File 0cf6bbb63ffe0c12777664d80b2797923844c8392d0fd81d7962ee5ee2c3c3d9_atapi.sys

Size 25.8KB
Type PE32+ executable (native) x86-64, for MS Windows
MD5 74b14192cf79a72f7536b27cb8814fbd
SHA1 682d6d307311c01734aeba17df3debec272d67b0
SHA256 0cf6bbb63ffe0c12777664d80b2797923844c8392d0fd81d7962ee5ee2c3c3d9
SHA512
cdff60e98a81e6a32460398d499a2b2ae2a3ba508938bfc859846017964743501dd7b5bb0ec56ee27eaad3776eb209b4422f61f6ffa87fb5b2585311d66520e1
CRC32 834BDFFA
ssdeep 384:BzzoyRLALMDTEPU5dPIv2V1uBmm9wieS52uYRWTbUwW/oYA5vDBRJARCIleAp8xt:BzoENvEPk+v2+guemOGRh1PoCQpKZn
PDB Path atapi.pdb
Yara
  • IsPE64 -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings

Score

This file appears fairly benign with a score of 0.6 out of 10.

Please note: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Category Started Completed Duration Logs
FILE Oct. 16, 2018, 2:08 a.m. Oct. 16, 2018, 2:08 a.m. 25 seconds
  • Error: Error from the Cuckoo Guest: Analysis failed: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted.
    Traceback (most recent call last):
      File "C:\wuspgfpnlk\analyzer.py", line 778, in <module>
        success = analyzer.run()
      File "C:\wuspgfpnlk\analyzer.py", line 626, in run
        (package_name, e)
    CuckooError: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted.

Machine

Name Label Started On Shutdown On
win7x64 win7x64 2018-10-16 02:08:27 2018-10-16 02:08:51

Analyzer Log

2018-10-15 19:08:26,046 [analyzer] DEBUG: Starting analyzer from: C:\wuspgfpnlk
2018-10-15 19:08:26,078 [analyzer] DEBUG: Pipe server name: \\.\PIPE\sKdKOokPpxYPGmwu
2018-10-15 19:08:26,078 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\orAomVkEsyLodLlzfQwWkYeakbPQbz
2018-10-15 19:08:26,078 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2018-10-15 19:08:26,078 [analyzer] INFO: Automatically selected analysis package "exe"
2018-10-15 19:08:28,931 [analyzer] DEBUG: Started auxiliary module Disguise
2018-10-15 19:08:29,276 [analyzer] DEBUG: Loaded monitor into process with pid 508
2018-10-15 19:08:29,276 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-10-15 19:08:29,276 [analyzer] DEBUG: Started auxiliary module Human
2018-10-15 19:08:29,276 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-10-15 19:08:29,276 [analyzer] DEBUG: Started auxiliary module Reboot
2018-10-15 19:08:29,493 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-10-15 19:08:29,509 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2018-10-15 19:08:29,509 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-10-15 19:08:30,430 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2018-10-15 19:08:31,474 [lib.api.process] ERROR: Failed to execute process from path u'C:\\Users\\zamen\\AppData\\Local\\Temp\\0cf6bbb63ffe0c12777664d80b2797923844c8392d0fd81d7962ee5ee2c3c3d9_atapi.sys' with arguments ['bin\\inject-x64.exe', '--app', u'C:\\Users\\zamen\\AppData\\Local\\Temp\\0CF6BB~1.SYS', '--only-start', '--curdir', u'C:\\Users\\zamen\\AppData\\Local\\Temp'] (Error: The operation completed successfully (ERROR_SUCCESS))

Cuckoo Log

2018-10-16 02:08:26,972 [lib.cuckoo.core.scheduler] INFO: Task #15: acquired machine win7x64 (label=win7x64)
2018-10-16 02:08:27,006 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 12494 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/15/dump.pcap)
2018-10-16 02:08:33,159 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2018-10-16 02:08:50,761 [lib.cuckoo.core.scheduler] ERROR: Error from the Cuckoo Guest: Analysis failed: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted.
Traceback (most recent call last):
  File "C:\wuspgfpnlk\analyzer.py", line 778, in <module>
    success = analyzer.run()
  File "C:\wuspgfpnlk\analyzer.py", line 626, in run
    (package_name, e)
CuckooError: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted.

2018-10-16 02:08:52,453 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2018-10-16 02:08:54,403 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f54bea59310>: Failed to establish a new connection: [Errno 111] Connection refused
2018-10-16 02:08:54,406 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f54bea59bd0>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f54bea59bd0>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

This executable is signed
This executable has a PDB path (1 event)
pdb_path atapi.pdb
The executable has PE anomalies (could be a false positive) (1 event)
section INIT

Screenshots

No screenshots available.

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

PE Compile Time

2013-08-22 07:40:39

PDB Path

atapi.pdb

Signing Certificate

MD5 9b8768cf26b91e1c2dda86ddd8f6ac53
SHA1 812705d0eddce07c8a1dccd9dc6e50c5e3d19219
Serial Number 330000002418fc0b689e7399d0000000000024
Common Name Microsoft Windows
Country US
Locality Redmond

Version Infos

LegalCopyright © Microsoft Corporation. All rights reserved.
InternalName atapi.sys
FileVersion 6.3.9600.16384 (winblue_rtm.130821-1623)
CompanyName Microsoft Corporation
ProductName Microsoft® Windows® Operating System
ProductVersion 6.3.9600.16384
FileDescription ATAPI IDE Miniport Driver
OriginalFilename atapi.sys
Translation 0x0409 0x04b0

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00002c2f 0x00002e00 6.20617587139
.rdata 0x00004000 0x0000045c 0x00000600 3.18283211641
.data 0x00005000 0x00000010 0x00000200 0.281091870762
.pdata 0x00006000 0x000001f8 0x00000200 4.09158925225
INIT 0x00007000 0x00000394 0x00000400 4.34464858024
.rsrc 0x00008000 0x000003f8 0x00000400 3.40591769265
.reloc 0x00009000 0x00000048 0x00000200 0.138729518149

Imports

AtaPortRequestCallback
AtaPortReleaseRequestSenseIrb
AtaPortCopyMemory
AtaPortConvertPhysicalAddressToUlong
AtaPortCompleteRequest
AtaPortNotification
AtaPortBuildRequestSenseIrb
AtaPortQuerySystemTime
AtaPortReadPortBufferUshort
AtaPortInitialize
AtaPortGetPhysicalAddress
AtaPortCompleteAllActiveRequests
AtaPortGetParentBusType
AtaPortStallExecution
AtaPortReadPortUchar
AtaPortDeviceStateChange
AtaPortWritePortUchar
AtaPortEtwTraceLog
AtaPortGetUnCachedExtension
AtaPortWritePortUlong
AtaPortWritePortBufferUshort
AtaPortGetDeviceBase
AtaPortGetScatterGatherList
ataport.SYS

Antivirus Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
McAfee Clean
Cylance Clean
AegisLab Clean
TheHacker Clean
BitDefender Clean
K7GW Clean
K7AntiVirus Clean
Invincea Clean
Baidu Clean
NANO-Antivirus Clean
Cyren Clean
Symantec Clean
TotalDefense Clean
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
Kaspersky Clean
Alibaba Clean
Babable Clean
ViRobot Clean
Rising Clean
Ad-Aware Clean
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition Clean
Fortinet Clean
Emsisoft Clean
Ikarus Clean
F-Prot Clean
Jiangmin Clean
Webroot Clean
Avira Clean
MAX Clean
Antiy-AVL Clean
Kingsoft Clean
Endgame Clean
Arcabit Clean
SUPERAntiSpyware Clean
ZoneAlarm Clean
Avast-Mobile Clean
Microsoft Clean
AhnLab-V3 Clean
VBA32 Clean
ALYac Clean
TACHYON Clean
Malwarebytes Clean
Panda Clean
Zoner Clean
ESET-NOD32 Clean
Tencent Clean
Yandex Clean
SentinelOne Clean
eGambit Clean
GData Clean
AVG Clean
Cybereason Clean
Paloalto Clean
CrowdStrike Clean
Qihoo-360 Clean

Process Tree


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.
Task ID 15
Mongo ID 5bc5807611d30829883cde06
Cuckoo release 2.0-dev