Skip to content

Instantly share code, notes, and snippets.

@ryanbekabe

ryanbekabe/cuckoo-analysis.json

Last active June 28, 2019 03:11
Show Gist options
  • Save ryanbekabe/cc49d150e155326ec5c9063d5e206cb6 to your computer and use it in GitHub Desktop.
Save ryanbekabe/cc49d150e155326ec5c9063d5e206cb6 to your computer and use it in GitHub Desktop.
Download ZIP
Sample Report Cuckoo Sandbox with MongoDB
Raw
cuckoo-analysis.json
{
"_id": "5d02dd4559bfaf1280fee9c9",
"info": {
"added": "2019-06-14T06:30:44.142Z",
"started": "2019-06-14T06:30:45.788Z",
"duration": 157,
"analysis_path": "/home/cuckoo/.cuckoo/storage/analyses/1180",
"ended": "2019-06-14T06:33:23.091Z",
"owner": null,
"score": 11,
"id": 1180,
"category": "file",
"git": {
"head": "c41c7c5cb09416b7cfc6159811792679e20762f2",
"fetch_head": "c41c7c5cb09416b7cfc6159811792679e20762f2"
},
"monitor": "e071e63a66e831163a40abc45109fdf71fee829e",
"package": "exe",
"route": "none",
"custom": null,
"machine": {
"status": "stopped",
"name": "cuckoo",
"label": "cuckoo",
"manager": "VirtualBox",
"started_on": "2019-06-14 06:30:45",
"shutdown_on": "2019-06-14 06:33:23"
},
"platform": "windows",
"version": "2.0.6",
"options": "procmemdump=yes,route=none"
},
"procmemory": [{
"regions": [{
"protect": "rw",
"end": "0x00020000",
"addr": "0x00010000",
"state": 4096,
"offset": 24,
"type": 262144,
"size": 65536
}, {
"protect": "rw",
"end": "0x00030000",
"addr": "0x00020000",
"state": 4096,
"offset": 65584,
"type": 262144,
"size": 65536
}, {
"protect": "rw",
"end": "0x00230000",
"addr": "0x0022c000",
"state": 4096,
"offset": 131144,
"type": 131072,
"size": 16384
}, {
"protect": "r",
"end": "0x00234000",
"addr": "0x00230000",
"state": 4096,
"offset": 147552,
"type": 262144,
"size": 16384
}, {
"protect": "rw",
"end": "0x00241000",
"addr": "0x00240000",
"state": 4096,
"offset": 163960,
"type": 131072,
"size": 4096
}, {
"protect": "rwx",
"end": "0x00251000",
"addr": "0x00250000",
"state": 4096,
"offset": 168080,
"type": 131072,
"size": 4096
}, {
"protect": "rwx",
"end": "0x00261000",
"addr": "0x00260000",
"state": 4096,
"offset": 172200,
"type": 131072,
"size": 4096
}, {
"protect": "rwx",
"end": "0x00271000",
"addr": "0x00270000",
"state": 4096,
"offset": 176320,
"type": 131072,
"size": 4096
}, {
"protect": "r",
"end": "0x002e7000",
"addr": "0x00280000",
"state": 4096,
"offset": 180440,
"type": 262144,
"size": 421888
}, {
"protect": "r",
"end": "0x002f2000",
"addr": "0x002f0000",
"state": 4096,
"offset": 602352,
"type": 262144,
"size": 8192
}, {
"protect": "r",
"end": "0x003b3000",
"addr": "0x003b0000",
"state": 4096,
"offset": 610568,
"type": 262144,
"size": 12288
}, {
"protect": "rw",
"end": "0x003d0000",
"addr": "0x003c0000",
"state": 4096,
"offset": 622880,
"type": 131072,
"size": 65536
}, {
"protect": "rw",
"end": "0x003d1000",
"addr": "0x003d0000",
"state": 4096,
"offset": 688440,
"type": 131072,
"size": 4096
}, {
"protect": "rw",
"end": "0x003e1000",
"addr": "0x003e0000",
"state": 4096,
"offset": 692560,
"type": 131072,
"size": 4096
}, {
"protect": "rx",
"end": "0x003f1000",
"addr": "0x003f0000",
"state": 4096,
"offset": 696680,
"type": 131072,
"size": 4096
}, {
"protect": "r",
"end": "0x00401000",
"addr": "0x00400000",
"state": 4096,
"offset": 700800,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x00406000",
"addr": "0x00401000",
"state": 4096,
"offset": 704920,
"type": 16777216,
"size": 20480
}, {
"protect": "rw",
"end": "0x00407000",
"addr": "0x00406000",
"state": 4096,
"offset": 725424,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x0040b000",
"addr": "0x00407000",
"state": 4096,
"offset": 729544,
"type": 16777216,
"size": 16384
}, {
"protect": "rw",
"end": "0x0040d000",
"addr": "0x0040b000",
"state": 4096,
"offset": 745952,
"type": 16777216,
"size": 8192
}, {
"protect": "rwc",
"end": "0x00418000",
"addr": "0x0040d000",
"state": 4096,
"offset": 754168,
"type": 16777216,
"size": 45056
}, {
"protect": "rw",
"end": "0x00421000",
"addr": "0x00420000",
"state": 4096,
"offset": 799248,
"type": 131072,
"size": 4096
}, {
"protect": "rw",
"end": "0x00431000",
"addr": "0x00430000",
"state": 4096,
"offset": 803368,
"type": 131072,
"size": 4096
}, {
"protect": "rw",
"end": "0x00441000",
"addr": "0x00440000",
"state": 4096,
"offset": 807488,
"type": 131072,
"size": 4096
}, {
"protect": "rw",
"end": "0x00451000",
"addr": "0x00450000",
"state": 4096,
"offset": 811608,
"type": 131072,
"size": 4096
}, {
"protect": "rw",
"end": "0x00462000",
"addr": "0x00460000",
"state": 4096,
"offset": 815728,
"type": 131072,
"size": 8192
}, {
"protect": "rw",
"end": "0x00472000",
"addr": "0x00470000",
"state": 4096,
"offset": 823944,
"type": 131072,
"size": 8192
}, {
"protect": "rw",
"end": "0x00490000",
"addr": "0x00480000",
"state": 4096,
"offset": 832160,
"type": 131072,
"size": 65536
}, {
"protect": "rwx",
"end": "0x00494000",
"addr": "0x00490000",
"state": 4096,
"offset": 897720,
"type": 131072,
"size": 16384
}, {
"protect": "rw",
"end": "0x004a1000",
"addr": "0x004a0000",
"state": 4096,
"offset": 914128,
"type": 131072,
"size": 4096
}, {
"protect": "rw",
"end": "0x004b1000",
"addr": "0x004b0000",
"state": 4096,
"offset": 918248,
"type": 131072,
"size": 4096
}, {
"protect": "rwx",
"end": "0x004c4000",
"addr": "0x004c0000",
"state": 4096,
"offset": 922368,
"type": 131072,
"size": 16384
}, {
"protect": "rw",
"end": "0x004d1000",
"addr": "0x004d0000",
"state": 4096,
"offset": 938776,
"type": 131072,
"size": 4096
}, {
"protect": "rwx",
"end": "0x004e4000",
"addr": "0x004e0000",
"state": 4096,
"offset": 942896,
"type": 131072,
"size": 16384
}, {
"protect": "rw",
"end": "0x00500000",
"addr": "0x004f0000",
"state": 4096,
"offset": 959304,
"type": 131072,
"size": 65536
}, {
"protect": "rw",
"end": "0x0055a000",
"addr": "0x00500000",
"state": 4096,
"offset": 1024864,
"type": 131072,
"size": 368640
}, {
"protect": "r",
"end": "0x00701000",
"addr": "0x00600000",
"state": 4096,
"offset": 1393528,
"type": 262144,
"size": 1052672
}, {
"protect": "r",
"end": "0x00723000",
"addr": "0x00710000",
"state": 4096,
"offset": 2446224,
"type": 262144,
"size": 77824
}, {
"protect": "rw",
"end": "0x01320000",
"addr": "0x01310000",
"state": 4096,
"offset": 2524072,
"type": 131072,
"size": 65536
}, {
"protect": "rw",
"end": "0x01330000",
"addr": "0x01320000",
"state": 4096,
"offset": 2589632,
"type": 131072,
"size": 65536
}, {
"protect": "rw",
"end": "0x01530000",
"addr": "0x0152f000",
"state": 4096,
"offset": 2655192,
"type": 131072,
"size": 4096
}, {
"protect": "r",
"end": "0x01536000",
"addr": "0x01530000",
"state": 4096,
"offset": 2659312,
"type": 262144,
"size": 24576
}, {
"protect": "rw",
"end": "0x01541000",
"addr": "0x01540000",
"state": 4096,
"offset": 2683912,
"type": 262144,
"size": 4096
}, {
"protect": "r",
"end": "0x01945000",
"addr": "0x01550000",
"state": 4096,
"offset": 2688032,
"type": 262144,
"size": 4149248
}, {
"protect": "r",
"end": "0x01c1f000",
"addr": "0x01950000",
"state": 4096,
"offset": 6837304,
"type": 262144,
"size": 2945024
}, {
"protect": "r",
"end": "0x01c31000",
"addr": "0x01c30000",
"state": 4096,
"offset": 9782352,
"type": 262144,
"size": 4096
}, {
"protect": "rw",
"end": "0x01c41000",
"addr": "0x01c40000",
"state": 4096,
"offset": 9786472,
"type": 131072,
"size": 4096
}, {
"protect": "rw",
"end": "0x01c51000",
"addr": "0x01c50000",
"state": 4096,
"offset": 9790592,
"type": 131072,
"size": 4096
}, {
"protect": "rw",
"end": "0x01c61000",
"addr": "0x01c60000",
"state": 4096,
"offset": 9794712,
"type": 131072,
"size": 4096
}, {
"protect": "rw",
"end": "0x01cb3000",
"addr": "0x01cb0000",
"state": 4096,
"offset": 9798832,
"type": 131072,
"size": 12288
}, {
"protect": "rw",
"end": "0x021b0000",
"addr": "0x021af000",
"state": 4096,
"offset": 9811144,
"type": 131072,
"size": 4096
}, {
"protect": "rw",
"end": "0x025b0000",
"addr": "0x025af000",
"state": 4096,
"offset": 9815264,
"type": 131072,
"size": 4096
}, {
"protect": "r",
"end": "0x63dc1000",
"addr": "0x63dc0000",
"state": 4096,
"offset": 9819384,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x63dfa000",
"addr": "0x63dc1000",
"state": 4096,
"offset": 9823504,
"type": 16777216,
"size": 233472
}, {
"protect": "rwc",
"end": "0x63e01000",
"addr": "0x63dfa000",
"state": 4096,
"offset": 10057000,
"type": 16777216,
"size": 28672
}, {
"protect": "rw",
"end": "0x63e08000",
"addr": "0x63e01000",
"state": 4096,
"offset": 10085696,
"type": 16777216,
"size": 28672
}, {
"protect": "rwc",
"end": "0x63e0a000",
"addr": "0x63e08000",
"state": 4096,
"offset": 10114392,
"type": 16777216,
"size": 8192
}, {
"protect": "rw",
"end": "0x63e0b000",
"addr": "0x63e0a000",
"state": 4096,
"offset": 10122608,
"type": 16777216,
"size": 4096
}, {
"protect": "rwc",
"end": "0x63e1f000",
"addr": "0x63e0b000",
"state": 4096,
"offset": 10126728,
"type": 16777216,
"size": 81920
}, {
"protect": "rw",
"end": "0x63e20000",
"addr": "0x63e1f000",
"state": 4096,
"offset": 10208672,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x63e57000",
"addr": "0x63e20000",
"state": 4096,
"offset": 10212792,
"type": 16777216,
"size": 225280
}, {
"protect": "rw",
"end": "0x63e58000",
"addr": "0x63e57000",
"state": 4096,
"offset": 10438096,
"type": 16777216,
"size": 4096
}, {
"protect": "rwc",
"end": "0x63e5b000",
"addr": "0x63e58000",
"state": 4096,
"offset": 10442216,
"type": 16777216,
"size": 12288
}, {
"protect": "rw",
"end": "0x63e6c000",
"addr": "0x63e5b000",
"state": 4096,
"offset": 10454528,
"type": 16777216,
"size": 69632
}, {
"protect": "rwc",
"end": "0x63e7b000",
"addr": "0x63e6c000",
"state": 4096,
"offset": 10524184,
"type": 16777216,
"size": 61440
}, {
"protect": "rw",
"end": "0x63e7d000",
"addr": "0x63e7b000",
"state": 4096,
"offset": 10585648,
"type": 16777216,
"size": 8192
}, {
"protect": "rwc",
"end": "0x63e8b000",
"addr": "0x63e7d000",
"state": 4096,
"offset": 10593864,
"type": 16777216,
"size": 57344
}, {
"protect": "rw",
"end": "0x63ed5000",
"addr": "0x63e8b000",
"state": 4096,
"offset": 10651232,
"type": 16777216,
"size": 303104
}, {
"protect": "rwc",
"end": "0x63fb3000",
"addr": "0x63ed5000",
"state": 4096,
"offset": 10954360,
"type": 16777216,
"size": 909312
}, {
"protect": "rw",
"end": "0x63fb4000",
"addr": "0x63fb3000",
"state": 4096,
"offset": 11863696,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x63fbc000",
"addr": "0x63fb4000",
"state": 4096,
"offset": 11867816,
"type": 16777216,
"size": 32768
}, {
"protect": "rw",
"end": "0x63fbd000",
"addr": "0x63fbc000",
"state": 4096,
"offset": 11900608,
"type": 16777216,
"size": 4096
}, {
"protect": "rwc",
"end": "0x63fbf000",
"addr": "0x63fbd000",
"state": 4096,
"offset": 11904728,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x63fc5000",
"addr": "0x63fbf000",
"state": 4096,
"offset": 11912944,
"type": 16777216,
"size": 24576
}, {
"protect": "r",
"end": "0x70eb1000",
"addr": "0x70eb0000",
"state": 4096,
"offset": 11937544,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x70eb5000",
"addr": "0x70eb1000",
"state": 4096,
"offset": 11941664,
"type": 16777216,
"size": 16384
}, {
"protect": "rw",
"end": "0x70eb6000",
"addr": "0x70eb5000",
"state": 4096,
"offset": 11958072,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x70eb8000",
"addr": "0x70eb6000",
"state": 4096,
"offset": 11962192,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x70ec1000",
"addr": "0x70ec0000",
"state": 4096,
"offset": 11970408,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x70ed1000",
"addr": "0x70ec1000",
"state": 4096,
"offset": 11974528,
"type": 16777216,
"size": 65536
}, {
"protect": "rw",
"end": "0x70ed2000",
"addr": "0x70ed1000",
"state": 4096,
"offset": 12040088,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x70ed4000",
"addr": "0x70ed2000",
"state": 4096,
"offset": 12044208,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x723e1000",
"addr": "0x723e0000",
"state": 4096,
"offset": 12052424,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x723ef000",
"addr": "0x723e1000",
"state": 4096,
"offset": 12056544,
"type": 16777216,
"size": 57344
}, {
"protect": "rw",
"end": "0x723f0000",
"addr": "0x723ef000",
"state": 4096,
"offset": 12113912,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x723f2000",
"addr": "0x723f0000",
"state": 4096,
"offset": 12118032,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x725b1000",
"addr": "0x725b0000",
"state": 4096,
"offset": 12126248,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x725bf000",
"addr": "0x725b1000",
"state": 4096,
"offset": 12130368,
"type": 16777216,
"size": 57344
}, {
"protect": "rw",
"end": "0x725c0000",
"addr": "0x725bf000",
"state": 4096,
"offset": 12187736,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x725c2000",
"addr": "0x725c0000",
"state": 4096,
"offset": 12191856,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x72701000",
"addr": "0x72700000",
"state": 4096,
"offset": 12200072,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x72706000",
"addr": "0x72701000",
"state": 4096,
"offset": 12204192,
"type": 16777216,
"size": 20480
}, {
"protect": "rw",
"end": "0x72707000",
"addr": "0x72706000",
"state": 4096,
"offset": 12224696,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x7270d000",
"addr": "0x72707000",
"state": 4096,
"offset": 12228816,
"type": 16777216,
"size": 24576
}, {
"protect": "r",
"end": "0x72731000",
"addr": "0x72730000",
"state": 4096,
"offset": 12253416,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x72734000",
"addr": "0x72731000",
"state": 4096,
"offset": 12257536,
"type": 16777216,
"size": 12288
}, {
"protect": "rw",
"end": "0x72735000",
"addr": "0x72734000",
"state": 4096,
"offset": 12269848,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x72737000",
"addr": "0x72735000",
"state": 4096,
"offset": 12273968,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x72741000",
"addr": "0x72740000",
"state": 4096,
"offset": 12282184,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x72759000",
"addr": "0x72741000",
"state": 4096,
"offset": 12286304,
"type": 16777216,
"size": 98304
}, {
"protect": "rw",
"end": "0x7275a000",
"addr": "0x72759000",
"state": 4096,
"offset": 12384632,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x7275c000",
"addr": "0x7275a000",
"state": 4096,
"offset": 12388752,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x73cb1000",
"addr": "0x73cb0000",
"state": 4096,
"offset": 12396968,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x73cc2000",
"addr": "0x73cb1000",
"state": 4096,
"offset": 12401088,
"type": 16777216,
"size": 69632
}, {
"protect": "rw",
"end": "0x73cc3000",
"addr": "0x73cc2000",
"state": 4096,
"offset": 12470744,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x73cc6000",
"addr": "0x73cc3000",
"state": 4096,
"offset": 12474864,
"type": 16777216,
"size": 12288
}, {
"protect": "r",
"end": "0x74eb1000",
"addr": "0x74eb0000",
"state": 4096,
"offset": 12487176,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x74ee5000",
"addr": "0x74eb1000",
"state": 4096,
"offset": 12491296,
"type": 16777216,
"size": 212992
}, {
"protect": "rw",
"end": "0x74ee6000",
"addr": "0x74ee5000",
"state": 4096,
"offset": 12704312,
"type": 16777216,
"size": 4096
}, {
"protect": "rwc",
"end": "0x74ee7000",
"addr": "0x74ee6000",
"state": 4096,
"offset": 12708432,
"type": 16777216,
"size": 4096
}, {
"protect": "rw",
"end": "0x74ee8000",
"addr": "0x74ee7000",
"state": 4096,
"offset": 12712552,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x74eeb000",
"addr": "0x74ee8000",
"state": 4096,
"offset": 12716672,
"type": 16777216,
"size": 12288
}, {
"protect": "r",
"end": "0x75111000",
"addr": "0x75110000",
"state": 4096,
"offset": 12728984,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x75123000",
"addr": "0x75111000",
"state": 4096,
"offset": 12733104,
"type": 16777216,
"size": 73728
}, {
"protect": "rw",
"end": "0x75124000",
"addr": "0x75123000",
"state": 4096,
"offset": 12806856,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x75126000",
"addr": "0x75124000",
"state": 4096,
"offset": 12810976,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x754e1000",
"addr": "0x754e0000",
"state": 4096,
"offset": 12819192,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x754f7000",
"addr": "0x754e1000",
"state": 4096,
"offset": 12823312,
"type": 16777216,
"size": 90112
}, {
"protect": "rw",
"end": "0x754f8000",
"addr": "0x754f7000",
"state": 4096,
"offset": 12913448,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x754fa000",
"addr": "0x754f8000",
"state": 4096,
"offset": 12917568,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x75561000",
"addr": "0x75560000",
"state": 4096,
"offset": 12925784,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x75569000",
"addr": "0x75561000",
"state": 4096,
"offset": 12929904,
"type": 16777216,
"size": 32768
}, {
"protect": "rw",
"end": "0x7556a000",
"addr": "0x75569000",
"state": 4096,
"offset": 12962696,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x7556c000",
"addr": "0x7556a000",
"state": 4096,
"offset": 12966816,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x75601000",
"addr": "0x75600000",
"state": 4096,
"offset": 12975032,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x7560b000",
"addr": "0x75601000",
"state": 4096,
"offset": 12979152,
"type": 16777216,
"size": 40960
}, {
"protect": "rw",
"end": "0x7560c000",
"addr": "0x7560b000",
"state": 4096,
"offset": 13020136,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x7560e000",
"addr": "0x7560c000",
"state": 4096,
"offset": 13024256,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x75891000",
"addr": "0x75890000",
"state": 4096,
"offset": 13032472,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x758d4000",
"addr": "0x75891000",
"state": 4096,
"offset": 13036592,
"type": 16777216,
"size": 274432
}, {
"protect": "rw",
"end": "0x758d6000",
"addr": "0x758d4000",
"state": 4096,
"offset": 13311048,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x758da000",
"addr": "0x758d6000",
"state": 4096,
"offset": 13319264,
"type": 16777216,
"size": 16384
}, {
"protect": "r",
"end": "0x75911000",
"addr": "0x75910000",
"state": 4096,
"offset": 13335672,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x75983000",
"addr": "0x75911000",
"state": 4096,
"offset": 13339792,
"type": 16777216,
"size": 466944
}, {
"protect": "rw",
"end": "0x75984000",
"addr": "0x75983000",
"state": 4096,
"offset": 13806760,
"type": 16777216,
"size": 4096
}, {
"protect": "rwc",
"end": "0x75987000",
"addr": "0x75984000",
"state": 4096,
"offset": 13810880,
"type": 16777216,
"size": 12288
}, {
"protect": "r",
"end": "0x759b0000",
"addr": "0x75987000",
"state": 4096,
"offset": 13823192,
"type": 16777216,
"size": 167936
}, {
"protect": "r",
"end": "0x759b1000",
"addr": "0x759b0000",
"state": 4096,
"offset": 13991152,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x75af6000",
"addr": "0x759b1000",
"state": 4096,
"offset": 13995272,
"type": 16777216,
"size": 1331200
}, {
"protect": "rw",
"end": "0x75afa000",
"addr": "0x75af6000",
"state": 4096,
"offset": 15326496,
"type": 16777216,
"size": 16384
}, {
"protect": "r",
"end": "0x75b0c000",
"addr": "0x75afa000",
"state": 4096,
"offset": 15342904,
"type": 16777216,
"size": 73728
}, {
"protect": "r",
"end": "0x75b11000",
"addr": "0x75b10000",
"state": 4096,
"offset": 15416656,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x75bd6000",
"addr": "0x75b11000",
"state": 4096,
"offset": 15420776,
"type": 16777216,
"size": 806912
}, {
"protect": "rw",
"end": "0x75bd7000",
"addr": "0x75bd6000",
"state": 4096,
"offset": 16227712,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x75be4000",
"addr": "0x75bd7000",
"state": 4096,
"offset": 16231832,
"type": 16777216,
"size": 53248
}, {
"protect": "r",
"end": "0x75bf1000",
"addr": "0x75bf0000",
"state": 4096,
"offset": 16285104,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x75c87000",
"addr": "0x75bf1000",
"state": 4096,
"offset": 16289224,
"type": 16777216,
"size": 614400
}, {
"protect": "rw",
"end": "0x75c88000",
"addr": "0x75c87000",
"state": 4096,
"offset": 16903648,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x75c91000",
"addr": "0x75c88000",
"state": 4096,
"offset": 16907768,
"type": 16777216,
"size": 36864
}, {
"protect": "r",
"end": "0x75ca1000",
"addr": "0x75ca0000",
"state": 4096,
"offset": 16944656,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x75ca7000",
"addr": "0x75ca1000",
"state": 4096,
"offset": 16948776,
"type": 16777216,
"size": 24576
}, {
"protect": "rw",
"end": "0x75ca8000",
"addr": "0x75ca7000",
"state": 4096,
"offset": 16973376,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x75caa000",
"addr": "0x75ca8000",
"state": 4096,
"offset": 16977496,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x75cb1000",
"addr": "0x75cb0000",
"state": 4096,
"offset": 16985712,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x75cc4000",
"addr": "0x75cb1000",
"state": 4096,
"offset": 16989832,
"type": 16777216,
"size": 77824
}, {
"protect": "rw",
"end": "0x75cc5000",
"addr": "0x75cc4000",
"state": 4096,
"offset": 17067680,
"type": 16777216,
"size": 4096
}, {
"protect": "rwc",
"end": "0x75cc7000",
"addr": "0x75cc5000",
"state": 4096,
"offset": 17071800,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x75cc9000",
"addr": "0x75cc7000",
"state": 4096,
"offset": 17080016,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x75ce1000",
"addr": "0x75ce0000",
"state": 4096,
"offset": 17088232,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x75d49000",
"addr": "0x75ce1000",
"state": 4096,
"offset": 17092352,
"type": 16777216,
"size": 425984
}, {
"protect": "rw",
"end": "0x75d4a000",
"addr": "0x75d49000",
"state": 4096,
"offset": 17518360,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x75da9000",
"addr": "0x75d4a000",
"state": 4096,
"offset": 17522480,
"type": 16777216,
"size": 389120
}, {
"protect": "r",
"end": "0x75f51000",
"addr": "0x75f50000",
"state": 4096,
"offset": 17911624,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x75fab000",
"addr": "0x75f51000",
"state": 4096,
"offset": 17915744,
"type": 16777216,
"size": 368640
}, {
"protect": "rw",
"end": "0x75fad000",
"addr": "0x75fab000",
"state": 4096,
"offset": 18284408,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x75fed000",
"addr": "0x75fad000",
"state": 4096,
"offset": 18292624,
"type": 16777216,
"size": 262144
}, {
"protect": "r",
"end": "0x75ff1000",
"addr": "0x75ff0000",
"state": 4096,
"offset": 18554792,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x76068000",
"addr": "0x75ff1000",
"state": 4096,
"offset": 18558912,
"type": 16777216,
"size": 487424
}, {
"protect": "rw",
"end": "0x7606a000",
"addr": "0x76068000",
"state": 4096,
"offset": 19046360,
"type": 16777216,
"size": 8192
}, {
"protect": "rwc",
"end": "0x7606c000",
"addr": "0x7606a000",
"state": 4096,
"offset": 19054576,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x76073000",
"addr": "0x7606c000",
"state": 4096,
"offset": 19062792,
"type": 16777216,
"size": 28672
}, {
"protect": "r",
"end": "0x760b1000",
"addr": "0x760b0000",
"state": 4096,
"offset": 19091488,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x76479000",
"addr": "0x760b1000",
"state": 4096,
"offset": 19095608,
"type": 16777216,
"size": 3964928
}, {
"protect": "rw",
"end": "0x7647d000",
"addr": "0x76479000",
"state": 4096,
"offset": 23060560,
"type": 16777216,
"size": 16384
}, {
"protect": "rwc",
"end": "0x76480000",
"addr": "0x7647d000",
"state": 4096,
"offset": 23076968,
"type": 16777216,
"size": 12288
}, {
"protect": "r",
"end": "0x76cf9000",
"addr": "0x76480000",
"state": 4096,
"offset": 23089280,
"type": 16777216,
"size": 8884224
}, {
"protect": "r",
"end": "0x76f01000",
"addr": "0x76f00000",
"state": 4096,
"offset": 31973528,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x76f84000",
"addr": "0x76f01000",
"state": 4096,
"offset": 31977648,
"type": 16777216,
"size": 536576
}, {
"protect": "rw",
"end": "0x76f85000",
"addr": "0x76f84000",
"state": 4096,
"offset": 32514248,
"type": 16777216,
"size": 4096
}, {
"protect": "rwc",
"end": "0x76f86000",
"addr": "0x76f85000",
"state": 4096,
"offset": 32518368,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x76fcc000",
"addr": "0x76f86000",
"state": 4096,
"offset": 32522488,
"type": 16777216,
"size": 286720
}, {
"protect": "r",
"end": "0x76fd1000",
"addr": "0x76fd0000",
"state": 4096,
"offset": 32809232,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x76fd3000",
"addr": "0x76fd1000",
"state": 4096,
"offset": 32813352,
"type": 16777216,
"size": 8192
}, {
"protect": "rw",
"end": "0x76fd4000",
"addr": "0x76fd3000",
"state": 4096,
"offset": 32821568,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x76fd6000",
"addr": "0x76fd4000",
"state": 4096,
"offset": 32825688,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x772a1000",
"addr": "0x772a0000",
"state": 4096,
"offset": 32833904,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x77326000",
"addr": "0x772a1000",
"state": 4096,
"offset": 32838024,
"type": 16777216,
"size": 544768
}, {
"protect": "rw",
"end": "0x77328000",
"addr": "0x77326000",
"state": 4096,
"offset": 33382816,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x7732f000",
"addr": "0x77328000",
"state": 4096,
"offset": 33391032,
"type": 16777216,
"size": 28672
}, {
"protect": "r",
"end": "0x77341000",
"addr": "0x77340000",
"state": 4096,
"offset": 33419728,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x77358000",
"addr": "0x77341000",
"state": 4096,
"offset": 33423848,
"type": 16777216,
"size": 94208
}, {
"protect": "rw",
"end": "0x77359000",
"addr": "0x77358000",
"state": 4096,
"offset": 33518080,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x7735f000",
"addr": "0x77359000",
"state": 4096,
"offset": 33522200,
"type": 16777216,
"size": 24576
}, {
"protect": "r",
"end": "0x77361000",
"addr": "0x77360000",
"state": 4096,
"offset": 33546800,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x773a9000",
"addr": "0x77361000",
"state": 4096,
"offset": 33550920,
"type": 16777216,
"size": 294912
}, {
"protect": "rw",
"end": "0x773aa000",
"addr": "0x773a9000",
"state": 4096,
"offset": 33845856,
"type": 16777216,
"size": 4096
}, {
"protect": "rwc",
"end": "0x773ab000",
"addr": "0x773aa000",
"state": 4096,
"offset": 33849976,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x773ae000",
"addr": "0x773ab000",
"state": 4096,
"offset": 33854096,
"type": 16777216,
"size": 12288
}, {
"protect": "r",
"end": "0x773b1000",
"addr": "0x773b0000",
"state": 4096,
"offset": 33866408,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x77450000",
"addr": "0x773b1000",
"state": 4096,
"offset": 33870528,
"type": 16777216,
"size": 651264
}, {
"protect": "rw",
"end": "0x77451000",
"addr": "0x77450000",
"state": 4096,
"offset": 34521816,
"type": 16777216,
"size": 4096
}, {
"protect": "rwc",
"end": "0x77452000",
"addr": "0x77451000",
"state": 4096,
"offset": 34525936,
"type": 16777216,
"size": 4096
}, {
"protect": "rw",
"end": "0x77454000",
"addr": "0x77452000",
"state": 4096,
"offset": 34530056,
"type": 16777216,
"size": 8192
}, {
"protect": "rwc",
"end": "0x77457000",
"addr": "0x77454000",
"state": 4096,
"offset": 34538272,
"type": 16777216,
"size": 12288
}, {
"protect": "r",
"end": "0x7745c000",
"addr": "0x77457000",
"state": 4096,
"offset": 34550584,
"type": 16777216,
"size": 20480
}, {
"protect": "r",
"end": "0x774c1000",
"addr": "0x774c0000",
"state": 4096,
"offset": 34571088,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x77597000",
"addr": "0x774c1000",
"state": 4096,
"offset": 34575208,
"type": 16777216,
"size": 876544
}, {
"protect": "rw",
"end": "0x77598000",
"addr": "0x77597000",
"state": 4096,
"offset": 35451776,
"type": 16777216,
"size": 4096
}, {
"protect": "rwc",
"end": "0x77599000",
"addr": "0x77598000",
"state": 4096,
"offset": 35455896,
"type": 16777216,
"size": 4096
}, {
"protect": "rw",
"end": "0x7759b000",
"addr": "0x77599000",
"state": 4096,
"offset": 35460016,
"type": 16777216,
"size": 8192
}, {
"protect": "rwc",
"end": "0x7759c000",
"addr": "0x7759b000",
"state": 4096,
"offset": 35468232,
"type": 16777216,
"size": 4096
}, {
"protect": "rw",
"end": "0x7759e000",
"addr": "0x7759c000",
"state": 4096,
"offset": 35472352,
"type": 16777216,
"size": 8192
}, {
"protect": "rwc",
"end": "0x775a0000",
"addr": "0x7759e000",
"state": 4096,
"offset": 35480568,
"type": 16777216,
"size": 8192
}, {
"protect": "r",
"end": "0x775fc000",
"addr": "0x775a0000",
"state": 4096,
"offset": 35488784,
"type": 16777216,
"size": 376832
}, {
"protect": "r",
"end": "0x77651000",
"addr": "0x77650000",
"state": 4096,
"offset": 35865640,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x77677000",
"addr": "0x77651000",
"state": 4096,
"offset": 35869760,
"type": 16777216,
"size": 155648
}, {
"protect": "rw",
"end": "0x77678000",
"addr": "0x77677000",
"state": 4096,
"offset": 36025432,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x77685000",
"addr": "0x77678000",
"state": 4096,
"offset": 36029552,
"type": 16777216,
"size": 53248
}, {
"protect": "r",
"end": "0x77691000",
"addr": "0x77690000",
"state": 4096,
"offset": 36082824,
"type": 16777216,
"size": 4096
}, {
"protect": "rx",
"end": "0x776e2000",
"addr": "0x77691000",
"state": 4096,
"offset": 36086944,
"type": 16777216,
"size": 331776
}, {
"protect": "rw",
"end": "0x776e3000",
"addr": "0x776e2000",
"state": 4096,
"offset": 36418744,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x776e7000",
"addr": "0x776e3000",
"state": 4096,
"offset": 36422864,
"type": 16777216,
"size": 16384
}, {
"protect": "r",
"end": "0x77701000",
"addr": "0x77700000",
"state": 4096,
"offset": 36439272,
"type": 16777216,
"size": 4096
}, {
"protect": "r",
"end": "0x7f6f5000",
"addr": "0x7f6f0000",
"state": 4096,
"offset": 36443392,
"type": 262144,
"size": 20480
}, {
"protect": "r",
"end": "0x7ffd3000",
"addr": "0x7ffb0000",
"state": 4096,
"offset": 36463896,
"type": 262144,
"size": 143360
}, {
"protect": "rw",
"end": "0x7ffda000",
"addr": "0x7ffd9000",
"state": 4096,
"offset": 36607280,
"type": 131072,
"size": 4096
}, {
"protect": "rw",
"end": "0x7ffdb000",
"addr": "0x7ffda000",
"state": 4096,
"offset": 36611400,
"type": 131072,
"size": 4096
}, {
"protect": "rw",
"end": "0x7ffdd000",
"addr": "0x7ffdc000",
"state": 4096,
"offset": 36615520,
"type": 131072,
"size": 4096
}, {
"protect": "rw",
"end": "0x7ffdf000",
"addr": "0x7ffde000",
"state": 4096,
"offset": 36619640,
"type": 131072,
"size": 4096
}, {
"protect": "rw",
"end": "0x7ffe0000",
"addr": "0x7ffdf000",
"state": 4096,
"offset": 36623760,
"type": 131072,
"size": 4096
}, {
"protect": "r",
"end": "0x7ffe1000",
"addr": "0x7ffe0000",
"state": 4096,
"offset": 36627880,
"type": 131072,
"size": 4096
}],
"yara": [],
"num": 1,
"file": "/home/cuckoo/.cuckoo/storage/analyses/1180/memory/1008-1.dmp",
"urls": ["http://www.expedia.com/favicon.ico", "http://uk.ask.com/favicon.ico", "http://www.priceminister.com/", "http://www.iask.com/favicon.ico", "http://www.merlin.com.pl/favicon.ico", "http://www.cnet.com/favicon.ico", "http://search.nifty.com/", "http://ns.adobe.com/exif/1.0/", "http://www.etmall.com.tw/", "http://search.goo.ne.jp/", "http://fr.wikipedia.org/favicon.ico", "http://busca.estadao.com.br/favicon.ico", "http://search.hanafos.com/favicon.ico", "http://search.chol.com/favicon.ico", "http://amazon.fr/", "http://www.amazon.co.jp/", "http://www.mtv.com/favicon.ico", "http://busqueda.aol.com.mx/", "http://search.live.com/results.aspx?FORM=SOLTDF", "http://msdn.microsoft.com/", "http://msdn.microsoft.com/workshop/security/privacy/overview/privacyimportxml.asp)", "http://www.sify.com/favicon.ico", "http://yellowpages.superpages.com/", "http://suche.freenet.de/", "http://search.aol.com/", "http://browse.guardian.co.uk/", "http://www.mercadolibre.com.mx/", "http://www.asharqalawsat.com/", "http://www.facebook.com/", "http://si.wikipedia.org/favicon.ico", "http://www.rtl.de/favicon.ico", "http://search.msn.com/results.aspx?q=", "http://www.microsoft.com.", "http://search.naver.com/favicon.ico", "http://en.wikipedia.org/favicon.ico", "http://si.wikipedia.org/w/api.php?action=opensearch", "http://udn.com/favicon.ico", "http://rover.ebay.com", "http://search.ebay.fr/", "http://www.univision.com/", "http://pt.wikipedia.org/w/api.php?action=opensearch", "http://it.wikipedia.org/favicon.ico", "http://uk.ask.com/", "http://www.google.co.uk/", "http://cnweb.search.live.com/results.aspx?q=", "http://www.google.cz/", "http://www.google.co.jp/", "http://search.ebay.co.uk/", "http://www.weather.com/", "http://www.taobao.com/favicon.ico", "http://www.news.com.au/favicon.ico", "http://search.orange.co.uk/favicon.ico", "http://video.globo.com/", "http://search.ebay.de/", "http://www.taobao.com/", "http://corp.naukri.com/favicon.ico", "http://www.servicios.clarin.com/", "http://localhost", "http://www.rambler.ru/favicon.ico", "http://www.linternaute.com/favicon.ico", "http://ns.adobe.com/photoshop/1.0/", "http://www.shopzilla.com/", "http://www.amazon.com/gp/search?ie=UTF8", "http://search.live.com/results.aspx?FORM=SO2TDF", "http://busca.orange.es/", "http://www.excite.co.jp/", "http://cs.wikipedia.org/", "http://www.gismeteo.ru/favicon.ico", "http://www.cjmall.com/favicon.ico", "http://suche.t-online.de/", "http://www.ya.com/favicon.ico", "http://www.priceminister.com/favicon.ico", "http://www.mercadolibre.com.mx/favicon.ico", "http://ns.adobe.com/tiff/1.0/", "http://www.otto.de/favicon.ico", "http://www.iask.com/", "http://www.arrakis.com/", "http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity", "http://search.hanafos.com/", "http://search.gamer.com.tw/", "http://www.tiscali.it/favicon.ico", "http://ns.adobe.com/xap/1.0/", "http://www.soso.com/favicon.ico", "http://recherche.tf1.fr/", "http://si.wikipedia.org/", "http://search.livedoor.com/", "http://search.centrum.cz/", "http://www.auction.co.kr/auction.ico", "http://www.t-online.de/favicon.ico", "http://ja.wikipedia.org/favicon.ico", "http://www.abril.com.br/favicon.ico", "http://clients5.google.com/complete/search?hl=", "http://www.ozon.ru/", "http://search.alice.it/", "http://www.microsoft.com/windowsxp/expertzone/", "http://search.yahoo.co.jp/favicon.ico", "http://cnet.search.com/", "http://www.walmart.com/", "http://espn.go.com/favicon.ico", "http://msdn.microsoft.com/workshop/security/szone/overview/templates.asp)", "http://search.interpark.com/", "http://www.gmarket.co.kr/favicon.ico", "http://www.neckermann.de/favicon.ico", "http://sitesearch.timesonline.co.uk/", "http://cn.bing.com/search?q=", "http://video.globo.com/favicon.ico", "http://es.wikipedia.org/", "http://img.atlas.cz/favicon.ico", "http://searchresults.news.com.au/", "http://search.rediff.com/", "http://search.lycos.co.uk/", "http://en.wikipedia.org/", "http://www.google.com.tw/", "http://www.tchibo.de/", "http://www.google.com/", "http://buscador.terra.es/", "http://search.msn.co.jp/results.aspx?q=", "http://www.mercadolivre.com.br/favicon.ico", "http://ja.wikipedia.org/", "http://search.chol.com/", "http://search.espn.go.com/", "http://www.google.com.sa/", "http://jobsearch.monster.com/", "http://buscador.terra.com/", "http://www.google.co.in/", "http://www.google.fr/", "http://www.cdiscount.com/favicon.ico", "http://asp.usatoday.com/", "http://vachercher.lycos.fr/", "http://www.yam.com/favicon.ico", "http://search.sify.com/", "http://search.ebay.com/favicon.ico", "http://www.paginasamarillas.es/", "http://nl.wikipedia.org/", "http://search.alice.it/favicon.ico", "http://www.ask.com/", "http://www.so-net.ne.jp/share/favicon.ico", "http://espanol.search.yahoo.com/", "http://www.alarabiya.net/favicon.ico", "http://ocnsearch.goo.ne.jp/", "http://list.taobao.com/", "http://buscador.terra.com.br/", "http://search.msn.co.uk/results.aspx?q=", "http://www.google.de/", "http://busca.igbusca.com.br//app/static/images/favicon.ico", "http://www.rambler.ru/", "http://purl.org/dc/elements/1.1/", "http://www.cdiscount.com/", "http://www.mercadolivre.com.br/", "http://www.facebook.com/favicon.ico", "http://search.ebay.es/", "http://sads.myspace.com/", "http://suche.web.de/", "http://recherche.tf1.fr/favicon.ico", "http://cs.wikipedia.org/w/api.php?action=opensearch", "http://search.dreamwiz.com/", "http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService", "http://www.yandex.ru/", "http://www.baidu.com/favicon.ico", "http://ariadna.elmundo.es/", "http://www.rtl.de/", "http://es.search.yahoo.com/", "http://p.zhongsou.com/", "http://es.wikipedia.org/favicon.ico", "http://www.timesonline.co.uk/img/favicon.ico", "http://buscar.ozu.es/", "http://so-net.search.goo.ne.jp/", "http://cgi.search.biglobe.ne.jp/favicon.ico", "http://list.taobao.com/browse/search_visual.htm?n=15", "http://www.soso.com/", "http://www.afisha.ru/App_Themes/Default/images/favicon.ico", "http://img.shopzilla.com/shopzilla/shopzilla.ico", "http://wellformedweb.org/CommentAPI/", "http://search.orange.co.uk/", "http://ariadna.elmundo.es/favicon.ico", "http://it.wikipedia.org/", "http://www3.fnac.com/favicon.ico", "http://en.wikipedia.org/w/api.php?action=opensearch", "http://support.microsoft.com", "http://in.search.yahoo.com/", "http://www.etmall.com.tw/favicon.ico", "http://www.ceneo.pl/favicon.ico", "http://service2.bfast.com/", "http://tw.search.yahoo.com/", "http://es.ask.com/", "http://www.ozu.es/favicon.ico", "http://ru.wikipedia.org/", "http://google.pchome.com.tw/", "http://p.zhongsou.com/favicon.ico", "http://search.ebay.com/", "http://search1.taobao.com/", "http://br.search.yahoo.com/", "http://suche.lycos.de/", "http://www.asharqalawsat.com/favicon.ico", "http://mail.live.com/", "http://ru.search.yahoo.com", "http://de.wikipedia.org/", "http://find.joins.com/", "http://ns.adobe.com/xap/1.0/mm/", "http://www.google.ru/", "http://busca.uol.com.br/favicon.ico", "http://search.seznam.cz/", "http://de.wikipedia.org/w/api.php?action=opensearch", "http://www.expedia.com/", "http://www.clarin.com/favicon.ico", "http://busca.uol.com.br/", "http://mail.live.com/?rru=compose%3Fsubject%3D", "http://buscador.terra.com/favicon.ico", "http://search.nate.com/", "http://purl.org/rss/1.0/modules/slash/", "http://ie8.ebay.com/open-search/output-xml.php?q=", "http://www.kkbox.com.tw/favicon.ico", "http://www.ocn.ne.jp/favicon.ico", "http://corp.naukri.com/", "http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended", "http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity", "http://www.recherche.aol.fr/", "http://pl.wikipedia.org/w/api.php?action=opensearch", "http://www.weather.com/favicon.ico", "http://search.centrum.cz/favicon.ico", "http://search.yam.com/", "http://search.live.com/results.aspx?q=", "http://search.empas.com/favicon.ico", "http://images.joins.com/ui_c/fvc_joins.ico", "http://cgi.search.biglobe.ne.jp/", "http://msk.afisha.ru/", "http://es.wikipedia.org/w/api.php?action=opensearch", "http://www.google.pl/", "http://www.arrakis.com/favicon.ico", "http://search.microsoft.com/", "http://search.goo.ne.jp/favicon.ico", "http://image.excite.co.jp/jp/favicon/lep.ico", "http://www.merlin.com.pl/", "http://www.amazon.de/", "http://www.sogou.com/", "http://cerca.lycos.it/", "http://www.orange.fr/", "http://spaces.live.com/BlogIt.aspx", "http://www.microsofttranslator.com/?ref=IE8Activity", "http://www.rakuten.co.jp/favicon.ico", "http://www.nate.com/favicon.ico", "http://de.wikipedia.org/favicon.ico", "http://ru.wikipedia.org/w/api.php?action=opensearch", "http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity", "http://search.daum.net/favicon.ico", "http://nl.wikipedia.org/favicon.ico", "http://it.search.yahoo.com/", "http://www.google.it/", "http://suche.web.de/favicon.ico", "http://www.paginasamarillas.es/favicon.ico", "http://search.seznam.cz/favicon.ico", "http://search.livedoor.com/favicon.ico", "http://search.lycos.com/", "http://fr.wikipedia.org/w/api.php?action=opensearch", "http://search.dreamwiz.com/favicon.ico", "http://www.kkbox.com.tw/", "http://suche.aol.de/", "http://it.search.dada.net/", "http://search.empas.com/", "http://yellowpages.superpages.com/favicon.ico", "http://arianna.libero.it/", "http://www.dailymail.co.uk/", "http://ru.wikipedia.org/favicon.ico", "http://search.auction.co.kr/", "http://search.lycos.com/favicon.ico", "http://www3.fnac.com/", "http://search.yahoo.co.jp", "http://asp.usatoday.com/favicon.ico", "http://search.msn.com.cn/results.aspx?q=", "http://cn.bing.com/favicon.ico", "http://search2.estadao.com.br/", "http://search.cn.yahoo.com/", "http://ie.search.yahoo.com/os?command=", "http://www.tesco.com/", "http://search-dyn.tiscali.it/", "http://search.ipop.co.kr/favicon.ico", "http://arianna.libero.it/favicon.ico", "http://www.myspace.com/favicon.ico", "http://search.gismeteo.ru/", "http://www.dailymail.co.uk/favicon.ico", "http://www.microsoft.com/schemas/rss/core/2005/internal", "http://home.altervista.org/", "http://it.search.dada.net/favicon.ico", "http://www.gmarket.co.kr/", "http://price.ru/favicon.ico", "http://www.google.com.br/", "http://buscar.ya.com/", "http://images.monster.com/favicon.ico", "http://search.ebay.it/", "http://www.alarabiya.net/", "http://www.najdi.si/", "http://www.maktoob.com/favicon.ico", "http://purl.org/rss/1.0/modules/content/", "http://ns.adobe.com/pdf/1.3/", "http://price.ru/", "http://www.najdi.si/favicon.ico", "http://kr.search.yahoo.com/", "http://www.aol.com/favicon.ico", "http://www.ozon.ru/favicon.ico", "http://pl.wikipedia.org/", "http://www.target.com/favicon.ico", "http://fr.search.yahoo.com/", "http://search.daum.net/", "http://de.search.yahoo.com/", "http://suche.freenet.de/favicon.ico", "http://busca.buscape.com.br/favicon.ico", "http://www.microsoft.com/favicon.ico", "http://auone.jp/favicon.ico", "http://buscador.lycos.es/", "http://search.yahoo.com/", "http://www.sogou.com/favicon.ico", "http://search.rediff.com/favicon.ico", "http://search.auone.jp/", "http://web.ask.com/", "http://search.books.com.tw/", "http://search.ebay.in/", "http://search.about.com/", "http://www.neckermann.de/", "http://browse.guardian.co.uk/favicon.ico", "http://www.tesco.com/favicon.ico", "http://ns.adobe.com/iX/1.0/", "https://www.example.com.", "http://www.target.com/", "http://www.amazon.com/favicon.ico", "http://recherche.linternaute.com/", "http://pt.wikipedia.org/favicon.ico", "http://openimage.interpark.com/interpark.ico", "http://www.google.si/", "http://www.yandex.ru/favicon.ico", "http://www.google.com/favicon.ico", "http://www.walmart.com/favicon.ico", "http://udn.com/", "http://esearch.rakuten.co.jp/", "http://www.google.es/", "http://www.cnet.co.uk/", "http://www.mtv.com/", "http://search.live.com/results.aspx?FORM=IEFM1", "http://www.abril.com.br/", "http://www.baidu.com/", "http://www.amazon.co.uk/", "http://it.wikipedia.org/w/api.php?action=opensearch", "http://www.tchibo.de/favicon.ico", "http://www.pchome.com.tw/favicon.ico", "http://pt.wikipedia.org/", "http://fr.wikipedia.org/", "http://ja.wikipedia.org/w/api.php?action=opensearch", "http://www.chennaionline.com/ncommon/images/collogo.ico", "http://www.cjmall.com/", "http://uk.search.yahoo.com/", "http://search.yahoo.com/favicon.ico", "http://busca.igbusca.com.br/", "https://localhost", "http://www.nifty.com/favicon.ico", "http://search.naver.com/", "http://home.altervista.org/favicon.ico", "http://search.gamer.com.tw/favicon.ico", "http://busca.buscape.com.br/", "http://search.atlas.cz/", "http://www.ceneo.pl/", "http://search.aol.co.uk/", "http://pl.wikipedia.org/favicon.ico", "http://search.ipop.co.kr/", "http://search.books.com.tw/favicon.ico", "http://search.aol.in/", "https://example.com", "http://cs.wikipedia.org/favicon.ico", "http://spaces.live.com/", "http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity", "http://z.about.com/m/a08.ico", "http://www.univision.com/favicon.ico", "http://nl.wikipedia.org/w/api.php?action=opensearch"],
"extracted": [{
"yara": [{
"meta": {
"description": "Possibly employs anti-virtualization techniques",
"author": "nex"
},
"name": "vmdetect",
"offsets": {
"virtualbox6": [
["40298", 10],
["40556", 10]
],
"virtualbox5": [
["40174", 9],
["40512", 9]
],
"virtualbox4": [
["40214", 8],
["40468", 8]
],
"virtualbox3": [
["37536", 12],
["37565", 12],
["37705", 20],
["41100", 20],
["41291", 12],
["41312", 12],
["41358", 12],
["41379", 12],
["41488", 20],
["41528", 20]
],
"virtualbox2": [
["37688", 19],
["40254", 11],
["41064", 19],
["41421", 19],
["41464", 19]
],
"virtualbox1": [
["40708", 18]
],
"xen6": [
["42676", 13],
["42682", 13]
],
"virtualbox_mac_1b": [
["37426", 4],
["37476", 4]
],
"vmware_mac_4b": [
["38450", 2],
["38532", 2]
],
"vmware_mac_3b": [
["38440", 1],
["38522", 1]
],
"vmware24": [
["37803", 5],
["37823", 16],
["37832", 7],
["38028", 5],
["38070", 5],
["38083", 5],
["38119", 5],
["38132", 5],
["38148", 5],
["38268", 5],
["38384", 5],
["38556", 5],
["38636", 5],
["38688", 5],
["41884", 6],
["42153", 5],
["42166", 5],
["42275", 5],
["42300", 7],
["42663", 5],
["42669", 5]
],
"vmware_mac_1b": [
["38430", 0],
["38512", 0]
],
"vmware20": [
["38201", 17],
["38256", 17],
["42208", 17]
],
"vmware5": [
["38322", 15],
["38373", 15],
["42249", 15]
],
"vmware4": [
["38323", 14],
["38374", 14],
["42250", 14]
],
"vmware_mac_2b": [
["38462", 3],
["38544", 3]
]
},
"strings": ["MDA6MDU6Njk=", "MDA6MEM6Mjk=", "MDA6MUM6MTQ=", "MDA6NTA6NTY=", "MDg6MDA6Mjc=", "Vk13YXJl", "Vk1XQVJF", "Vk1XYXJl", "VkJveE1vdXNl", "VkJveEd1ZXN0", "VkJveFNG", "VkJveFNlcnZpY2U=", "VkJveFRyYXk=", "WGVuVk1N", "aGdmcy5zeXM=", "bWhnZnMuc3lz", "dm13YXJl", "dm1tb3VzZQ==", "dmJveGhvb2suZGxs", "dmJveHNlcnZpY2U=", "dmJveHRyYXk="]
}],
"sha1": "3f1d3e276e2aa0a6f930803140ae919e5ecdbf5c",
"name": "1008-3f1d3e276e2aa0a6.exe_",
"type": "PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows",
"extracted_id": "5d02dd4559bfaf1280fee9c0",
"sha256": "3901b91bda860b624467cb5678e8d47f70476c7a9752a9364a3044a03c7c547a",
"urls": [],
"crc32": "0C1405F3",
"path": "/home/cuckoo/.cuckoo/storage/analyses/1180/memory/1008-3f1d3e276e2aa0a6.exe_",
"ssdeep": null,
"size": 102400,
"sha512": "55e1f6c291d14a9dc3440cbe8d023f2f591bedbb5c2a7127f88b647b535480646dd4ad30f0510a6ac837b82a1e1ad2f32c3d474ce9c2af8999524814849fa363",
"md5": "10edbc14794583239d0b7e698d1e35e7"
}],
"pid": 1008
}],
"target": {
"category": "file",
"file_id": "5cdb795059bfaf4ded9b0b4f",
"file": {
"yara": [{
"meta": {
"description": "Possibly employs anti-virtualization techniques",
"author": "nex"
},
"name": "vmdetect",
"offsets": {
"virtualbox6": [
["29546", 10],
["29804", 10]
],
"virtualbox5": [
["29422", 9],
["29760", 9]
],
"virtualbox4": [
["29462", 8],
["29716", 8]
],
"virtualbox3": [
["26784", 12],
["26813", 12],
["26953", 20],
["30348", 20],
["30539", 12],
["30560", 12],
["30606", 12],
["30627", 12],
["30736", 20],
["30776", 20]
],
"virtualbox2": [
["26936", 19],
["29502", 11],
["30312", 19],
["30669", 19],
["30712", 19]
],
"virtualbox1": [
["29956", 18]
],
"xen6": [
["31924", 13],
["31930", 13]
],
"virtualbox_mac_1b": [
["26674", 4],
["26724", 4]
],
"vmware_mac_4b": [
["27698", 2],
["27780", 2]
],
"vmware_mac_3b": [
["27688", 1],
["27770", 1]
],
"vmware24": [
["27051", 5],
["27071", 16],
["27080", 7],
["27276", 5],
["27318", 5],
["27331", 5],
["27367", 5],
["27380", 5],
["27396", 5],
["27516", 5],
["27632", 5],
["27804", 5],
["27884", 5],
["27936", 5],
["31132", 6],
["31401", 5],
["31414", 5],
["31523", 5],
["31548", 7],
["31911", 5],
["31917", 5]
],
"vmware_mac_1b": [
["27678", 0],
["27760", 0]
],
"vmware20": [
["27449", 17],
["27504", 17],
["31456", 17]
],
"vmware5": [
["27570", 15],
["27621", 15],
["31497", 15]
],
"vmware4": [
["27571", 14],
["27622", 14],
["31498", 14]
],
"vmware_mac_2b": [
["27710", 3],
["27792", 3]
]
},
"strings": ["MDA6MDU6Njk=", "MDA6MEM6Mjk=", "MDA6MUM6MTQ=", "MDA6NTA6NTY=", "MDg6MDA6Mjc=", "Vk13YXJl", "Vk1XQVJF", "Vk1XYXJl", "VkJveE1vdXNl", "VkJveEd1ZXN0", "VkJveFNG", "VkJveFNlcnZpY2U=", "VkJveFRyYXk=", "WGVuVk1N", "aGdmcy5zeXM=", "bWhnZnMuc3lz", "dm13YXJl", "dm1tb3VzZQ==", "dmJveGhvb2suZGxs", "dmJveHNlcnZpY2U=", "dmJveHRyYXk="]
}],
"sha1": "124f46228d1e220d88ae5e9a24d6e713039a64f9",
"name": "pafish.exe",
"type": "PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows",
"sha256": "2180f4a13add5e346e8cf6994876a9d2f5eac3fcb695db8569537010d24cd6d5",
"urls": [],
"crc32": "6F030481",
"path": "/home/cuckoo/.cuckoo/storage/binaries/2180f4a13add5e346e8cf6994876a9d2f5eac3fcb695db8569537010d24cd6d5",
"ssdeep": null,
"size": 76800,
"sha512": "4b6d56b81dd3cd42bb53fc8d68b5c8ef0d6c85ebcc503cd042ae5c19e8965e6477f259a02bafb9c5c66956ae1023fc30e3be5bbcd526eacc8480f93d74c1ab7c",
"md5": "9159edb64c4a21d8888d088bf2db23f3"
}
},
"shots": [],
"extracted": [],
"signatures": [{
"markcount": 2,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": "1",
"arguments": {
"computer_name": "WIN-QQK6CL8VR7N"
},
"time": "2019-06-14T20:31:03.167Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 465
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": "1",
"arguments": {
"computer_name": "WIN-QQK6CL8VR7N"
},
"time": "2019-06-14T20:31:05.140Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 564
}],
"references": [],
"name": "antivm_queries_computername"
}, {
"markcount": 1,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 183,
"nt_status": -1073741515,
"api": "IsDebuggerPresent",
"return_value": "0",
"arguments": {},
"time": "2019-06-14T20:31:00.694Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 31
}],
"references": [],
"name": "checks_debugger"
}, {
"markcount": 128,
"families": [],
"description": "Command line console output was observed",
"severity": 1,
"marks": [{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "* Pafish (",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.624Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 9
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "Paranoid fish",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.624Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 10
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "Some anti(debugger/VM/sandbox) tricks\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.634Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 12
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "used by malware for the general public.\r\n\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.634Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 13
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Windows version: 6.1 build 7600\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.644Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 14
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] CPU: GenuineIntel\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.644Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 15
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": " Hypervisor: KVMKVMKVM\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.644Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 16
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": " CPU brand: Intel Core Processor (Haswell, no TSX, IBRS)\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.644Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 17
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "\r\n[-] Debuggers detection\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.694Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 30
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Using IsDebuggerPresent() ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.704Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 32
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "OK\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.704Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 33
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "\r\n[-] CPU information based detections\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.714Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 34
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking the difference between CPU timestamp counters (rdtsc) ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.814Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 45
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "traced!\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.864Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 52
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.974Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 67
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "traced!\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:00.994Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 74
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking hypervisor bit in cpuid feature bits ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.014Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 79
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "traced!\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.054Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 86
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking cpuid hypervisor vendor for known VM vendors ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.074Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 91
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "traced!\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.084Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 98
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "\r\n[-] Generic sandbox detection\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.104Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 103
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Using mouse activity ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.114Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 107
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "traced!\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.154Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 114
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking username ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.174Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 120
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "OK\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.194Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 121
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking file path ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.194Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 122
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "OK\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.194Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 123
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking common sample names in drives root ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.375Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 136
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "OK\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.395Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 137
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking if disk size <= 60GB via DeviceIoControl() ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.415Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 141
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "traced!\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.445Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 148
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.465Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 154
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "traced!\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.525Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 161
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking if Sleep() is patched using GetTickCount() ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.555Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 167
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "OK\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.565Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 168
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking if NumberOfProcessors is < 2 via raw access ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.565Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 169
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "traced!\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.605Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 176
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking if NumberOfProcessors is < 2 via GetSystemInfo() ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.615Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 182
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "traced!\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.665Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 189
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking if pysical memory is < 1Gb ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.685Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 195
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "traced!\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.715Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 202
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking operating system uptime using GetTickCount() ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.735Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 207
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "OK\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.735Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 208
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking if operating system IsNativeVhdBoot() ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.745Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 211
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "OK\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.755Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 212
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "\r\n[-] Hooks detection\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.795Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 213
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking function ShellExecuteExW method 1 ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.795Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 214
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "traced!\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.825Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 221
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "[*] Checking function CreateProcessA method 1 ... ",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.845Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 226
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleA",
"return_value": "1",
"arguments": {
"buffer": "OK\r\n",
"console_handle": "0x00000007"
},
"time": "2019-06-14T20:31:01.855Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 227
}],
"references": [],
"name": "console_output"
}, {
"markcount": 1,
"families": [],
"description": "Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)",
"severity": 1,
"marks": [{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosDate",
"type": "ioc",
"description": null
}],
"references": [],
"name": "recon_fingerprint"
}, {
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": "1",
"arguments": {},
"time": "2019-06-14T20:31:01.685Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 194
}],
"references": [],
"name": "antivm_memory_available"
}, {
"markcount": 2,
"families": [],
"description": "Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation",
"severity": 2,
"marks": [{
"call": {
"category": "file",
"status": 1,
"stacktrace": [],
"api": "DeviceIoControl",
"return_value": "1",
"arguments": {
"input_buffer": "",
"device_handle": "0x000000d0",
"control_code": 475228,
"output_buffer": "\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000"
},
"time": "2019-06-14T20:31:01.405Z",
"tid": 1836,
"flags": {
"control_code": "IOCTL_DISK_GET_LENGTH_INFO"
}
},
"pid": 1008,
"type": "call",
"cid": 139
}, {
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceExW",
"return_value": "1",
"arguments": {
"root_path": "C:\\",
"free_bytes_available": "0",
"total_number_of_free_bytes": "0",
"total_number_of_bytes": "34252779520"
},
"time": "2019-06-14T20:31:01.455Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 153
}],
"references": [],
"name": "antivm_disk_size"
}, {
"markcount": 2,
"families": [],
"description": "Executes one or more WMI queries",
"severity": 2,
"marks": [{
"category": "wmi",
"ioc": "SELECT DeviceId FROM Win32_PnPEntity",
"type": "ioc",
"description": null
}, {
"category": "wmi",
"ioc": "SELECT SerialNumber FROM Win32_Bios",
"type": "ioc",
"description": null
}],
"references": [],
"name": "has_wmi"
}, {
"markcount": 5,
"families": [],
"description": "Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping",
"severity": 2,
"marks": [{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": "1",
"arguments": {
"process_name": "python.exe",
"snapshot_handle": "0x0000011c",
"process_identifier": 2012
},
"time": "2019-06-14T20:31:02.897Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 436
}, {
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": "1",
"arguments": {
"process_name": "taskhost.exe",
"snapshot_handle": "0x0000011c",
"process_identifier": 1756
},
"time": "2019-06-14T20:31:02.897Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 437
}, {
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": "1",
"arguments": {
"process_name": "sdclt.exe",
"snapshot_handle": "0x0000011c",
"process_identifier": 976
},
"time": "2019-06-14T20:31:02.907Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 438
}, {
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": "1",
"arguments": {
"process_name": "pafish.exe",
"snapshot_handle": "0x0000011c",
"process_identifier": 1008
},
"time": "2019-06-14T20:31:02.907Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 439
}, {
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": "1",
"arguments": {
"process_name": "conhost.exe",
"snapshot_handle": "0x0000011c",
"process_identifier": 1492
},
"time": "2019-06-14T20:31:02.907Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 440
}],
"references": [],
"name": "injection_process_search"
}, {
"markcount": 1,
"families": [],
"description": "Checks adapter addresses which can be used to detect virtual network interfaces",
"severity": 2,
"marks": [{
"call": {
"category": "network",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741275,
"api": "GetAdaptersAddresses",
"return_value": "111",
"arguments": {
"flags": 0,
"family": 0
},
"time": "2019-06-14T20:31:02.436Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 365
}],
"references": [],
"name": "antivm_network_adapters"
}, {
"markcount": 2,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [{
"entropy": 7.854124193008595,
"section": {
"size_of_data": "0x00009000",
"virtual_address": "0x0000f000",
"entropy": 7.854124193008595,
"name": ".rsrc",
"virtual_size": "0x00008ef0"
},
"type": "generic",
"description": "A section with a high entropy has been found"
}, {
"entropy": 0.4864864864864865,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}],
"references": ["http://www.forensickb.com/2013/03/file-entropy-explained.html", "http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"],
"name": "packer_entropy"
}, {
"markcount": 371,
"families": [],
"description": "Potentially malicious URLs were found in the process memory dump",
"severity": 2,
"marks": [{
"category": "url",
"ioc": "http://www.expedia.com/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://uk.ask.com/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.priceminister.com/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.iask.com/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.merlin.com.pl/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.cnet.com/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://search.nifty.com/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://ns.adobe.com/exif/1.0/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.etmall.com.tw/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://search.goo.ne.jp/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://fr.wikipedia.org/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://busca.estadao.com.br/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://search.hanafos.com/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://search.chol.com/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://amazon.fr/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.amazon.co.jp/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.mtv.com/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://busqueda.aol.com.mx/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://search.live.com/results.aspx?FORM=SOLTDF",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://msdn.microsoft.com/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://msdn.microsoft.com/workshop/security/privacy/overview/privacyimportxml.asp)",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.sify.com/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://yellowpages.superpages.com/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://suche.freenet.de/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://search.aol.com/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://browse.guardian.co.uk/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.mercadolibre.com.mx/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.asharqalawsat.com/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.facebook.com/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://si.wikipedia.org/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.rtl.de/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://search.msn.com/results.aspx?q=",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.microsoft.com.",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://search.naver.com/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://en.wikipedia.org/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://si.wikipedia.org/w/api.php?action=opensearch",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://udn.com/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://rover.ebay.com",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://search.ebay.fr/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.univision.com/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://pt.wikipedia.org/w/api.php?action=opensearch",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://it.wikipedia.org/favicon.ico",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://uk.ask.com/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.google.co.uk/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://cnweb.search.live.com/results.aspx?q=",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.google.cz/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.google.co.jp/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://search.ebay.co.uk/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.weather.com/",
"type": "ioc",
"description": null
}, {
"category": "url",
"ioc": "http://www.taobao.com/favicon.ico",
"type": "ioc",
"description": null
}],
"references": [],
"name": "memdump_urls"
}, {
"markcount": 2,
"families": [],
"description": "Executes one or more WMI queries which can be used to identify virtual machines",
"severity": 2,
"marks": [{
"category": "wmi",
"ioc": "SELECT SerialNumber FROM Win32_Bios",
"type": "ioc",
"description": null
}, {
"category": "wmi",
"ioc": "SELECT DeviceId FROM Win32_PnPEntity",
"type": "ioc",
"description": null
}],
"references": [],
"name": "wmi_antivm"
}, {
"markcount": 4,
"families": [],
"description": "Looks for known filepaths where sandboxes execute samples",
"severity": 3,
"marks": [{
"category": "file",
"ioc": "C:\\sample.exe",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "D:\\sample.exe",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\malware.exe",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "D:\\malware.exe",
"type": "ioc",
"description": null
}],
"references": [],
"name": "antisandbox_file"
}, {
"markcount": 2,
"families": [],
"description": "Checks the version of Bios, possibly for anti-virtualization",
"severity": 3,
"marks": [{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"type": "ioc",
"description": null
}, {
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"type": "ioc",
"description": null
}],
"references": [],
"name": "antivm_generic_bios"
}, {
"markcount": 2,
"families": [],
"description": "Attempts to detect a virtual machine by the use of a pseudo device",
"severity": 3,
"marks": [{
"call": {
"category": "file",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "NtCreateFile",
"return_value": "3221225524",
"arguments": {
"create_disposition": 1,
"file_handle": "0x00000000",
"filepath": "\\??\\HGFS",
"desired_access": "0x80100080",
"file_attributes": 128,
"filepath_r": "\\??\\HGFS",
"create_options": 96,
"status_info": "4294967295",
"share_access": 1
},
"time": "2019-06-14T20:31:04.950Z",
"tid": 1836,
"flags": {
"create_disposition": "FILE_OPEN",
"desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
"file_attributes": "FILE_ATTRIBUTE_NORMAL",
"create_options": "FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT",
"status_info": "",
"share_access": "FILE_SHARE_READ"
}
},
"pid": 1008,
"type": "call",
"cid": 540
}, {
"call": {
"category": "file",
"status": 0,
"stacktrace": [],
"last_error": 2,
"nt_status": -1073741772,
"api": "NtCreateFile",
"return_value": "3221225524",
"arguments": {
"create_disposition": 1,
"file_handle": "0x00000000",
"filepath": "\\??\\vmci",
"desired_access": "0x80100080",
"file_attributes": 128,
"filepath_r": "\\??\\vmci",
"create_options": 96,
"status_info": "4294967295",
"share_access": 1
},
"time": "2019-06-14T20:31:04.960Z",
"tid": 1836,
"flags": {
"create_disposition": "FILE_OPEN",
"desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
"file_attributes": "FILE_ATTRIBUTE_NORMAL",
"create_options": "FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT",
"status_info": "",
"share_access": "FILE_SHARE_READ"
}
},
"pid": 1008,
"type": "call",
"cid": 541
}],
"references": [],
"name": "antivm_shared_device"
}, {
"markcount": 1,
"families": [],
"description": "Detects Joe or Anubis Sandboxes through the presence of a file",
"severity": 3,
"marks": [{
"category": "file",
"ioc": "C:\\sample.exe",
"type": "ioc",
"description": null
}],
"references": [],
"name": "antisandbox_joe_anubis_files"
}, {
"markcount": 4,
"families": [],
"description": "Detects VirtualBox through the presence of a device",
"severity": 3,
"marks": [{
"category": "file",
"ioc": "\\??\\VBoxMiniRdrDN",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "\\\\?\\pipe\\VBoxMiniRdDN",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "\\??\\VBoxTrayIPC",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "\\\\?\\pipe\\VBoxTrayIPC",
"type": "ioc",
"description": null
}],
"references": [],
"name": "antivm_vbox_devices"
}, {
"markcount": 16,
"families": [],
"description": "Detects VirtualBox through the presence of a file",
"severity": 3,
"marks": [{
"category": "file",
"ioc": "C:\\Windows\\System32\\vboxdisp.dll",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\vboxhook.dll",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\vboxmrxnp.dll",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\vboxogl.dll",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\vboxoglarrayspu.dll",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\vboxoglcrutil.dll",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\vboxoglerrorspu.dll",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\vboxoglfeedbackspu.dll",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\vboxoglpackspu.dll",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\drivers\\VBoxSF.sys",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\VBoxControl.exe",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\vboxservice.exe",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\vboxtray.exe",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\drivers\\VBoxGuest.sys",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\drivers\\VBoxMouse.sys",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\drivers\\VBoxVideo.sys",
"type": "ioc",
"description": null
}],
"references": [],
"name": "antivm_vbox_files"
}, {
"markcount": 4,
"families": [],
"description": "Detects VirtualBox through the presence of a registry key",
"severity": 3,
"marks": [{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
"type": "ioc",
"description": null
}, {
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\FADT\\VBOX__",
"type": "ioc",
"description": null
}, {
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
"type": "ioc",
"description": null
}, {
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\RSDT\\VBOX__",
"type": "ioc",
"description": null
}],
"references": [],
"name": "antivm_vbox_keys"
}, {
"markcount": 1,
"families": [],
"description": "Detects VirtualBox using WNetGetProviderName trick",
"severity": 3,
"marks": [{
"call": {
"category": "network",
"status": 0,
"stacktrace": [],
"last_error": 1222,
"nt_status": -1073741511,
"api": "WNetGetProviderNameW",
"return_value": "1222",
"arguments": {
"net_type": "0x00250000"
},
"time": "2019-06-14T20:31:02.546Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 389
}],
"references": [],
"name": "antivm_vbox_provname"
}, {
"markcount": 2,
"families": [],
"description": "Detects VirtualBox through the presence of a window",
"severity": 3,
"marks": [{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 2,
"nt_status": -1073741772,
"api": "FindWindowA",
"return_value": "0",
"arguments": {
"class_name": "VBoxTrayToolWndClass",
"window_name": ""
},
"time": "2019-06-14T20:31:02.526Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 385
}, {
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 2,
"nt_status": -1073741772,
"api": "FindWindowA",
"return_value": "0",
"arguments": {
"class_name": "#0",
"window_name": "VBoxTrayToolWnd"
},
"time": "2019-06-14T20:31:02.526Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 386
}],
"references": [],
"name": "antivm_vbox_window"
}, {
"markcount": 4,
"families": [],
"description": "Detects VMWare through the presence of various files",
"severity": 3,
"marks": [{
"category": "file",
"ioc": "C:\\Windows\\System32\\drivers\\vmmouse.sys",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "C:\\Windows\\System32\\drivers\\vmhgfs.sys",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "\\??\\HGFS",
"type": "ioc",
"description": null
}, {
"category": "file",
"ioc": "\\??\\vmci",
"type": "ioc",
"description": null
}],
"references": [],
"name": "antivm_vmware_files"
}, {
"markcount": 1,
"families": [],
"description": "Detects VMWare through the presence of a registry key",
"severity": 3,
"marks": [{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\VMware, Inc.\\VMware Tools",
"type": "ioc",
"description": null
}],
"references": [],
"name": "antivm_vmware_keys"
}, {
"markcount": 2,
"families": [],
"description": "Detects the presence of Wine emulator",
"severity": 3,
"marks": [{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "LdrGetProcedureAddress",
"return_value": "3221225785",
"arguments": {
"ordinal": 0,
"module": "kernel32",
"module_address": "0x75b10000",
"function_address": "0x00409375",
"function_name": "wine_get_unix_file_name"
},
"time": "2019-06-14T20:31:01.915Z",
"tid": 1836,
"flags": {}
},
"pid": 1008,
"type": "call",
"cid": 235
}, {
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\SOFTWARE\\Wine",
"type": "ioc",
"description": null
}],
"references": [],
"name": "antiemu_wine"
}],
"static": {
"pdb_path": null,
"pe_imports": [{
"imports": [{
"name": "GetUserNameA",
"address": "0x40c2a8"
}, {
"name": "RegCloseKey",
"address": "0x40c2ac"
}, {
"name": "RegOpenKeyExA",
"address": "0x40c2b0"
}, {
"name": "RegQueryValueExA",
"address": "0x40c2b4"
}],
"dll": "ADVAPI32.dll"
}, {
"imports": [{
"name": "GetAdaptersAddresses",
"address": "0x40c2bc"
}],
"dll": "IPHLPAPI.DLL"
}, {
"imports": [{
"name": "CloseHandle",
"address": "0x40c2c4"
}, {
"name": "CreateFileA",
"address": "0x40c2c8"
}, {
"name": "CreateProcessA",
"address": "0x40c2cc"
}, {
"name": "CreateToolhelp32Snapshot",
"address": "0x40c2d0"
}, {
"name": "DeleteCriticalSection",
"address": "0x40c2d4"
}, {
"name": "DeleteFileW",
"address": "0x40c2d8"
}, {
"name": "DeviceIoControl",
"address": "0x40c2dc"
}, {
"name": "EnterCriticalSection",
"address": "0x40c2e0"
}, {
"name": "GetConsoleScreenBufferInfo",
"address": "0x40c2e4"
}, {
"name": "GetCurrentProcess",
"address": "0x40c2e8"
}, {
"name": "GetCurrentProcessId",
"address": "0x40c2ec"
}, {
"name": "GetCurrentThreadId",
"address": "0x40c2f0"
}, {
"name": "GetDiskFreeSpaceExA",
"address": "0x40c2f4"
}, {
"name": "GetDriveTypeA",
"address": "0x40c2f8"
}, {
"name": "GetFileAttributesA",
"address": "0x40c2fc"
}, {
"name": "GetLastError",
"address": "0x40c300"
}, {
"name": "GetLogicalDriveStringsA",
"address": "0x40c304"
}, {
"name": "GetModuleFileNameA",
"address": "0x40c308"
}, {
"name": "GetModuleHandleA",
"address": "0x40c30c"
}, {
"name": "GetProcAddress",
"address": "0x40c310"
}, {
"name": "GetStartupInfoA",
"address": "0x40c314"
}, {
"name": "GetStdHandle",
"address": "0x40c318"
}, {
"name": "GetSystemInfo",
"address": "0x40c31c"
}, {
"name": "GetSystemTimeAsFileTime",
"address": "0x40c320"
}, {
"name": "GetTickCount",
"address": "0x40c324"
}, {
"name": "GetVersionExA",
"address": "0x40c328"
}, {
"name": "GlobalMemoryStatusEx",
"address": "0x40c32c"
}, {
"name": "InitializeCriticalSection",
"address": "0x40c330"
}, {
"name": "IsDebuggerPresent",
"address": "0x40c334"
}, {
"name": "LeaveCriticalSection",
"address": "0x40c338"
}, {
"name": "LocalAlloc",
"address": "0x40c33c"
}, {
"name": "LocalFree",
"address": "0x40c340"
}, {
"name": "OutputDebugStringA",
"address": "0x40c344"
}, {
"name": "Process32First",
"address": "0x40c348"
}, {
"name": "Process32Next",
"address": "0x40c34c"
}, {
"name": "QueryPerformanceCounter",
"address": "0x40c350"
}, {
"name": "SetConsoleTextAttribute",
"address": "0x40c354"
}, {
"name": "SetLastError",
"address": "0x40c358"
}, {
"name": "SetUnhandledExceptionFilter",
"address": "0x40c35c"
}, {
"name": "Sleep",
"address": "0x40c360"
}, {
"name": "TerminateProcess",
"address": "0x40c364"
}, {
"name": "TlsGetValue",
"address": "0x40c368"
}, {
"name": "UnhandledExceptionFilter",
"address": "0x40c36c"
}, {
"name": "VirtualProtect",
"address": "0x40c370"
}, {
"name": "VirtualQuery",
"address": "0x40c374"
}, {
"name": "lstrcmpiA",
"address": "0x40c378"
}],
"dll": "KERNEL32.dll"
}, {
"imports": [{
"name": "WNetGetProviderNameA",
"address": "0x40c380"
}],
"dll": "MPR.DLL"
}, {
"imports": [{
"name": "__dllonexit",
"address": "0x40c388"
}, {
"name": "__getmainargs",
"address": "0x40c38c"
}, {
"name": "__initenv",
"address": "0x40c390"
}, {
"name": "__lconv_init",
"address": "0x40c394"
}, {
"name": "__set_app_type",
"address": "0x40c398"
}, {
"name": "__setusermatherr",
"address": "0x40c39c"
}, {
"name": "_acmdln",
"address": "0x40c3a0"
}, {
"name": "_amsg_exit",
"address": "0x40c3a4"
}, {
"name": "_cexit",
"address": "0x40c3a8"
}, {
"name": "_fmode",
"address": "0x40c3ac"
}, {
"name": "_initterm",
"address": "0x40c3b0"
}, {
"name": "_iob",
"address": "0x40c3b4"
}, {
"name": "_lock",
"address": "0x40c3b8"
}, {
"name": "_onexit",
"address": "0x40c3bc"
}, {
"name": "calloc",
"address": "0x40c3c0"
}, {
"name": "exit",
"address": "0x40c3c4"
}, {
"name": "fclose",
"address": "0x40c3c8"
}, {
"name": "fopen",
"address": "0x40c3cc"
}, {
"name": "fprintf",
"address": "0x40c3d0"
}, {
"name": "fputs",
"address": "0x40c3d4"
}, {
"name": "free",
"address": "0x40c3d8"
}, {
"name": "fwrite",
"address": "0x40c3dc"
}, {
"name": "getchar",
"address": "0x40c3e0"
}, {
"name": "malloc",
"address": "0x40c3e4"
}, {
"name": "mbstowcs",
"address": "0x40c3e8"
}, {
"name": "memcmp",
"address": "0x40c3ec"
}, {
"name": "memcpy",
"address": "0x40c3f0"
}, {
"name": "printf",
"address": "0x40c3f4"
}, {
"name": "puts",
"address": "0x40c3f8"
}, {
"name": "signal",
"address": "0x40c3fc"
}, {
"name": "sprintf",
"address": "0x40c400"
}, {
"name": "strlen",
"address": "0x40c404"
}, {
"name": "strncat",
"address": "0x40c408"
}, {
"name": "strncmp",
"address": "0x40c40c"
}, {
"name": "strncpy",
"address": "0x40c410"
}, {
"name": "strstr",
"address": "0x40c414"
}, {
"name": "_unlock",
"address": "0x40c418"
}, {
"name": "abort",
"address": "0x40c41c"
}, {
"name": "toupper",
"address": "0x40c420"
}, {
"name": "vfprintf",
"address": "0x40c424"
}, {
"name": "wcsstr",
"address": "0x40c428"
}, {
"name": "_vsnprintf",
"address": "0x40c42c"
}],
"dll": "msvcrt.dll"
}, {
"imports": [{
"name": "CoCreateInstance",
"address": "0x40c434"
}, {
"name": "CoInitializeEx",
"address": "0x40c438"
}, {
"name": "CoInitializeSecurity",
"address": "0x40c43c"
}, {
"name": "CoUninitialize",
"address": "0x40c440"
}],
"dll": "ole32.dll"
}, {
"imports": [{
"name": "SysAllocString",
"address": "0x40c448"
}, {
"name": "SysFreeString",
"address": "0x40c44c"
}],
"dll": "OLEAUT32.dll"
}, {
"imports": [{
"name": "ShellExecuteExW",
"address": "0x40c454"
}],
"dll": "SHELL32.dll"
}, {
"imports": [{
"name": "FindWindowA",
"address": "0x40c45c"
}, {
"name": "GetCursorPos",
"address": "0x40c460"
}],
"dll": "USER32.dll"
}, {
"imports": [{
"name": "freeaddrinfo",
"address": "0x40c468"
}, {
"name": "getaddrinfo",
"address": "0x40c46c"
}],
"dll": "WS2_32.dll"
}],
"peid_signatures": null,
"keys": [],
"signature": [],
"pe_timestamp": "2016-08-27 18:37:13",
"pe_exports": [],
"imported_dll_count": 10,
"pe_imphash": "5fd4caa76ea3c961f2d530674634f64d",
"pe_resources": [{
"name": "RT_ICON",
"language": "LANG_ENGLISH",
"filetype": "PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_ENGLISH_US",
"offset": "0x00017a10",
"size": "0x000001f1"
}, {
"name": "RT_ICON",
"language": "LANG_ENGLISH",
"filetype": "PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_ENGLISH_US",
"offset": "0x00017a10",
"size": "0x000001f1"
}, {
"name": "RT_ICON",
"language": "LANG_ENGLISH",
"filetype": "PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_ENGLISH_US",
"offset": "0x00017a10",
"size": "0x000001f1"
}, {
"name": "RT_ICON",
"language": "LANG_ENGLISH",
"filetype": "PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_ENGLISH_US",
"offset": "0x00017a10",
"size": "0x000001f1"
}, {
"name": "RT_ICON",
"language": "LANG_ENGLISH",
"filetype": "PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_ENGLISH_US",
"offset": "0x00017a10",
"size": "0x000001f1"
}, {
"name": "RT_ICON",
"language": "LANG_ENGLISH",
"filetype": "PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced",
"sublanguage": "SUBLANG_ENGLISH_US",
"offset": "0x00017a10",
"size": "0x000001f1"
}, {
"name": "RT_GROUP_ICON",
"language": "LANG_ENGLISH",
"filetype": "MS Windows icon resource - 6 icons, 256x256, 16 colors",
"sublanguage": "SUBLANG_ENGLISH_US",
"offset": "0x00017c08",
"size": "0x0000005a"
}, {
"name": "RT_VERSION",
"language": "LANG_ENGLISH",
"filetype": "data",
"sublanguage": "SUBLANG_ENGLISH_US",
"offset": "0x00017c68",
"size": "0x00000288"
}],
"pe_versioninfo": [{
"name": "LegalCopyright",
"value": ""
}, {
"name": "InternalName",
"value": ""
}, {
"name": "FileVersion",
"value": ""
}, {
"name": "CompanyName",
"value": ""
}, {
"name": "LegalTrademarks",
"value": ""
}, {
"name": "ProductName",
"value": "Paranoid Fish"
}, {
"name": "ProductVersion",
"value": ""
}, {
"name": "FileDescription",
"value": "Paranoid Fish is paranoid"
}, {
"name": "OriginalFilename",
"value": ""
}, {
"name": "Translation",
"value": "0x0409 0x04e4"
}],
"pe_sections": [{
"size_of_data": "0x00005000",
"virtual_address": "0x00001000",
"entropy": 5.837356922279207,
"name": ".text",
"virtual_size": "0x00004f04"
}, {
"size_of_data": "0x00000200",
"virtual_address": "0x00006000",
"entropy": 0.5160853718179212,
"name": ".data",
"virtual_size": "0x00000030"
}, {
"size_of_data": "0x00003400",
"virtual_address": "0x00007000",
"entropy": 5.841272613826215,
"name": ".rdata",
"virtual_size": "0x000032b8"
}, {
"size_of_data": "0x00000000",
"virtual_address": "0x0000b000",
"entropy": 0,
"name": ".bss",
"virtual_size": "0x00000400"
}, {
"size_of_data": "0x00000e00",
"virtual_address": "0x0000c000",
"entropy": 4.764537139404206,
"name": ".idata",
"virtual_size": "0x00000d24"
}, {
"size_of_data": "0x00000200",
"virtual_address": "0x0000d000",
"entropy": 0.2672080280062829,
"name": ".CRT",
"virtual_size": "0x00000034"
}, {
"size_of_data": "0x00000200",
"virtual_address": "0x0000e000",
"entropy": 0.2044881574398449,
"name": ".tls",
"virtual_size": "0x00000020"
}, {
"size_of_data": "0x00009000",
"virtual_address": "0x0000f000",
"entropy": 7.854124193008595,
"name": ".rsrc",
"virtual_size": "0x00008ef0"
}]
},
"dropped": [{
"yara": [{
"meta": {
"description": "A non-Windows executable contains win32 API functions names",
"author": "nex"
},
"name": "embedded_win_api",
"offsets": {
"api7": [
["986", 0]
]
},
"strings": ["U2hlbGxFeGVjdXRl"]
}, {
"meta": {
"description": "Possibly employs anti-virtualization techniques",
"author": "nex"
},
"name": "vmdetect",
"offsets": {
"virtualbox_mac_1b": [
["1071", 0]
]
},
"strings": ["MDg6MDA6Mjc="]
}],
"sha1": "184b43b4ca9da8bd86b3a74006ce601eb8005189",
"name": "694e192e2bf7c06f_pafish.log",
"filepath": "C:\\Users\\Administrator\\AppData\\Local\\Temp\\pafish.log",
"sha512": "c69eb9299bdc07735e7caa67ef3a3457e837a45b0101d01386f5753087c72c897bc9d34325d56442cc0922b0848cd20946a54d256b49d737e99033423d18eda9",
"object_id": "5cdc219759bfaf0f424f4994",
"urls": [],
"crc32": "2D75BDDD",
"path": "/home/cuckoo/.cuckoo/storage/analyses/1180/files/694e192e2bf7c06f_pafish.log",
"ssdeep": null,
"sha256": "694e192e2bf7c06f43105877ccb2915d64c99bbe3aedbc9f927e700cb7c6df04",
"type": "ASCII text, with CRLF line terminators",
"pids": [1008],
"md5": "5cba38c8ed5b582529f6c938d80801a6",
"size": 1150
}],
"behavior": {
"generic": [{
"process_path": "C:\\Users\\Administrator\\AppData\\Local\\Temp\\pafish.exe",
"process_name": "pafish.exe",
"pid": 1008,
"summary": {
"file_created": ["C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_sandbox_mouse_act", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_CPU_VM_hypervisor_bit", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_CPU_VM_hv_vendor_name", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_sandbox_pysicalmemory_less_1Gb", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_sandbox_drive_size2", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\pafish.log", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_virtualbox", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_CPU_VM_rdtsc", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_sandbox_NumberOfProcessors_less_2_GetSystemInfo", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_sandbox_drive_size", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_CPU_VM_rdtsc_force_vm_exit", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_hooks_shellexecuteexw_m1", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_sandbox_NumberOfProcessors_less_2_raw"],
"dll_loaded": ["kernel32.dll"],
"file_opened": ["C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_virtualbox", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\pafish.log", "\\??\\PhysicalDrive0"],
"regkey_opened": ["HKEY_LOCAL_MACHINE\\HARDWARE\\Description\\System", "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\FADT\\VBOX__", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\VMware, Inc.\\VMware Tools", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\VBoxSF", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32", "HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}", "HKEY_CURRENT_USER\\SOFTWARE\\Wine", "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\VBoxGuest", "HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\VBoxMouse", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\VBoxService", "HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\VBoxVideo", "HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\RSDT\\VBOX__"],
"resolves_host": ["hi-hooks-shellexecuteexw-m1.pafish", "hi-sandbox-drive-size2.pafish", "hi-sandbox-pysicalmemory-less-1Gb.pafish", "hi-sandbox-drive-size.pafish", "hi-CPU-VM-rdtsc.pafish", "analysis-start.pafish", "analysis-end.pafish", "hi-virtualbox.pafish", "hi-CPU-VM-hypervisor-bit.pafish", "hi-CPU-VM-rdtsc-force-vm-exit.pafish", "hi-sandbox-NumberOfProcessors-less-2-GetSystemInfo.pafish", "hi-sandbox-mouse-act.pafish", "hi-sandbox-NumberOfProcessors-less-2-raw.pafish", "hi-CPU-VM-hv-vendor-name.pafish"],
"file_written": ["C:\\Users\\Administrator\\AppData\\Local\\Temp\\pafish.log"],
"file_exists": ["C:\\Windows\\System32\\vboxoglfeedbackspu.dll", "C:\\Windows\\System32\\drivers\\VBoxSF.sys", "C:\\Windows\\System32\\drivers\\VBoxMouse.sys", "C:\\sample.exe", "C:\\program files\\oracle\\virtualbox guest additions\\", "C:\\Windows\\System32\\vboxoglerrorspu.dll", "C:\\Windows\\System32\\drivers\\VBoxVideo.sys", "C:\\Windows\\System32\\vboxoglpassthroughspu.dll", "C:\\Windows\\System32\\vboxoglpackspu.dll", "C:\\Windows\\System32\\drivers\\VBoxGuest.sys", "C:\\Windows\\System32\\vboxoglcrutil.dll", "C:\\malware.exe", "C:\\Windows\\System32\\drivers\\vmmouse.sys", "C:\\Windows\\System32\\vboxdisp.dll", "C:\\Windows\\System32\\vboxmrxnp.dll", "D:\\sample.exe", "C:\\Windows\\System32\\vboxogl.dll", "D:\\malware.exe", "C:\\Windows\\System32\\VBoxControl.exe", "C:\\Windows\\System32\\vboxservice.exe", "C:\\Windows\\System32\\vboxhook.dll", "C:\\Windows\\System32\\vboxtray.exe", "C:\\Windows\\System32\\drivers\\vmhgfs.sys", "C:\\Windows\\System32\\vboxoglarrayspu.dll"],
"file_failed": ["\\??\\vmci", "\\??\\VBoxTrayIPC", "\\??\\HGFS", "\\\\?\\pipe\\VBoxTrayIPC", "\\\\?\\pipe\\VBoxMiniRdDN", "\\??\\VBoxMiniRdrDN"],
"wmi_query": ["SELECT DeviceId FROM Win32_PnPEntity", "SELECT SerialNumber FROM Win32_Bios"],
"guid": ["{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{8bc3f05e-d86b-11d0-a075-00c04fb68820}", "{7c857801-7381-11cf-884d-00aa004b2e24}", "{d5f569d0-593b-101a-b569-08002b2dbf7a}", "{f309ad18-d86a-11d0-a075-00c04fb68820}", "{dc12a687-737f-11cf-884d-00aa004b2e24}"],
"regkey_read": ["HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosDate", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"]
},
"first_seen": "2019-06-14T20:30:59.792Z",
"ppid": 1216
}, {
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 484,
"summary": {},
"first_seen": "2019-06-14T20:30:58.060Z",
"ppid": 388
}],
"apistats": {
"1008": {
"CreateToolhelp32Snapshot": 1,
"NtDuplicateObject": 2,
"getaddrinfo": 15,
"CoUninitialize": 2,
"RegCloseKey": 17,
"CoCreateInstanceEx": 2,
"LdrUnloadDll": 1,
"WNetGetProviderNameW": 1,
"GetSystemInfo": 1,
"RegQueryValueExA": 5,
"DeviceIoControl": 1,
"IsDebuggerPresent": 1,
"GetSystemWindowsDirectoryW": 1,
"NtClose": 58,
"GetAdaptersAddresses": 12,
"FindWindowA": 2,
"GetFileAttributesW": 24,
"IWbemServices_ExecQuery": 2,
"RegQueryValueExW": 4,
"NtMapViewOfSection": 1,
"Process32NextW": 32,
"RegOpenKeyExW": 8,
"NtDelayExecution": 23,
"NtAllocateVirtualMemory": 1,
"RegOpenKeyExA": 21,
"NtWriteFile": 17,
"LdrGetDllHandle": 53,
"Process32FirstW": 1,
"CoGetClassObject": 2,
"GetCursorPos": 2,
"GetComputerNameW": 2,
"CoCreateInstance": 2,
"SetFilePointer": 34,
"GetUserNameA": 1,
"NtCreateFile": 38,
"GetSystemTimeAsFileTime": 2,
"GlobalMemoryStatusEx": 1,
"CoInitializeEx": 2,
"NtCreateSection": 1,
"SetUnhandledExceptionFilter": 1,
"WriteConsoleA": 130,
"NtOpenKey": 18,
"LdrGetProcedureAddress": 49,
"CoInitializeSecurity": 2,
"GetDiskFreeSpaceExW": 1,
"GetFileType": 30,
"LdrLoadDll": 1,
"UuidCreate": 2,
"NtQueryValueKey": 10
}
},
"processes": [{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"calls": [],
"track": false,
"command_line": "C:\\Windows\\system32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 484,
"modules": [{
"basename": "lsass.exe",
"imgsize": 36864,
"baseaddr": "0xd80000",
"filepath": "C:\\Windows\\system32\\lsass.exe"
}, {
"basename": "ntdll.dll",
"imgsize": 1294336,
"baseaddr": "0x774c0000",
"filepath": "C:\\Windows\\SYSTEM32\\ntdll.dll"
}, {
"basename": "kernel32.dll",
"imgsize": 868352,
"baseaddr": "0x75b10000",
"filepath": "C:\\Windows\\system32\\kernel32.dll"
}, {
"basename": "KERNELBASE.dll",
"imgsize": 303104,
"baseaddr": "0x75890000",
"filepath": "C:\\Windows\\system32\\KERNELBASE.dll"
}, {
"basename": "msvcrt.dll",
"imgsize": 704512,
"baseaddr": "0x773b0000",
"filepath": "C:\\Windows\\system32\\msvcrt.dll"
}, {
"basename": "RPCRT4.dll",
"imgsize": 659456,
"baseaddr": "0x75bf0000",
"filepath": "C:\\Windows\\system32\\RPCRT4.dll"
}, {
"basename": "SspiSrv.dll",
"imgsize": 28672,
"baseaddr": "0x75500000",
"filepath": "C:\\Windows\\system32\\SspiSrv.dll"
}, {
"basename": "lsasrv.dll",
"imgsize": 1048576,
"baseaddr": "0x753c0000",
"filepath": "C:\\Windows\\system32\\lsasrv.dll"
}, {
"basename": "sechost.dll",
"imgsize": 102400,
"baseaddr": "0x75cb0000",
"filepath": "C:\\Windows\\SYSTEM32\\sechost.dll"
}, {
"basename": "SspiCli.dll",
"imgsize": 106496,
"baseaddr": "0x754e0000",
"filepath": "C:\\Windows\\system32\\SspiCli.dll"
}, {
"basename": "ADVAPI32.dll",
"imgsize": 655360,
"baseaddr": "0x75910000",
"filepath": "C:\\Windows\\system32\\ADVAPI32.dll"
}, {
"basename": "USER32.dll",
"imgsize": 823296,
"baseaddr": "0x75ce0000",
"filepath": "C:\\Windows\\system32\\USER32.dll"
}, {
"basename": "GDI32.dll",
"imgsize": 319488,
"baseaddr": "0x77360000",
"filepath": "C:\\Windows\\system32\\GDI32.dll"
}, {
"basename": "LPK.dll",
"imgsize": 40960,
"baseaddr": "0x75ca0000",
"filepath": "C:\\Windows\\system32\\LPK.dll"
}, {
"basename": "USP10.dll",
"imgsize": 643072,
"baseaddr": "0x75f50000",
"filepath": "C:\\Windows\\system32\\USP10.dll"
}, {
"basename": "SAMSRV.dll",
"imgsize": 569344,
"baseaddr": "0x75330000",
"filepath": "C:\\Windows\\system32\\SAMSRV.dll"
}, {
"basename": "cryptdll.dll",
"imgsize": 69632,
"baseaddr": "0x75310000",
"filepath": "C:\\Windows\\system32\\cryptdll.dll"
}, {
"basename": "MSASN1.dll",
"imgsize": 49152,
"baseaddr": "0x75680000",
"filepath": "C:\\Windows\\system32\\MSASN1.dll"
}, {
"basename": "wevtapi.dll",
"imgsize": 270336,
"baseaddr": "0x752c0000",
"filepath": "C:\\Windows\\system32\\wevtapi.dll"
}, {
"basename": "IMM32.DLL",
"imgsize": 126976,
"baseaddr": "0x77340000",
"filepath": "C:\\Windows\\system32\\IMM32.DLL"
}, {
"basename": "MSCTF.dll",
"imgsize": 835584,
"baseaddr": "0x76f00000",
"filepath": "C:\\Windows\\system32\\MSCTF.dll"
}, {
"basename": "cngaudit.dll",
"imgsize": 24576,
"baseaddr": "0x752b0000",
"filepath": "C:\\Windows\\system32\\cngaudit.dll"
}, {
"basename": "AUTHZ.dll",
"imgsize": 110592,
"baseaddr": "0x75290000",
"filepath": "C:\\Windows\\system32\\AUTHZ.dll"
}, {
"basename": "ncrypt.dll",
"imgsize": 229376,
"baseaddr": "0x75250000",
"filepath": "C:\\Windows\\system32\\ncrypt.dll"
}, {
"basename": "bcrypt.dll",
"imgsize": 94208,
"baseaddr": "0x75230000",
"filepath": "C:\\Windows\\system32\\bcrypt.dll"
}, {
"basename": "msprivs.DLL",
"imgsize": 8192,
"baseaddr": "0x75220000",
"filepath": "C:\\Windows\\system32\\msprivs.DLL"
}, {
"basename": "netjoin.dll",
"imgsize": 176128,
"baseaddr": "0x751f0000",
"filepath": "C:\\Windows\\system32\\netjoin.dll"
}, {
"basename": "negoexts.DLL",
"imgsize": 110592,
"baseaddr": "0x751d0000",
"filepath": "C:\\Windows\\system32\\negoexts.DLL"
}, {
"basename": "Secur32.dll",
"imgsize": 32768,
"baseaddr": "0x751c0000",
"filepath": "C:\\Windows\\system32\\Secur32.dll"
}, {
"basename": "cryptbase.dll",
"imgsize": 49152,
"baseaddr": "0x75560000",
"filepath": "C:\\Windows\\system32\\cryptbase.dll"
}, {
"basename": "kerberos.DLL",
"imgsize": 557056,
"baseaddr": "0x75130000",
"filepath": "C:\\Windows\\system32\\kerberos.DLL"
}, {
"basename": "CRYPTSP.dll",
"imgsize": 90112,
"baseaddr": "0x75110000",
"filepath": "C:\\Windows\\system32\\CRYPTSP.dll"
}, {
"basename": "WS2_32.dll",
"imgsize": 217088,
"baseaddr": "0x77650000",
"filepath": "C:\\Windows\\system32\\WS2_32.dll"
}, {
"basename": "NSI.dll",
"imgsize": 24576,
"baseaddr": "0x76fd0000",
"filepath": "C:\\Windows\\system32\\NSI.dll"
}, {
"basename": "mswsock.dll",
"imgsize": 245760,
"baseaddr": "0x750d0000",
"filepath": "C:\\Windows\\system32\\mswsock.dll"
}, {
"basename": "wship6.dll",
"imgsize": 24576,
"baseaddr": "0x750c0000",
"filepath": "C:\\Windows\\System32\\wship6.dll"
}, {
"basename": "msv1_0.DLL",
"imgsize": 270336,
"baseaddr": "0x75070000",
"filepath": "C:\\Windows\\system32\\msv1_0.DLL"
}, {
"basename": "netlogon.DLL",
"imgsize": 573440,
"baseaddr": "0x74fe0000",
"filepath": "C:\\Windows\\system32\\netlogon.DLL"
}, {
"basename": "DNSAPI.dll",
"imgsize": 278528,
"baseaddr": "0x74f90000",
"filepath": "C:\\Windows\\system32\\DNSAPI.dll"
}, {
"basename": "logoncli.dll",
"imgsize": 139264,
"baseaddr": "0x74f60000",
"filepath": "C:\\Windows\\system32\\logoncli.dll"
}, {
"basename": "schannel.DLL",
"imgsize": 233472,
"baseaddr": "0x74f20000",
"filepath": "C:\\Windows\\system32\\schannel.DLL"
}, {
"basename": "CRYPT32.dll",
"imgsize": 1163264,
"baseaddr": "0x75770000",
"filepath": "C:\\Windows\\system32\\CRYPT32.dll"
}, {
"basename": "wdigest.DLL",
"imgsize": 180224,
"baseaddr": "0x74ef0000",
"filepath": "C:\\Windows\\system32\\wdigest.DLL"
}, {
"basename": "rsaenh.dll",
"imgsize": 241664,
"baseaddr": "0x74eb0000",
"filepath": "C:\\Windows\\system32\\rsaenh.dll"
}, {
"basename": "tspkg.DLL",
"imgsize": 73728,
"baseaddr": "0x74e70000",
"filepath": "C:\\Windows\\system32\\tspkg.DLL"
}, {
"basename": "pku2u.DLL",
"imgsize": 212992,
"baseaddr": "0x74e30000",
"filepath": "C:\\Windows\\system32\\pku2u.DLL"
}, {
"basename": "bcryptprimitives.dll",
"imgsize": 249856,
"baseaddr": "0x74df0000",
"filepath": "C:\\Windows\\system32\\bcryptprimitives.dll"
}, {
"basename": "RpcRtRemote.dll",
"imgsize": 57344,
"baseaddr": "0x75600000",
"filepath": "C:\\Windows\\system32\\RpcRtRemote.dll"
}, {
"basename": "efslsaext.dll",
"imgsize": 53248,
"baseaddr": "0x74ea0000",
"filepath": "C:\\Windows\\system32\\efslsaext.dll"
}, {
"basename": "scecli.DLL",
"imgsize": 188416,
"baseaddr": "0x74dc0000",
"filepath": "C:\\Windows\\system32\\scecli.DLL"
}, {
"basename": "credssp.dll",
"imgsize": 32768,
"baseaddr": "0x74db0000",
"filepath": "C:\\Windows\\system32\\credssp.dll"
}, {
"basename": "WINSTA.dll",
"imgsize": 167936,
"baseaddr": "0x755d0000",
"filepath": "C:\\Windows\\system32\\WINSTA.dll"
}, {
"basename": "wshtcpip.dll",
"imgsize": 20480,
"baseaddr": "0x74ba0000",
"filepath": "C:\\Windows\\System32\\wshtcpip.dll"
}, {
"basename": "IPHLPAPI.DLL",
"imgsize": 114688,
"baseaddr": "0x72740000",
"filepath": "C:\\Windows\\system32\\IPHLPAPI.DLL"
}, {
"basename": "WINNSI.DLL",
"imgsize": 28672,
"baseaddr": "0x72730000",
"filepath": "C:\\Windows\\system32\\WINNSI.DLL"
}, {
"basename": "netutils.dll",
"imgsize": 36864,
"baseaddr": "0x73e80000",
"filepath": "C:\\Windows\\system32\\netutils.dll"
}, {
"basename": "USERENV.dll",
"imgsize": 94208,
"baseaddr": "0x74c70000",
"filepath": "C:\\Windows\\system32\\USERENV.dll"
}, {
"basename": "profapi.dll",
"imgsize": 45056,
"baseaddr": "0x75610000",
"filepath": "C:\\Windows\\system32\\profapi.dll"
}, {
"basename": "samcli.dll",
"imgsize": 61440,
"baseaddr": "0x73e60000",
"filepath": "C:\\Windows\\system32\\samcli.dll"
}, {
"basename": "SAMLIB.dll",
"imgsize": 73728,
"baseaddr": "0x749d0000",
"filepath": "C:\\Windows\\system32\\SAMLIB.dll"
}, {
"basename": "dssenh.dll",
"imgsize": 159744,
"baseaddr": "0x70ee0000",
"filepath": "C:\\Windows\\system32\\dssenh.dll"
}, {
"basename": "GPAPI.dll",
"imgsize": 90112,
"baseaddr": "0x74c50000",
"filepath": "C:\\Windows\\system32\\GPAPI.dll"
}, {
"basename": "WLDAP32.dll",
"imgsize": 282624,
"baseaddr": "0x77600000",
"filepath": "C:\\Windows\\system32\\WLDAP32.dll"
}, {
"basename": "monitor-x86.dll",
"imgsize": 2117632,
"baseaddr": "0x63dc0000",
"filepath": "C:\\tmpgojdca\\bin\\monitor-x86.dll"
}],
"time": 70,
"tid": 768,
"first_seen": "2019-06-14T20:30:58.060Z",
"ppid": 388,
"type": "process"
}, {
"process_path": "C:\\Users\\Administrator\\AppData\\Local\\Temp\\pafish.exe",
"calls": ["5d02dd4559bfaf1280fee9c2", "5d02dd4559bfaf1280fee9c3", "5d02dd4559bfaf1280fee9c4", "5d02dd4559bfaf1280fee9c5", "5d02dd4559bfaf1280fee9c6", "5d02dd4559bfaf1280fee9c7", "5d02dd4559bfaf1280fee9c8"],
"track": true,
"command_line": "\"C:\\Users\\Administrator\\AppData\\Local\\Temp\\pafish.exe\" ",
"process_name": "pafish.exe",
"pid": 1008,
"modules": [{
"basename": "pafish.exe",
"imgsize": 98304,
"baseaddr": "0x400000",
"filepath": "C:\\Users\\Administrator\\AppData\\Local\\Temp\\pafish.exe"
}, {
"basename": "ntdll.dll",
"imgsize": 1294336,
"baseaddr": "0x774c0000",
"filepath": "C:\\Windows\\SYSTEM32\\ntdll.dll"
}, {
"basename": "kernel32.dll",
"imgsize": 868352,
"baseaddr": "0x75b10000",
"filepath": "C:\\Windows\\system32\\kernel32.dll"
}, {
"basename": "KERNELBASE.dll",
"imgsize": 303104,
"baseaddr": "0x75890000",
"filepath": "C:\\Windows\\system32\\KERNELBASE.dll"
}, {
"basename": "ADVAPI32.dll",
"imgsize": 655360,
"baseaddr": "0x75910000",
"filepath": "C:\\Windows\\system32\\ADVAPI32.dll"
}, {
"basename": "msvcrt.dll",
"imgsize": 704512,
"baseaddr": "0x773b0000",
"filepath": "C:\\Windows\\system32\\msvcrt.dll"
}, {
"basename": "sechost.dll",
"imgsize": 102400,
"baseaddr": "0x75cb0000",
"filepath": "C:\\Windows\\SYSTEM32\\sechost.dll"
}, {
"basename": "RPCRT4.dll",
"imgsize": 659456,
"baseaddr": "0x75bf0000",
"filepath": "C:\\Windows\\system32\\RPCRT4.dll"
}, {
"basename": "IPHLPAPI.DLL",
"imgsize": 114688,
"baseaddr": "0x72740000",
"filepath": "C:\\Windows\\system32\\IPHLPAPI.DLL"
}, {
"basename": "NSI.dll",
"imgsize": 24576,
"baseaddr": "0x76fd0000",
"filepath": "C:\\Windows\\system32\\NSI.dll"
}, {
"basename": "WINNSI.DLL",
"imgsize": 28672,
"baseaddr": "0x72730000",
"filepath": "C:\\Windows\\system32\\WINNSI.DLL"
}, {
"basename": "MPR.DLL",
"imgsize": 73728,
"baseaddr": "0x723e0000",
"filepath": "C:\\Windows\\system32\\MPR.DLL"
}, {
"basename": "ole32.dll",
"imgsize": 1425408,
"baseaddr": "0x759b0000",
"filepath": "C:\\Windows\\system32\\ole32.dll"
}, {
"basename": "GDI32.dll",
"imgsize": 319488,
"baseaddr": "0x77360000",
"filepath": "C:\\Windows\\system32\\GDI32.dll"
}, {
"basename": "USER32.dll",
"imgsize": 823296,
"baseaddr": "0x75ce0000",
"filepath": "C:\\Windows\\system32\\USER32.dll"
}, {
"basename": "LPK.dll",
"imgsize": 40960,
"baseaddr": "0x75ca0000",
"filepath": "C:\\Windows\\system32\\LPK.dll"
}, {
"basename": "USP10.dll",
"imgsize": 643072,
"baseaddr": "0x75f50000",
"filepath": "C:\\Windows\\system32\\USP10.dll"
}, {
"basename": "OLEAUT32.dll",
"imgsize": 585728,
"baseaddr": "0x772a0000",
"filepath": "C:\\Windows\\system32\\OLEAUT32.dll"
}, {
"basename": "SHELL32.dll",
"imgsize": 12881920,
"baseaddr": "0x760b0000",
"filepath": "C:\\Windows\\system32\\SHELL32.dll"
}, {
"basename": "SHLWAPI.dll",
"imgsize": 356352,
"baseaddr": "0x77690000",
"filepath": "C:\\Windows\\system32\\SHLWAPI.dll"
}, {
"basename": "WS2_32.dll",
"imgsize": 217088,
"baseaddr": "0x77650000",
"filepath": "C:\\Windows\\system32\\WS2_32.dll"
}, {
"basename": "IMM32.DLL",
"imgsize": 126976,
"baseaddr": "0x77340000",
"filepath": "C:\\Windows\\system32\\IMM32.DLL"
}, {
"basename": "MSCTF.dll",
"imgsize": 835584,
"baseaddr": "0x76f00000",
"filepath": "C:\\Windows\\system32\\MSCTF.dll"
}, {
"basename": "monitor-x86.dll",
"imgsize": 2117632,
"baseaddr": "0x63dc0000",
"filepath": "C:\\tmpgojdca\\bin\\monitor-x86.dll"
}],
"time": 30,
"tid": 1836,
"first_seen": "2019-06-14T20:30:59.792Z",
"ppid": 1216,
"type": "process"
}],
"processtree": [{
"track": false,
"pid": 484,
"process_name": "lsass.exe",
"command_line": "C:\\Windows\\system32\\lsass.exe",
"first_seen": "2019-06-14T20:30:58.060Z",
"ppid": 388,
"children": []
}, {
"track": true,
"pid": 1008,
"process_name": "pafish.exe",
"command_line": "\"C:\\Users\\Administrator\\AppData\\Local\\Temp\\pafish.exe\" ",
"first_seen": "2019-06-14T20:30:59.792Z",
"ppid": 1216,
"children": []
}],
"summary": {
"file_created": ["C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_sandbox_mouse_act", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_CPU_VM_hypervisor_bit", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_CPU_VM_hv_vendor_name", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_sandbox_pysicalmemory_less_1Gb", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_sandbox_drive_size2", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\pafish.log", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_virtualbox", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_CPU_VM_rdtsc", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_sandbox_NumberOfProcessors_less_2_GetSystemInfo", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_sandbox_drive_size", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_CPU_VM_rdtsc_force_vm_exit", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_hooks_shellexecuteexw_m1", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_sandbox_NumberOfProcessors_less_2_raw"],
"dll_loaded": ["kernel32.dll"],
"file_opened": ["C:\\Users\\Administrator\\AppData\\Local\\Temp\\hi_virtualbox", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\pafish.log", "\\??\\PhysicalDrive0"],
"regkey_opened": ["HKEY_LOCAL_MACHINE\\HARDWARE\\Description\\System", "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\FADT\\VBOX__", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\VMware, Inc.\\VMware Tools", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\VBoxSF", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32", "HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}", "HKEY_CURRENT_USER\\SOFTWARE\\Wine", "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\VBoxGuest", "HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\VBoxMouse", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\VBoxService", "HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\VBoxVideo", "HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\RSDT\\VBOX__"],
"resolves_host": ["hi-hooks-shellexecuteexw-m1.pafish", "hi-sandbox-drive-size2.pafish", "hi-sandbox-pysicalmemory-less-1Gb.pafish", "hi-sandbox-drive-size.pafish", "hi-CPU-VM-rdtsc.pafish", "analysis-start.pafish", "analysis-end.pafish", "hi-virtualbox.pafish", "hi-CPU-VM-hypervisor-bit.pafish", "hi-CPU-VM-rdtsc-force-vm-exit.pafish", "hi-sandbox-NumberOfProcessors-less-2-GetSystemInfo.pafish", "hi-sandbox-mouse-act.pafish", "hi-sandbox-NumberOfProcessors-less-2-raw.pafish", "hi-CPU-VM-hv-vendor-name.pafish"],
"file_written": ["C:\\Users\\Administrator\\AppData\\Local\\Temp\\pafish.log"],
"file_exists": ["C:\\Windows\\System32\\vboxoglfeedbackspu.dll", "C:\\Windows\\System32\\drivers\\VBoxSF.sys", "C:\\Windows\\System32\\drivers\\VBoxMouse.sys", "C:\\sample.exe", "C:\\program files\\oracle\\virtualbox guest additions\\", "C:\\Windows\\System32\\vboxoglerrorspu.dll", "C:\\Windows\\System32\\drivers\\VBoxVideo.sys", "C:\\Windows\\System32\\vboxoglpassthroughspu.dll", "C:\\Windows\\System32\\vboxoglpackspu.dll", "C:\\Windows\\System32\\drivers\\VBoxGuest.sys", "C:\\Windows\\System32\\vboxoglcrutil.dll", "C:\\malware.exe", "C:\\Windows\\System32\\drivers\\vmmouse.sys", "C:\\Windows\\System32\\vboxdisp.dll", "C:\\Windows\\System32\\vboxmrxnp.dll", "D:\\sample.exe", "C:\\Windows\\System32\\vboxogl.dll", "D:\\malware.exe", "C:\\Windows\\System32\\VBoxControl.exe", "C:\\Windows\\System32\\vboxservice.exe", "C:\\Windows\\System32\\vboxhook.dll", "C:\\Windows\\System32\\vboxtray.exe", "C:\\Windows\\System32\\drivers\\vmhgfs.sys", "C:\\Windows\\System32\\vboxoglarrayspu.dll"],
"file_failed": ["\\??\\vmci", "\\??\\VBoxTrayIPC", "\\??\\HGFS", "\\\\?\\pipe\\VBoxTrayIPC", "\\\\?\\pipe\\VBoxMiniRdDN", "\\??\\VBoxMiniRdrDN"],
"wmi_query": ["SELECT DeviceId FROM Win32_PnPEntity", "SELECT SerialNumber FROM Win32_Bios"],
"guid": ["{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{8bc3f05e-d86b-11d0-a075-00c04fb68820}", "{7c857801-7381-11cf-884d-00aa004b2e24}", "{d5f569d0-593b-101a-b569-08002b2dbf7a}", "{f309ad18-d86a-11d0-a075-00c04fb68820}", "{dc12a687-737f-11cf-884d-00aa004b2e24}"],
"regkey_read": ["HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosDate", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"]
}
},
"debug": {
"action": [],
"dbgview": [],
"errors": [],
"log": ["2019-06-14 06:30:44,230 [analyzer] DEBUG: Starting analyzer from: C:\\tmpgojdca\n", "2019-06-14 06:30:44,240 [analyzer] DEBUG: Pipe server name: \\??\\PIPE\\CaAFHehVaazEuTcVhrkZDg\n", "2019-06-14 06:30:44,240 [analyzer] DEBUG: Log pipe server name: \\??\\PIPE\\FAAxfZgyRsPHKziuHWpCWkLRwpsPV\n", "2019-06-14 06:30:44,670 [analyzer] DEBUG: Started auxiliary module DbgView\n", "2019-06-14 06:30:57,578 [analyzer] DEBUG: Started auxiliary module Disguise\n", "2019-06-14 06:30:58,210 [analyzer] DEBUG: Loaded monitor into process with pid 484\n", "2019-06-14 06:30:58,240 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets\n", "2019-06-14 06:30:58,299 [analyzer] DEBUG: Started auxiliary module Human\n", "2019-06-14 06:30:58,309 [analyzer] DEBUG: Started auxiliary module InstallCertificate\n", "2019-06-14 06:30:58,309 [analyzer] DEBUG: Started auxiliary module Reboot\n", "2019-06-14 06:30:58,750 [analyzer] DEBUG: Started auxiliary module RecentFiles\n", "2019-06-14 06:30:58,760 [modules.auxiliary.screenshots] INFO: Python Image Library (either PIL or Pillow) is not installed, screenshots are disabled.\n", "2019-06-14 06:30:58,760 [analyzer] DEBUG: Started auxiliary module Screenshots\n", "2019-06-14 06:30:58,760 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n\n", "2019-06-14 06:30:59,391 [lib.api.process] INFO: Successfully executed process from path u'C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\pafish.exe' with arguments '' and pid 1008\n", "2019-06-14 06:31:00,562 [analyzer] DEBUG: Loaded monitor into process with pid 1008\n", "2019-06-14 06:31:00,602 [analyzer] INFO: Added new file to list with pid 1008 and path C:\\Users\\Administrator\\AppData\\Local\\Temp\\pafish.log\n", "2019-06-14 06:32:58,872 [analyzer] INFO: Analysis timeout hit, terminating analysis.\n", "2019-06-14 06:33:07,456 [lib.api.process] INFO: Memory dump of process with pid 1008 completed\n", "2019-06-14 06:33:07,565 [analyzer] INFO: Analysis completed.\n"],
"cuckoo": ["2019-06-14 06:30:45,924 [cuckoo.core.scheduler] INFO: Task #1180: acquired machine cuckoo (label=cuckoo)\n", "2019-06-14 06:30:45,935 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 19942 (interface=vboxnet0, host=192.168.56.101)\n", "2019-06-14 06:30:45,936 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer\n", "2019-06-14 06:30:45,990 [cuckoo.machinery.virtualbox] DEBUG: Starting vm cuckoo\n", "2019-06-14 06:30:46,182 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine cuckoo to its current snapshot\n", "2019-06-14 06:30:50,178 [cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo, ip=192.168.56.101)\n", "2019-06-14 06:30:51,182 [cuckoo.core.guest] DEBUG: cuckoo: not ready yet\n", "2019-06-14 06:30:52,186 [cuckoo.core.guest] DEBUG: cuckoo: not ready yet\n", "2019-06-14 06:30:53,193 [cuckoo.core.guest] DEBUG: cuckoo: not ready yet\n", "2019-06-14 06:30:53,226 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=cuckoo, ip=192.168.56.101)\n", "2019-06-14 06:30:53,274 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo, ip=192.168.56.101, monitor=latest, size=3967696)\n", "2019-06-14 06:30:55,297 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:30:56,345 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:30:57,361 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:30:57,499 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.\n", "2019-06-14 06:30:58,412 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:30:59,426 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:00,444 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:01,463 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:02,496 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:03,544 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:04,558 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:05,575 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:06,589 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:07,603 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:08,621 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:09,636 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:10,651 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:11,792 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:12,836 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:13,451 [cuckoo.core.resultserver] DEBUG: New process (pid=1008, ppid=1216, name=pafish.exe)\n", "2019-06-14 06:31:13,874 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:14,968 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:15,985 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:17,026 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:18,067 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:19,088 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:20,104 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:21,123 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:22,136 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:23,150 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:24,172 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:25,206 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:26,222 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:27,265 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:28,287 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:29,303 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:30,318 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:31,333 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:32,350 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:33,383 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:34,406 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:35,437 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:36,462 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:37,490 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:38,519 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:39,547 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:40,561 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:41,576 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:42,590 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:43,614 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:44,628 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:45,648 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:46,704 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:47,722 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:48,738 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:49,753 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:50,775 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:51,799 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:52,814 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:53,831 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:54,847 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:55,863 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:56,886 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:57,904 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:58,931 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:31:59,949 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:00,966 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:01,983 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:03,000 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:04,026 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:05,060 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:06,078 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:07,096 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:08,111 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:09,131 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:10,146 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:11,161 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:12,180 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:13,198 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:14,214 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:15,231 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:16,246 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:17,266 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:18,285 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:19,311 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:20,328 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:21,349 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:22,370 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:23,403 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:24,420 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:25,440 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:26,466 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:27,490 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:28,511 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:29,530 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:30,547 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:31,567 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:32,581 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:33,600 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:34,615 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:35,629 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:36,641 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:37,675 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:38,689 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:39,707 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:40,717 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:41,734 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:42,751 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:43,768 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:44,787 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:45,802 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:46,820 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:47,840 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:48,855 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:49,872 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:50,890 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:51,907 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:52,921 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:53,937 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:54,954 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:55,972 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:56,988 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:58,004 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:32:59,026 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:00,050 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:01,078 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:02,092 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:03,109 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:04,124 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:05,137 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:06,154 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:07,170 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:08,188 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:09,212 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:10,233 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:11,247 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:12,266 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:13,282 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:14,308 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:15,324 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:16,344 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:17,386 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:18,404 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:19,418 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:19,455 [cuckoo.core.resultserver] DEBUG: File upload request for memory/1008-1.dmp\n", "2019-06-14 06:33:20,444 [cuckoo.core.guest] DEBUG: cuckoo: analysis still processing\n", "2019-06-14 06:33:21,062 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 36631976\n", "2019-06-14 06:33:21,155 [cuckoo.core.resultserver] DEBUG: File upload request for files/694e192e2bf7c06f_pafish.log\n", "2019-06-14 06:33:21,186 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 1150\n", "2019-06-14 06:33:21,459 [cuckoo.core.guest] INFO: cuckoo: analysis completed successfully\n", "2019-06-14 06:33:21,521 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer\n", "2019-06-14 06:33:21,522 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm cuckoo\n", "2019-06-14 06:33:23,053 [cuckoo.core.scheduler] DEBUG: Released database task #1180\n", "2019-06-14 06:33:23,114 [cuckoo.core.plugins] DEBUG: Executed processing module \"AnalysisInfo\" for task #1180\n", "2019-06-14 06:33:23,139 [cuckoo.core.plugins] DEBUG: Executed processing module \"BehaviorAnalysis\" for task #1180\n", "2019-06-14 06:33:23,150 [cuckoo.core.plugins] DEBUG: Executed processing module \"Dropped\" for task #1180\n", "2019-06-14 06:33:23,151 [cuckoo.core.plugins] DEBUG: Executed processing module \"DroppedBuffer\" for task #1180\n", "2019-06-14 06:33:23,609 [cuckoo.core.plugins] DEBUG: Executed processing module \"MetaInfo\" for task #1180\n", "2019-06-14 06:33:23,986 [cuckoo.core.plugins] DEBUG: Executed processing module \"ProcessMemory\" for task #1180\n", "2019-06-14 06:33:23,986 [cuckoo.core.plugins] DEBUG: Executed processing module \"Procmon\" for task #1180\n", "2019-06-14 06:33:23,987 [cuckoo.core.plugins] DEBUG: Executed processing module \"Screenshots\" for task #1180\n", "2019-06-14 06:33:24,751 [cuckoo.core.plugins] DEBUG: Executed processing module \"Static\" for task #1180\n", "2019-06-14 06:33:24,757 [cuckoo.core.plugins] DEBUG: Executed processing module \"Strings\" for task #1180\n", "2019-06-14 06:33:24,761 [cuckoo.core.plugins] DEBUG: Executed processing module \"TargetInfo\" for task #1180\n", "2019-06-14 06:33:24,765 [cuckoo.core.plugins] DEBUG: Executed processing module \"NetworkAnalysis\" for task #1180\n", "2019-06-14 06:33:24,765 [cuckoo.core.plugins] DEBUG: Executed processing module \"Extracted\" for task #1180\n", "2019-06-14 06:33:24,766 [cuckoo.core.plugins] DEBUG: Executed processing module \"TLSMasterSecrets\" for task #1180\n", "2019-06-14 06:33:24,771 [cuckoo.core.plugins] DEBUG: Executed processing module \"Debug\" for task #1180\n", "2019-06-14 06:33:24,775 [cuckoo.core.plugins] DEBUG: Running 540 signatures\n", "2019-06-14 06:33:25,377 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antisandbox_file\n", "2019-06-14 06:33:25,378 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_generic_bios\n", "2019-06-14 06:33:25,378 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_queries_computername\n", "2019-06-14 06:33:25,379 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_disk_size\n", "2019-06-14 06:33:25,379 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_shared_device\n", "2019-06-14 06:33:25,379 [cuckoo.core.plugins] DEBUG: Analysis matched signature: checks_debugger\n", "2019-06-14 06:33:25,379 [cuckoo.core.plugins] DEBUG: Analysis matched signature: console_output\n", "2019-06-14 06:33:25,379 [cuckoo.core.plugins] DEBUG: Analysis matched signature: recon_fingerprint\n", "2019-06-14 06:33:25,380 [cuckoo.core.plugins] DEBUG: Analysis matched signature: has_wmi\n", "2019-06-14 06:33:25,380 [cuckoo.core.plugins] DEBUG: Analysis matched signature: injection_process_search\n", "2019-06-14 06:33:25,380 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_memory_available\n", "2019-06-14 06:33:25,380 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_network_adapters\n", "2019-06-14 06:33:25,380 [cuckoo.core.plugins] DEBUG: Analysis matched signature: packer_entropy\n", "2019-06-14 06:33:25,380 [cuckoo.core.plugins] DEBUG: Analysis matched signature: memdump_urls\n", "2019-06-14 06:33:25,381 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antisandbox_joe_anubis_files\n", "2019-06-14 06:33:25,381 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_vbox_devices\n", "2019-06-14 06:33:25,381 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_vbox_files\n", "2019-06-14 06:33:25,381 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_vbox_keys\n", "2019-06-14 06:33:25,381 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_vbox_provname\n", "2019-06-14 06:33:25,382 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_vbox_window\n", "2019-06-14 06:33:25,382 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_vmware_files\n", "2019-06-14 06:33:25,382 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_vmware_keys\n", "2019-06-14 06:33:25,382 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antiemu_wine\n", "2019-06-14 06:33:25,382 [cuckoo.core.plugins] DEBUG: Analysis matched signature: wmi_antivm\n", "2019-06-14 06:33:25,540 [cuckoo.core.plugins] DEBUG: Executed reporting module \"JsonDump\"\n"]
},
"metadata": {
"output": {
"memdumps": [{
"basename": "1008-1.dmp",
"sha256": "b1f5a4a8f43b4cd2072ce903eb56edd7b4f4cf13691d558a6142ff175852b82a",
"dirname": "memory"
}],
"pcap": {
"basename": "dump.pcap",
"sha256": "5c6a97a058e5bc3f6b49e054a8e8969aeaab125e8ea689a9f7da861f2af95617",
"dirname": ""
},
"dropped": [{
"basename": "694e192e2bf7c06f_pafish.log",
"sha256": "694e192e2bf7c06f43105877ccb2915d64c99bbe3aedbc9f927e700cb7c6df04",
"dirname": "files"
}]
}
},
"strings": ["!This program cannot be run in DOS mode.", "P`.data", ".rdata", "[email protected]", ".idata", "libgcj-16.dll", "_Jv_RegisterClasses", "analysis-start", "%lu.%lu build %lu", "[*] Windows version: %s", "[*] CPU: %s", " Hypervisor: %s", " CPU brand: %s", "Windows version: %s", "CPU: %s (HV: %s) %s", "CPU: %s %s", "Debuggers detection", "hi_debugger_isdebuggerpresent", "Debugger traced using IsDebuggerPresent()", "Using IsDebuggerPresent()", "hi_debugger_outputdebugstring", "Debugger traced using OutputDebugString()", "Using OutputDebugString()", "CPU information based detections", "hi_CPU_VM_rdtsc", "CPU VM traced by checking the difference between CPU timestamp counters (rdtsc)", "Checking the difference between CPU timestamp counters (rdtsc)", "hi_CPU_VM_rdtsc_force_vm_exit", "CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit", "Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit", "hi_CPU_VM_hypervisor_bit", "CPU VM traced by checking hypervisor bit in cpuid feature bits", "Checking hypervisor bit in cpuid feature bits", "hi_CPU_VM_hv_vendor_name", "CPU VM traced by checking cpuid hypervisor vendor for known VM vendors", "Checking cpuid hypervisor vendor for known VM vendors", "Generic sandbox detection", "hi_sandbox_mouse_act", "Sandbox traced using mouse activity", "Using mouse activity", "hi_sandbox_username", "Sandbox traced by checking username", "Checking username", "hi_sandbox_path", "Sandbox traced by checking file path", "Checking file path", "hi_sandbox_common_names", "Sandbox traced by checking common sample names in drives root", "Checking common sample names in drives root", "hi_sandbox_drive_size", "Sandbox traced by checking disk size <= 60GB via DeviceIoControl()", "Checking if disk size <= 60GB via DeviceIoControl()", "hi_sandbox_drive_size2", "Sandbox traced by checking disk size <= 60GB via GetDiskFreeSpaceExA()", "Checking if disk size <= 60GB via GetDiskFreeSpaceExA()", "hi_sandbox_sleep_gettickcount", "Sandbox traced by checking if Sleep() was patched using GetTickCount()", "Checking if Sleep() is patched using GetTickCount()", "hi_sandbox_NumberOfProcessors_less_2_raw", "Sandbox traced by checking if NumberOfProcessors is less than 2 via raw access", "Checking if NumberOfProcessors is < 2 via raw access", "hi_sandbox_NumberOfProcessors_less_2_GetSystemInfo", "Sandbox traced by checking if NumberOfProcessors is less than 2 via GetSystemInfo()", "Checking if NumberOfProcessors is < 2 via GetSystemInfo()", "hi_sandbox_pysicalmemory_less_1Gb", "Sandbox traced by checking if pysical memory is less than 1Gb", "Checking if pysical memory is < 1Gb", "hi_sandbox_uptime", "Sandbox traced by checking operating system uptime using GetTickCount()", "Checking operating system uptime using GetTickCount()", "hi_sandbox_IsNativeVhdBoot", "Sandbox traced by checking IsNativeVhdBoot()", "Checking if operating system IsNativeVhdBoot()", "Hooks detection", "hi_hooks_shellexecuteexw_m1", "Hooks traced using ShellExecuteExW method 1", "Checking function ShellExecuteExW method 1", "hi_hooks_createprocessa_m1", "Hooks traced using CreateProcessA method 1", "Checking function CreateProcessA method 1", "Sandboxie detection", "hi_sandboxie", "Sandboxie traced using GetModuleHandle(sbiedll.dll)", "Using GetModuleHandle(sbiedll.dll)", "Wine detection", "hi_wine", "Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll", "Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll", "Wine traced using Reg key HKCU\\SOFTWARE\\Wine", "Reg key (HKCU\\SOFTWARE\\Wine)", "VirtualBox detection", "hi_virtualbox", "VirtualBox traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"", "Scsi port->bus->target id->logical unit id-> 0 identifier", "VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"", "Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\")", "VirtualBox traced using Reg key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", "Reg key (HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions)", "VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\"", "Reg key (HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\")", "VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__", "Reg key (HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__)", "VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__", "Reg key (HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__)", "VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__", "Reg key (HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__)", "Reg key (HKLM\\SYSTEM\\ControlSet001\\Services\\VBox*)", "VirtualBox traced using Reg key HKLM\\HARDWARE\\DESCRIPTION\\System \"SystemBiosDate\"", "Reg key (HKLM\\HARDWARE\\DESCRIPTION\\System \"SystemBiosDate\")", "Driver files in C:\\WINDOWS\\system32\\drivers\\VBox*", "Additional system files", "VirtualBox traced using MAC address starting with 08:00:27", "Looking for a MAC address starting with 08:00:27", "Looking for pseudo devices", "VirtualBox traced using VBoxTray windows", "Looking for VBoxTray windows", "VirtualBox traced using its network share", "Looking for VBox network share", "Looking for VBox processes (vboxservice.exe, vboxtray.exe)", "VirtualBox device identifiers traced using WMI", "Looking for VBox devices using WMI", "VMware detection", "hi_vmware", "VMWare traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0,1,2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"", "Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier", "VMware traced using Reg key HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools", "Reg key (HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools)", "VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmmouse.sys", "Looking for C:\\WINDOWS\\system32\\drivers\\vmmouse.sys", "VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys", "Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys", "VMware traced using MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56", "Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56", "VMware traced using network adapter name", "Looking for network adapter name", "VMware serial number traced using WMI", "Looking for VMware serial number", "Qemu detection", "hi_qemu", "Qemu traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"", "Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"", "Qemu traced using CPU brand string 'QEMU Virtual CPU'", "cpuid CPU brand string 'QEMU Virtual CPU'", "Bochs detection", "hi_bochs", "Bochs traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"", "Bochs traced using CPU AMD wrong value for processor name", "cpuid AMD wrong value for processor name", "Bochs traced using CPU Intel wrong value for processor name", "cpuid Intel wrong value for processor name", "Cuckoo detection", "hi_cuckoo", "Cuckoo hooks information structure traced in the TLS", "Looking in the TLS for the hooks information structure", "[-] Feel free to RE me, check log file for more information.", "analysis-end", "* Pafish (", "Paranoid fish", "Some anti(debugger/VM/sandbox) tricks", "used by malware for the general public.", "traced!", "[pafish] %s", "pafish.log", "[-] %s", "[*] %s ... ", "kernel32", "Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection", "IsWow64Process", "useless", "sbiedll.dll", "Identifier", "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "SystemBiosVersion", "HARDWARE\\Description\\System", "SOFTWARE\\Oracle\\VirtualBox Guest Additions", "VIRTUALBOX", "VideoBiosVersion", "HARDWARE\\ACPI\\DSDT\\VBOX__", "HARDWARE\\ACPI\\FADT\\VBOX__", "HARDWARE\\ACPI\\RSDT\\VBOX__", "SYSTEM\\ControlSet001\\Services\\VBoxGuest", "SYSTEM\\ControlSet001\\Services\\VBoxMouse", "SYSTEM\\ControlSet001\\Services\\VBoxService", "SYSTEM\\ControlSet001\\Services\\VBoxSF", "SYSTEM\\ControlSet001\\Services\\VBoxVideo", "VirtualBox traced using Reg key HKLM\\%s", "06/23/99", "SystemBiosDate", "HARDWARE\\DESCRIPTION\\System", "C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys", "C:\\WINDOWS\\system32\\drivers\\VBoxGuest.sys", "C:\\WINDOWS\\system32\\drivers\\VBoxSF.sys", "C:\\WINDOWS\\system32\\drivers\\VBoxVideo.sys", "VirtualBox traced using driver file %s", "C:\\WINDOWS\\system32\\vboxdisp.dll", "C:\\WINDOWS\\system32\\vboxhook.dll", "C:\\WINDOWS\\system32\\vboxmrxnp.dll", "C:\\WINDOWS\\system32\\vboxogl.dll", "C:\\WINDOWS\\system32\\vboxoglarrayspu.dll", "C:\\WINDOWS\\system32\\vboxoglcrutil.dll", "C:\\WINDOWS\\system32\\vboxoglerrorspu.dll", "C:\\WINDOWS\\system32\\vboxoglfeedbackspu.dll", "C:\\WINDOWS\\system32\\vboxoglpackspu.dll", "C:\\WINDOWS\\system32\\vboxoglpassthroughspu.dll", "C:\\WINDOWS\\system32\\vboxservice.exe", "C:\\WINDOWS\\system32\\vboxtray.exe", "C:\\WINDOWS\\system32\\VBoxControl.exe", "C:\\program files\\oracle\\virtualbox guest additions\\", "VirtualBox traced using system file %s", "\\\\.\\VBoxMiniRdrDN", "\\\\.\\pipe\\VBoxMiniRdDN", "\\\\.\\VBoxTrayIPC", "\\\\.\\pipe\\VBoxTrayIPC", "VirtualBox traced using device %s", "VBoxTrayToolWndClass", "VBoxTrayToolWnd", "VirtualBox Shared Folders", "vboxservice.exe", "VirtualBox traced using vboxservice.exe process", "vboxtray.exe", "VirtualBox traced using vboxtray.exe process", "SANDBOX", "MALWARE", "\\SAMPLE", "\\VIRUS", "%ssample.exe", "%smalware.exe", "\\\\.\\PhysicalDrive0", "kernel32", "IsNativeVhdBoot", "kernel32.dll", "wine_get_unix_file_name", "SOFTWARE\\Wine", "VMWARE", "Identifier", "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "SOFTWARE\\VMware, Inc.\\VMware Tools", "C:\\WINDOWS\\system32\\drivers\\vmmouse.sys", "C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys", "VMware", "\\\\.\\HGFS", "\\\\.\\vmci", "VMWare traced using device %s", "Identifier", "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "SystemBiosVersion", "HARDWARE\\Description\\System", "QEMU Virtual CPU", "%c%c%c%c", "KVMKVMKVM", "Microsoft Hv", "VMwareVMware", "XenVMMXenVMM", "prl hyperv ", "VBoxVBoxVBox", "SystemBiosVersion", "HARDWARE\\Description\\System", "AMD Athlon(tm) processor", " Intel(R) Pentium(R) 4 CPU ", "Unknown error", "_matherr(): %s in %s(%g, %g) (retval=%g)", "Argument domain error (DOMAIN)", "Argument singularity (SIGN)", "Overflow range error (OVERFLOW)", "The result is too small to be represented (UNDERFLOW)", "Total loss of significance (TLOSS)", "Partial loss of significance (PLOSS)", "Mingw-w64 runtime failure:", "Address %p has no image-section", " VirtualQuery failed for %d bytes at address %p", " VirtualProtect failed with code 0x%x", " Unknown pseudo relocation protocol version %d.", " Unknown pseudo relocation bit size %d.", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 6.1.1 20160815", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 5.4.0 20160609", "GCC: (GNU) 6.1.1 20160815", "GetUserNameA", "RegCloseKey", "RegOpenKeyExA", "RegQueryValueExA", "GetAdaptersAddresses", "CloseHandle", "CreateFileA", "CreateProcessA", "CreateToolhelp32Snapshot", "DeleteCriticalSection", "DeleteFileW", "DeviceIoControl", "EnterCriticalSection", "GetConsoleScreenBufferInfo", "GetCurrentProcess", "GetCurrentProcessId", "GetCurrentThreadId", "GetDiskFreeSpaceExA", "GetDriveTypeA", "GetFileAttributesA", "GetLastError", "GetLogicalDriveStringsA", "GetModuleFileNameA", "GetModuleHandleA", "GetProcAddress", "GetStartupInfoA", "GetStdHandle", "GetSystemInfo", "GetSystemTimeAsFileTime", "GetTickCount", "GetVersionExA", "GlobalMemoryStatusEx", "InitializeCriticalSection", "IsDebuggerPresent", "LeaveCriticalSection", "LocalAlloc", "LocalFree", "OutputDebugStringA", "Process32First", "Process32Next", "QueryPerformanceCounter", "SetConsoleTextAttribute", "SetLastError", "SetUnhandledExceptionFilter", "TerminateProcess", "TlsGetValue", "UnhandledExceptionFilter", "VirtualProtect", "VirtualQuery", "lstrcmpiA", "WNetGetProviderNameA", "__dllonexit", "__getmainargs", "__initenv", "__lconv_init", "__set_app_type", "__setusermatherr", "_acmdln", "_amsg_exit", "_cexit", "_fmode", "_initterm", "_onexit", "calloc", "fclose", "fprintf", "fwrite", "getchar", "malloc", "mbstowcs", "memcmp", "memcpy", "printf", "signal", "sprintf", "strlen", "strncat", "strncmp", "strncpy", "strstr", "_unlock", "toupper", "vfprintf", "wcsstr", "_vsnprintf", "CoCreateInstance", "CoInitializeEx", "CoInitializeSecurity", "CoUninitialize", "SysAllocString", "SysFreeString", "ShellExecuteExW", "FindWindowA", "GetCursorPos", "freeaddrinfo", "getaddrinfo", "ADVAPI32.dll", "IPHLPAPI.DLL", "KERNEL32.dll", "MPR.DLL", "msvcrt.dll", "ole32.dll", "OLEAUT32.dll", "SHELL32.dll", "USER32.dll", "WS2_32.dll", "'R,4B:", "s)%0;7", " &0V/(z", "yn<^272S", "=BS{U\\", "Zz;7rv", "hAn`5u", "x&\u001f\u001f.^", "^RzDd!", "\\jab|,", "`(,?QZ", "<w~<O*f", "xT U9-^", "ZbeJK_", "9h' a", "sySumI", "w05v4;", "{M=VYD", "\u001fXwyyd1S", "E>`b|,", "nmjN]~", "G`WcI=", ">tX~ /", "?^Gi[E", "xa2W DO", "cp(e|:", "/NdoCT)", "*J`,WF", "qAt/n-", "hkibXy7", "S&wv+b+", "eIDATh", "R^A)o/", "1=yDXG p", "sIDATX", "/ffclFae&", "gx|OP\u001fxFu", "!Eh,*d", "gq*Kb9", "JBG%`d", "DeviceId", "PCI\\VEN_80EE&DEV_CAFE", "root\\cimv2", "SELECT DeviceId FROM Win32_PnPEntity", "sSerialNumber", "VMware", "root\\cimv2", "SELECT SerialNumber FROM Win32_Bios", "VS_VERSION_INFO", "StringFileInfo", "040904E4", "CompanyName", "FileVersion", "FileDescription", "Paranoid Fish is paranoid", "InternalName", "LegalCopyright", "LegalTrademarks", "OriginalFilename", "ProductName", "Paranoid Fish", "ProductVersion", "VarFileInfo", "Translation"],
"network": {
"tls": [],
"udp": [{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 826,
"time": 3.5624828338623047,
"dport": 1900,
"sport": 49160
}],
"dns_servers": [],
"http": [],
"pcap_id": "5d02dd4559bfaf1280fee9bc",
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"sorted_pcap_id": "5d02dd4559bfaf1280fee9be",
"mitm": [],
"hosts": [],
"pcap_sha256": "5c6a97a058e5bc3f6b49e054a8e8969aeaab125e8ea689a9f7da861f2af95617",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "c00ea07190eaafe12d877677b84fb8cece5064e9d631b876077db46e894de794",
"irc": [],
"https_ex": []
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment