Category FILE
Started On 2018-07-19 08:41:48.732885
Completed On 2018-07-19 08:43:42.223812
Duration 113 seconds
Cuckoo Version 2.0-dev

Machine Label win7cuckoo
Machine Manager win7 Clone 1 VirtualBox
Machine Started On 2018-07-19 08:41:49
Machine Shutdown On 2018-07-19 08:43:39

File Details

File name c287846d8177f169c5c7dc7e7c6b776a67730482.zip
File size 212574 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 5443B5C7
MD5 ed683f9ef644ba8abb8d56f03cc316e6
SHA1 c287846d8177f169c5c7dc7e7c6b776a67730482
SHA256 5d24e091dfa0256938e00c3f7be8a56c3d2a94476c7bc6834c28cdbcbf7be5db
SHA512 213979346825e106c4b3a7c531fc2649bbaa319b009388a08baad30875cf772462ca0c7bc50ab579d91a6f2e834dadc8b0d1ff02011e1d95c4765fb3c27ab06c
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=125, Anomalies=0, PEiD=0, Yara=0, VT[1532004269]=0): Snort Events=2, AV Events=0
Total Score=125

SNORT EVENTS:
ET TROJAN Fareit/Pony Loader User-Agent
ETPRO TROJAN Win32.Pony/Fareit Checkin 3

Signatures

antivm_queries_computername
recon_fingerprint
locates_browser
antivm_memory_available
raises_exception
create_process_suspended
openprocess_nonchild
Roaming_Profile_Modified
Attempt_to_open_VBA_AutoRun
allocates_rwx
infostealer_browser
privilege_luid_check
infostealer_ftp
MF_Heuristic
Jalik_Trojan_Behavior
nolookup_communication
infostealer_ftp
infostealer_im
infostealer_mail
process_interest
detect_putty
injection_runpe

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

b8960ab86047e730_F783C6CE5FB53B50158326C65C9E2A8B_dec

6b86b273ff34fce1_895AA0.lck

16fa92a17f50c51d_895aa0.hdb

Invoices and Pending Orders.exe

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\signons.sqlite
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\secmod.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Credentials\F783C6CE5FB53B50158326C65C9E2A8B_dec
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\key3.db
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Credentials\F783C6CE5FB53B50158326C65C9E2A8B
File-Written
  • C:\Users\Harry Dresden\AppData\Roaming\6AA008\895AA0.lck
  • C:\Users\Harry Dresden\AppData\Roaming\6AA008\895AA0.hdb
File-Deleted
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Credentials\F783C6CE5FB53B50158326C65C9E2A8B_dec
  • C:\Users\Harry Dresden\AppData\Roaming\6AA008\895AA0.lck
  • C:\Users\Harry Dresden\AppData\Roaming\6AA008\895AA0.hdb
File-Opened
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\signons.sqlite
  • C:\
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\secmod.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Credentials\F783C6CE5FB53B50158326C65C9E2A8B_dec
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\key3.db
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Credentials\F783C6CE5FB53B50158326C65C9E2A8B
File-Moved
  • C:\Users\Harry Dresden\AppData\Local\Temp\invoices and pending orders.exe -> C:\Users\Harry Dresden\AppData\Roaming\6AA008\895AA0.exe
Network-Connects IP
  • 94.102.60.3
Directory-Created
  • C:\Users\Harry Dresden\AppData\Roaming\6AA008
Directory-Enumerated
  • C:\Users\Harry Dresden\Desktop\*.kdbx
  • C:\Users\Harry Dresden\Documents\*.vnc
  • C:\Foxmail*
  • C:\Users\Harry Dresden\Documents\*.bscp
  • C:\Users\Harry Dresden\Documents\*.tlp
  • C:\Users\Harry Dresden\Documents\*Mailbox.ini
  • C:\Users\Harry Dresden\Desktop\*.spn
  • C:\Users\Harry Dresden\Documents\*.kdb
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Credentials\*
  • C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\Users\Harry Dresden\AppData\Local\PokerStars*
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Credentials\*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\secmod.db
  • C:\Users\Harry Dresden\Desktop\*.vnc
  • C:\Users\Harry Dresden\Documents\*.spn
  • C:\Windows
  • C:\Windows\winsxs
  • C:\Users\Harry Dresden\Documents\*.kdbx
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\key3.db
  • C:\Users\Harry Dresden\Desktop\*.kdb
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Sans Serif
  • HKEY_CURRENT_USER\Software
  • HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  • HKEY_CURRENT_USER\Software\Bitvise\BvSshClient
  • HKEY_CURRENT_USER\Software\WinChips\UserAccounts
  • HKEY_CURRENT_USER\Software\Netscape
  • HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon
  • HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup
  • HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox
  • HKEY_CURRENT_USER\Software\7-Zip
  • HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
  • HKEY_CURRENT_USER\Software\VanDyke\SecureFX
  • HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • HKEY_CURRENT_USER\Software\Foxit Software
  • HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
  • HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox
  • HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86
  • HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  • HKEY_CURRENT_USER\Software\Adobe
  • HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\12.0 (en-US)\Main
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock
  • HKEY_LOCAL_MACHINE\Software\Martin Prikryl
  • HKEY_CURRENT_USER\Software\Microsoft
  • HKEY_CURRENT_USER\Software\Policies
  • HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
  • HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts
  • HKEY_CURRENT_USER\Software\Ghisler\Total Commander
  • HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale Moon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
  • HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  • HKEY_CURRENT_USER\Software\Classes
  • HKEY_CURRENT_USER\Software\Macromedia
  • HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
  • HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  • HKEY_CURRENT_USER\Software\Clients
  • HKEY_CURRENT_USER\Software\Martin Prikryl
  • HKEY_CURRENT_USER\Software\IncrediMail\Identities
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
  • HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
  • HKEY_CURRENT_USER\Software\ODBC
  • HKEY_LOCAL_MACHINE\������������������Ё��������Ћ����Я����Й���Й��я��
  • HKEY_CURRENT_USER\Software\AppDataLow
  • HKEY_CURRENT_USER\Software\Wow6432Node
  • HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
  • HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
  • HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
  • HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\12.0 (en-US)\Main\Install Directory
Mutex-Accessed
  • 92090E26AA00895AA0B3F6C0

Processes

C:\Windows\system32\lsass.exe PID: 480, Parent PID: 384

"C:\Users\Harry Dresden\AppData\Local\Temp\Invoices and Pending Orders.exe" PID: 1064, Parent PID: 2408

"C:\Users\Harry Dresden\AppData\Local\Temp\Invoices and Pending Orders.exe" PID: 3844, Parent PID: 1064

Volatility

Nothing to display.