Reads data out of its own binary image Show sources
| api_process_name | process: 50b322435a8475c50d5a3ac96e49bb2afb88cc5c.exe, pid: 2772, offset: 0x00000000, length: 0x00022968 |
| api_process_name | process: 50b322435a8475c50d5a3ac96e49bb2afb88cc5c.exe, pid: 2772, offset: 0x00000000, length: 0x003550af |
| api_process_name | process: 50b322435a8475c50d5a3ac96e49bb2afb88cc5c.exe, pid: 2772, offset: 0x0002081c, length: 0x0000104e |
| api_process_name | process: 50b322435a8475c50d5a3ac96e49bb2afb88cc5c.exe, pid: 2772, offset: 0x00022968, length: 0x00000bf1 |
| api_process_name | process: 50b322435a8475c50d5a3ac96e49bb2afb88cc5c.exe, pid: 2772, offset: 0x00023f30, length: 0x00291c4a |
| api_process_name | process: 50b322435a8475c50d5a3ac96e49bb2afb88cc5c.exe, pid: 2772, offset: 0x0035047a, length: 0x000017e0 |
| api_process_name | process: 50b322435a8475c50d5a3ac96e49bb2afb88cc5c.exe, pid: 2772, offset: 0x003550af, length: 0x00000004 |
Attempts to connect to a dead IP:Port (7 unique times) Show sources
| network_host_ip | 23.50.75.27:80 (United States) |
| network_host_ip | 127.0.0.1:49253 |
| network_host_ip | 23.215.131.169:80 (United States) |
| network_host_ip | 69.195.158.196:443 (United States) |
| network_host_ip | 72.21.91.29:80 (United States) |
| network_host_ip | 144.76.116.39:443 (Germany) |
| network_host_ip | 192.241.99.194:80 (Canada) |
Starts servers listening on 127.0.0.1:0
HTTP traffic contains suspicious features which may be indicative of malware related traffic Show sources
| network_anomaly | HTTP traffic contains a POST request with no referer header |
| network_anomaly | HTTP traffic contains a POST request with no user-agent header |
| network_anomaly | http://pppcw.shieldapps.ml/pppcw/pppcw.php |
| network_anomaly | http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEGllzqlxaYVWCPVm%2BOHAM%2FM%3D |
| network_anomaly | http://sv.symcb.com/sv.crl |
| network_anomaly | http://crl.globalsign.net/primobject.crl |
Performs some HTTP requests Show sources
| network_url | http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D |
| network_url | http://pppcw.shieldapps.ml/pppcw/pppcw.php |
| network_url | http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEGllzqlxaYVWCPVm%2BOHAM%2FM%3D |
| network_url | http://sv.symcb.com/sv.crl |
| network_url | http://crl.globalsign.net/primobject.crl |
At least one IP Address, Domain, or File Name was found in a crypto call Show sources
| ioc | http://www.symauth.com/cps0 |
| ioc | http://www.symauth.com/rpa0 |
Collects information to fingerprint the system Show sources
| registry_read | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate |
Collects information about installed applications Show sources
| registry_query | Google Update Helper |
| registry_query | Windows Software Development Kit DirectX x86 Remote |
| registry_query | WinPcap 4.1.2 |
| registry_query | Adobe Reader 9.5.0 |
| registry_query | Adobe Flash Player 20 ActiveX |
| registry_query | Windows Software Development Kit |
| registry_query | Microsoft Office Groove MUI 2007 |
| registry_query | Microsoft Office Proof 2007 |
| registry_query | Google Chrome |
| registry_query | Microsoft Office Groove Setup Metadata MUI 2007 |
| registry_query | Python 2.7.10 |
| registry_query | Kits Configuration Installer |
| registry_query | Microsoft Office Excel MUI 2007 |
| registry_query | Notepad++ |
| registry_query | WPT Redistributables |
| registry_query | Microsoft Office Word MUI 2007 |
| registry_query | Microsoft Office Access Setup Metadata MUI 2007 |
| registry_query | Microsoft Office OneNote MUI 2007 |
| registry_query | Microsoft Office Access MUI 2007 |
| registry_query | Windows Software Development Kit Redistributables |
| registry_query | Universal Extractor 1.6.1 |
| registry_query | Microsoft Office Proofing 2007 |
| registry_query | Microsoft .NET Framework 4.5.1 Multi-Targeting Pack |
| registry_query | MSI Development Tools |
| registry_query | Java 8 Update 91 |
| registry_query | Microsoft .NET Framework 4.5.1 SDK |
| registry_query | Microsoft Visual C++ 2015 x86 Additional Runtime - 14.0.23026 |
| registry_query | Total Commander |
| registry_query | Mozilla Firefox 46.0.1 |
| registry_query | SDK Debuggers |
| registry_query | Microsoft Visual C++ 2015 x86 Minimum Runtime - 14.0.23026 |
| registry_query | Microsoft Office Enterprise 2007 |
| registry_query | FileAlyzer 2 |
| registry_query | Windows Software Development Kit for Windows Store Apps DirectX x86 Remote |
| registry_query | Windows Software Development Kit for Windows Store Apps |
| registry_query | Microsoft Office Publisher MUI 2007 |
| registry_query | Python 2.7 PIL-1.1.7 |
| registry_query | 2007 Microsoft Office Suite Service Pack 2 |
| registry_query | Windows Software Development Kit for Windows 8.1 |
| registry_query | WPTx64 |
| registry_query | Java Auto Updater |
| registry_query | Microsoft Office InfoPath MUI 2007 |
| registry_query | Adobe Flash Player 20 NPAPI |
| registry_query | Windows Software Development Kit EULA |
| registry_query | Microsoft Office Shared MUI 2007 |
| registry_query | Microsoft Office PowerPoint MUI 2007 |
| registry_query | Microsoft Office Outlook MUI 2007 |
| registry_query | Microsoft Visual C++ 2015 Redistributable - 14.0.23026 |
| registry_query | Microsoft Office Shared Setup Metadata MUI 2007 |
Attempts to modify proxy settings
Creates RWX memory Show sources
| injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
Drops a binary and executes it Show sources
| file_dropped | C:\Program Files (x86)\PPC-software\InstAct.exe |
| file_dropped | C:\Program Files (x86)\PPC-software\PPC-software.exe |
A process attempted to delay the analysis task. Show sources
| api_process_name | WmiPrvSE.exe tried to sleep 551 seconds, actually delayed analysis time by 0 seconds |
| api_process_name | PPC-software.exe tried to sleep 767 seconds, actually delayed analysis time by 0 seconds |
Detects VirtualBox through the presence of a registry key Show sources
| registry_query | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00 |
Checks the CPU name from registry, possibly for anti-virtualization Show sources
| registry_read | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString |
Checks the version of Bios, possibly for anti-virtualization Show sources
| registry_read | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion |
Tries to unhook or modify Windows functions monitored by Cuckoo Show sources
| function_modify | function_name: LdrLoadDll, type: modification |
Attempts to repeatedly call a single API many times in order to delay analysis time Show sources
| api_process_name | firefox.exe (2576) called API GetSystemTime 387197 times |
| api_process_name | firefox.exe (2576) called API GetSystemTimeAsFileTime 832460 times |