URL Details

URL
http://jaogfdbxczqj.com/

Score

This URL appears fairly benign, with a score of 0.6 out of 10.

Please note: the scoring system is still under development and should be considered an alpha feature.

Information on Execution

Category Started Completed Duration Logs
URL Nov. 5, 2018, 5:45 p.m. Nov. 5, 2018, 5:49 p.m. 267 seconds

Machine

Name Label Started On Shutdown On
win7x32 win7x32 2018-11-05 17:45:17 2018-11-05 17:49:41

Analyzer Log

2018-11-05 09:45:16,187 [analyzer] DEBUG: Starting analyzer from: C:\dohckxe
2018-11-05 09:45:16,187 [analyzer] DEBUG: Pipe server name: \\.\PIPE\PYLUcvkDrAoHnrrMQTCnqtXpqbNvN
2018-11-05 09:45:16,187 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\tYsOfGGlJulkprMdWLANhSCtERLzKByl
2018-11-05 09:45:19,680 [analyzer] DEBUG: Started auxiliary module Disguise
2018-11-05 09:45:19,946 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2018-11-05 09:45:19,961 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2018-11-05 09:45:20,023 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit ncrypt.dll (with timestamp 0x586e85bb)
2018-11-05 09:45:20,023 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit ncrypt.dll (with timestamp 0x586e85bb)
2018-11-05 09:45:20,023 [analyzer] DEBUG: Loaded monitor into process with pid 476
2018-11-05 09:45:20,039 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-11-05 09:45:20,039 [analyzer] DEBUG: Started auxiliary module Human
2018-11-05 09:45:20,039 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-11-05 09:45:20,039 [analyzer] DEBUG: Started auxiliary module Reboot
2018-11-05 09:45:20,243 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-11-05 09:45:20,243 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-11-05 09:45:20,476 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Internet Explorer\\iexplore.exe' with arguments ['http://jaogfdbxczqj.com/'] and pid 2860
2018-11-05 09:45:21,194 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2018-11-05 09:45:21,194 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2018-11-05 09:45:21,272 [analyzer] DEBUG: Loaded monitor into process with pid 2860
2018-11-05 09:45:22,223 [analyzer] DEBUG: Ignoring process "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon!
2018-11-05 09:45:24,361 [analyzer] INFO: Added new file to list with pid 2860 and path \Device\NamedPipe\wkssvc
2018-11-05 09:45:24,953 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{91358EF5-E122-11E8-93EF-00505693AED0}.dat
2018-11-05 09:45:24,953 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Temp\~DF6BC684386CFD469A.TMP
2018-11-05 09:45:25,250 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{91358EF7-E122-11E8-93EF-00505693AED0}.dat
2018-11-05 09:45:25,266 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Temp\~DFC740D9A12C80E36C.TMP
2018-11-05 09:45:25,344 [analyzer] DEBUG: Following legitimate iexplore process: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2860 CREDAT:209921 /prefetch:2!
2018-11-05 09:45:25,421 [analyzer] INFO: Injected into process with pid 3040 and name u'iexplore.exe'
2018-11-05 09:45:25,562 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2018-11-05 09:45:25,562 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2018-11-05 09:45:25,625 [analyzer] DEBUG: Loaded monitor into process with pid 3040
2018-11-05 09:45:25,828 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2018-11-05 09:45:25,828 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2018-11-05 09:45:25,828 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2018-11-05 09:45:25,828 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2018-11-05 09:45:25,828 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2018-11-05 09:45:25,828 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2018-11-05 09:45:25,828 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2018-11-05 09:45:25,828 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2018-11-05 09:45:25,828 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2018-11-05 09:45:25,842 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2018-11-05 09:45:25,842 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2018-11-05 09:45:25,842 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2018-11-05 09:45:25,842 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2018-11-05 09:45:25,842 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2018-11-05 09:45:40,803 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9C0D1373-E122-11E8-93EF-00505693AED0}.dat
2018-11-05 09:45:40,803 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Temp\~DFA5A7DF9FE0222F83.TMP
2018-11-05 09:45:55,576 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\Favorites\Links\Suggested Sites.url
2018-11-05 09:45:55,592 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml
2018-11-05 09:45:55,717 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
2018-11-05 09:45:55,779 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
2018-11-05 09:45:55,842 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Temp\www4384.tmp
2018-11-05 09:45:55,858 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Temp\www4395.tmp
2018-11-05 09:45:55,872 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Temp\www43A6.tmp
2018-11-05 09:49:26,723 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-11-05 09:49:30,015 [lib.api.process] INFO: Memory dump of process with pid 2860 completed
2018-11-05 09:49:32,012 [lib.common.results] ERROR: Exception uploading file c:\users\admin\appdata\local\temp\tmpe7ihta to host: [Errno 9] Bad file descriptor
2018-11-05 09:49:32,213 [lib.api.process] INFO: Memory dump of process with pid 3040 completed
2018-11-05 09:49:32,213 [analyzer] INFO: Terminating remaining processes before shutdown.
2018-11-05 09:49:32,230 [lib.api.process] INFO: Successfully terminated process with pid 2860.
2018-11-05 09:49:32,230 [lib.api.process] INFO: Successfully terminated process with pid 3040.
2018-11-05 09:49:32,230 [analyzer] INFO: Error dumping file from path "c:\users\admin\appdata\local\temp\~dfc740d9a12c80e36c.tmp": [Errno 13] Permission denied: u'c:\\users\\admin\\appdata\\local\\temp\\~dfc740d9a12c80e36c.tmp'
2018-11-05 09:49:32,230 [analyzer] INFO: Error dumping file from path "c:\users\admin\appdata\local\temp\~df6bc684386cfd469a.tmp": [Errno 13] Permission denied: u'c:\\users\\admin\\appdata\\local\\temp\\~df6bc684386cfd469a.tmp'
2018-11-05 09:49:32,230 [analyzer] WARNING: File at path "u'c:\\users\\admin\\appdata\\local\\temp\\www4384.tmp'" does not exist, skip.
2018-11-05 09:49:32,292 [analyzer] WARNING: File at path "u'c:\\users\\admin\\appdata\\local\\temp\\www4395.tmp'" does not exist, skip.
2018-11-05 09:49:32,292 [analyzer] WARNING: File at path "u'\\device\\namedpipe\\wkssvc'" does not exist, skip.
2018-11-05 09:49:32,292 [analyzer] WARNING: File at path "u'c:\\users\\admin\\appdata\\local\\temp\\www43a6.tmp'" does not exist, skip.
2018-11-05 09:49:32,308 [analyzer] WARNING: File at path "u'c:\\users\\admin\\appdata\\local\\temp\\~dfa5a7df9fe0222f83.tmp'" does not exist, skip.
2018-11-05 09:49:32,308 [analyzer] INFO: Analysis completed.

Cuckoo Log

2018-11-05 17:45:16,792 [lib.cuckoo.core.scheduler] INFO: Task #66: acquired machine win7x32 (label=win7x32)
2018-11-05 17:45:17,068 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 7401 (interface=eth2, host=192.168.128.112, pcap=/opt/cuckoo/storage/analyses/66/dump.pcap)
2018-11-05 17:45:27,637 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x32, ip=192.168.128.112)
2018-11-05 17:49:40,076 [lib.cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2018-11-05 17:49:40,762 [lib.cuckoo.core.guest] INFO: win7x32: analysis completed successfully
2018-11-05 17:49:54,424 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2018-11-05 17:50:44,488 [modules.processing.virustotal] WARNING: Error fetching results from VirusTotal for "http://jaogfdbxczqj.com/": Unable to fetch VirusTotal results: MaxRetryError("HTTPSConnectionPool(host='www.virustotal.com', port=443): Max retries exceeded with url: /vtapi/v2/url/report (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f728c9c5250>: Failed to establish a new connection: [Errno -2] Name or service not known',))",)
2018-11-05 17:50:44,846 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f728c6382d0>: Failed to establish a new connection: [Errno 111] Connection refused
2018-11-05 17:50:44,849 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f728c638a10>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f728c638a10>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Internet Explorer creates one or more martian processes (1 event)
cmdline "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2860 CREDAT:209921 /prefetch:2

Screenshots

Network

Summary

Process iexplore.exe (2860)

  • Opened files

    • C:\
    • C:\Users\admin\AppData\Local\Microsoft
    • C:\Windows\System32\sspicli.dll
    • C:\Users\admin\AppData\Local\Temp\www43A6.tmp
    • C:\Users\admin\Favorites\desktop.ini
    • C:\Windows\System32\en-US\MSCTF.dll.mui
    • C:\Users\admin\Favorites\Microsoft Websites\
    • C:\Users\admin\Favorites\
    • C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url
    • C:\Users\admin\AppData\Roaming\Adobe\Flash Player\NativeCache
    • C:\Windows\System32\shell32.dll
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
    • C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active
    • C:\Program Files\
    • C:\Users\admin\AppData\Local\Microsoft\Windows
    • C:\Users\admin\Favorites\MSN Websites\MSN.url
    • C:\Windows\Globalization\Sorting\sortdefault.nls
    • C:\Users\admin\Favorites\MSN Websites\MSNBC News.url
    • C:\Users\admin\Favorites\MSN Websites\
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tracking Protection
    • C:\Users\admin\AppData\Local\Temp\www4395.tmp
    • C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low
    • C:\Users\admin\Favorites\MSN Websites\MSN Sports.url
    • C:\Windows\System32\ieframe.dll
    • C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
    • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
    • C:\Windows\System32\en-US\IEFRAME.dll.mui
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
    • C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    • C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\DNTException\Low
    • C:\Program Files\Microsoft Office\Office12\
    • C:\Users\admin\Favorites\MSN Websites\MSN Autos.url
    • C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
    • C:\Program Files\Common Files\Adobe\Acrobat\
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low
    • C:\Program Files\Common Files\Adobe\
    • C:\Windows\Fonts\staticcache.dat
    • C:\Users\admin\Favorites\Links\Web Slice Gallery.url
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low
    • C:\Users\admin\AppData\Local\Microsoft\PlayReady
    • C:\Users\admin\Favorites
    • C:\Users\admin
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
    • \\?\PIPE\wkssvc
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db
    • C:\Users\admin\AppData\Local\Microsoft\Feeds
    • C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\
    • C:\Users\admin\AppData\Local\Microsoft\Windows\History\desktop.ini
    • C:\Users\admin\Favorites\Links for United States\
    • C:\Users\admin\AppData\Local
    • C:\Users
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
    • C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url
    • C:\Users\desktop.ini
    • C:\Users\admin\AppData\Local\Temp\www4384.tmp
    • C:\Program Files\Common Files\
    • C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url
    • \??\FDC#GENERIC_FLOPPY_DRIVE#6&3b4c39bd&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    • C:\Users\admin\Favorites\Links\Suggested Sites.url
    • C:\Users\admin\Favorites\Windows Live\
    • C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url
    • C:\Users\admin\Favorites\Windows Live\Get Windows Live.url
    • C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url
    • C:\Users\admin\AppData\Local\Temp\Low
    • C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\
    • C:\Users\admin\Favorites\Links\desktop.ini
    • C:\Users\admin\Favorites\Links for United States\USA.gov.url
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
    • C:\Users\admin\Desktop\desktop.ini
    • C:\Users\admin\Desktop
    • C:\Windows\System32\en-US\shell32.DLL.mui
    • C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url
    • C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml
    • C:\Program Files\Microsoft Office\
    • C:\Users\admin\Favorites\Links\
    • C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url
    • C:\Users\admin\Favorites\MSN Websites\MSN Money.url
    • C:\Windows\System32\en-US\SETUPAPI.dll.mui
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
    • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
    • C:\Users\admin\AppData
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
  • Written files

    • C:\Users\admin\AppData\Local\Temp\~DFC740D9A12C80E36C.TMP
    • C:\Users\admin\AppData\Local\Temp\www43A6.tmp
    • C:\Users\admin\AppData\Local\Temp\~DF6BC684386CFD469A.TMP
    • C:\Users\admin\Favorites\Links\Suggested Sites.url
    • \\?\PIPE\wkssvc
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9C0D1373-E122-11E8-93EF-00505693AED0}.dat
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{91358EF7-E122-11E8-93EF-00505693AED0}.dat
    • C:\Users\admin\AppData\Local\Temp\www4395.tmp
    • C:\Users\admin\AppData\Local\Temp\www4384.tmp
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{91358EF5-E122-11E8-93EF-00505693AED0}.dat
    • C:\Users\admin\AppData\Local\Temp\~DFA5A7DF9FE0222F83.TMP

  • Processes created

    • "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2860 CREDAT:209921 /prefetch:2
  • DLLs Loaded

    • IEFRAME.dll
    • C:\Windows\System32\mswsock.dll
    • urlmon.dll
    • apphelp.dll
    • CRYPT32.dll
    • DNSAPI.dll
    • C:\Program Files\Internet Explorer\ieproxy.dll
    • kernel32.dll
    • API-MS-Win-Security-SDDL-L1-1-0.dll
    • CRYPTBASE.dll
    • C:\Windows\system32\ole32.dll
    • RPCRT4.dll
    • dwmapi.dll
    • NTDLL.DLL
    • dhcpcsvc.DLL
    • winhttp.dll
    • ntmarta.dll
    • api-ms-win-downlevel-advapi32-l1-1-0.dll
    • api-ms-win-downlevel-advapi32-l2-1-0.dll
    • rasadhlp.dll
    • C:\Windows\system32\MSCTF.dll
    • PROPSYS.dll
    • WININET.dll
    • msfeeds.dll
    • API-MS-Win-Core-LocalRegistry-L1-1-0.dll
    • api-ms-win-downlevel-ole32-l1-1-0.dll
    • Secur32.dll
    • OLEAUT32.DLL
    • MLANG.dll
    • IPHLPAPI.DLL
    • API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-0.DLL
    • cryptbase.dll
    • ole32.dll
    • USERENV.dll
    • CRYPTSP.dll
    • USER32.dll
    • IMM32.dll
    • C:\Program Files\Internet Explorer\sqmapi.dll
    • comdlg32.dll
    • NETAPI32.dll
    • SspiCli.dll
    • api-ms-win-downlevel-shell32-l1-1-0.dll
    • USP10.DLL
    • C:\Program Files\Internet Explorer\suspend.dll
    • IEUI.dll
    • WindowsCodecs.dll
    • OLEAUT32.dll
    • profapi.dll
    • SHELL32.dll
    • IEShims.dll
    • C:\Windows\System32\wship6.dll
    • comctl32.dll
    • C:\Windows\system32\oleaut32.dll
    • api-ms-win-core-winrt-string-l1-1-0.dll
    • C:\Windows\system32\IEUI.dll
    • dhcpcsvc6.DLL
    • UxTheme.dll
    • CRYPTBASE.DLL
    • C:\Windows\system32\mswsock.dll
    • api-ms-win-downlevel-shlwapi-l2-1-0.dll
    • ADVAPI32.dll
    • rpcrt4.dll
    • C:\Windows\System32\wshtcpip.dll
    • SETUPAPI.dll
    • WS2_32.dll
    • user32.dll
    • MSIMG32.dll

No static analysis available.
No antivirus signatures available.

Process Tree

iexplore.exe, PID: 2860, Parent PID: 2836

iexplore.exe, PID: 3040, Parent PID: 2860

Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.112 49208 192.168.128.111 53
192.168.128.112 49254 192.168.128.111 53
192.168.128.112 50804 192.168.128.111 53
192.168.128.112 51336 192.168.128.111 53
192.168.128.112 51778 192.168.128.111 53
192.168.128.112 52039 192.168.128.111 53
192.168.128.112 52481 192.168.128.111 53
192.168.128.112 53921 192.168.128.111 53
192.168.128.112 56984 192.168.128.111 53
192.168.128.112 58297 192.168.128.111 53
192.168.128.112 58300 192.168.128.111 53
192.168.128.112 62123 192.168.128.111 53
192.168.128.112 62873 192.168.128.111 53
192.168.128.112 63356 192.168.128.111 53
192.168.128.112 63597 192.168.128.111 53
192.168.128.112 137 192.168.128.255 137
192.168.128.112 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name d6356cbce8fafa4e_msapplication.xml
Filepath C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml
Size 385.0B
Processes 2860 (iexplore.exe)
Type XML document text
MD5 dcb8a571d1f6b13ac5dda0880b7f4452
SHA1 d56d93443ff13851541b608a3542650dfe24b69c
SHA256 d6356cbce8fafa4e585d0296a55a96b00a665847da4a2f2ca923289a56ddbc5b
CRC32 9C7D12FD
ssdeep 6:TMVBdc9EMdLD5LtRDGZch+C+dTD90/QL3WIZK0QhPPJJBMbZq5EtMjwu:TMHdNMNxvDGXNdnWimI00OhJabU5EtMb
Yara
  • contentis_base64 - This rule finds for base64 strings
Name ec603d1d25806657_{91358ef7-e122-11e8-93ef-00505693aed0}.dat
Filepath C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{91358EF7-E122-11E8-93EF-00505693AED0}.dat
Size 3.5KB
Processes 2860 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 98cbd00265314d8f6b2bb506fdb94eff
SHA1 1b2941815681aa83b174e3fa2b2de870a1b2a242
SHA256 ec603d1d25806657a453a4889f207f1b239143252941a7bbed944f3ea302a576
CRC32 9F35621E
ssdeep 12:rlxAFn0WrEgmfkx76FQkxrEgmfkx7qjNlMcadEXcNpb9CZ:rq7GM4xGMCNlMxEMNp5Q
Yara
  • maldoc_OLE_file_magic_number -
Name c733acc0b51b90a6_suggested sites~.feed-ms
Filepath C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
Size 32.0KB
Processes 2860 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 555616bd18b66b41442b3ac34376f469
SHA1 801b768c022d9942acc5b303a4d9d5140b5d729f
SHA256 c733acc0b51b90a6ad5855be671c9b3ab028bd2b6ff48de881ce2c45952ac0d0
CRC32 99601D40
ssdeep 24:JSbf+8zbf+8z2ACtrJbASotfjOACtrJbASot:cf++f+KGtrJC+trJ
Yara
  • maldoc_OLE_file_magic_number -
Name 7b6765b728006a06_{9c0d1373-e122-11e8-93ef-00505693aed0}.dat
Filepath C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9C0D1373-E122-11E8-93EF-00505693AED0}.dat
Size 3.5KB
Processes 2860 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 8bbece4b98ec87c2fbb020c4caf86ae8
SHA1 7e04da2d3c8917922a4fc5b3846f42753b6f52e9
SHA256 7b6765b728006a0633d9bf802cc7a98f2a47887f0d6c4a2cd057927cc3f092bb
CRC32 410002C3
ssdeep 12:rlxAFcsDrEgm8GD7KFkxklXDrEgm8GD7qjNlpQA9dI:rLYG8BlTG8NNlaAg
Yara
  • maldoc_OLE_file_magic_number -
Name 74d791b206b45495_recoverystore.{91358ef5-e122-11e8-93ef-00505693aed0}.dat
Filepath C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{91358EF5-E122-11E8-93EF-00505693AED0}.dat
Size 5.5KB
Processes 2860 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 d8a93cafacb46ef01149a7eb75ce3044
SHA1 07221730fea468e3249cab1df7f9cd61f093f6cf
SHA256 74d791b206b45495dfa552d20e297bc2aa9bb64beb496aaaed3e1fc106b08082
CRC32 DA59A44A
ssdeep 24:rvaGW/NUplXdGo/Q5UplX19NlW9FYQ+gbZdbKUplXAUplXyNlW9FYQ+gbZdbZ:riGWF+NGo45+FobT2+Q+7bT
Yara
  • maldoc_OLE_file_magic_number -
Name e3ab045d746a0821_suggested sites.url
Filepath C:\Users\admin\Favorites\Links\Suggested Sites.url
Size 236.0B
Processes 2860 (iexplore.exe)
Type ASCII text, with CRLF line terminators
MD5 11cede0563d1d61930e433cd638d6419
SHA1 366b26547292482b871404b33930cefca8810dbd
SHA256 e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9
CRC32 2C9F5B4E
ssdeep 6:J254vVG/4xPpuFVm4ADGZslbQKeADGZsuGsW/k2:3VW4x8FVmZDGilMKTDGj7W/k2
Yara
  • contentis_base64 - This rule finds for base64 strings
Name c4dd23eacc460e48_feedsstore.feedsdb-ms
Filepath C:\Users\admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
Size 7.0KB
Processes 2860 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 d85b6e1d888347a50d3411edc6be40b8
SHA1 dc2ac4ae4392d24bf8fb8adf6618097ef1b3e33f
SHA256 c4dd23eacc460e48ba848dd05e2263818a1ad3b489d5727f38ea83c3a97295c2
CRC32 4CDF17CA
ssdeep 192:gJYLjPHAmjPHaw+ipw+i6Z/cASgUbwRwKI3:gJOjPHAmjPHaw+ipw+i6Z/c3gUbwRBI3
Yara
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_OLE_file_magic_number -
Sorry! No dropped buffers.
Task ID 66
Mongo ID 5be0c94511d30814d163e042
Cuckoo release 2.0-dev