Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 366514
Start time: 13:07:49
Joe Sandbox Product: Cloud
Start date: 18.09.2017
Overall analysis duration: 0h 14m 32s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: CCleaner.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • VBA Instrumentation enabled
  • JavaScript Instrumentation enabled
Detection: MAL
Classification: mal72.evad.spyw.winEXE@1/11@2/5
HCA Information: Failed
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Sleeps bigger than 20000ms are automatically reduced to 500ms
  • Found application associated with file extension: .exe
Warnings:
  • Max analysis timeout: 600s exceeded, the analysis took too long
  • Exclude process from analysis (whitelisted): WmiApSrv.exe, WMIADAP.exe, dllhost.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection

Strategy  | Score | Range   | Reporting      | Detection
Threshold | 72    | 0 - 100 | Report FP / FN | malicious


Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |



Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview



AV Detection:

Antivirus detection for submitted file
Source: CCleaner.exe | virustotal: 8/64 detections; McAfee-GW-Edition: Artemis!Trojan, Paloalto: generic.ml, McAfee: Artemis!EF694B89AD7A, Qihoo-360: Trojan.Generic, Tencent: Win32.Trojan.Gen.Anvr, Ikarus: Win32.Outbreak, Malwarebytes: Trojan.Nyetya, ClamAV: Win.Trojan.Floxif-6336251-0

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Users\user\Desktop\CCleaner.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

Networking:

Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\CCleaner.exe | Code function: 0_2_000E22CB InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpAddRequestHeadersA,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,LocalAlloc,InternetQueryDataAvailable,LocalAlloc,memcpy,InternetReadFile,LocalFree,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_000E22CB
Downloads files
Source: C:\Users\user\Desktop\CCleaner.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GNNUVO51\app_cc_pro_trialkey[1].htm
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
  GET /verify/?p=ccpro&c=cc&cv=5.33.6162&l=1033&lk=CJ9T-J7CU-SPNV-GWMB-WBEC&mk=FEB2-8J35-8PDX-HZIY-N8IC-Q332-9Y73-E5HP-9XTW HTTP/1.1
  User-Agent: Mozilla/4.0 (CCleaner, 5.33.6162)
  Connection: Keep-Alive
  Cache-Control: no-cache
  Host: license.piriform.com
Found strings which match to known social media urls
Source: CCleaner.exe | String found in binary or memory: Error %d - %sPNG1100COMBOBOX%I64d&cc%dccteccbeFreeccproProfessionalTechnicianMozilla/4.0 (CCleaner, %s)BusinessBRANDINGCCleanerThank you for purchasing CCleaner Professional.Piriform CCleaner ActivationYour upgrade is complete.PNG101COMBOBOX0&%d%I64dccbeccccproccteTechnicianFreeBusinessProfessionalCCleanerMozilla/4.0 (CCleaner, %s)CCleanerBRANDING%s%s - %s*.piriform.com0||mail.google.comlogin.live.comgoogle.com/accountswww.google.com/accountswww.google.comgoogle.comwebmail.earthlink.netaccounts.google.commail.yahoo.commail.netscape.comwebmail.aol.comyahoo.comfastmail.fmmy.screenname.aol.commail.rumail.lycos.comovi.com/services/signinauth.me.comwww.mail.lycos.comlogin.comcast.netmy.screenname.aol.commail.aol.comscreenname.aol.comicloud.comfacebook.comaol.com0twitter.comPNGEVENTS_WINDOW_MESSAGE equals www.yahoo.com (Yahoo)
Source: CCleaner.exe | String found in binary or memory: Facebook Metro equals www.facebook.com (Facebook)
Source: CCleaner.exe | String found in binary or memory: Intelligent Cookie Scan'Intelligently scan for cookies to keep?pThis will allow CCleaner to keep your persistent logins for websites, such as GMail, Outlook.com and Yahoo Mail. equals www.yahoo.com (Yahoo)
Source: CCleaner.exe | String found in binary or memory: This will allow CCleaner to keep your persistent logins for websites, such as Hotmail, GMail and Yahoo Mail equals www.hotmail.com (Hotmail)
Source: CCleaner.exe | String found in binary or memory: This will allow CCleaner to keep your persistent logins for websites, such as Hotmail, GMail and Yahoo Mail equals www.yahoo.com (Yahoo)
Source: CCleaner.exe | String found in binary or memory: Twitter Metro equals www.twitter.com (Twitter)
Source: CCleaner.exe | String found in binary or memory: Yahoo Messenger equals www.yahoo.com (Yahoo)
Source: CCleaner.exe | String found in binary or memory: Yahoo Toolbar equals www.yahoo.com (Yahoo)
Source: CCleaner.exe | String found in binary or memory: [Facebook Metro] equals www.facebook.com (Facebook)
Source: CCleaner.exe | String found in binary or memory: [Twitter Metro] equals www.twitter.com (Twitter)
Source: CCleaner.exe | String found in binary or memory: [Yahoo Messenger] equals www.yahoo.com (Yahoo)
Source: CCleaner.exe | String found in binary or memory: [Yahoo Toolbar] equals www.yahoo.com (Yahoo)
Source: CCleaner.exe | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: CCleaner.exe | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: CCleaner.exe | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: www.piriform.com
Urls found in memory or binary data
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49241
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49244
Source: unknown | Network traffic detected: HTTP traffic on port 49244 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49241 -> 443
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
  GET /verify/?p=ccpro&c=cc&cv=5.33.6162&l=1033&lk=CJ9T-J7CU-SPNV-GWMB-WBEC&mk=FEB2-8J35-8PDX-HZIY-N8IC-Q332-9Y73-E5HP-9XTW HTTP/1.1
  User-Agent: Mozilla/4.0 (CCleaner, 5.33.6162)
  Connection: Keep-Alive
  Cache-Control: no-cache
  Host: license.piriform.com

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webappsstore.sqlite-wal
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite-wal
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\SiteSecurityServiceState.txt
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webappsstore.sqlite
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webappsstore.sqlite-shm
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite-shm
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: HKEY_USERS\Software\Globalscape\CuteFTP 9
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 8 Professional
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: HKEY_LOCAL_MACHINE\SOFTWARE\GPSoftware\Directory Opus
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Globalscape\CuteFTP 9
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: HKEY_USERS\Software\SmartFTP
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 7 Home
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 7 Professional
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 8 Home

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\CCleaner.exe | Code function: 0_2_000E1E2A LoadLibraryA,GetProcAddress,GetModuleFileNameExA,CloseHandle,0_2_000E1E2A
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\CCleaner.exe | Code function: 0_2_01285506 push ecx; ret 0_2_01285519

Spreading:

Enumerates the file system
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

System Summary:

Reads internet explorer settings
Source: C:\Users\user\Desktop\CCleaner.exe | Key opened: HKEY_USERS\Software\Microsoft\Internet Explorer\Settings
Executable creates window controls seldom found in malware
Source: C:\Users\user\Desktop\CCleaner.exe | Window found: window name: SysTabControl32
Checks if Microsoft Office is installed
Source: C:\Users\user\Desktop\CCleaner.exe | Key opened: HKEY_USERS\Software\Microsoft\Office\8.0\Common
PE file has a big code size
Source: CCleaner.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
PE file has a valid certificate
Source: CCleaner.exe | Static PE information: certificate valid
Submission file is bigger than most known malware samples
Source: CCleaner.exe | Static file information: File size 7680216 > 1048576
PE file has a big raw section
Source: CCleaner.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x334e00
Source: CCleaner.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x288200
PE file imports many functions
Source: CCleaner.exe | Static PE information: More than 200 imports for KERNEL32.dll
PE file contains a mix of data directories often seen in goodware
Source: CCleaner.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CCleaner.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CCleaner.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CCleaner.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CCleaner.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CCleaner.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: CCleaner.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: CCleaner.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: s:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb source: CCleaner.exe
PE file contains a valid data directory to section mapping
Source: CCleaner.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CCleaner.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CCleaner.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CCleaner.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CCleaner.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Classification label
Source: classification engine | Classification label: mal72.evad.spyw.winEXE@1/11@2/5
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\CCleaner.exe | Code function: 0_2_000E203A GetCurrentProcess,OpenProcessToken,time,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,0_2_000E203A
Creates files inside the user directory
Source: C:\Users\user\Desktop\CCleaner.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\tmp.edb
PE file has an executable .text section and no other executable section
Source: CCleaner.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\Desktop\CCleaner.exe | WMI Queries: IWbemServices::ExecQuery - SELECT UniqueId,ProcessorId,Name,Manufacturer FROM Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\CCleaner.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\CCleaner.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data
Source: CCleaner.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: CCleaner.exe | Binary or memory string: select url from snapshots;select url from sites;select url from favorites;
Source: CCleaner.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: CCleaner.exe | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: CCleaner.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: CCleaner.exe | Binary or memory string: select * from meta where key='last_compatible_version';origin_bound_certsselect host_key, creation_utc from cookies;valueautofillselect host, creation_time from channel_id;channel_idselect origin, creation_time from origin_bound_certs;SELECT pair_id, date_created FROM autofill_dates;SELECT pair_id FROM autofill;autofill_datesSELECT name, value, value_lower, count FROM autofill;SELECT origin_url, action_url, username_element, username_value, password_element, password_value, submit_element, signon_realm, ssl_valid, preferred, date_created, blacklisted_by_user, scheme FROM logins;loginsSELECT url_hash, password_value, date_created FROM ie7_logins;ie7_loginsselect host from HostQuotaTable;HostQuotaTableselect origin from OriginInfoTable;OriginInfoTableselect show_in_default_list, safe_for_autoreplace from keywords;keywordsselect favicon_id from urls;urlsfavorites.dbstash.dbbookmarks.dbBookmarksPRAGMA table_info(%s)%s\QuotaManager%s\Origin Bound Certs%s\cookiesselect host_key,creation_utc, name, value, encrypted_v
Sample is known by Antivirus (Virustotal or Metascan)
Source: CCleaner.exe | Virustotal: hash found
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\CCleaner.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
Creates mutexes
Source: C:\Users\user\Desktop\CCleaner.exe | Mutant created: \Sessions\1\BaseNamedObjects\Piriform_CCleaner_PreventSecondInstance
Source: C:\Users\user\Desktop\CCleaner.exe | Mutant created: \Sessions\1\BaseNamedObjects\Piriform_CCleaner_SystemTrayIconActive
PE file contains executable resources (Code or Archives)
Source: CCleaner.exe | Static PE information: Resource name: BRANDING type: ump; PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Source: CCleaner.exe | Static PE information: Resource name: RT_STRING type: ump; Hitachi SH big-endian COFF object, not stripped
Source: CCleaner.exe | Static PE information: Resource name: RT_STRING type: ump; Hitachi SH big-endian COFF object, not stripped
PE file contains strange resources
Source: CCleaner.exe | Static PE information: Resource name: RT_BITMAP type: ump; GLS_BINARY_LSB_FIRST
Source: CCleaner.exe | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: CCleaner.exe | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: CCleaner.exe | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: CCleaner.exe | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: CCleaner.exe | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: CCleaner.exe | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: CCleaner.exe | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Users\user\Desktop\CCleaner.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version infoShow sources
Source: CCleaner.exeBinary or memory string: OriginalFilenamebranding.dll\ vs CCleaner.exe
Source: CCleaner.exeBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs CCleaner.exe
Source: CCleaner.exeBinary or memory string: OriginalFilenamewinhttp.dll.muij% vs CCleaner.exe
Source: CCleaner.exeBinary or memory string: OriginalFilenamewship6.dll.muij% vs CCleaner.exe
Source: CCleaner.exeBinary or memory string: OriginalFilenamewshtcpip.dll.muij% vs CCleaner.exe
Source: CCleaner.exeBinary or memory string: OriginalFilenameKernelbasej% vs CCleaner.exe
Source: CCleaner.exeBinary or memory string: OriginalFilenameuser32j% vs CCleaner.exe
Source: CCleaner.exeBinary or memory string: OriginalFilenameMSCTF.DLL.MUIj% vs CCleaner.exe
Source: CCleaner.exeBinary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs CCleaner.exe
Source: CCleaner.exeBinary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs CCleaner.exe
Source: CCleaner.exeBinary or memory string: OriginalFilenamebranding.dll\ vs CCleaner.exe
Tries to load missing DLLsShow sources
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: dwmapi.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: msimg32.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: sspicli.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: esent.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: secur32.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: winhttp.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: webio.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: dnsapi.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: duser.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: dui70.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: linkinfo.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: ntshrui.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: srvcli.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: nlaapi.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: cscapi.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: slc.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: cryptsp.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: rpcrtremote.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: credssp.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: ncrypt.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: bcrypt.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: gpapi.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: cryptnet.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: sensapi.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: winhttp.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: webio.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\CCleaner.exeSection loaded: ntdsapi.dll

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: CCleaner.exe | Binary or memory string: %s|%d|%I64d|%d|%d0|%s|%d|%d|%d|%s|%I64d|%d||%d|||LMN|%d||Shell_TrayWndLMN
Source: CCleaner.exe | Binary or memory string: t@VIRTUAL_CHECK_CHANGED_WINDOW_MESSAGECookie:#HttpOnly_.DOMStore:http://DOMStore:https://DOMStore:http://:HSTSDOMStore:https://:HPKP:HSTS:HPKPPNG101COMBOBOX0&%d%I64dSoftware\Microsoft\Installer\ProductsInstaller\ProductsProductNameSOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\PackagesSoftware\Microsoft\Windows\CurrentVersion\UninstallDisplayName{*}[CC][CC]*CredFreeCredDeleteWAdvapi32CredEnumerateWAdvapi32_NF_Advapi32UserDataSoftware\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible CacheDOMStoreSoftware\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache%LocalAppData%CachePath%LocalLowAppData%Microsoft\Internet Explorer\DOMStore%LocalAppData%%AppData%Microsoft\Internet Explorer\DOMStore%AppData%Packages\windows_ie_ac_001\AC\Microsoft\Internet Explorer\DOMStoreMicrosoft\Internet Explorer\UserDataTaskbarSetProgressStateccbeSoftware\Microsoft\Internet Explorer\DOMStorageMicrosoft\Internet Explorer\UserData\LowTaskba
Source: CCleaner.exe | Binary or memory string: Progman
Source: CCleaner.exe | Binary or memory string: @VIRTUAL_CHECK_CHANGED_WINDOW_MESSAGECookie:#HttpOnly_.DOMStore:http://DOMStore:https://DOMStore:http://:HSTSDOMStore:https://:HPKP:HSTS:HPKPPNG101COMBOBOX0&%d%I64dSoftware\Microsoft\Installer\ProductsInstaller\ProductsProductNameSOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\PackagesSoftware\Microsoft\Windows\CurrentVersion\UninstallDisplayName{*}[CC][CC]*CredFreeCredDeleteWAdvapi32CredEnumerateWAdvapi32_NF_Advapi32UserDataSoftware\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible CacheDOMStoreSoftware\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache%LocalAppData%CachePath%LocalLowAppData%Microsoft\Internet Explorer\DOMStore%LocalAppData%%AppData%Microsoft\Internet Explorer\DOMStore%AppData%Packages\windows_ie_ac_001\AC\Microsoft\Internet Explorer\DOMStoreMicrosoft\Internet Explorer\UserDataTaskbarSetProgressStateccbeSoftware\Microsoft\Internet Explorer\DOMStorageMicrosoft\Internet Explorer\UserData\LowTaskbar
Source: CCleaner.exe | Binary or memory string: Program Manager
Source: CCleaner.exe | Binary or memory string: Shell_TrayWnd

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\CCleaner.exe | Code function: 0_2_01284811 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_01284811
Source: C:\Users\user\Desktop\CCleaner.exe | Code function: 0_2_0128FCD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0128FCD8
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Windows\system32\en-US\filemgmt.dll.mui
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Windows\system32\filemgmt.dll
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\CCleaner.exe | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\CCleaner.exe | Code function: 0_2_0128FCD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0128FCD8
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\CCleaner.exe | Code function: 0_2_000E1E2A LoadLibraryA,GetProcAddress,GetModuleFileNameExA,CloseHandle, | 0_2_000E1E2A
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\CCleaner.exe | Code function: 0_2_012A1699 mov eax, dword ptr fs:[00000030h] | 0_2_012A1699

Malware Analysis System Evasion:

Queries a list of all running processes
Source: C:\Users\user\Desktop\CCleaner.exe | Process information queried: ProcessInformation
Enumerates the file system
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\CCleaner.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\CCleaner.exe TID: 3696 | Thread sleep time: -1080000s >= -60s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\CCleaner.exe | WMI Queries: IWbemServices::ExecQuery - SELECT UniqueId,ProcessorId,Name,Manufacturer FROM Win32_Processor
Found evasive API chain checking for user administrative privileges
Source: C:\Users\user\Desktop\CCleaner.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode | graph_0-1489
Found evasive API chains implementing implicit delay functionality
Source: C:\Users\user\Desktop\CCleaner.exe | Implicit delay: IcmpCreateFile, DecisionNode, Sleep, time | graph_0-1534
Source: C:\Users\user\Desktop\CCleaner.exe | Implicit delay: IcmpCreateFile, DecisionNode, IcmpSendEcho, time | graph_0-1534
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\CCleaner.exe | WMI Queries: IWbemServices::ExecQuery - SELECT Manufacturer,SMBIOSBIOSVersion,IdentificationCode,SerialNumber,ReleaseDate,Version FROM Win32_BIOS
Source: C:\Users\user\Desktop\CCleaner.exe | WMI Queries: IWbemServices::ExecQuery - SELECT Model,Manufacturer,Name,SerialNumber FROM Win32_BaseBoard
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\CCleaner.exe | System information queried: FirmwareTableInformation

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\CCleaner.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CCleaner.exe | Process information set: NOOPENFILEERRORBOX

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: CCleaner.exe | Binary or memory string: DetectFile1=%ProgramFiles%\Malwarebytes' Anti-Malware\mbam.exe
Source: CCleaner.exe | Binary or memory string: DetectFile2=%ProgramFiles%\Malwarebytes Anti-Malware\mbam.exe

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\CCleaner.exe | Code function: 0_2_0128556B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 0_2_0128556B
Contains functionality to query windows version
Source: C:\Users\user\Desktop\CCleaner.exe | Code function: 0_2_000E1DCB GetVersionExA,OpenProcess, | 0_2_000E1DCB
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\CCleaner.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the installation date of Windows
Source: C:\Users\user\Desktop\CCleaner.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\tmp.edb VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\Users\user\Desktop\CCleaner.exe VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe | Queries volume information: C:\ VolumeInformation

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
[Behavior graph image not reproduced here. Recoverable node data:]
Behavior Graph ID: 366514 | Sample: CCleaner.exe | Startdate: 18/09/2017 | Architecture: WINDOWS | Score: 72
Process node 0: CCleaner.exe (started from main), node counters: 46, 24
Signatures attached to node 0: Found evasive API chain checking for user administrative privileges; Found evasive API chains implementing implicit delay functionality; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); signatures exceeded maximum capacity for this level, 3 signatures have been hidden
DNS/IP nodes attached to node 0: www.piriform.com 151.101.0.64, 443 (GARR Italian academic and research network, United States); www.piriform.com; license.piriform.com

Simulations

Behavior and APIs

Time | Type | Description
13:09:51 | API Interceptor | 257x Sleep call for process: CCleaner.exe modified from: 60000ms to: 500ms

Antivirus Detection

Initial Sample

Source | Ratio | Cloud
CCleaner.exe | 8/64 | virustotal

Dropped Files

No Antivirus matches

Domains

Source | Ratio | Cloud
license.piriform.com | 0/65 | virustotal
www.piriform.com | 0/64 | virustotal

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Dropped Files

No context

Screenshot