'
metaflows logo
Category Started On Completed On Duration Cuckoo Version
FILE 2016-08-22 13:35:09.057325 2016-08-22 13:37:46.006314 156 seconds 2.0-dev
Machine Label Manager Started On Shutdown On
win7cuckoo win7 Clone 1 VirtualBox 2016-08-22 13:35:09 2016-08-22 13:37:44

File Details

File name 2d68afd031c5f91c39df1e37ee7bcbbad6d178e9.zip
File size 1547346 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 C8E6FB07
MD5 bf9a1aebb8601fb38a23c474d90d0f4a
SHA1 2d68afd031c5f91c39df1e37ee7bcbbad6d178e9
SHA256 670e8146ecc065a34442487508b5111229206a953b465fbe20a745d7971043e5
SHA512 2fa396e11af94eb92f5b64b041d10d19fbb90cd7b550b307cc5ce3aa224cc9af65f46496098a3e3df4a1f353f1af461b3be0d951d43af0e87353e5a86021f808
Ssdeep 24576:QinTVjrmUmEb8SDhLzXT/ax+No11sw9neL5JKeSD91wrrmjXAZhVDXm+1cb:QyN5mZ2h/XT/akks4gXt9M
PEiD None matched
Yara None matched
VirusTotal Permalink
VirusTotal Scan Date: 2016-08-20 21:23:56
Detection Rate: 1/56 (Expand)

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1471873097]=0): Snort Events=0, AV Events=0
Total Score=75

Zipped File Yara Signatures:
PUTTY.CNT: Str_Win32_Winsock2_Library
PLINK.EXE: Str_Win32_Winsock2_Library
PUTTY.HLP: Str_Win32_Winsock2_Library
PSCP.EXE: Str_Win32_Winsock2_Library
PUTTY.EXE: Str_Win32_Winsock2_Library
PSFTP.EXE: Str_Win32_Winsock2_Library

Signatures

infostealer_ftp details
detect_putty details

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

PUTTYGEN.EXE

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Windows\Fonts\staticcache.dat
File-Opened
  • C:\Users\Harry Dresden\AppData\Local\Temp\PUTTY.CHM
  • C:\Users\Harry Dresden\AppData\Local\Temp\PUTTY.HLP
  • C:\Users\Harry Dresden\AppData\Local\Temp\PUTTY.CNT
  • C:\Windows\Fonts\staticcache.dat
Directory-Enumerated
  • C:\Windows\*
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing
  • HKEY_CURRENT_USER\Software\SimonTatham\PuTTY
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\PUTTYGEN.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorUseSystemHeap
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorSystemHeapIsPrivate
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2

Processes

registry filesystem process services network synchronization

C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Users\Harry Dresden\AppData\Local\Temp\PUTTYGEN.EXE" PID: 3760, Parent PID: 4908

Volatility

Nothing to display.