Category FILE
Started On 2017-07-10 08:27:02.283189
Completed On 2017-07-10 08:28:21.268965
Duration 78 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo2
Label win7 Clone 2
Manager VirtualBox
Started On 2017-07-10 08:27:02
Shutdown On 2017-07-10 08:28:20

File Details

File name 6b20ee3415c83f78fd8a29549be6245ade197fd0.zip
File size 17462 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 8B3B0258
MD5 366924a20ae6936317ce21fa575e4681
SHA1 6b20ee3415c83f78fd8a29549be6245ade197fd0
SHA256 ed931dd3f550c1b7ff3f6c4e508f13b39b322a0d5c5d61c5402603b0fd200da8
SHA512 9b365b06e6ec29203bf7f59323650258e1b372f75f5df4ab93ceab637bd8d36f632f6b9469238c6b05dee98bffd24adc16535f52fa68de3cf0884acfa91c03a4
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1499689746]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

  • Attempt_to_open_VBA_AutoRun
  • Jalik_Trojan_Behavior

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

ClearLogs.exe

Network Analysis

Hosts Involved

DNS Requests

Behavior Summary

Registry Key-Opened
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Help
  • HKEY_LOCAL_MACHINE\SOFTWARE\SAAZOD
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\HTML Help
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\HTML Help\.HLP
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936

Processes


C:\Windows\system32\lsass.exe PID: 460, Parent PID: 364

"C:\Users\Harry Dresden\AppData\Local\Temp\ClearLogs.exe" PID: 5792, Parent PID: 3684
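The behaviour summary and process list above are the parts of this report an analyst actually triages. The script below is an added example, not part of the MetaFlows/Cuckoo output, that applies three checks to a Cuckoo 2.0-style report.json: a dropped file that also appears as a running process launched from a user-writable Temp directory, registry access under HKLM\...\Microsoft\VBA (the artefact the Attempt_to_open_VBA_AutoRun signature keys on), and the naming convention visible on this page where the sample file name is its SHA1. The sample report is constructed from the values on this page; the field names (behavior.summary.regkey_opened, behavior.processes, dropped, target.file) follow Cuckoo 2.0's report.json layout as I recall it and should be treated as an assumption.

```python
"""Triage a Cuckoo 2.0-style report.json for the behaviours seen in this report.

Added example: not MetaFlows/Cuckoo code. Key names are assumed to match
Cuckoo 2.0's report.json; adjust them if your report differs.
"""
import re

# Constructed sample mirroring the report on this page.
SAMPLE_REPORT = {
    "target": {"file": {
        "name": "6b20ee3415c83f78fd8a29549be6245ade197fd0.zip",
        "sha1": "6b20ee3415c83f78fd8a29549be6245ade197fd0",
    }},
    "dropped": [{"name": "ClearLogs.exe"}],
    "behavior": {
        "summary": {
            "regkey_opened": [
                r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows",
                r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors",
                r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Help",
                r"HKEY_LOCAL_MACHINE\SOFTWARE\SAAZOD",
                r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\HTML Help",
            ],
            "regkey_read": [
                r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\HTML Help\.HLP",
                r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950",
                r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949",
                r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles",
                r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932",
                r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936",
            ],
        },
        "processes": [
            {"pid": 460, "ppid": 364, "process_name": "lsass.exe",
             "command_line": r"C:\Windows\system32\lsass.exe"},
            {"pid": 5792, "ppid": 3684, "process_name": "ClearLogs.exe",
             "command_line": r'"C:\Users\Harry Dresden\AppData\Local\Temp\ClearLogs.exe"'},
        ],
    },
}

# Per-user Temp directory inside a Windows profile (any user name).
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Anything under HKLM\...\Microsoft\VBA\ (Monitors is what this report touched).
VBA_KEY_RE = re.compile(r"\\Microsoft\\VBA\\", re.IGNORECASE)


def triage(report):
    """Return a list of (finding_id, detail) tuples for a Cuckoo-style report dict."""
    findings = []
    behavior = report.get("behavior", {})
    summary = behavior.get("summary", {})
    processes = behavior.get("processes", [])
    dropped_names = {d.get("name", "").lower() for d in report.get("dropped", [])}

    # 1. A dropped file that also shows up as a process, launched from a
    #    user-writable Temp directory: the archive was not merely unpacked,
    #    its payload ran.
    for proc in processes:
        name = proc.get("process_name", "").lower()
        cmd = proc.get("command_line", "")
        if name in dropped_names and USER_TEMP_RE.search(cmd):
            findings.append(("dropped_exe_executed_from_temp",
                             f"{name} pid={proc.get('pid')} ppid={proc.get('ppid')}"))

    # 2. Registry access under Microsoft\VBA. Opening the key alone is weak
    #    evidence of auto-run macro activity, so it is reported as its own
    #    finding rather than folded into a verdict.
    touched = list(summary.get("regkey_opened", [])) + list(summary.get("regkey_read", []))
    for key in touched:
        if VBA_KEY_RE.search(key):
            findings.append(("vba_registry_access", key))

    # 3. On this page the sample is named <sha1>.zip; a mismatch between the
    #    file name stem and the recorded SHA1 usually means a report and an
    #    artefact were mixed up in storage.
    target = report.get("target", {}).get("file", {})
    stem = target.get("name", "").rsplit(".", 1)[0]
    if target.get("sha1") and stem.lower() != target["sha1"].lower():
        findings.append(("sample_name_sha1_mismatch", target["name"]))

    return findings


if __name__ == "__main__":
    for finding_id, detail in triage(SAMPLE_REPORT):
        print(f"{finding_id}: {detail}")
```

One caveat when reading finding 1 against this report: Cuckoo's zip analysis package itself extracts the archive into the analysis user's Temp directory and launches the contents, so "dropped executable run from Temp" partly describes the sandbox's own launch method rather than something the sample did on its own. The registry finding is the one that corresponds to the Attempt_to_open_VBA_AutoRun signature; lsass.exe in the process list is a system process that was hooked during the run, not a process the script flags.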

Volatility

Nothing to display.