Ikarus]
7	%AppData%\Plug.bat	110 bytes	MD5: 0x65665C18A13B28554B34EBF4C5F75987 SHA-1: 0x1EFF465A0CF636ADAD3688A6ED77C17893BF0353	Generic BackDoor.se!bat [McAfee] Troj/Runstub-A [Sophos]
8	%AppData%\PluginDriver.exe	53,760 bytes	MD5: 0xFAE2277FD36D99BE985D3613F90230EC SHA-1: 0xF79AFF0BBD7B3FFBA7DDF9C5EF28E1A47ED04BD5	W32.Virut.CF [Symantec] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Backdoor.Win32.VB [Ikarus]
9	%AppData%\s4clak.exe	35,840 bytes	MD5: 0x42A516255168F18CC7A5746C8566A584 SHA-1: 0xD410B5E5AF327250EEB5B08333278018928C72AE	Trojan.Gen [Symantec] Generic BackDoor!1ut [McAfee] Backdoor.Win32.RDPopen [Ikarus]
10	%AppData%\tnsb	16 bytes	MD5: 0x9EBB82399CDAE5748093C187A473468E SHA-1: 0x666653C6E4D336FFD837FF4DB8A8BE46ACFEB30A	(not available)
11	%AppData%\tonysba.exe	59,392 bytes	MD5: 0xC659637FD5BAA9C94A7E61F4B44DE4BC SHA-1: 0x9651DB7F80E618C527A5BD59885CF419115D70B1	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Trojan-Downloader.Win32.Genome [Ikarus]
12	c:\pbwb.exe	130,787 bytes	MD5: 0x2B16D33A42BE58F30B5F9BA4D8F88D37 SHA-1: 0x0870795B63F3AA8FC266CF16F2CA56A02A61FCC4	W32.Sality!dr [Symantec] Virus.Win32.Sality.bh [Kaspersky Lab] W32/Sality.gen.z [McAfee] Mal/Sality-D [Sophos] Trojan.Sality [Ikarus] Win32/Kashu.E [AhnLab]
13	%ProgramFiles%\Bifrost\server.exe [file and pathname of the sample #1]	160,123 bytes	MD5: 0x64578017E58D76F557CF8C2B4D71503B SHA-1: 0x62FB348A1C6830294E3ED6DBAE2156E238B06852	W32.Sality.AE [Symantec] Backdoor.Win32.Bifrose.fxv [Kaspersky Lab] BackDoor-CEP.gen.a [McAfee] BKDR_BIFROSE.SMA [Trend Micro] Mal/Sality-D [Sophos] Trojan.Win32.Midgare [Ikarus] Win-Trojan/Midgare.30208 [AhnLab]
14	%System%\nwcwks.dll	8,192 bytes	MD5: 0x560F8147E9BB5A728D8715120D2F7E7F SHA-1: 0xBBE08F172EAE8F6E49A6E1B8BB121816C326F8E3	Trojan.Gen [Symantec] Generic BackDoor.s [McAfee] Troj/Inject-OJ [Sophos] Trojan.Win32.Inject [Ikarus]
15	%Windir%\Temp\datafile1	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
16	%Windir%\Temp\VRT1.tmp	204 bytes	MD5: 0x720462F5E2A2CAC1C18F229F923428A3 SHA-1: 0x55332D5A6782EE80B76E410624B217D38FF748A5	(not available)
17	%Windir%\Temp\VRT2.tmp	8,192 bytes	MD5: 0x00531FC563A3AFBA4E39AF9F1BA160CC SHA-1: 0x864385CE1F464A620A5B4E761119B4B58517C858	Generic.tfr!cm [McAfee] Trojan-PWS.Win32.VB [Ikarus]
18	%Windir%\Temp\VRT3.tmp	13,824 bytes	MD5: 0xFF5F5BC2340A93642E0CA8D336255139 SHA-1: 0xD0F7AE09770E487F2A7C0F829DCBB7E37925E444	Trojan.Gen.2 [Symantec] Backdoor-FGP [McAfee] Mal/Generic-L [Sophos] Trojan.Win32.Spy [Ikarus]
19	%Windir%\Temp\VRT5.tmp %Windir%\VRT5.tmp	153,600 bytes	MD5: 0xCA9F262EDE523369B5338E49E23F9705 SHA-1: 0x54C54CAEFD5C9DD4320B781D25C760EFE9804B91	Trojan.Gen.2 [Symantec] Generic.dx!b2ux [McAfee] Trojan.SuspectCRC [Ikarus]

Notes:

%AllUsersProfile% is a variable that specifies the all users' profile folder. By default, this is C:\Documents and Settings\All Users (Windows NT/2000/XP).
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directory was created:

%ProgramFiles%\Bifrost

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tbsolute
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
HKEY_LOCAL_MACHINE\SOFTWARE\mdlwe42dgd
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSHOST_MANAGER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSHOST_MANAGER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_AMSINT32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_AMSINT32\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPFILTERDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPFILTERDRIVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSHOST_MANAGER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSHOST_MANAGER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NWCWORKSTATION
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NWCWORKSTATION\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\amsint32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\amsint32\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Mshost Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Mshost Manager\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation\Security
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
HKEY_USERS\.DEFAULT\Software\tcpudp
HKEY_USERS\.DEFAULT\Software\tnsbinstalled
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib
HKEY_CURRENT_USER\Software\Apcrmkeh
HKEY_CURRENT_USER\Software\Apcrmkeh\-72398023
HKEY_CURRENT_USER\Software\Bifrost

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}]

stubpath = "%ProgramFiles%\Bifrost\server.exe s"

so that server.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

Use FormSuggest = "yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

UacDisableNotify = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

AntiVirusOverride = 0x00000001
AntiVirusDisableNotify = 0x00000001
FirewallDisableNotify = 0x00000001
FirewallOverride = 0x00000001
UpdatesDisableNotify = 0x00000001
UacDisableNotify = 0x00000001

to disable notification of firewall, antivirus and/or update status through the Windows Security Center

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

EnableLUA = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

SunJavaUpdateSched = "%AllUsersProfile%\svchost.exe"
Mshost Manager = "%AppData%\msstart.exe"

so that svchost.exe runs every time Windows starts

so that msstart.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]

Auto = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tbsolute]

values = 2A 3D F7 67 64 67 67 67 63 67 67 67 98 98 67 67 DF 67 67 67 67 67 67 67 27 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 66 67 67 69 78 DD 69 67 D3 6E AA 46 DF 66 2B AA 46 33 0F 0E 14 47 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost]

nck = ED 1B E6 27 B9 28 D6 32 74 C3 CD 74 FA 93 5B 67

[HKEY_LOCAL_MACHINE\SOFTWARE\mdlwe42dgd]

mdlwe42dgdpath = "%AppData%\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32\0000]

Service = "amsint32"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "amsint32"
Capabilities = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER\0000]

Service = "IpFilterDriver"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "IP Traffic Filter Driver"
Capabilities = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSHOST_MANAGER\0000]

Service = "Mshost Manager"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Mshost Manager"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSHOST_MANAGER]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000]

Service = "NWCWorkstation"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Client Service for NetWare"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32]

Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\ghmmm.sys"
DisplayName = "amsint32"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%AppData%\Plug.bat"
DisplayName = "Mshost Manager"
ObjectName = "LocalSystem"
Description = "Provides network host signaling and local traffic control setup functionality for network programs and control applets."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters]

ServiceDll = "%System%\nwcwks.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation]

Type = 0x00000020
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = "Client Service for NetWare"
ObjectName = "LocalSystem"
Description = "Provides access to file and print resources on NetWare networks."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_AMSINT32\0000]

Service = "amsint32"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "amsint32"
Capabilities = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_AMSINT32]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPFILTERDRIVER\0000]

Service = "IpFilterDriver"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "IP Traffic Filter Driver"
Capabilities = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPFILTERDRIVER]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSHOST_MANAGER\0000]

Service = "Mshost Manager"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Mshost Manager"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSHOST_MANAGER]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NWCWORKSTATION\0000]

Service = "NWCWorkstation"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Client Service for NetWare"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NWCWORKSTATION]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\amsint32\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Germany
	China

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
114.112.255.81	80
188.121.230.65	81

The following HTTP URL was started reading:

http://absurdistan.unas.cz/xs.jpg?6806d=2556558

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 80:

There was an outbound traffic produced on port 81:

00000000 | E400 0000 994F B974 E275 940A 5AF2 F543 | .....O.t.u..Z..C
00000010 | D4A2 695F 7622 8E4A 0E12 1387 DBE6 3221 | ..i_v".J......2!
00000020 | 246A 8298 ED4F 5982 F8F5 80A0 25AE 7FE5 | $j...OY.....%...
00000030 | 17AD 2B9B E826 5775 8D89 0C4C C223 4B26 | ..+..&Wu...L.#K&
00000040 | 1D0B 6642 D4D7 D6F7 5944 162A 8C69 4EE0 | ..fB....YD.*.iN.
00000050 | 98D2 29C6 104A 1B3E 87E3 13E6 4193 46B1 | ..)..J.>....A.F.
00000060 | 84FF BD98 2964 EC67 66F4 2EBB 9A90 4D9A | ....)d.gf.....M.
00000070 | 714F 4DA5 BDB6 9B00 6FAD 6E36 F8DC 0513 | qOM.....o.n6....
00000080 | 33C7 21E0 64A8 6DF6 2CD1 0A1E 8046 02E5 | 3.!.d.m.,....F..
00000090 | 08FC AC31 7FF8 25C4 3D44 8BF5 6ADB B0FA | ...1..%.=D..j...
000000A0 | 4359 00DF 908A 07F6 9D92 5ED3 B92E D8A7 | CY........^.....
000000B0 | B690 E230 D33D C859 869A 708B 0388 25E7 | ...0.=.Y..p...%.
000000C0 | 5B03 C118 244E 77DC A6D2 62F9 8CE5 BCCF | [...$Nw...b.....
000000D0 | 7BBD A8D7 3A16 22AC B144 76D1 7019 357E | {...:."..Dv.p.5~
000000E0 | 0066 E111 1A1B E72A 0A00 0000 F948 B476 | .f.....*.....H.v
000000F0 | B070 9A02 08C3 0A00 0000 9AE0 3956 CC95 | .p..........9V..
00000100 | A230 74C3 0A00 0000 9AB3 E656 CCDB 0A33 | .0t........V...3
00000110 | 74C3 0A00 0000 9A80 FE56 CC8F 6233 74C3 | t........V..b3t.
00000120 | 0200 0000 EF7E 0200 0000 8A7E 0400 0000 | .....~.....~....
00000130 | F44F FC46                               | .O.F

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.