Category FILE
Started On 2018-02-09 16:17:42.418570
Completed On 2018-02-09 16:19:34.607118
Duration 112 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo
Label win7 Clone 1
Manager VirtualBox
Started On 2018-02-09 16:17:42
Shutdown On 2018-02-09 16:19:34

File Details

File name c28d96bbabf5818d8ad737e4112ff62c4fcdfff8.zip
File size 48651 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 77800763
MD5 88184139442bbcb9caab1a484902e602
SHA1 c28d96bbabf5818d8ad737e4112ff62c4fcdfff8
SHA256 2160d297c21a4758e540ea5291c6d4df4bce74c2dab85647a8a1a875fcf49ccc
SHA512 d1c6da93c58c590905a2ac68ab1f7b2595729283ebf9a94439dd9b2a5f33237eff63c0b4d80272aa00106de56db5a17173adc924e6907cf622106d5cf75f8523
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal Scan Date: 2018-01-23 10:33:24
VirusTotal Detection Rate: 1/60

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1518211184]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

openprocess_nonchild
allocates_rwx
privilege_luid_check
memdump_urls
injection_modifies_memory
injection_resumethread
injection_write_memory

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

b14f927e6f5b71ed_socketsniffhelper.dll

SocketSniff.exe

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\SocketSniffHelper.dll
File-Opened
  • C:\Python27\python.exe
  • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
  • C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Reader_sl.exe
  • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Registry Key-Opened
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\SocketSniff.exe
  • HKEY_CURRENT_USER\Control Panel\Desktop
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorUseSystemHeap
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorSystemHeapIsPrivate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
  • HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll

Processes

C:\Windows\system32\lsass.exe PID: 480, Parent PID: 384

"C:\Users\Harry Dresden\AppData\Local\Temp\SocketSniff.exe" PID: 2328, Parent PID: 2212

Volatility

Nothing to display.