URL Details

URL
http://xlgvdrsartlo.com/

Score

This URL appears fairly benign with a score of 0.0 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Category | Started | Completed | Duration
URL | Nov. 5, 2018, 10:25 a.m. | Nov. 5, 2018, 10:26 a.m. | 24 seconds

Machine

Name | Label | Started On | Shutdown On
winxpsp3x86 | winxpsp3x86 | 2018-11-05 10:25:50 | 2018-11-05 10:26:12

Analyzer Log

2018-11-05 18:25:49,015 [analyzer] DEBUG: Starting analyzer from: C:\matfv
2018-11-05 18:25:49,030 [analyzer] DEBUG: Pipe server name: \\.\PIPE\ORFGKRvmKKXTddnjKJmmxWRFE
2018-11-05 18:25:49,030 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\txZJwJnFwVMbDhtyfAn
2018-11-05 18:25:50,875 [analyzer] DEBUG: Started auxiliary module Disguise
2018-11-05 18:25:51,015 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2018-11-05 18:25:51,015 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2018-11-05 18:25:51,078 [analyzer] DEBUG: Loaded monitor into process with pid 700
2018-11-05 18:25:51,078 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-11-05 18:25:51,078 [analyzer] DEBUG: Started auxiliary module Human
2018-11-05 18:25:51,078 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-11-05 18:25:51,078 [analyzer] DEBUG: Started auxiliary module Reboot
2018-11-05 18:25:51,467 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-11-05 18:25:51,467 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-11-05 18:25:51,608 [lib.api.process] INFO: Successfully executed process from path 'C:\\WINDOWS\\System32\\control.exe' with arguments ['http://xlgvdrsartlo.com/'] and pid 1628
2018-11-05 18:25:51,717 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2018-11-05 18:25:51,717 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2018-11-05 18:25:51,812 [analyzer] DEBUG: Loaded monitor into process with pid 1628
2018-11-05 18:25:51,828 [analyzer] DEBUG: Received request to inject pid=1628, but we are already injected there.
2018-11-05 18:25:52,155 [analyzer] INFO: Injected into process with pid 1784 and name u'rundll32.exe'
2018-11-05 18:25:52,250 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2018-11-05 18:25:52,250 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2018-11-05 18:25:52,328 [analyzer] DEBUG: Loaded monitor into process with pid 1784
2018-11-05 18:25:52,342 [analyzer] DEBUG: Received request to inject pid=1784, but we are already injected there.
2018-11-05 18:25:54,733 [lib.api.process] INFO: Memory dump of process with pid 1784 completed
2018-11-05 18:25:55,625 [analyzer] INFO: Process with pid 1784 has terminated
2018-11-05 18:26:03,155 [lib.api.process] INFO: Memory dump of process with pid 1628 completed
2018-11-05 18:26:03,625 [analyzer] INFO: Process with pid 1628 has terminated
2018-11-05 18:26:03,625 [analyzer] INFO: Process list is empty, terminating analysis.
2018-11-05 18:26:04,625 [analyzer] INFO: Terminating remaining processes before shutdown.
2018-11-05 18:26:04,625 [analyzer] INFO: Analysis completed.

Cuckoo Log

2018-11-05 10:25:50,216 [lib.cuckoo.core.scheduler] INFO: Task #52: acquired machine winxpsp3x86 (label=winxpsp3x86)
2018-11-05 10:25:50,243 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 6988 (interface=eth2, host=192.168.128.101, pcap=/opt/cuckoo/storage/analyses/52/dump.pcap)
2018-11-05 10:25:53,792 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3x86, ip=192.168.128.101)
2018-11-05 10:26:12,414 [lib.cuckoo.core.guest] INFO: winxpsp3x86: analysis completed successfully
2018-11-05 10:26:16,635 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2018-11-05 10:26:36,663 [modules.processing.virustotal] WARNING: Error fetching results from VirusTotal for "http://xlgvdrsartlo.com/": Unable to fetch VirusTotal results: MaxRetryError("HTTPSConnectionPool(host='www.virustotal.com', port=443): Max retries exceeded with url: /vtapi/v2/url/report (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f728c73ccd0>: Failed to establish a new connection: [Errno -2] Name or service not known',))",)
2018-11-05 10:26:37,018 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f728c6855d0>: Failed to establish a new connection: [Errno 111] Connection refused
2018-11-05 10:26:37,019 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2018-11-05 10:26:37,020 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2018-11-05 10:26:37,020 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2018-11-05 10:26:37,021 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f728c685150>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f728c685150>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

No signatures

Network

DNS

Name Response Post-Analysis Lookup
time.windows.com

Summary

Process rundll32.exe (1784)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\CUAS

Process control.exe (1628)

  • Registry keys opened

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Groove\Development
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\control.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Australia Standard Time\Dlt
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Australia Standard Time\Std
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Australia Standard Time\Tzi
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\CUAS
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\TimeZoneKeyName

Process rundll32.exe (1784)

  • Mutexes accessed

    • CTF.TimListCache.FMPDefaultS-1-5-21-1844237615-1935655697-725345543-1003MUTEX.DefaultS-1-5-21-1844237615-1935655697-725345543-1003
    • CTF.LBES.MutexDefaultS-1-5-21-1844237615-1935655697-725345543-1003
    • CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1935655697-725345543-1003
    • CTF.TMD.MutexDefaultS-1-5-21-1844237615-1935655697-725345543-1003
    • CTF.Compart.MutexDefaultS-1-5-21-1844237615-1935655697-725345543-1003
    • CTF.Asm.MutexDefaultS-1-5-21-1844237615-1935655697-725345543-1003

Process control.exe (1628)

  • Mutexes accessed

    • CTF.TimListCache.FMPDefaultS-1-5-21-1844237615-1935655697-725345543-1003MUTEX.DefaultS-1-5-21-1844237615-1935655697-725345543-1003
    • CTF.LBES.MutexDefaultS-1-5-21-1844237615-1935655697-725345543-1003
    • CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1935655697-725345543-1003
    • CTF.TMD.MutexDefaultS-1-5-21-1844237615-1935655697-725345543-1003
    • CTF.Compart.MutexDefaultS-1-5-21-1844237615-1935655697-725345543-1003
    • CTF.Asm.MutexDefaultS-1-5-21-1844237615-1935655697-725345543-1003

Process control.exe (1628)

  • Directories enumerated

    • C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
    • C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
    • C:\WINDOWS
    • C:\WINDOWS\WinSxS

Process rundll32.exe (1784)

  • DLLs Loaded

    • Shell32.dll
    • C:\WINDOWS\system32\MSCTF.dll
    • uxtheme.dll
    • ole32.dll
    • C:\WINDOWS\system32\uxtheme.dll

Process control.exe (1628)

  • Processes created

    • "C:\WINDOWS\system32\rundll32.exe" Shell32.dll,Control_RunDLL http://xlgvdrsartlo.com/
    • rundll32.exe Shell32.dll,Control_RunDLL http://xlgvdrsartlo.com/
  • DLLs Loaded

    • C:\WINDOWS\system32\MSCTF.dll
    • MSImg32.dll
    • UXTHEME.DLL
    • Kernel32.DLL
    • uxtheme.dll
    • oleaut32.dll
    • C:\WINDOWS\system32\uxtheme.dll
    • user32.dll
    • Comctl32.dll

No static analysis available.
No antivirus signatures available.

Process Tree

control.exe, PID: 1628, Parent PID: 1132

rundll32.exe, PID: 1784, Parent PID: 1628

Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more thorough PCAP analysis, including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.101 1025 192.168.128.111 53
192.168.128.101 138 192.168.128.255 138
192.168.128.101 1037 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.

Task ID 52
Mongo ID 5be0612d11d30814d163dfc4
Cuckoo release 2.0-dev