Expresses interest in specific running processes
api_process_name | smss.exe |
api_process_name | csrss.exe |
api_process_name | svchost.exe |
Attempts to connect to a dead IP:Port (6 unique times)
Performs some HTTP requests
Behavior consistent with a dropper attempting to download the next stage.
File | /rYfAeMHtNIi3sN5CzfLVRhe.php was requested from hosts: 96.19.160.50, 75.127.141.50, 68.231.147.100, 96.69.89.156, 108.58.129.90, 68.173.55.51 |
Network activity contains more than one unique user agent.
Process | explorer.exe |
User-Agent | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
Process | explorer.exe |
User-Agent |
Detects Bitdefender Antivirus through the presence of a library
file_query | avcuf32.dll |
Attempts to identify installed AV products by installation directory
file_query | C:\Program Files\Sandboxie\Start.exe |
file_query | C:\Program Files\Sandboxie |
file_query | C:\Program Files\Sandboxie\Start.exe |
file_query | C:\Program Files\Sandboxie |
file_query | C:\Program Files\Sandboxie\Start.exe |
file_query | C:\Program Files\Sandboxie |
file_query | C:\Program Files\Sandboxie\SbieCtrl.exe |
file_query | C:\Program Files\Sandboxie |
file_query | C:\Program Files\Sandboxie\Start.exe |
file_query | C:\Program Files\Sandboxie |
file_query | C:\Windows\Installer\SandboxieInstall64.exe |
Exhibits behavior characteristics of Vawtrak / Neverquest malware.
The binary likely contains encrypted or compressed data.
packer_section | name: .text, entropy: 7.23, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x0002f000, virtual_size: 0x0002e850 |
packer_section | name: .crt, entropy: 7.22, characteristics: IMAGE_SCN_TYPE_NO_PAD|IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00021000, virtual_size: 0x000207e7 |
packer_section | name: .reloc, entropy: 7.21, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00030000, virtual_size: 0x0002f3b5 |
Collects information to fingerprint the system
registry_read | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProductId |
Steals private information from local Internet browsers
file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@downloads.sourceforge[1].txt |
file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@google[2].txt |
file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@microsoft[2].txt |
file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@c1.microsoft[2].txt |
Collects information about installed applications
registry_query | Google Update Helper |
registry_query | Windows Software Development Kit DirectX x86 Remote |
registry_query | WinPcap 4.1.2 |
registry_query | Adobe Reader 9.5.0 |
registry_query | FileAlyzer 2 |
registry_query | Microsoft Office Groove MUI 2007 |
registry_query | Microsoft Office Proof 2007 |
registry_query | Google Chrome |
registry_query | Microsoft Office Groove Setup Metadata MUI 2007 |
registry_query | Python 2.7.10 |
registry_query | Kits Configuration Installer |
registry_query | Microsoft Office Excel MUI 2007 |
registry_query | Notepad++ |
registry_query | WPT Redistributables |
registry_query | Microsoft Office Word MUI 2007 |
registry_query | Microsoft Office Access Setup Metadata MUI 2007 |
registry_query | Microsoft Office OneNote MUI 2007 |
registry_query | Microsoft Office Access MUI 2007 |
registry_query | Windows Software Development Kit Redistributables |
registry_query | Mozilla Firefox 46.0.1 |
registry_query | Adobe Flash Player 20 ActiveX |
registry_query | Microsoft Office Proofing 2007 |
registry_query | Python 2.7 PIL-1.1.7 |
registry_query | MSI Development Tools |
registry_query | Java 8 Update 91 |
registry_query | Microsoft .NET Framework 4.5.1 SDK |
registry_query | Microsoft Visual C++ 2015 x86 Additional Runtime - 14.0.23026 |
registry_query | Total Commander |
registry_query | Universal Extractor 1.6.1 |
registry_query | Adobe Flash Player 20 NPAPI |
registry_query | Microsoft Visual C++ 2015 x86 Minimum Runtime - 14.0.23026 |
registry_query | Microsoft Office Enterprise 2007 |
registry_query | Microsoft Office Outlook MUI 2007 |
registry_query | Windows Software Development Kit for Windows Store Apps DirectX x86 Remote |
registry_query | Windows Software Development Kit for Windows Store Apps |
registry_query | Microsoft Office Publisher MUI 2007 |
registry_query | Microsoft .NET Framework 4.5.1 Multi-Targeting Pack |
registry_query | 2007 Microsoft Office Suite Service Pack 2 |
registry_query | Windows Software Development Kit for Windows 8.1 |
registry_query | WPTx64 |
registry_query | Java Auto Updater |
registry_query | Microsoft Office InfoPath MUI 2007 |
registry_query | Microsoft Office Shared Setup Metadata MUI 2007 |
registry_query | Windows Software Development Kit EULA |
registry_query | Microsoft Office Shared MUI 2007 |
registry_query | Microsoft Office PowerPoint MUI 2007 |
registry_query | Windows Software Development Kit |
registry_query | Microsoft Visual C++ 2015 Redistributable - 14.0.23026 |
registry_query | SDK Debuggers |
Anomalous binary characteristics
static_pe_section_name | Found duplicated section names |
Creates RWX memory
injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
Executed a process and injected code into it, probably while unpacking
code_injection | ikosqxu.exe(1660) -> explorer.exe(2264) |
Attempts to execute a PowerShell command with suspicious parameter(s)
b64_encoded | Uses a Base64 encoded command value |
Drops a binary and executes it
file_dropped | C:\Users\user\AppData\Roaming\Microsoft\Ikosqxuk\ikosqxu.exe |
Installs itself for autorun at Windows startup
registry_write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tjcsme |
data | "C:\Users\user\AppData\Roaming\Microsoft\Ikosqxuk\ikosqxu.exe" |
executed_command | "C:\Windows\system32\schtasks.exe" /create /tn {15FE1D59-5E9A-4A81-8129-D36F617EDCF9} /tr "\"C:\Users\user\AppData\Roaming\Microsoft\Ikosqxuk\ikosqxu.exe\"" /sc HOURLY /mo 7 /F |
Creates a copy of itself
file | C:\Users\user\AppData\Roaming\Microsoft\Ikosqxuk\ikosqxu.exe |
Mimics the system's user agent string for its own requests
stealth_mimics | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
Possible date expiration check, exits too soon after checking local time
api_process_name | schtasks.exe, PID 2152 |
A process attempted to delay the analysis task.
api_process_name | explorer.exe tried to sleep 621 seconds, actually delayed analysis time by 0 seconds |
Tries to suspend Cuckoo threads to prevent logging of malicious activity
api_process_name | powershell.exe (3052) |
Tries to unhook or modify Windows functions monitored by Cuckoo
function_modify | function_name: WSASend, type: modification |
function_modify | function_name: connect, type: modification |
function_modify | function_name: WSAConnect, type: modification |
function_modify | function_name: LdrLoadDll, type: modification |
function_modify | function_name: HttpOpenRequestW, type: modification |
function_modify | function_name: DnsQuery_A, type: modification |
function_modify | function_name: HttpOpenRequestA, type: modification |
function_modify | function_name: send, type: modification |
function_modify | function_name: InternetWriteFile, type: modification |
function_modify | function_name: HttpSendRequestW, type: modification |
function_modify | function_name: HttpSendRequestA, type: modification |
function_modify | function_name: DnsQuery_W, type: modification |
function_modify | function_name: InternetReadFile, type: modification |
function_modify | function_name: NtResumeThread, type: modification |
function_modify | function_name: HttpSendRequestExW, type: modification |
function_modify | function_name: InternetCloseHandle, type: modification |
Detects VirtualBox through the presence of a file
file_query | C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe |
Creates a hidden or system file
file_write | C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF157ebb3.TMP |