Category FILE
Started On 2017-07-10 08:25:32.514548
Completed On 2017-07-10 08:26:55.051862
Duration 82 seconds
Cuckoo Version 2.0-dev
Machine Label Manager Started On Shutdown On
win7cuckoo win7 Clone 1 VirtualBox 2017-07-10 08:25:32 2017-07-10 08:26:54

File Details

File name 2912eb8a939262fad786bb3c12938a5d56e44a54.zip
File size 89724 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 00D34465
MD5 df6f46fdd14dfbc22a68e809e66e3bd4
SHA1 2912eb8a939262fad786bb3c12938a5d56e44a54
SHA256 bef6c642061379c59b7a4416497da27448c81404b276e2717777908611a6eb61
SHA512 332b926da38a06c9c3ed757a53577b67b038bf2d0684bb9900552e66121095851d069152b4c7b0ce94f0fa5b618a73b60b98d0166eab1fc31bde7ad39f7d8bb3
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1499689668]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

Attempt_to_open_VBA_AutoRun
Jalik_Trojan_Behavior

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

RbtScan.exe

Network Analysis

Hosts Involved

DNS Requests

Behavior Summary

Registry Key-Opened
  • HKEY_CURRENT_USER\CLSID\{D08CAA79-AEC3-4648-8A8A-E577C1F58F6F}
  • HKEY_CURRENT_USER\CLSID\{A6C3DD41-35EA-40D4-AA9B-B097BBE192E2}
  • HKEY_LOCAL_MACHINE\SOFTWARE\SAAZOD
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\HTML Help
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Help
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
Registry Key-Read
  • \InstallationPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\HTML Help\.HLP
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • \RegID
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled

Processes


C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Users\Harry Dresden\AppData\Local\Temp\RbtScan.exe" PID: 2952, Parent PID: 1556

Volatility

Nothing to display.