Category: FILE
Started On: 2017-07-10 08:25:33.884160
Completed On: 2017-07-10 08:27:01.609152
Duration: 87 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo2
Label: win7 Clone 2
Manager: VirtualBox
Started On: 2017-07-10 08:25:34
Shutdown On: 2017-07-10 08:27:01

File Details

File name 2fad05a7b3eafc7d67631f9aeeea4a076851be41.zip
File size 39523 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 5E122BCC
MD5 0d87da74716397636d7c167e0c1a98d3
SHA1 2fad05a7b3eafc7d67631f9aeeea4a076851be41
SHA256 7648714870048aeba96024e67ba474e308eb9c4a94bd1a97444a1672f7acec3d
SHA512 1aa65c9940106067c2e58b9c67287aa57d34f1b3fd85777895d93acdf4ad6021dff29ca508c2c1cf73dc90e2969cc9f187119a55d5fa74147529fda26e140150
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1499689671]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

Attempt_to_open_VBA_AutoRun details
Jalik_Trojan_Behavior details

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

RbtSch.exe

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

Registry Key-Opened
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Help
  • HKEY_LOCAL_MACHINE\SOFTWARE\SAAZOD
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\HTML Help
Registry Key-Read
  • \InstallationPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\HTML Help\.HLP
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • \RegID
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936

Processes

C:\Windows\system32\lsass.exe PID: 460, Parent PID: 364

"C:\Users\Harry Dresden\AppData\Local\Temp\RbtSch.exe" PID: 4956, Parent PID: 3204

Volatility

Nothing to display.