Category FILE
Started On 2016-09-30 13:55:05.416709
Completed On 2016-09-30 13:55:49.956411
Duration 44 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo
Label win7 Clone 1
Manager VirtualBox
Started On 2016-09-30 13:55:06
Shutdown On 2016-09-30 13:55:49

File Details

File name 081f46a879da4d9e79a346ff73ead30b644d4a96.zip
File size 11245231 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 2FBF3854
MD5 cd2ab92773152419b00fa6b4bc0ec8d8
SHA1 081f46a879da4d9e79a346ff73ead30b644d4a96
SHA256 5d7d0526b905ac545c7a58d189966028d36dc75202aa2cf0395f9e83887d7867
SHA512 78f7770dc193d48e6278dc5155b995a3267bb21b3d8b44d296dbfd14cfa7cd36d595cfdce6f4c143a345e41eda1fe3a4170c8b8b230c8cb64fb3d652948c02da
Ssdeep 196608:JdVTPgNRYWCAivNMCtqCZFZUdFaAGm3ssTvLvc0vQeWeFZ8Ylud/eaYPWWuSkyTD:JddINaWfivNNcaAU6LkVGlE2uSkyTD
PEiD None matched
Yara
  • shellcode (Matched shellcode byte patterns)
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=2, VT[1475243759]=0): Snort Events=0, AV Events=0
Total Score=75

Dropped File/Buffer Yara Signatures:
LavasoftTcpService.exe: Str_Win32_Winsock2_Library


Zipped File Yara Signatures:
Application/Lavasoft.WebBar.UI.dll: Str_Win32_Wininet_Library
Application/BCUEngineS.dll: Str_Win32_Winsock2_Library
Application/BCUSDK.dll: Str_Win32_Winsock2_Library

Signatures

  • recon_fingerprint
  • antivm_memory_available
  • antiav_detectfile

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

0aed326daf713eff_lavasofttcpservicer.log

LavasoftTcpService.exe

Network Analysis

Hosts Involved

DNS Requests

Behavior Summary

File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\LavasoftTcpServicer.log
File-Opened
  • C:\Users\Harry Dresden\AppData\Local\Temp\LavasoftTcpServicer.log
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LavasoftTcpService
  • HKEY_CURRENT_USER\AppID\{2CE0F1DC-C504-4B7B-A385-D94A2531DFFB}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  • HKEY_CLASSES_ROOT\AppID
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity

Processes


C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Users\Harry Dresden\AppData\Local\Temp\TcpService\2.3.4.7\LavasoftTcpService.exe" PID: 3516, Parent PID: 4148

Volatility

Nothing to display.