Analysis

Category: PCAP
Started: 2018-12-20 12:04:49
Completed: 2018-12-20 12:04:49
Duration: 0 seconds

MalScore: 0.0 (Benign)


Signatures

No signatures

Hosts

Direct  IP                          Country
Y       8.8.8.8                     United States
N       74.118.138.93               United States
N       72.247.184.178              Netherlands
N       72.247.184.177              Netherlands
N       2.21.242.203                Netherlands
Y       fe80::c8c7:a44f:142b:cf30   unknown
Y       fe80::8d8d:12f:f3a3:d4a9    unknown
Y       ff02::1:2                   unknown
Y       ff02::c                     unknown

DNS

Name                      Response
rietumu.me                A      74.118.138.93
dns.msftncsi.com          A      131.107.255.255
ctldl.windowsupdate.com   CNAME  ctldl.windowsupdate.nsatc.net
                          A      2.21.242.203
                          A      2.21.242.237
                          CNAME  a1621.g.akamai.net
                          CNAME  ctldl.windowsupdate.com.edgesuite.net
ocsp.usertrust.com        A      72.247.184.105
                          CNAME  ocsp.usertrust.com.edgesuite.net
                          CNAME  a207.dscb.akamai.net
                          A      72.247.184.177
ocsp.comodoca.com         CNAME  ocsp.comodoca.com.edgesuite.net
                          CNAME  a652.dscb.akamai.net
                          A      72.247.184.178
                          A      72.247.184.136

TCP

Source                     Src port  Destination                Dst port  Name
fe80::8d8d:12f:f3a3:d4a9   49162     fe80::c8c7:a44f:142b:cf30  2869
192.168.56.151             2869      192.168.56.152             49160
192.168.56.152             49181     2.21.242.203               80        ctldl.windowsupdate.com
192.168.56.152             49182     72.247.184.177             80        ocsp.usertrust.com
192.168.56.152             49183     72.247.184.178             80        ocsp.comodoca.com
192.168.56.152             49178     74.118.138.93              443       rietumu.me
192.168.56.152             49179     74.118.138.93              443       rietumu.me
192.168.56.152             49180     74.118.138.93              443       rietumu.me
192.168.56.152             49184     74.118.138.93              443       rietumu.me
192.168.56.152             49185     74.118.138.93              443       rietumu.me
192.168.56.152             49186     74.118.138.93              443       rietumu.me

UDP

Source                     Src port  Destination       Dst port
fe80::c8c7:a44f:142b:cf30  1900      ff02::c           1900
fe80::c8c7:a44f:142b:cf30  546       ff02::1:2         547
192.168.56.152             1900      239.255.255.250   1900
192.168.56.152             53910     8.8.8.8           53
192.168.56.152             56618     8.8.8.8           53
192.168.56.152             59306     8.8.8.8           53
192.168.56.152             60840     8.8.8.8           53
192.168.56.152             65237     8.8.8.8           53
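
The MalScore of 0.0 and the empty Signatures section above say only that nothing fired on a PCAP-only task: there are no process dumps, dropped files or behavioural events for the signature modules listed under Processing to match against. They say nothing about the traffic itself. What an analyst does with the TCP and UDP tables is subtract the Windows background noise and look at what is left. The following is an added example, not part of the CAPE report or the CAPE project, that encodes that subtraction over rows transcribed from the two tables. The rules that label traffic as benign background are this example's own assumptions (justified only by what the report shows: the Microsoft-CryptoAPI/6.1 User-Agent on every HTTP request, a single resolver at 8.8.8.8, and the host-only 192.168.56.0/24 network), as are the function names triage and unexplained.

```python
"""Triage the TCP/UDP tables of a PCAP-only sandbox report.

Added example, not part of the CAPE report. Connection rows are transcribed
from the report's TCP and UDP tables; the background-noise rules below are
this example's own assumptions.
"""
import ipaddress
from collections import Counter

GUEST = "192.168.56.152"   # analysis VM: the source of every outbound row
RESOLVER = "8.8.8.8"       # the only destination of UDP/53 traffic in the report

# (proto, src, sport, dst, dport, resolved name) transcribed from the report.
CONNECTIONS = [
    ("tcp", "fe80::8d8d:12f:f3a3:d4a9", 49162, "fe80::c8c7:a44f:142b:cf30", 2869, None),
    ("tcp", "192.168.56.151", 2869, "192.168.56.152", 49160, None),
    ("tcp", GUEST, 49181, "2.21.242.203", 80, "ctldl.windowsupdate.com"),
    ("tcp", GUEST, 49182, "72.247.184.177", 80, "ocsp.usertrust.com"),
    ("tcp", GUEST, 49183, "72.247.184.178", 80, "ocsp.comodoca.com"),
    ("tcp", GUEST, 49178, "74.118.138.93", 443, "rietumu.me"),
    ("tcp", GUEST, 49179, "74.118.138.93", 443, "rietumu.me"),
    ("tcp", GUEST, 49180, "74.118.138.93", 443, "rietumu.me"),
    ("tcp", GUEST, 49184, "74.118.138.93", 443, "rietumu.me"),
    ("tcp", GUEST, 49185, "74.118.138.93", 443, "rietumu.me"),
    ("tcp", GUEST, 49186, "74.118.138.93", 443, "rietumu.me"),
    ("udp", "fe80::c8c7:a44f:142b:cf30", 1900, "ff02::c", 1900, None),
    ("udp", "fe80::c8c7:a44f:142b:cf30", 546, "ff02::1:2", 547, None),
    ("udp", GUEST, 1900, "239.255.255.250", 1900, None),
    ("udp", GUEST, 53910, RESOLVER, 53, None),
    ("udp", GUEST, 56618, RESOLVER, 53, None),
    ("udp", GUEST, 59306, RESOLVER, 53, None),
    ("udp", GUEST, 60840, RESOLVER, 53, None),
    ("udp", GUEST, 65237, RESOLVER, 53, None),
]

# Hosts that Windows' CryptoAPI contacts on its own (CTL download, OCSP).
# Assumed benign here because the report shows User-Agent: Microsoft-CryptoAPI/6.1
# on each of these requests; a sample can still abuse these hosts, so the
# HTTP Requests section should be read too.
CRYPTOAPI_HOSTS = {"ctldl.windowsupdate.com", "ocsp.usertrust.com", "ocsp.comodoca.com"}


def classify(conn):
    """Label one connection row; 'review' means nothing on the page explains it."""
    proto, src, sport, dst, dport, name = conn
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip.is_multicast or dst_ip.is_link_local:
        return "local discovery"        # SSDP, DHCPv6 and UPnP chatter on the segment
    if ipaddress.ip_address(src).is_private and dst_ip.is_private:
        return "host-only peer"         # sandbox host <-> guest on 192.168.56.0/24
    if proto == "udp" and dst == RESOLVER and dport == 53:
        return "dns"
    if proto == "tcp" and dport == 80 and name in CRYPTOAPI_HOSTS:
        return "cryptoapi background"
    return "review"


def triage(connections=CONNECTIONS):
    """Number of rows per label."""
    return Counter(classify(c) for c in connections)


def unexplained(connections=CONNECTIONS):
    """Destinations left after the background noise is removed, with flow counts."""
    counts = Counter()
    for conn in connections:
        if classify(conn) == "review":
            _, _, _, dst, dport, name = conn
            counts[(dst, dport, name)] += 1
    return counts


if __name__ == "__main__":
    print(dict(triage()))
    for (dst, dport, name), n in unexplained().items():
        print(f"review: {n} flows to {name or dst} ({dst}:{dport})")
```

What remains is six TLS sessions from the guest to rietumu.me (74.118.138.93:443), which is also the only resolved name in the DNS table that belongs neither to Microsoft nor to a certificate authority. The report lists no JA3 hashes and no Suricata TLS records for them, so the next step is to pull those six streams from the PCAP and check whether they contain a ClientHello at all, and if so what SNI and cipher suites it carries.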

HTTP Requests

URI Data
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5ad66e0583c4f586
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5ad66e0583c4f586 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 20 Apr 2017 16:02:20 GMT
If-None-Match: "04e707defb9d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com

http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com

http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS%2FpT9HLfNNK8%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS%2FpT9HLfNNK8%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com

http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg%2F4pN%2Buv5pmq4z%2FnmS71JzhICEQCZTAee%2F%2BPgUpGL48pZnvtc
GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg%2F4pN%2Buv5pmq4z%2FnmS71JzhICEQCZTAee%2F%2BPgUpGL48pZnvtc HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com
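
The three OCSP requests above carry the whole request in the URL path: the DER-encoded OCSPRequest, base64-encoded and then percent-encoded, which RFC 6960 Appendix A.1 (and the lightweight profile of RFC 5019) allows for GET when the encoding is short. Decoding it shows what CryptoAPI was checking: the hash algorithm, the hashed issuer name and issuer public key (which identify the issuing CA), and the serial number of the certificate in question. The ephemeral-port order in the TCP table (49178-49180 to rietumu.me, then 49181-49183 to the CryptoAPI hosts, then 49184-49186 back to rietumu.me) is consistent with Windows validating the chain that server presented, though the PCAP report alone does not prove it. The following is an added example, not part of the CAPE report or the CAPE project; the URLs are copied verbatim from the report, and the DER walker is a minimal hand-written parser (this example's own assumption, not a library API) that covers the definite-length encodings an OCSPRequest uses.

```python
"""Decode the OCSP requests that Windows CryptoAPI sent as HTTP GETs.

Added example, not part of the CAPE report. The URLs are copied from the
report's HTTP Requests section; the DER helpers are this example's own.
"""
import base64
import urllib.parse

SHA1_OID = "1.3.14.3.2.26"

# Copied verbatim from the report.
OCSP_URLS = [
    "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D",
    "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS%2FpT9HLfNNK8%3D",
    "http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg%2F4pN%2Buv5pmq4z%2FnmS71JzhICEQCZTAee%2F%2BPgUpGL48pZnvtc",
]


def _tlv(buf, pos):
    """Read one DER TLV starting at buf[pos]; return (tag, value, end offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:end], end


def _children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def _first(value, tag):
    """First child of `value` carrying `tag`; raise if there is none."""
    for t, v in _children(value):
        if t == tag:
            return v
    raise ValueError(f"no child with tag 0x{tag:02x}")


def _oid(value):
    """Decode an OBJECT IDENTIFIER body into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:               # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get(url):
    """Return one dict per CertID found in an OCSP GET URL (RFC 6960, Appendix A.1)."""
    parsed = urllib.parse.urlparse(url)
    der = base64.b64decode(urllib.parse.unquote(parsed.path.lstrip("/")))
    tag, ocsp_request, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPRequest must be a SEQUENCE")
    # OCSPRequest -> tbsRequest -> requestList -> Request -> CertID. The optional
    # [0]/[1]/[2] members use context tags (0xA0..0xA2), so the first SEQUENCE
    # child at each level is always the mandatory field we want.
    tbs = _first(ocsp_request, 0x30)
    request_list = _first(tbs, 0x30)
    out = []
    for _, request in _children(request_list):
        cert_id = _first(request, 0x30)
        (_, alg), (_, name_hash), (_, key_hash), (_, serial) = list(_children(cert_id))
        out.append({
            "responder": parsed.hostname,
            "hash_oid": _oid(_first(alg, 0x06)),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            # DER INTEGER is big-endian two's complement; the 0x00 pad byte the
            # third request needs (serial starts with 0x99) vanishes in the value.
            "serial": format(int.from_bytes(serial, "big", signed=True), "x"),
        })
    return out


def decode_all(urls=OCSP_URLS):
    """Decode every URL in the list, flattening multi-request bodies."""
    return [cert for url in urls for cert in decode_ocsp_get(url)]


if __name__ == "__main__":
    for cert in decode_all():
        algo = "sha1" if cert["hash_oid"] == SHA1_OID else cert["hash_oid"]
        print(f'{cert["responder"]}: {algo} serial={cert["serial"]} '
              f'issuerKeyHash={cert["issuer_key_hash"]}')
```

The issuer hashes are SHA-1 over the issuer's DER name and public key, so matching them against a CA's certificate (or the certificate the TLS sessions to rietumu.me actually delivered) is what ties these lookups back to a chain; the serial alone identifies the certificate only within that issuer.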

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Suricata Extracted Files

No Suricata extracted files.

JA3

No JA3 hashes found.

Dropped Files

No dropped files.

CAPE Files

No CAPE files.

Process Dumps

No process dumps.

Processing ( 0.03 seconds )

  • 0.024 NetworkAnalysis
  • 0.004 AnalysisInfo
  • 0.001 BehaviorAnalysis
  • 0.001 Debug

Signatures ( 0.042 seconds )

Run time per signature module; none of them matched (see Signatures above).

  • 0.007 antiav_detectreg
  • 0.004 antiav_detectfile
  • 0.004 ransomware_files
  • 0.003 persistence_autorun
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail
  • 0.001 ie_martian_children
  • 0.001 network_torgateway

Reporting ( 0.0 seconds )

Task ID 27823
Mongo ID 5c1b88d0f28488050bd945b0
Cuckoo release 1.3-CAPE