Advanced File Analysis System

File Name: ccsetup533.exe

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA1: c705c0b0210ebda6a3301c6ca9c6091b2ee11d5b

MD5: 75735db7291a19329190757437bdb847

Information Discovery

Reads data out of its own binary image Show sources

self_read	process: c705c0b0210ebda6a3301c6ca9c6091b2ee11d5b.exe, pid: 2756, offset: 0x00000000, length: 0x00953669
self_read	process: c705c0b0210ebda6a3301c6ca9c6091b2ee11d5b.exe, pid: 2756, offset: 0x0001341c, length: 0x00940251

HIPS/ PFW/ Operating System Protection Evasion

Attempts to identify installed AV products by installation directory Show sources

file	C:\Program Files\Sandboxie\Start.exe
file	C:\Program Files\Sandboxie
file	C:\Program Files\Sandboxie\Start.exe
file	C:\Program Files\Sandboxie
file	C:\Program Files\Sandboxie\Start.exe
file	C:\Program Files\Sandboxie
file	C:\Program Files\Sandboxie\SbieCtrl.exe
file	C:\Program Files\Sandboxie
file	C:\Program Files\Sandboxie\Start.exe
file	C:\Program Files\Sandboxie
file	C:\Windows\Installer\SandboxieInstall64.exe
file	C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
file	C:\Program Files (x86)\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
file	C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
file	C:\Program Files (x86)\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
file	C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe
file	C:\Program Files (x86)\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe
file	C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
file	C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-Aware.exe
file	C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
file	C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
file	C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
file	C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
file	C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
file	C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
file	C:\Program Files\Sandboxie\Start.exe
file	C:\ProgramData\McAfee\MCLOGS

Attempts to identify installed AV products by registry key Show sources

key	HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm
key	HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm
key	HKEY_LOCAL_MACHINE\Software\Avast Software\Avast
key	HKEY_LOCAL_MACHINE\Software\Avast Software\Avast
key	HKEY_CURRENT_USER\Software\Avast Software\Avast
key	HKEY_CURRENT_USER\Software\Avast Software\Avast

Stealing of Sensitive Information

Steals private information from local Internet browsers Show sources

file	C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@google[2].txt
file	C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
file	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs
file	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\QuotaManager
file	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\webappsstore.sqlite
file	C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\cookies.sqlite
file	C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@microsoft[2].txt
file	C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@downloads.sourceforge[1].txt
file	C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\SiteSecurityServiceState.txt
file	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file	C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@c1.microsoft[2].txt

Harvests credentials from local FTP client softwares Show sources

key	HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 8 Home
key	HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 7 Professional
key	HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 8 Professional
key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Globalscape\CuteFTP 9
key	HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 7 Home
key	HKEY_USERS\.DEFAULT\Software\Globalscape\CuteFTP 9
key	HKEY_CURRENT_USER\SOFTWARE\FileZilla Client
key	HKEY_LOCAL_MACHINE\SOFTWARE\FileZilla Client

Harvests information related to installed mail clients Show sources

file	C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Data Obfuscation

Drops a binary and executes it Show sources

binary

C:\Program Files\CCleaner\CCleaner64.exe

Persistence and Installation Behavior

Installs itself for autorun at Windows startup Show sources

key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CCleaner Monitoring
data	"C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR

Anti Debugging

Checks for the presence of known windows from debuggers and forensic tools Show sources

Window

ThunderRT6FormDC

Malware Analysis System Evasion

Tries to suspend Cuckoo threads to prevent logging of malicious activity Show sources

Process

CCleaner64.exe (568)

Checks the CPU name from registry, possibly for anti-virtualization Show sources

Key	H
Key	K
Key	E
Key	Y
Key	_
Key	L
Key	O
Key	C
Key	A
Key	L
Key	_
Key	M
Key	A
Key	C
Key	H
Key	I
Key	N
Key	E
Key	\
Key	H
Key	A
Key	R
Key	D
Key	W
Key	A
Key	R
Key	E
Key	\
Key	D
Key	E
Key	S
Key	C
Key	R
Key	I
Key	P
Key	T
Key	I
Key	O
Key	N
Key	\
Key	S
Key	y
Key	s
Key	t
Key	e
Key	m
Key	\
Key	C
Key	e
Key	n
Key	t
Key	r
Key	a
Key	l
Key	P
Key	r
Key	o
Key	c
Key	e
Key	s
Key	s
Key	o
Key	r
Key	\
Key	0
Key	\
Key	P
Key	r
Key	o
Key	c
Key	e
Key	s
Key	s
Key	o
Key	r
Key	N
Key	a
Key	m
Key	e
Key	S
Key	t
Key	r
Key	i
Key	n
Key	g

Detects VirtualBox through the presence of a file Show sources

file	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe

Creates a hidden or system file Show sources

file	C:\Users\user\AppData\Local\Temp\etilqs_iGaj0dtUtTRn36P

Lowering of HIPS/ PFW/ Operating System Security Settings

Attempts to block SafeBoot use by removing registry keys Show sources

file	H
file	K
file	E
file	Y
file	_
file	L
file	O
file	C
file	A
file	L
file	_
file	M
file	A
file	C
file	H
file	I
file	N
file	E
file	\
file	S
file	Y
file	S
file	T
file	E
file	M
file	\
file	C
file	u
file	r
file	r
file	e
file	n
file	t
file	C
file	o
file	n
file	t
file	r
file	o
file	l
file	S
file	e
file	t
file	\
file	C
file	o
file	n
file	t
file	r
file	o
file	l
file	\
file	S
file	a
file	f
file	e
file	b
file	o
file	o
file	t
file	\
file	O
file	p
file	t
file	i
file	o
file	n

Loading...

Key	H
Key	K
Key	E
Key	Y
Key	_
Key	L
Key	O
Key	C
Key	A
Key	L
Key	_
Key	M
Key	A
Key	C
Key	H
Key	I
Key	N
Key	E
Key	\
Key	H
Key	A
Key	R
Key	D
Key	W
Key	A
Key	R
Key	E
Key	\
Key	D
Key	E
Key	S
Key	C
Key	R
Key	I
Key	P
Key	T
Key	I
Key	O
Key	N
Key	\
Key	S
Key	y
Key	s
Key	t
Key	e
Key	m
Key	\
Key	C
Key	e
Key	n
Key	t
Key	r
Key	a
Key	l
Key	P
Key	r
Key	o
Key	c
Key	e
Key	s
Key	s
Key	o
Key	r
Key	\
Key	0
Key	\
Key	P
Key	r
Key	o
Key	c
Key	e
Key	s
Key	s
Key	o
Key	r
Key	N
Key	a
Key	m
Key	e
Key	S
Key	t
Key	r
Key	i
Key	n
Key	g

Key	H
Key	K
Key	E
Key	Y
Key	_
Key	L
Key	O
Key	C
Key	A
Key	L
Key	_
Key	M
Key	A
Key	C
Key	H
Key	I
Key	N
Key	E
Key	\
Key	H
Key	A
Key	R
Key	D
Key	W
Key	A
Key	R
Key	E
Key	\
Key	D
Key	E
Key	S
Key	C
Key	R
Key	I
Key	P
Key	T
Key	I
Key	O
Key	N
Key	\
Key	S
Key	y
Key	s
Key	t
Key	e
Key	m
Key	\
Key	C
Key	e
Key	n
Key	t
Key	r
Key	a
Key	l
Key	P
Key	r
Key	o
Key	c
Key	e
Key	s
Key	s
Key	o
Key	r
Key	\
Key	0
Key	\
Key	P
Key	r
Key	o
Key	c
Key	e
Key	s
Key	s
Key	o
Key	r
Key	N
Key	a
Key	m
Key	e
Key	S
Key	t
Key	r
Key	i
Key	n
Key	g

Key	H
Key	K
Key	E
Key	Y
Key	_
Key	L
Key	O
Key	C
Key	A
Key	L
Key	_
Key	M
Key	A
Key	C
Key	H
Key	I
Key	N
Key	E
Key	\
Key	H
Key	A
Key	R
Key	D
Key	W
Key	A
Key	R
Key	E
Key	\
Key	D
Key	E
Key	S
Key	C
Key	R
Key	I
Key	P
Key	T
Key	I
Key	O
Key	N
Key	\
Key	S
Key	y
Key	s
Key	t
Key	e
Key	m
Key	\
Key	C
Key	e
Key	n
Key	t
Key	r
Key	a
Key	l
Key	P
Key	r
Key	o
Key	c
Key	e
Key	s
Key	s
Key	o
Key	r
Key	\
Key	0
Key	\
Key	P
Key	r
Key	o
Key	c
Key	e
Key	s
Key	s
Key	o
Key	r
Key	N
Key	a
Key	m
Key	e
Key	S
Key	t
Key	r
Key	i
Key	n
Key	g