Category: FILE
Started On: 2016-09-13 06:21:10.075998
Completed On: 2016-09-13 06:24:00.955815
Duration: 170 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo2
Label: win7 Clone 2
Manager: VirtualBox
Started On: 2016-09-13 06:21:12
Shutdown On: 2016-09-13 06:23:59

File Details

File name aeafb2686650395bc7a9efc6c3ae241b3474b108.exe
File size 21967704 bytes
File type PE32 executable for MS Windows (GUI) Intel 80386 32-bit
CRC32 C5E46E5B
MD5 e2126908b125d9e8bb6e345d18ef07c5
SHA1 aeafb2686650395bc7a9efc6c3ae241b3474b108
SHA256 7c56818acd4f14fe876f63605c17d068da7592633422400076563f370ad14da6
SHA512 5b616c2123524cebd52712cc1d9c135c0f2d699afd1b897f1f94c271c30ea8441c9c4a1867f797429b7c4ed4696f5b381fca5cd46e8922eb7787425f148855f3
Ssdeep 393216:RlUMo0W81mhInyXy/FRPpG/v3rzu+96/5aUJESdX1jbNXVfmHmJEl0J:40W8hn5RBG/Przu+9q1OSbbNymJE+
PEiD None matched
Yara
  • Str_Win32_Winsock2_Library (Match Winsock 2 API library declaration)
  • Str_Win32_Wininet_Library (Match Windows Inet API library declaration)
  • Str_Win32_Http_API (Match Windows Http API call)
  • vmdetect (Possibly employs anti-virtualization techniques)
VirusTotal VirusTotal lookup disabled, add your API key to the module

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=8, VT[1473747945]=0): Snort Events=19, AV Events=0
Total Score=75

SNORT EVENTS:
ETPRO MALWARE W32/Kingsoft Checkin
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET INFO Packed Executable Download
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)

Dropped File/Buffer Yara Signatures:
94f9b424d7e4bf9b_kcmpp.exe: GenerateTLSClientHelloPacket_Test
7f92709f9102c055_kisfdpro64.dll: Str_Win32_Wininet_Library
2a1e856aa151a0de_ksdectrl.dll: Str_Win32_Winsock2_Library
7a2bed0546612d15_kupdata.exe: Str_Win32_Winsock2_Library
64cd05e1322c83cd_kstools.dll: Str_Win32_Winsock2_Library
63e7470143dcd1b2_ksbwdet2.dll: Str_Win32_Winsock2_Library
44ee0a5fb1fce9c0_kxe2tray.exe.bak: Str_Win32_Winsock2_Library
87d2689d060ee5c5_kinst.exe: Str_Win32_Winsock2_Library
12e241b21fd8a9a7_lblocker.dll: GenerateTLSClientHelloPacket_Test
25f4afb2a0f7c068_ksreng3.dll: Str_Win32_Winsock2_Library
6469597ef60862bb_kxesansp.dll: Str_Win32_Wininet_Library
fe68087b3f822834_ks3rdhmpg.dll: Str_Win32_Wininet_Library
0e9c276248c2ba38_kscanner.dll: Str_Win32_Winsock2_Library
b7e1d0e51a014201_kxe2score.exe.bak: Str_Win32_Winsock2_Library
c7f8a5e4cb8f6c79_ksscore.dll: Str_Win32_Winsock2_Library
874c703c7f08a785_kdefendpop.dll: Str_Win32_Winsock2_Library
68ca5d10d32a1cf5_ksdecs.dll: Str_Win32_Winsock2_Library
bc51e8ad954fd22e_kspupwnd.dll: Str_Win32_Winsock2_Library
514595069cf21e6e_kis2live.exe.bak: Str_Win32_Winsock2_Library
f49e4e861c7fd148_ks3rdhmpg64.dll: Str_Win32_Wininet_Library
ecafa835206d9fcb_kfcdetect.dll: Str_Win32_Winsock2_Library
48dc0cfdf9024840_krcmdbase.dll: Str_Win32_Winsock2_Library
07701312e91df4e8_kswscxex.dll: Str_Win32_Winsock2_Library
1da9261ffae16ba0_klengine.dll: Str_Win32_Winsock2_Library
55f5704fb33835d7_netbuyprot.dll: Str_Win32_Wininet_Library
1cd38317b93fd576_kcddltool.exe: Str_Win32_Winsock2_Library
4d6b72d6b85cd0f9_kwhrequestor.dll: Str_Win32_Winsock2_Library
dc8c4db1daaca0a2_ktoolupd.dll: Str_Win32_Winsock2_Library
2ac3a3f70b16c6bb_knetworkpanel.dll: Str_Win32_Winsock2_Library
8538ff2ffe9ba319_uni0nst.exe: Str_Win32_Winsock2_Library
88d13ec52f8ff6f1_kswebshield.dll: Str_Win32_Winsock2_Library
f52443f43d2018d9_kshmpg.dll: Str_Win32_Winsock2_Library
9c5078a7dfe3fd9c_ksysopteng.dll: Str_Win32_Winsock2_Library
47da0d5e797d976b_ks3rdhmpg32.dll: Str_Win32_Wininet_Library
2fe2b0b9280adcc5_defendmon.dll: Str_Win32_Winsock2_Library
ee544d1d9d0a8178_sqlite.dll: with_sqlite
3c962994899b9195_kwssp.dll: Str_Win32_Winsock2_Library
796bdab0baed2d50_kfloatmain.dll: Str_Win32_Winsock2_Library
2383b5c746117244_kcctrl.dll: Str_Win32_Winsock2_Library
7cb3ea72f25b43da_kupdatesp.dll: Str_Win32_Winsock2_Library
95868a4a9c6ca4ca_ktrashscan.dll: Str_Win32_Winsock2_Library
ef81bd9b59eac3c5_kdgui2.dll: Str_Win32_Winsock2_Library
7241e28894565061_kcleaner.exe: Str_Win32_Winsock2_Library
8c8e81693e880a262e7c378e95763fff405c2699 [BUFFER]: embedded_pe
8c8e81693e880a262e7c378e95763fff405c2699 [BUFFER]: shellcode
ea997b0a23c7909e6bb15f18ec42011365ee60b5 [BUFFER]: embedded_win_api

Signatures

  • antivm_queries_computername
  • has_pdb
  • locates_browser
  • antivm_memory_available
  • dumped_buffer
  • av_detect_china_key
  • antivm_disk_size
  • creates_service
  • process_interest
  • antiav_detectfile
  • antiav_detectreg
  • antivm_generic_cpu
  • banker_zeus_p2p

Screenshots

No screenshots available.

Static Analysis

Version Infos

Sections

Resources

Imports

Strings