Advanced File Analysis System

Stealing of Sensitive Information

Steals private information from local Internet browsers Show sources

file_read	C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@google[2].txt
file_read	C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
file_read	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs
file_read	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\QuotaManager
file_read	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
file_read	C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\webappsstore.sqlite
file_read	C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\cookies.sqlite
file_read	C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@microsoft[2].txt
file_read	C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@downloads.sourceforge[1].txt
file_read	C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\SiteSecurityServiceState.txt
file_read	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file_read	C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@c1.microsoft[2].txt

Harvests credentials from local FTP client softwares Show sources

key	HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 8 Home
key	HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 7 Professional
key	HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 8 Professional
key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Globalscape\CuteFTP 9
key	HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 7 Home
key	HKEY_USERS\.DEFAULT\Software\Globalscape\CuteFTP 9
key	HKEY_CURRENT_USER\SOFTWARE\FileZilla Client
key	HKEY_LOCAL_MACHINE\SOFTWARE\FileZilla Client

Harvests information related to installed mail clients Show sources

file	C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini

Networking

Generates some ICMP traffic

Malware Analysis System Evasion

A process attempted to delay the analysis task. Show sources

api_process_name

8983a49172af96178458266f93d65fa193eaaef2.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds

Tries to suspend Cuckoo threads to prevent logging of malicious activity Show sources

api_process_name

8983a49172af96178458266f93d65fa193eaaef2.exe (2212)

Checks the CPU name from registry, possibly for anti-virtualization Show sources

registry_read

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Detects VirtualBox through the presence of a file Show sources

file_query

C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

HIPS/ PFW/ Operating System Protection Evasion

Attempts to identify installed AV products by installation directory Show sources

file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\SbieCtrl.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Windows\Installer\SandboxieInstall64.exe
file_query	C:\Program Files (x86)\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
file_query	C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
file_query	C:\Program Files (x86)\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
file_query	C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
file_query	C:\Program Files (x86)\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe
file_query	C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe
file_query	C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-Aware.exe
file_query	C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
file_query	C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
file_query	C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
file_query	C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
file_query	C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
file_query	C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
file_query	C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
file_query	C:\Program Files (x86)\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\ProgramData\McAfee\MCLOGS

Attempts to identify installed AV products by registry key Show sources

registry_query	HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm
registry_query	HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm
registry_query	HKEY_LOCAL_MACHINE\Software\Avast Software\Avast
registry_query	HKEY_LOCAL_MACHINE\Software\Avast Software\Avast
registry_query	HKEY_CURRENT_USER\Software\Avast Software\Avast
registry_query	HKEY_CURRENT_USER\Software\Avast Software\Avast

File Name: CCleaner.exe

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA1: 8983a49172af96178458266f93d65fa193eaaef2

MD5: ef694b89ad7addb9a16bb6f26f1efaf7