Submission Summary:

What's been foundSeverity Level
Produces outbound traffic.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Threat CategoryDescription
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment


File System Modifications

#Filename(s)File SizeFile HashAlias
1 %AppData%\{cbf70787-72f9-b6ef-7e3c-8c19ccb74892}\@ 2,048 bytes MD5: 0x28D818A98C170BCA1E8D5ECD19993B12
SHA-1: 0x3C4B183D632E15585D844E656FD8ADD488971079
(not available)
2 %AppData%\{cbf70787-72f9-b6ef-7e3c-8c19ccb74892}\n
52,224 bytes MD5: 0x834ED66B186BB59FD97AEE0BCDD81244
SHA-1: 0x768763EEC7D21EB1460174C2A7C29A1F7647838C
(not available)
3 %Windir%\Installer\{cbf70787-72f9-b6ef-7e3c-8c19ccb74892}\@ 2,048 bytes MD5: 0x30ED21DF1ED97535DDBE997C2F9C5EB5
SHA-1: 0x4EA798487870CE2B937E506A79697CCFE46E8B94
(not available)
4 %Windir%\Installer\{cbf70787-72f9-b6ef-7e3c-8c19ccb74892}\U\00000001.@ 1,648 bytes MD5: 0x97054DA52301ECE758C26F5FE2682426
SHA-1: 0x0C891110EA841F1AE8A0263D743F34B431EC9031
ZeroAccess [McAfee]
Trojan.Win32.Small [Ikarus]
5 %Windir%\Installer\{cbf70787-72f9-b6ef-7e3c-8c19ccb74892}\U\80000000.@ 12,288 bytes MD5: 0x1BF005160D6C0469601128D75E8A0044
SHA-1: 0x4F83372BD54AB7BFDB4A153488F820CF00C7A89B
Trojan.Gen.2 [Symantec] [McAfee]
Trojan.Win32.Sirefef [Ikarus]
6 %Windir%\Installer\{cbf70787-72f9-b6ef-7e3c-8c19ccb74892}\U\800000cb.@ 18,944 bytes MD5: 0x7A83211285E4233E23C3C3BE3AF0010D
SHA-1: 0xA0E438BA0A1C3427E2FFA0DAF2749840C664D2DC
Trojan Horse [Symantec] [McAfee]
Trojan.Win32.Sirefef [Ikarus]
7 [file and pathname of the sample #1] 186,880 bytes MD5: 0xED56383BEC2201CFAFA38BEDF8950CFB
SHA-1: 0x9444BE15314189E9628A14B4BB0E108FC13DDD31
(not available)


Memory Modifications

Process NameProcess FilenameAllocated Size
services.exe%System%\services.exe28,672 bytes
services.exe%System%\services.exe40,960 bytes
services.exe%System%\services.exe36,864 bytes
IEXPLORE.EXE%ProgramFiles%\internet explorer\iexplore.exe307,200 bytes

Module NameModule FilenameAddress Space Details
n%System%\nProcess name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x45670000 - 0x45680000

Service NameDisplay NameNew StatusService Filename
ALGApplication Layer Gateway Service"Stopped"%System%\alg.exe


Registry Modifications


Other details

Remote HostPort Number


Outbound traffic (potentially malicious)



All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2015 ThreatExpert. All rights reserved.