Category | Started On | Completed On | Duration | Cuckoo Version
FILE | 2016-09-23 02:05:05.246105 | 2016-09-23 02:07:26.396492 | 141 seconds | 2.0-dev
Machine | Label | Manager | Started On | Shutdown On
win7cuckoo | win7 Clone 1 | VirtualBox | 2016-09-23 02:05:05 | 2016-09-23 02:07:25
File Details
File name | 499b79a8c5a254826b50208013e1a6cd6aec4041.zip
File size | 10902 bytes
File type | Zip archive data, at least v2.0 to extract
CRC32 | 68AC83D9
MD5 | 35dd2257159543f5d52a60006feb85d9
SHA1 | 499b79a8c5a254826b50208013e1a6cd6aec4041
SHA256 | 2a749e52594b417384a005134603346c665ead501640a21147d1ea9514604d11
SHA512 | 61f69be54bf2d762513f27c442961e1b3dbd85b5ef76dfd0a54aae09185ab79ebdd32ee90b95d01aecc552e7d4c72c129a80fd2a145c8254e36c16fe2ac586d4
Ssdeep | 192:ZEjyu6fCCf3QPWF6HYy6Bc8tugH9nEftpNpFucVGJIqlcNaa74Tw3KeRNuTz7U6k:JCCfJkHYyGc8f9Eftz/BqyEaNHRKPUJ
PEiD | None matched
Yara |
VirusTotal | File not found on VirusTotal
Signatures
recon_fingerprint | Collects information used to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
antivm_memory_available | Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available
dumped_buffer | One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
antivm_network_adapters | Checks adapter addresses, which can be used to detect virtual network interfaces
Windows_Proxy_Tinkering | Accesses or modifies proxy settings
network_wscript_downloader | Wscript.exe initiated network communications indicative of a script-based payload download
malicious_document_urls | Potentially malicious URL found in document
network_document_file | Network communications indicative of a potential document or script payload download were initiated by the process wscript.exe
Screenshots
No screenshots available.
Static Analysis
Nothing to display.
Dropped Files
File name | 1fb9f339b6cb2147_jq2sklh7y
File size | 207992 bytes
File type | Sendmail frozen configuration - version \202\006\003fF\0101\300\271\342\204'\023\234\341\020\205\265
MD5 | 07930a93b7232893457e53d0961a1c45
SHA1 | f23ee12e16b972198e6ab003a587ae185524a07a
SHA256 | 1fb9f339b6cb21473d5a87889b5f145902315e16307bd38ec5ce624104b3fc2b
SHA512 | acbe36a556f8c9c7bc862448a7907e87687b19c9f87d90efce7dcd2d94c07f254751efd0cb7ce4f9c1690e949ae132757f3d58f083ace86bcac2cc452fb9d276
Ssdeep | 3072:nDDRHxN6aA/L10AiD1m5484RKfYU6V/SJRJE73uqQt93XonZWhgD5EyTbKcwEemm:n1xm0AP4CTc/SJTCQt9nRO5EyTbKE0
Yara | None matched
File name | delivery details scan A05C0.js
File size | 62682 bytes
File type | ASCII text, with very long lines
MD5 | 018b0f5621c8db5478f742ed78783271
SHA1 | f295db7385e2938dec9883863c5f603a07690930
SHA256 | ff77a8f390f02fd11cc85425aeab720d16f872c8d3379f2b51430db4adeb8768
SHA512 | 04ee967c33b44dbfa99d69f170c66f4113d502442fcda5f07b35fb3e938f4036686641b5be8ebf507184cb76c4300b92462fb3a3504ce2e2920bd334172b0cbb
Ssdeep | 384:4zfpOW7dPz4s+9cAmA4tE3F9qV6QJ9nH6o3PscwaB:Sfp5Pz4hytE3F9qVJJ9nHR3PdwaB
Yara | None matched
Network Analysis
Domain | IP Address
dns.msftncsi.com | 131.107.255.255
onmunrebut.com | 190.147.38.2
settings-win.data.microsoft.com | 64.4.54.253
teredo.ipv6.microsoft.com | 67.195.61.46
vortex-win.data.microsoft.com | 64.4.54.254
crl.microsoft.com | 70.186.27.32
ctldl.windowsupdate.com | 70.186.27.16
ipv6.msftncsi.com |
www.microsoft.com | 104.75.131.184
URL | Data
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl |
    GET /pkiops/crl/MicSecSerCA2011_2011-10-18.crl HTTP/1.1
    Cache-Control: max-age = 572
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 12 May 2016 02:00:44 GMT
    If-None-Match: "202c18f2abd11:0"
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
http://onmunrebut.com/24hydk |
    GET /24hydk HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: onmunrebut.com
    Connection: Keep-Alive
Volatility
Nothing to display.