Category: FILE
Started On: 2018-07-19 08:44:30.408365
Completed On: 2018-07-19 08:46:20.060760
Duration: 109 seconds
Cuckoo Version: 2.0-dev

Machine Label: win7cuckoo
Machine Name: win7 Clone 1
Manager: VirtualBox
Started On: 2018-07-19 08:44:31
Shutdown On: 2018-07-19 08:46:19

File Details

File name Invoices and Pending Orders.exe
File size 520192 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 C223AC95
MD5 d97b62708d531abdf385bc3e4d33f9b2
SHA1 73a45a108d854764b5685f0d85178dd6a1430d3f
SHA256 80f9994c7715cf8194a53ce01d093d267c66ea845df0cae22926f67ec65f58ba
SHA512 b24676d19f9c960c1abf4ef2f343d08e6ae116ec3807ab7488739d995c3508061566b50fa0b3c418fb37b44abc1b04a162c06b666506c5de73efbe1215491d03
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=125, Anomalies=0, PEiD=0, Yara=0, VT[1532004387]=0): Snort Events=2, AV Events=0
Total Score=125

SNORT EVENTS:
ET TROJAN Fareit/Pony Loader User-Agent
ETPRO TROJAN Win32.Pony/Fareit Checkin 3

Signatures

antivm_queries_computername
recon_fingerprint
locates_browser
antivm_memory_available
raises_exception
create_process_suspended
openprocess_nonchild
Roaming_Profile_Modified
Attempt_to_open_VBA_AutoRun
allocates_rwx
infostealer_browser
packer_entropy
privilege_luid_check
infostealer_ftp
Jalik_Trojan_Behavior
nolookup_communication
infostealer_ftp
infostealer_im
infostealer_mail
process_interest
detect_putty
injection_runpe

Screenshots

No screenshots available.

Static Analysis

Version Infos

Sections

Resources

Imports

Strings

Dropped Files

b8960ab86047e730_F783C6CE5FB53B50158326C65C9E2A8B_dec

6b86b273ff34fce1_895AA0.lck

16fa92a17f50c51d_895aa0.hdb

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\signons.sqlite
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\secmod.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Credentials\F783C6CE5FB53B50158326C65C9E2A8B_dec
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\key3.db
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Credentials\F783C6CE5FB53B50158326C65C9E2A8B
  • C:\Windows\Fonts\staticcache.dat
File-Written
  • C:\Users\Harry Dresden\AppData\Roaming\6AA008\895AA0.lck
  • C:\Users\Harry Dresden\AppData\Roaming\6AA008\895AA0.hdb
File-Deleted
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Credentials\F783C6CE5FB53B50158326C65C9E2A8B_dec
  • C:\Users\Harry Dresden\AppData\Roaming\6AA008\895AA0.lck
  • C:\Users\Harry Dresden\AppData\Roaming\6AA008\895AA0.hdb
File-Opened
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\signons.sqlite
  • C:\
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\secmod.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Credentials\F783C6CE5FB53B50158326C65C9E2A8B_dec
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\key3.db
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Credentials\F783C6CE5FB53B50158326C65C9E2A8B
  • C:\Windows\Fonts\staticcache.dat
File-Moved
  • C:\Users\Harry Dresden\AppData\Local\Temp\invoices and pending orders.exe -> C:\Users\Harry Dresden\AppData\Roaming\6AA008\895AA0.exe
Network-Connects IP
  • 94.102.60.3
Directory-Created
  • C:\Users\Harry Dresden\AppData\Roaming\6AA008
Directory-Enumerated
  • C:\Users\Harry Dresden\Desktop\*.kdbx
  • C:\Users\Harry Dresden\Documents\*.vnc
  • C:\Foxmail*
  • C:\Users\Harry Dresden\Documents\*.bscp
  • C:\Users\Harry Dresden\Documents\*.tlp
  • C:\Users\Harry Dresden\Documents\*Mailbox.ini
  • C:\Users\Harry Dresden\Desktop\*.spn
  • C:\Users\Harry Dresden\Documents\*.kdb
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Credentials\*
  • C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\Users\Harry Dresden\AppData\Local\PokerStars*
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Credentials\*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\secmod.db
  • C:\Users\Harry Dresden\Desktop\*.vnc
  • C:\Users\Harry Dresden\Documents\*.spn
  • C:\Windows
  • C:\Windows\winsxs
  • C:\Users\Harry Dresden\Documents\*.kdbx
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\key3.db
  • C:\Users\Harry Dresden\Desktop\*.kdb
Registry Key-Opened
  • HKEY_CURRENT_USER\Software
  • HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  • HKEY_CURRENT_USER\Software\Bitvise\BvSshClient
  • HKEY_CURRENT_USER\Software\WinChips\UserAccounts
  • HKEY_CURRENT_USER\Software\Netscape
  • HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon
  • HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup
  • HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox
  • HKEY_CURRENT_USER\Software\7-Zip
  • HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
  • HKEY_CURRENT_USER\Software\VanDyke\SecureFX
  • HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • HKEY_CURRENT_USER\Software\Foxit Software
  • HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
  • HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox
  • HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86
  • HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  • HKEY_CURRENT_USER\Software\Adobe
  • HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\12.0 (en-US)\Main
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock
  • HKEY_LOCAL_MACHINE\Software\Martin Prikryl
  • HKEY_CURRENT_USER\Software\Microsoft
  • HKEY_CURRENT_USER\Software\Policies
  • HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
  • HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts
  • HKEY_CURRENT_USER\Software\Ghisler\Total Commander
  • HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale Moon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
  • HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  • HKEY_CURRENT_USER\Software\Classes
  • HKEY_CURRENT_USER\Software\Macromedia
  • HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
  • HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  • HKEY_CURRENT_USER\Software\Clients
  • HKEY_CURRENT_USER\Software\Martin Prikryl
  • HKEY_CURRENT_USER\Software\IncrediMail\Identities
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
  • HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
  • HKEY_CURRENT_USER\Software\ODBC
  • HKEY_CURRENT_USER\Software\AppDataLow
  • HKEY_CURRENT_USER\Software\Wow6432Node
  • HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
  • HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
  • HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
  • HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Sans Serif
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\12.0 (en-US)\Main\Install Directory
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
Mutex-Accessed
  • 92090E26AA00895AA0B3F6C0

Processes

C:\Windows\system32\lsass.exe PID: 480, Parent PID: 384

"C:\Users\Harry Dresden\AppData\Local\Temp\Invoices and Pending Orders.exe" PID: 2212, Parent PID: 4076

"C:\Users\Harry Dresden\AppData\Local\Temp\Invoices and Pending Orders.exe" PID: 2928, Parent PID: 2212

Volatility

Nothing to display.