URL Details

URL
http://jtphqbsjpxjd.com/

Score

This url shows numerous signs of malicious behavior.

The score of this url is 2.2 out of 10.

Please note: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Category Started Completed Duration Logs
URL Jan. 22, 2019, 8:02 a.m. Jan. 22, 2019, 8:06 a.m. 262 seconds

Machine

Name Label Started On Shutdown On
win7x32 win7x32 2019-01-22 08:02:13 2019-01-22 08:06:36

Analyzer Log

2019-01-22 00:02:13,155 [analyzer] DEBUG: Starting analyzer from: C:\jgxmfkjrq
2019-01-22 00:02:13,155 [analyzer] DEBUG: Pipe server name: \\.\PIPE\XxUJhFPEbjKwGNhr
2019-01-22 00:02:13,155 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\puLLFmteYKJCxCGpUSHOanQDIjQQTcM
2019-01-22 00:02:17,118 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-22 00:02:17,382 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-01-22 00:02:17,382 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-01-22 00:02:17,446 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit ncrypt.dll (with timestamp 0x586e85bb)
2019-01-22 00:02:17,446 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit ncrypt.dll (with timestamp 0x586e85bb)
2019-01-22 00:02:17,446 [analyzer] DEBUG: Loaded monitor into process with pid 476
2019-01-22 00:02:17,446 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-22 00:02:17,460 [analyzer] DEBUG: Started auxiliary module Human
2019-01-22 00:02:17,460 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-22 00:02:17,460 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-22 00:02:17,632 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-22 00:02:17,632 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-22 00:02:17,898 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Internet Explorer\\iexplore.exe' with arguments ['http://jtphqbsjpxjd.com/'] and pid 2872
2019-01-22 00:02:18,647 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-01-22 00:02:18,647 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-01-22 00:02:18,740 [analyzer] DEBUG: Loaded monitor into process with pid 2872
2019-01-22 00:02:19,427 [analyzer] DEBUG: Ignoring process "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon!
2019-01-22 00:02:22,157 [analyzer] INFO: Added new file to list with pid 2872 and path \Device\NamedPipe\wkssvc
2019-01-22 00:02:22,655 [analyzer] INFO: Added new file to list with pid 2872 and path C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0A13961A-1E1C-11E9-93EF-00505693AED0}.dat
2019-01-22 00:02:22,671 [analyzer] INFO: Added new file to list with pid 2872 and path C:\Users\admin\AppData\Local\Temp\~DF20C6232FDEDE7F8A.TMP
2019-01-22 00:02:23,029 [analyzer] INFO: Added new file to list with pid 2872 and path C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0A13961C-1E1C-11E9-93EF-00505693AED0}.dat
2019-01-22 00:02:23,046 [analyzer] INFO: Added new file to list with pid 2872 and path C:\Users\admin\AppData\Local\Temp\~DFC43B18348407ECFC.TMP
2019-01-22 00:02:23,124 [analyzer] DEBUG: Following legitimate iexplore process: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2872 CREDAT:209921 /prefetch:2!
2019-01-22 00:02:23,171 [analyzer] INFO: Injected into process with pid 3052 and name u'iexplore.exe'
2019-01-22 00:02:23,311 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-01-22 00:02:23,311 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-01-22 00:02:23,374 [analyzer] DEBUG: Loaded monitor into process with pid 3052
2019-01-22 00:02:23,451 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2019-01-22 00:02:23,467 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2019-01-22 00:02:23,467 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2019-01-22 00:02:23,467 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2019-01-22 00:02:23,467 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2019-01-22 00:02:23,467 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2019-01-22 00:02:23,467 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2019-01-22 00:02:23,467 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2019-01-22 00:02:23,467 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2019-01-22 00:02:23,467 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2019-01-22 00:02:23,467 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2019-01-22 00:02:23,467 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2019-01-22 00:02:23,467 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2019-01-22 00:02:23,467 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2019-01-22 00:02:38,520 [analyzer] INFO: Added new file to list with pid 2872 and path C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1534E541-1E1C-11E9-93EF-00505693AED0}.dat
2019-01-22 00:02:38,520 [analyzer] INFO: Added new file to list with pid 2872 and path C:\Users\admin\AppData\Local\Temp\~DFF9835651C9EB57F2.TMP
2019-01-22 00:02:52,670 [analyzer] INFO: Added new file to list with pid 2872 and path C:\Users\admin\Favorites\Links\Suggested Sites.url
2019-01-22 00:02:52,686 [analyzer] INFO: Added new file to list with pid 2872 and path C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml
2019-01-22 00:02:52,858 [analyzer] INFO: Added new file to list with pid 2872 and path C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
2019-01-22 00:02:52,904 [analyzer] INFO: Added new file to list with pid 2872 and path C:\Users\admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
2019-01-22 00:02:52,982 [analyzer] INFO: Added new file to list with pid 2872 and path C:\Users\admin\AppData\Local\Temp\www41C0.tmp
2019-01-22 00:02:52,982 [analyzer] INFO: Added new file to list with pid 2872 and path C:\Users\admin\AppData\Local\Temp\www41C1.tmp
2019-01-22 00:02:52,997 [analyzer] INFO: Added new file to list with pid 2872 and path C:\Users\admin\AppData\Local\Temp\www41D2.tmp
2019-01-22 00:06:21,492 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-22 00:06:24,581 [lib.api.process] INFO: Memory dump of process with pid 2872 completed
2019-01-22 00:06:27,201 [lib.common.results] ERROR: Exception uploading file c:\users\admin\appdata\local\temp\tmphniohy to host: [Errno 9] Bad file descriptor
2019-01-22 00:06:27,388 [lib.api.process] INFO: Memory dump of process with pid 3052 completed
2019-01-22 00:06:27,388 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-22 00:06:27,404 [lib.api.process] INFO: Successfully terminated process with pid 2872.
2019-01-22 00:06:27,404 [lib.api.process] INFO: Successfully terminated process with pid 3052.
2019-01-22 00:06:27,404 [analyzer] INFO: Error dumping file from path "c:\users\admin\appdata\local\temp\~dfc43b18348407ecfc.tmp": [Errno 13] Permission denied: u'c:\\users\\admin\\appdata\\local\\temp\\~dfc43b18348407ecfc.tmp'
2019-01-22 00:06:27,420 [analyzer] WARNING: File at path "u'c:\\users\\admin\\appdata\\local\\temp\\www41d2.tmp'" does not exist, skip.
2019-01-22 00:06:27,451 [analyzer] WARNING: File at path "u'c:\\users\\admin\\appdata\\local\\temp\\www41c0.tmp'" does not exist, skip.
2019-01-22 00:06:27,451 [analyzer] WARNING: File at path "u'\\device\\namedpipe\\wkssvc'" does not exist, skip.
2019-01-22 00:06:27,451 [analyzer] WARNING: File at path "u'c:\\users\\admin\\appdata\\local\\temp\\~df20c6232fdede7f8a.tmp'" does not exist, skip.
2019-01-22 00:06:27,451 [analyzer] WARNING: File at path "u'c:\\users\\admin\\appdata\\local\\temp\\www41c1.tmp'" does not exist, skip.
2019-01-22 00:06:27,451 [analyzer] WARNING: File at path "u'c:\\users\\admin\\appdata\\local\\temp\\~dff9835651c9eb57f2.tmp'" does not exist, skip.
2019-01-22 00:06:27,451 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-01-22 08:02:13,547 [lib.cuckoo.core.scheduler] INFO: Task #1214: acquired machine win7x32 (label=win7x32)
2019-01-22 08:02:13,570 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 13034 (interface=eth2, host=192.168.128.112, pcap=/opt/cuckoo/storage/analyses/1214/dump.pcap)
2019-01-22 08:02:21,914 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x32, ip=192.168.128.112)
2019-01-22 08:06:34,096 [lib.cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2019-01-22 08:06:35,024 [lib.cuckoo.core.guest] INFO: win7x32: analysis completed successfully
2019-01-22 08:06:46,622 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-22 08:06:48,617 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f8cd590>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-22 08:06:48,618 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2019-01-22 08:06:48,619 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2019-01-22 08:06:48,620 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2019-01-22 08:06:48,620 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f8cddd0>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f8cddd0>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Internet Explorer creates one or more martian processes (1 event)
cmdline "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2872 CREDAT:209921 /prefetch:2
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)
dead_host 192.168.168.38:2869
dead_host 192.168.12.22:2869
dead_host 192.168.12.14:2869

Summary

Process iexplore.exe (2872)

  • Opened files

    • C:\
    • C:\Users\admin\AppData\Local\Microsoft
    • C:\Windows\System32\sspicli.dll
    • C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    • C:\Users\admin\Favorites\desktop.ini
    • C:\Windows\System32\en-US\MSCTF.dll.mui
    • C:\Users\admin\Favorites\Microsoft Websites\
    • C:\Users\admin\Favorites\
    • C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url
    • C:\Users\admin\AppData\Roaming\Adobe\Flash Player\NativeCache
    • C:\Windows\System32\shell32.dll
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
    • C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active
    • C:\Users\admin\AppData\Local\Temp\www41C0.tmp
    • C:\Program Files\
    • C:\Users\admin\AppData\Local\Microsoft\Windows
    • C:\Users\admin\Favorites\MSN Websites\MSN.url
    • C:\Windows\Globalization\Sorting\sortdefault.nls
    • C:\Users\admin\Favorites\MSN Websites\MSNBC News.url
    • C:\Users\admin\Favorites\MSN Websites\
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tracking Protection
    • C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low
    • C:\Users\admin\Favorites\MSN Websites\MSN Sports.url
    • C:\Windows\System32\ieframe.dll
    • C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
    • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
    • C:\Windows\System32\en-US\IEFRAME.dll.mui
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
    • C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\DNTException\Low
    • C:\Program Files\Microsoft Office\Office12\
    • C:\Users\admin\Favorites\MSN Websites\MSN Autos.url
    • C:\Users\admin\AppData\Local\Temp\www41C1.tmp
    • C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
    • C:\Program Files\Common Files\Adobe\Acrobat\
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low
    • C:\Program Files\Common Files\Adobe\
    • C:\Windows\Fonts\staticcache.dat
    • C:\Users\admin\Favorites\Links\Web Slice Gallery.url
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low
    • C:\Users\admin\AppData\Local\Microsoft\PlayReady
    • C:\Users\admin\Favorites
    • C:\Users\admin
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
    • \\?\PIPE\wkssvc
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db
    • C:\Users\admin\AppData\Local\Microsoft\Feeds
    • C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\
    • C:\Users\admin\AppData\Local\Microsoft\Windows\History\desktop.ini
    • C:\Users\admin\Favorites\Links for United States\
    • C:\Users\admin\AppData\Local
    • C:\Users
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
    • C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url
    • C:\Users\desktop.ini
    • C:\Program Files\Common Files\
    • C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url
    • \??\FDC#GENERIC_FLOPPY_DRIVE#6&3b4c39bd&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    • C:\Users\admin\Favorites\Links\Suggested Sites.url
    • C:\Users\admin\Favorites\Windows Live\
    • C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url
    • C:\Users\admin\Favorites\Windows Live\Get Windows Live.url
    • C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url
    • C:\Users\admin\AppData\Local\Temp\Low
    • C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\
    • C:\Users\admin\AppData\Local\Temp\www41D2.tmp
    • C:\Users\admin\Favorites\Links\desktop.ini
    • C:\Users\admin\Favorites\Links for United States\USA.gov.url
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
    • C:\Users\admin\Desktop\desktop.ini
    • C:\Users\admin\Desktop
    • C:\Windows\System32\en-US\shell32.DLL.mui
    • C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url
    • C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml
    • C:\Program Files\Microsoft Office\
    • C:\Users\admin\Favorites\Links\
    • C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url
    • C:\Users\admin\Favorites\MSN Websites\MSN Money.url
    • C:\Windows\System32\en-US\SETUPAPI.dll.mui
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
    • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
    • C:\Users\admin\AppData
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
  • Written files

    • C:\Users\admin\AppData\Local\Temp\~DFC43B18348407ECFC.TMP
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0A13961A-1E1C-11E9-93EF-00505693AED0}.dat
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
    • C:\Users\admin\AppData\Local\Temp\www41D2.tmp
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml
    • C:\Users\admin\Favorites\Links\Suggested Sites.url
    • \\?\PIPE\wkssvc
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0A13961C-1E1C-11E9-93EF-00505693AED0}.dat
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1534E541-1E1C-11E9-93EF-00505693AED0}.dat
    • C:\Users\admin\AppData\Local\Temp\www41C0.tmp
    • C:\Users\admin\AppData\Local\Temp\~DF20C6232FDEDE7F8A.TMP
    • C:\Users\admin\AppData\Local\Temp\www41C1.tmp
    • C:\Users\admin\AppData\Local\Temp\~DFF9835651C9EB57F2.TMP

  • Processes created

    • "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2872 CREDAT:209921 /prefetch:2
  • DLLs Loaded

    • IEFRAME.dll
    • C:\Windows\System32\mswsock.dll
    • urlmon.dll
    • apphelp.dll
    • CRYPT32.dll
    • DNSAPI.dll
    • C:\Program Files\Internet Explorer\ieproxy.dll
    • kernel32.dll
    • API-MS-Win-Security-SDDL-L1-1-0.dll
    • CRYPTBASE.dll
    • C:\Windows\system32\ole32.dll
    • RPCRT4.dll
    • dwmapi.dll
    • rasadhlp.dll
    • dhcpcsvc.DLL
    • winhttp.dll
    • ntmarta.dll
    • api-ms-win-downlevel-advapi32-l1-1-0.dll
    • api-ms-win-downlevel-advapi32-l2-1-0.dll
    • C:\Windows\system32\MSCTF.dll
    • PROPSYS.dll
    • NTDLL.DLL
    • WININET.dll
    • msfeeds.dll
    • API-MS-Win-Core-LocalRegistry-L1-1-0.dll
    • api-ms-win-downlevel-ole32-l1-1-0.dll
    • Secur32.dll
    • OLEAUT32.DLL
    • MLANG.dll
    • IPHLPAPI.DLL
    • API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-0.DLL
    • cryptbase.dll
    • ole32.dll
    • USERENV.dll
    • CRYPTSP.dll
    • USER32.dll
    • IMM32.dll
    • C:\Program Files\Internet Explorer\sqmapi.dll
    • comdlg32.dll
    • NETAPI32.dll
    • SspiCli.dll
    • api-ms-win-downlevel-shell32-l1-1-0.dll
    • USP10.DLL
    • C:\Program Files\Internet Explorer\suspend.dll
    • IEUI.dll
    • WindowsCodecs.dll
    • OLEAUT32.dll
    • profapi.dll
    • SHELL32.dll
    • IEShims.dll
    • C:\Windows\System32\wship6.dll
    • comctl32.dll
    • C:\Windows\system32\oleaut32.dll
    • api-ms-win-core-winrt-string-l1-1-0.dll
    • C:\Windows\system32\IEUI.dll
    • dhcpcsvc6.DLL
    • UxTheme.dll
    • CRYPTBASE.DLL
    • C:\Windows\system32\mswsock.dll
    • api-ms-win-downlevel-shlwapi-l2-1-0.dll
    • ADVAPI32.dll
    • rpcrt4.dll
    • C:\Windows\System32\wshtcpip.dll
    • SETUPAPI.dll
    • WS2_32.dll
    • user32.dll
    • MSIMG32.dll

No static analysis available.
No antivirus signatures available.

Process Tree

iexplore.exe, PID: 2872, Parent PID: 2844


iexplore.exe, PID: 3052, Parent PID: 2872


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.112 49208 192.168.128.111 53
192.168.128.112 49254 192.168.128.111 53
192.168.128.112 50804 192.168.128.111 53
192.168.128.112 51336 192.168.128.111 53
192.168.128.112 51778 192.168.128.111 53
192.168.128.112 52039 192.168.128.111 53
192.168.128.112 52481 192.168.128.111 53
192.168.128.112 53921 192.168.128.111 53
192.168.128.112 56984 192.168.128.111 53
192.168.128.112 58297 192.168.128.111 53
192.168.128.112 58300 192.168.128.111 53
192.168.128.112 62123 192.168.128.111 53
192.168.128.112 62873 192.168.128.111 53
192.168.128.112 63356 192.168.128.111 53
192.168.128.112 63597 192.168.128.111 53
192.168.128.112 137 192.168.128.255 137
192.168.128.112 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name f21b503955e31034_feedsstore.feedsdb-ms
Filepath C:\Users\admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
Size 7.0KB
Processes 2872 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 b55397a6254da55ea342766948db6053
SHA1 b7aafcd7c22d70ea6f15d0aaed66c5532716f65a
SHA256 f21b503955e310347de74b1e5c60a6062bde6dfc5bcd5830b7a00cd2b36eaa78
CRC32 3FBE5805
ssdeep 192:Wxb3LjPH0wjPHaw+tupw+tu6Z/cASgUbwRwKI3:WxXjPH0wjPHaw+spw+s6Z/c3gUbwRBI3
Yara
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_OLE_file_magic_number -
Name df8092351e1d54b7_suggested sites~.feed-ms
Filepath C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
Size 32.0KB
Processes 2872 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 7e5c3339faecdfe8a3623a7ebcbad5aa
SHA1 0030653779892663e84ad4d90939cbba09ce88fe
SHA256 df8092351e1d54b7d0098fef1c79102dc6d8f75ed125e33aa53939b20d6e6808
CRC32 9D9A5B87
ssdeep 24:Jo3hbf+8Mbf+8z2ACh6JbASOtfjOACh6JbASOt:C3tf+pf+KGkJ8+kJ
Yara
  • maldoc_OLE_file_magic_number -
Name c61cf6878520addf_{1534e541-1e1c-11e9-93ef-00505693aed0}.dat
Filepath C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1534E541-1E1C-11E9-93EF-00505693AED0}.dat
Size 3.5KB
Processes 2872 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 69112ba35a09ec314af85d6d0369096c
SHA1 e79c1319ea7c6c1d532264fad2877cfb8a2db281
SHA256 c61cf6878520addf3c0e3a19605d6096551eb0022a88aed244f91e204cc74023
CRC32 505B800B
ssdeep 12:rlxAFrsDrEgm8GD7KFEklXDrEgm8GD7qjNlpQA9dI:rEYG8llTG8NNlaAg
Yara
  • maldoc_OLE_file_magic_number -
Name e3ab045d746a0821_suggested sites.url
Filepath C:\Users\admin\Favorites\Links\Suggested Sites.url
Size 236.0B
Processes 2872 (iexplore.exe)
Type ASCII text, with CRLF line terminators
MD5 11cede0563d1d61930e433cd638d6419
SHA1 366b26547292482b871404b33930cefca8810dbd
SHA256 e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9
CRC32 2C9F5B4E
ssdeep 6:J254vVG/4xPpuFVm4ADGZslbQKeADGZsuGsW/k2:3VW4x8FVmZDGilMKTDGj7W/k2
Yara
  • contentis_base64 - This rule finds for base64 strings
Name e037340355f642e8_msapplication.xml
Filepath C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml
Size 385.0B
Processes 2872 (iexplore.exe)
Type XML document text
MD5 67d7decf16377a24dff39698c2bd7139
SHA1 791a44f06fdcbcffd80dbc1de0db3a1d4674a251
SHA256 e037340355f642e884812cc102da2ce905398888d7cca3df5cdc6347370666fc
CRC32 F16EEED3
ssdeep 12:TMHdNMNxvDGwd3Did31nWimI00OhJabU5EtMb:2d6NxvJdudlSZ7Paeb
Yara
  • contentis_base64 - This rule finds for base64 strings
Name bb701f399cf6d44e_{0a13961c-1e1c-11e9-93ef-00505693aed0}.dat
Filepath C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0A13961C-1E1C-11E9-93EF-00505693AED0}.dat
Size 4.0KB
Processes 2872 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 c96dd8638aa604620da540924595f66b
SHA1 ded02380c445cff5c18fcb776fa14ab41da05593
SHA256 bb701f399cf6d44e5883b4e2ec01afda871897150330a0996b6859639317d45f
CRC32 FAC8B830
ssdeep 12:rl0oXGFAnrEgmfkx76FmSkxrEgmfkx7qjNlMcadEXTthlC7NlMcadEXTtnLs:r5GMdxGMCNlMxE7WNlMxEN
Yara
  • maldoc_OLE_file_magic_number -
Name e233213c41489eb8_recoverystore.{0a13961a-1e1c-11e9-93ef-00505693aed0}.dat
Filepath C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0A13961A-1E1C-11E9-93EF-00505693AED0}.dat
Size 5.5KB
Processes 2872 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 374ee74d2726ae90c36275f36bc88715
SHA1 50aec080aa679f099948414a090f557ec681535e
SHA256 e233213c41489eb898ea12da73411a5939fba3e226484bfd262bbbb4bb9bf429
CRC32 CA60397B
ssdeep 24:rVHGW/QIplXXEWGo/QEIplX19NlWVIplXlIplXyNlW:r5GWDLGo4HFocc7
Yara
  • maldoc_OLE_file_magic_number -
Sorry! No dropped buffers.
Task ID 1214
Mongo ID 5c47156911d30812ab71f345
Cuckoo release 2.0-dev