File pwnAris

Size 8.8KB
Type ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=13356e7e99bbad1ea48fdaaebb0238adc818913d, not stripped
MD5 c65a8603c0b1413cc76e654a06b95418
SHA1 af4769844545990cd6ce364cb79e9e6320950890
SHA256 c0cb6e4e1ae158de17a2772a090cc2f3a15cfe81f88bb5441c9533b55a298d2f
SHA512
a70050e3b6bf4e0db9ad5a55bfff4e2744be6402d72b43e2a49fb4a459e90c7f684dcb72a4d6d0b75d00381d4abc0658e0d656afa232e3a60426d3a058027089
CRC32 9DF1778E
ssdeep 96:GiT9jJIWybtRXJrwVvMRCWmVsAKmdaRk/7IauBoQUf42BeSiN5rSd:GiroBwVvrWmi9k/qCftESi
Yara
  • contentis_base64 - This rule finds for base64 strings

Score

This file appears fairly benign with a score of 0.2 out of 10.

Please note: the scoring system is still under development and should be considered an alpha feature.

Information on Execution

Category: FILE
Started: Jan. 22, 2019, 5:40 a.m.
Completed: Jan. 22, 2019, 5:40 a.m.
Duration: 27 seconds

Machine

Name: win7x64
Label: win7x64
Started On: 2019-01-22 05:40:31
Shutdown On: 2019-01-22 05:40:58

Analyzer Log

2019-01-21 21:40:30,015 [analyzer] DEBUG: Starting analyzer from: C:\udbluu
2019-01-21 21:40:30,062 [analyzer] DEBUG: Pipe server name: \\.\PIPE\unxahyZGQRiYZMfMXpaTxVBhSqhpJaAs
2019-01-21 21:40:30,062 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\HLskVsPioKErsOciZyUcdJpBADRXRvXl
2019-01-21 21:40:30,062 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-21 21:40:30,062 [analyzer] INFO: Automatically selected analysis package "generic"
2019-01-21 21:40:32,105 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-21 21:40:32,760 [analyzer] DEBUG: Loaded monitor into process with pid 508
2019-01-21 21:40:32,760 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-21 21:40:32,760 [analyzer] DEBUG: Started auxiliary module Human
2019-01-21 21:40:32,760 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-21 21:40:32,760 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-21 21:40:32,979 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-21 21:40:32,979 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2019-01-21 21:40:32,979 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-21 21:40:33,072 [lib.api.process] INFO: Successfully executed process from path 'C:\\Windows\\System32\\cmd.exe' with arguments ['/c', 'start', '/wait', '"OJXZoWD"', u'C:\\Users\\zamen\\AppData\\Local\\Temp\\pwnAris'] and pid 2304
2019-01-21 21:40:33,789 [analyzer] DEBUG: Loaded monitor into process with pid 2304
2019-01-21 21:40:39,203 [analyzer] INFO: Process with pid 2304 has terminated
2019-01-21 21:40:39,203 [analyzer] INFO: Process list is empty, terminating analysis.
2019-01-21 21:40:40,217 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-21 21:40:40,217 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-01-22 05:40:31,122 [lib.cuckoo.core.scheduler] INFO: Task #1202: acquired machine win7x64 (label=win7x64)
2019-01-22 05:40:31,204 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 12268 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/1202/dump.pcap)
2019-01-22 05:40:36,308 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2019-01-22 05:40:57,393 [lib.cuckoo.core.guest] INFO: win7x64: analysis completed successfully
2019-01-22 05:40:58,503 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-22 05:40:59,584 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f93849ab8d0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-22 05:40:59,587 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f93849ab710>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f93849ab710>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
Jan. 22, 2019, 12:33 a.m.
__exception__
stacktrace:
ObjectStublessClient24+0x199a CLSIDFromString-0x456 ole32+0x1022a @ 0x7feffa0022a
CoCreateInstance+0x158f CoGetContextToken-0x381 ole32+0x28a1f @ 0x7feffa18a1f
CoCreateInstance+0x1550 CoGetContextToken-0x3c0 ole32+0x289e0 @ 0x7feffa189e0
CoCreateInstance+0xbe5 CoGetContextToken-0xd2b ole32+0x28075 @ 0x7feffa18075
CoCreateInstance+0x1439 CoGetContextToken-0x4d7 ole32+0x288c9 @ 0x7feffa188c9
CoCreateInstance+0x11e7 CoGetContextToken-0x729 ole32+0x28677 @ 0x7feffa18677
CoCreateInstance+0xa5e CoGetContextToken-0xeb2 ole32+0x27eee @ 0x7feffa17eee
CoInitializeEx+0x722 CoGetMalloc-0x3ee ole32+0x23152 @ 0x7feffa13152
CoCreateInstance+0x17b CoGetContextToken-0x1795 ole32+0x2760b @ 0x7feffa1760b
New_ole32_CoCreateInstance+0x10e New_ole32_CoCreateInstanceEx-0x75 @ 0x65aa4785
SHGetSpecialFolderLocation+0x2d70 ShellExecuteExW-0x25fc shell32+0x25674 @ 0x7fefde35674
SHCLSIDFromString+0x76b SHGetFolderLocation-0x2119 shell32+0x8815b @ 0x7fefde9815b
SHCreateDirectoryExW+0x220 SHGetKnownFolderPath-0xfdc shell32+0xa3d08 @ 0x7fefdeb3d08
SHCLSIDFromString+0x6e3 SHGetFolderLocation-0x21a1 shell32+0x880d3 @ 0x7fefde980d3
SHCLSIDFromString+0x8ea SHGetFolderLocation-0x1f9a shell32+0x882da @ 0x7fefde982da
ILFindLastID+0x1013 ILCloneFirst-0xb4d shell32+0x9cae3 @ 0x7fefdeacae3
SHCLSIDFromString+0x8a2 SHGetFolderLocation-0x1fe2 shell32+0x88292 @ 0x7fefde98292
SHCLSIDFromString+0x93c SHGetFolderLocation-0x1f48 shell32+0x8832c @ 0x7fefde9832c
SHRestricted+0x897 SHGetFolderPathEx-0xf35 shell32+0x82bbf @ 0x7fefde92bbf
SHRestricted+0xc19 SHGetFolderPathEx-0xbb3 shell32+0x82f41 @ 0x7fefde92f41
SHRestricted+0x12aa SHGetFolderPathEx-0x522 shell32+0x835d2 @ 0x7fefde935d2
SHRestricted+0x27e SHGetFolderPathEx-0x154e shell32+0x825a6 @ 0x7fefde925a6
SHCLSIDFromString+0x43b SHGetFolderLocation-0x2449 shell32+0x87e2b @ 0x7fefde97e2b
SHGetFolderPathW+0x940 SHParseDisplayName-0x8c shell32+0x844e4 @ 0x7fefde944e4
SHParseDisplayName+0x25e AssocGetDetailsOfPropKey-0x2022 shell32+0x847ce @ 0x7fefde947ce
SHGetFolderPathW+0x940 SHParseDisplayName-0x8c shell32+0x844e4 @ 0x7fefde944e4
SHParseDisplayName+0xe8 AssocGetDetailsOfPropKey-0x2198 shell32+0x84658 @ 0x7fefde94658
SHCreateShellItemArrayFromIDLists+0x9be SHDefExtractIconW-0x1c82 shell32+0x68ffa @ 0x7fefde78ffa
SHCreateShellItemArrayFromIDLists+0x637 SHDefExtractIconW-0x2009 shell32+0x68c73 @ 0x7fefde78c73
SHCreateShellItemArrayFromIDLists+0x40e SHDefExtractIconW-0x2232 shell32+0x68a4a @ 0x7fefde78a4a
SHParseDisplayName+0x18f7 AssocGetDetailsOfPropKey-0x989 shell32+0x85e67 @ 0x7fefde95e67
AssocGetDetailsOfPropKey+0x1f3 SHCreateItemWithParent-0xa4d shell32+0x869e3 @ 0x7fefde969e3
SHEvaluateSystemCommandTemplate+0x8b5 SHCreateShellItemArrayFromIDLists-0x2b shell32+0x68611 @ 0x7fefde78611
SHGetFolderPathW+0x940 SHParseDisplayName-0x8c shell32+0x844e4 @ 0x7fefde944e4
SHParseDisplayName+0xe8 AssocGetDetailsOfPropKey-0x2198 shell32+0x84658 @ 0x7fefde94658
SHGetSpecialFolderLocation+0x246b ShellExecuteExW-0x2f01 shell32+0x24d6f @ 0x7fefde34d6f
SHGetSpecialFolderLocation+0x517c ShellExecuteExW-0x1f0 shell32+0x27a80 @ 0x7fefde37a80
SHGetSpecialFolderLocation+0x5111 ShellExecuteExW-0x25b shell32+0x27a15 @ 0x7fefde37a15
SHRegGetUSValueW+0x2ba SHCreateThread-0x232 shlwapi+0xc71e @ 0x7feff52c71e
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x778b652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x77aec521

exception.instruction_r: 41 c6 03 00 4d 3b d3 0f 84 47 70 01 00 eb ea 90
exception.instruction: mov byte ptr [r11], 0
exception.exception_code: 0xc00000fd
exception.symbol: ObjectStublessClient24+0x199a CLSIDFromString-0x456 ole32+0x1022a
exception.address: 0x7feffa0022a
registers.r14: 0
registers.r15: 0
registers.rcx: 1032220
registers.rsi: 0
registers.r10: 36241408
registers.rbx: 0
registers.rsp: 37288592
registers.r11: 36253696
registers.r8: 4
registers.r9: 37276544
registers.rdx: 20
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1032224
registers.r13: 0
success 0 0

Screenshots

No screenshots available.

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

Process cmd.exe (2304)

  • Opened files

    • C:\Users\zamen\AppData\Local\
    • C:\
    • C:\Users\zamen\AppData\
    • C:\Users\
    • C:\Users\zamen\AppData\Local\Temp\
    • C:\Users\zamen\AppData\Local\Temp\pwnAris
    • C:\Users\zamen\

Process cmd.exe (2304)

  • Registry keys read

    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParsingName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalizedName
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Stream
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Attributes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InitFolderHandler
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PublishExpandedPath
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResource
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\DocObject
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\FolderTypeID
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\BrowseInPlace
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Icon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResourceType
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\RelativePath
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Name
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParentFolder
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\AlwaysShowExt
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InfoTip
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalRedirectOnly
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorSystemHeapIsPrivate
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Category
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Description
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Roamable
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorUseSystemHeap
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PreCreate
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\IsShortcut
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Security
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\NeverShowExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

Process cmd.exe (2304)

  • Directories enumerated

    • C:\Users\zamen\AppData\Local\Temp\pwnAris.VBE
    • C:\Users\zamen\AppData\Local\Temp\pwnAris.WSF
    • C:\Users\zamen\AppData\Local\Temp\pwnAris.BAT
    • C:\Users\zamen\AppData\Local\Temp\pwnAris.*
    • C:\Users\zamen\AppData\Local\Temp\pwnAris.COM
    • C:\Users\zamen\AppData\Local\Temp\pwnAris.CMD
    • C:\Users\zamen\AppData\Local\Temp\pwnAris.WSH
    • C:\Users\zamen\AppData\Local\Temp\pwnAris.EXE
    • C:\Users\zamen\AppData\Local\Temp\pwnAris.VBS
    • C:\Users\zamen\AppData\Local\Temp\pwnAris.JSE
    • C:\Users\zamen\AppData\Local\Temp\pwnAris.JS
    • C:\Users\zamen\AppData\Local\Temp\pwnAris.MSC
    • C:\Users\zamen\AppData\Local\Temp\pwnAris

Process cmd.exe (2304)

  • DLLs Loaded

    • SHELL32.dll
    • ADVAPI32.dll
    • ole32.dll
    • PROPSYS.dll
    • OLEAUT32.dll
No static analysis available.
No antivirus signatures available.

Process Tree

cmd.exe, PID: 2304, Parent PID: 2280


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.
Task ID 1202
Mongo ID 5c46f33b11d30812ab71f23e
Cuckoo release 2.0-dev