Description

Timeline

Thu Sep 17 10:46:37 CEST 2015

started win3

Thu Sep 17 10:50:07 CEST 2015

infected

Fri Sep 25 10:49:50 CEST 2015

We copied some fake documents in C:/Users/Administrator/Documents/ of the Administrator user to see if the malware is doing something with them. We copied using the shared folders, so no traffic was generated.

Fri Sep 25 13:04:01 CEST 2015

Up to now, nothing new has happened.

Fri Sep 25 13:04:31 CEST 2015

I rebooted the VM to see if something new would happen.

Wed, 14 Oct 2015 10:46:32 GMT

This is the time of the last communication with the CC. From this moment on, no packets were sent.

I will reboot the machine now to see what happens.

Thu Oct 15 12:07:22 CEST 2015

Rebooted the VM.

After the reboot it started working again. Not sure what happened.

Thu Oct 22 18:50:00 CEST 2015 (approx.)

VM stopped.