Category: FILE
Started On: 2016-09-13 20:15:05.048942
Completed On: 2016-09-13 20:15:54.023572
Duration: 48 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo
Label: win7 Clone 1
Manager: VirtualBox
Started On: 2016-09-13 20:15:05
Shutdown On: 2016-09-13 20:15:51

File Details

File name: 1609c6da74e18dc3e0a6740bbdf980538929107b.zip
File size: 384519 bytes
File type: Zip archive data, at least v2.0 to extract
CRC32: C44F2218
MD5: 6d6859b3e244ad855e41cd96f4873acb
SHA1: 1609c6da74e18dc3e0a6740bbdf980538929107b
SHA256: b96bdc405cfc2c355f74d71425a25f7f1c76109da7dc7af7373207eb382337d2
SHA512: 0a86bec3a2b5081275dbd929450184d8e4fb7c6734ab632967abd02a9d7b982a4de06461e8b287fac63806b22cdded008e5f11efffdc1567e8d19cab9c14455b
Ssdeep: 6144:ODLSFZeKJd4EIwT+G/yi4rh/qxavtaIr9n9/yVrsfxLJ4Yc0VatNDK6/xi3L:ODEbJFPH/yisixkaIB9YIfxLGxSGNa
PEiD: None matched
Yara: None matched
VirusTotal: File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1473797757]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

Long_Alphanum_Exe_Name
dropper

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

d4995bae0b15a371_dp0g1hqklhnxaxzno2wm.exe

ed4eec7d0aef1d45_tswfzwdbvjgf

jayden.exe

Network Analysis

Hosts Involved

DNS Requests

Behavior Summary

File-Read
  • c:\Users\harry dresden\AppData\Local\Temp\jayden.exe
File-Written
  • C:\htcosrkasvj\dp0g1hqklhnxaxzno2wm.exe
  • C:\htcosrkasvj\tswfzwdbvjgf
  • C:\Windows\htcosrkasvj\tswfzwdbvjgf
File-Deleted
  • C:\htcosrkasvj\dp0g1hqklhnxaxzno2wm.exe
  • C:\Windows\htcosrkasvj\tswfzwdbvjgf
File-Opened
  • c:\Users\harry dresden\AppData\Local\Temp\jayden.exe
Directory-Created
  • C:\htcosrkasvj\
  • C:\Windows\htcosrkasvj\
Directory-Removed
  • C:\Windows\
Directory-Enumerated
  • C:\htcosrkasvj\dp0*
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ntdll.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\kernel32.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\Windows\LoadAppInit_DLLs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\KERNELBASE.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ntdll.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\kernel32.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\Windows\LoadAppInit_DLLs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\KERNELBASE.dll

Processes

C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Users\Harry Dresden\AppData\Local\Temp\jayden.exe" PID: 2464, Parent PID: 308

"C:\htcosrkasvj\dp0g1hqklhnxaxzno2wm.exe" PID: 560, Parent PID: 2464

Volatility

Nothing to display.