| Category | Started On | Completed On | Duration | Cuckoo Version |
|---|---|---|---|---|
| FILE | 2016-12-01 21:25:06.611366 | 2016-12-01 21:27:12.081602 | 125 seconds | 2.0-dev |

| Machine | Label | Manager | Started On | Shutdown On |
|---|---|---|---|---|
| win7cuckoo | win7 Clone 1 | VirtualBox | 2016-12-01 21:25:06 | 2016-12-01 21:27:11 |
File Details

| Field | Value |
|---|---|
| File name | 0f5c620cc7de348333769e909a77c42e1497f502.zip |
| File size | 2750 bytes |
| File type | Zip archive data, at least v2.0 to extract |
| CRC32 | 4AAEDD22 |
| MD5 | 8460f17f21843ee99ea44af407914257 |
| SHA1 | 0f5c620cc7de348333769e909a77c42e1497f502 |
| SHA256 | 52d5ec0137dc01ae1cadef9bfb2fd542ef4e2261074e7fb43844559688cd7087 |
| SHA512 | 435c5093e1af83872e6040cfd5860426e16b103cfd77c0c09b3b8f0c29ec74073f8017120399b7208e63522cb8fcdec1f6d4fc30c24c72fb5310a6e86869d0cf |
| Ssdeep | 48:9HB8M8LPByak6LbbSv0KRrRMDVmj1Ygnf3/H2maiS0VdZd2QiSO5UbqG5hcth+V1:FBurBEvHHUm+gnv+Wzs5UvhXs7BFm |
| PEiD | None matched |
| Yara | |
| VirusTotal | File not found on VirusTotal |
Signatures

- recon_fingerprint: Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
- antivm_memory_available: Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available
- dumped_buffer: One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
- antivm_network_adapters: Checks adapter addresses which can be used to detect virtual network interfaces
- dumped_buffer2: One or more of the buffers contains an embedded PE file
- Windows_Proxy_Tinkering: Accesses or modifies proxy settings
- network_wscript_downloader: Wscript.exe initiated network communications indicative of a script based payload download
- persistence_ads: Creates an Alternate Data Stream (ADS)
- malicious_document_urls: Potentially malicious URL found in document
- network_document_file: Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe
Screenshots
No screenshots available.
Static Analysis
Nothing to display.
Dropped Files

| Field | Value |
|---|---|
| File name | a84d21d74f0c1cf3_zjmpwcxpckpv.zk |
| File size | 149337 bytes |
| File type | PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit |
| MD5 | c8ac6f144b855d8cdee9636282cdafb4 |
| SHA1 | 985aeee9876486dddff6543362f9d2edf6925b36 |
| SHA256 | a84d21d74f0c1cf32e92192bde2d354b6cbb6107c03aa342028840a60e2e1874 |
| SHA512 | 9f0c6d1b01df9c379e710dd09885be7fc73247508b2203451327db68911f9c84bb57d1026fdaf426e3541c841072ad29092eb0c6bfe4374767b9e5b27680c68a |
| Ssdeep | 3072:Uv+c1pFGZ3oaDag4FforWIZc8pxSMIQUycKmVLQ8Ax4nEnjC/P:Uv+c1pODagAQr/ZcChIQUswQWEGH |
| Yara | None matched |

| Field | Value |
|---|---|
| File name | cc6a5ad2dce405b9_7mo0pu9nzq[1].txt |
| File size | 149337 bytes |
| File type | data |
| MD5 | c2e4c07892d5e82285c1d2ce0128601e |
| SHA1 | 2892cf1b7c1f92750bbfba46bee41ba926880294 |
| SHA256 | cc6a5ad2dce405b9130ef126c0b0895c488082f5477fc61e993dbaeeb4d29b00 |
| SHA512 | eed4666c19afdc52b89501010cd8af58930dad13090570f42043de24a224dea553e1cddc2465612555e8ad4f5ddd291e12a683a34cf7a61ae5867e5f9cf6fefb |
| Ssdeep | 3072:nNqz4ZenUEX9a064eiEMfODWNjfJXXNXtTtUO8GqJE1Ew:nNOxUEX9a0WiEqQ6XXptTtUO87+5 |
| Yara | None matched |

| Field | Value |
|---|---|
| File name | -dk111143745f.js |
| File size | 7035 bytes |
| File type | ASCII C++ program text |
| MD5 | 86bc6f6a0d0cf192f6ef1a918ee739a9 |
| SHA1 | f076adc5b2035bd220e1ebe60382af1d9a4a30af |
| SHA256 | b9f3da2a457c521689c29b485ce68e8130af9a186009414a3d010cd348d0a973 |
| SHA512 | b12fa0abaf5e162504965839c06d80467ed2a648beb721e704e092633654e759009d073c71f4ef8c7de8898897e0c6df79e25e90b4c22ca965af67c807cc9aee |
| Ssdeep | 192:DXxeeVjZhuQy6qqO1Rt/epSPuho0pUS42WStTqOfa8nCFk8Lm:DIeVjZhuV6qqOlkTXWSo4s2F |
| Yara | None matched |
Network Analysis

| IP Address |
|---|
| 162.213.255.30 |
| 23.41.186.226 |
| 52.169.179.91 |
| 64.4.54.253 |
| 64.4.54.254 |
| 8.8.8.8 |

| Domain | IP Address |
|---|---|
| crl.microsoft.com | 70.186.27.32 |
| ctldl.windowsupdate.com | 70.186.27.16 |
| settings-win.data.microsoft.com | 64.4.54.253 |
| www.microsoft.com | 104.75.131.184 |
| teredo.ipv6.microsoft.com | 67.195.61.46 |
| dns.msftncsi.com | 131.107.255.255 |
| ipv6.msftncsi.com | |
| vortex-win.data.microsoft.com | 64.4.54.254 |
| senabel.com | 162.213.255.30 |
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
Data:

    GET /pkiops/crl/MicSecSerCA2011_2011-10-18.crl HTTP/1.1
    Cache-Control: max-age = 572
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 12 May 2016 02:00:44 GMT
    If-None-Match: "202c18f2abd11:0"
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com

URL: http://senabel.com/7mo0pu9nzq
Data:

    GET /7mo0pu9nzq HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: senabel.com
    Connection: Keep-Alive
Volatility
Nothing to display.