Category | Started On | Completed On | Duration | Cuckoo Version
FILE | 2016-12-01 00:54:59.062363 | 2016-12-01 00:58:07.193584 | 188 seconds | 2.0-dev
Machine | Label | Manager | Started On | Shutdown On
win7cuckoo | win7 Clone 1 | VirtualBox | 2016-12-01 00:54:59 | 2016-12-01 00:58:06
File Details
File name | d68f3d4757f1ec12b963b56a2bdb13dd4c0b2c52.zip
File size | 3172 bytes
File type | Zip archive data, at least v2.0 to extract
CRC32 | BE68436F
MD5 | 6d6c8722b9920190a7550887ed79d491
SHA1 | d68f3d4757f1ec12b963b56a2bdb13dd4c0b2c52
SHA256 | cccf7d7e99e93acd79f0316cec232294bd1fe33db918f11cb61fc532e9cd4b9d
SHA512 | 8d11ec190193fc5e168bd8550554dd20cec0af3263169c34c288ec446af22ad507724db24e81fada43911ba5a782e7f1305cc5107dd21b1cb9e1572e0a8f604a
Ssdeep | 96:bC+Bxk9oHNnQJBHfnJocpMFqcgluGQF7d9p:bC+Bxk4BQJB/GcpiqcauGIdj
PEiD | None matched
Yara |
VirusTotal | File not found on VirusTotal
Signatures
recon_fingerprint | Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
antivm_memory_available | Checks the amount of memory in the system; a low amount of available memory can be used to detect virtual machines
dumped_buffer | One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
antivm_network_adapters | Checks adapter addresses, which can be used to detect virtual network interfaces
Windows_Proxy_Tinkering | Accesses or modifies proxy settings
network_wscript_downloader | wscript.exe initiated network communications indicative of a script-based payload download
malicious_document_urls | Potentially malicious URL found in document
network_document_file | Network communications indicative of a potential document or script payload download were initiated by the process wscript.exe
Screenshots
No screenshots available.
Static Analysis
Nothing to display.
Dropped Files
File name | 66fdca4060f52d0a_irlaqi[1].txt
File size | 282318 bytes
File type | data
MD5 | e5bd58445d8e1572040fa91231b7d6e0
SHA1 | f21aa3b373c507897ddb1f2e631105cc782bf4da
SHA256 | 66fdca4060f52d0af6d02144b137b4961e3adcd1bd841d569d4a4debf5f0be30
SHA512 | b37e33d6b86bdaa2c814bf5313c77609747614dac3431494d0b0665c020f86761eb1f6215bcc24eeb99078afda829a93c6171d2cb937dfe1f4902361713b230b
Ssdeep | 3072:fBQzXIWzemvQ/dhyxVj9wRbHjZmRB8DGmT5mTf0XfcbjU7SqRZ3rVSagUbOq:JQzdfvOhyxR+Hj2E5mTcX5DRZZWip
Yara | None matched

File name | -3u79h90i06n.js
File size | 18516 bytes
File type | ASCII C++ program text, with very long lines
MD5 | 9a773c998da1dcc11517ffef640c7f65
SHA1 | 75f11985728386563f01414d26033cf396956a9d
SHA256 | d8299c0911048e689ce21f91c1229290676cf50c04706d739b3d661904f1fdb1
SHA512 | 2c4993b2c6a8a052c494c6ac3eb89d5443e47dfc5d6b0e7197e323942723bf3fb6719d0ffa56085d1c275b139aac5344a84ab69fefe1d5a4038307f78017105c
Ssdeep | 96:jXolefvLyAMG1zQAUjsdACy7bRpvt/2E4nQujo6HtqJNrmtj5w7C82z:jXxfvVdUjs6hpJ4dRjttapqj5w7C8O
Yara | None matched
Network Analysis
IP Address
109.232.220.235
23.41.186.226
40.118.103.7
64.4.54.253
64.4.54.254
8.8.8.8

Domain | IP Address
www.microsoft.com | 104.75.131.184
dns.msftncsi.com | 131.107.255.255
vortex-win.data.microsoft.com | 64.4.54.254
skyaksesuar.com | 109.232.220.235
settings-win.data.microsoft.com | 64.4.54.253
teredo.ipv6.microsoft.com | 67.195.61.46
ctldl.windowsupdate.com | 70.186.27.9
crl.microsoft.com | 70.186.27.32
ipv6.msftncsi.com |
URL | Data
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl |
GET /pkiops/crl/MicSecSerCA2011_2011-10-18.crl HTTP/1.1
Cache-Control: max-age = 572
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 12 May 2016 02:00:44 GMT
If-None-Match: "202c18f2abd11:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com

http://skyaksesuar.com/irlaqi |
GET /irlaqi HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: skyaksesuar.com
Connection: Keep-Alive
Volatility
Nothing to display.
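Most of the network section above is Windows background traffic from the Win7 guest (CRL and CTL fetches, NCSI connectivity checks, telemetry, Teredo); the one request that matters is wscript.exe fetching http://skyaksesuar.com/irlaqi, whose response appears in the dropped files as irlaqi[1].txt (the WinINet cache naming for the fetched path, prefixed by Cuckoo with the first 16 hex digits of the file's SHA256). Two details worth recording with the indicators: the request's User-Agent claims Windows NT 5.0 (Windows 2000) while the guest is Windows 7, so the string is hard-coded in the script rather than supplied by the system, and the same script never produced a screenshot or a Volatility result. The script below is an added example (not part of the report, and not Cuckoo code) that transcribes the report's DNS table, HTTP requests and dropped-file names as constructed input and performs that triage: it parses each request, drops hosts on an analyst-maintained allowlist of Windows background domains (an assumption of the example, not something the report states), flags a User-Agent whose NT version disagrees with the guest (the mapping of the "win7" label to NT 6.1 is also the example's assumption), links each request path to a matching dropped file, and emits the remaining host, IP and URL as indicators.

```python
"""Triage the network section of a Cuckoo 2.0 report (added example, not Cuckoo code).

The DNS table, requests and dropped-file names below are transcribed from the
report; the background allowlist and guest NT version are this example's own
assumptions.
"""
import re

# Domain -> resolved IP, as listed under "Domain | IP Address" in the report.
DNS = {
    "www.microsoft.com": "104.75.131.184",
    "dns.msftncsi.com": "131.107.255.255",
    "vortex-win.data.microsoft.com": "64.4.54.254",
    "skyaksesuar.com": "109.232.220.235",
    "settings-win.data.microsoft.com": "64.4.54.253",
    "teredo.ipv6.microsoft.com": "67.195.61.46",
    "ctldl.windowsupdate.com": "70.186.27.9",
    "crl.microsoft.com": "70.186.27.32",
    "ipv6.msftncsi.com": None,
}

# Raw HTTP requests from the "URL | Data" table (header order as captured).
REQUESTS = [
    "GET /pkiops/crl/MicSecSerCA2011_2011-10-18.crl HTTP/1.1\r\n"
    "Cache-Control: max-age = 572\r\nConnection: Keep-Alive\r\nAccept: */*\r\n"
    "User-Agent: Microsoft-CryptoAPI/6.1\r\nHost: www.microsoft.com\r\n",
    "GET /irlaqi HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    "UA-CPU: AMD64\r\nAccept-Encoding: gzip, deflate\r\nHost: skyaksesuar.com\r\n"
    "Connection: Keep-Alive\r\n",
]

# Dropped-file names from the report.
DROPPED = ["66fdca4060f52d0a_irlaqi[1].txt", "-3u79h90i06n.js"]

# Assumption: domains an analyst treats as Windows background noise on this guest.
BACKGROUND_SUFFIXES = (".microsoft.com", ".msftncsi.com", ".windowsupdate.com")
# Assumption: the machine label "win7" means Windows NT 6.1.
GUEST_NT_VERSION = "6.1"


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path and a lower-cased header dict."""
    lines = raw.strip().split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def is_background(host):
    """True for hosts on the background allowlist (suffix match)."""
    return host.endswith(BACKGROUND_SUFFIXES)


def ua_os_mismatch(user_agent):
    """True if the User-Agent claims a Windows NT version other than the guest's."""
    m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    return bool(m) and m.group(1) != GUEST_NT_VERSION


def dropped_name_for(path):
    """Regex linking a request path to a Cuckoo dropped file: Cuckoo 2.0 names
    dropped files <sha256[:16]>_<name>, and WinINet caches a fetched resource
    as <basename>[N](.ext)."""
    base = re.escape(path.rsplit("/", 1)[-1])
    return re.compile(rf"^[0-9a-f]{{16}}_{base}\[\d+\](\.\w+)?$")


def triage(requests, dns, dropped):
    """Return (suspect, background) lists of request records."""
    suspect, background = [], []
    for raw in requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        ua = req["headers"].get("user-agent", "")
        pattern = dropped_name_for(req["path"])
        rec = {
            "url": f"http://{host}{req['path']}",
            "host": host,
            "ip": dns.get(host),
            "user_agent": ua,
            "ua_os_mismatch": ua_os_mismatch(ua),
            "dropped": [d for d in dropped if pattern.match(d)],
        }
        (background if is_background(host) else suspect).append(rec)
    return suspect, background


def iocs(suspect):
    """Flatten suspect records into a sorted, de-duplicated indicator list."""
    out = set()
    for rec in suspect:
        out.update({rec["url"], rec["host"]})
        if rec["ip"]:
            out.add(rec["ip"])
    return sorted(out)


if __name__ == "__main__":
    sus, bg = triage(REQUESTS, DNS, DROPPED)
    for rec in sus:
        print(rec)
    print("IOCs:", iocs(sus))
```

The allowlist is deliberately a suffix list rather than the exact domains seen here, so the same script works across reports from the same guest image; keep it short and reviewed, since an attacker-controlled subdomain of a broadly allowlisted parent would be hidden by it.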