File packets2.pcap

Size 1.5KB
Type pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 32767)
MD5 938badf9428bd8c6c4b853123d6f8753
SHA1 3ac8b3b5bd444b6e794884cef849de8937fbc3ed
SHA256 ce5b50055f30db896dea16309b1a199c3450da7bad50da1716fa2e4ede3ba330
SHA512 e1d22535d7460205d40ef204c9f95a81aa5e37954da5b791cef818f9717b98b6aa867efbea0ecd68215a71e101b3cd5dc471de4c3b45fdab7d90e06e1b555e0f
CRC32 B9AB1298
ssdeep None
Yara
  • Cobalt_functions - Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.



Information on Execution

Analysis
Category: FILE
Started: March 9, 2026, 2:41 p.m.
Completed: March 9, 2026, 2:45 p.m.
Duration: 194 seconds
Routing: internet

Analyzer Log

2026-03-09 14:41:47,001 [root] DEBUG: Starting analyzer from: /tmp/tmpTGJVHn
2026-03-09 14:41:47,002 [root] DEBUG: Storing results at: /tmp/pdbRWbtP
2026-03-09 14:41:47,002 [lib.core.packages] INFO: _guess_package_name failed
2026-03-09 14:41:47,002 [lib.core.packages] INFO: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 32767)
2026-03-09 14:41:47,003 [lib.core.packages] INFO: packets2.pcap
2026-03-09 14:41:48,639 [modules.auxiliary.filecollector] INFO: FileCollector started v0.08
2026-03-09 14:41:48,642 [modules.auxiliary.human] INFO: Human started v0.02
2026-03-09 14:41:48,644 [modules.auxiliary.screenshots] INFO: Screenshots started v0.03
2026-03-09 14:41:54,244 [lib.core.packages] INFO: Process startup took 5.59 seconds
2026-03-09 14:41:54,245 [root] INFO: Added new process to list with pid: 2079
2026-03-09 14:42:00,256 [root] INFO: Process with pid 2079 has terminated
2026-03-09 14:42:00,257 [root] INFO: Process list is empty, terminating analysis.
2026-03-09 14:42:03,261 [lib.core.packages] INFO: Package requested stop
2026-03-09 14:42:03,261 [lib.core.packages] WARNING: Exception uploading log: [Errno 3] No such process

Cuckoo Log

2026-03-09 14:41:51,198 [cuckoo.core.scheduler] INFO: Task #7479223: acquired machine Ubuntu1904x642 (label=Ubuntu1904x642)
2026-03-09 14:41:51,199 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.102 for task #7479223
2026-03-09 14:41:51,894 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3377299 (interface=vboxnet0, host=192.168.168.102)
2026-03-09 14:41:51,955 [cuckoo.machinery.virtualbox] DEBUG: Starting vm Ubuntu1904x642
2026-03-09 14:41:53,015 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine Ubuntu1904x642 to Snapshot
2026-03-09 14:42:52,983 [cuckoo.core.guest] INFO: Starting analysis #7479223 on guest (id=Ubuntu1904x642, ip=192.168.168.102)
2026-03-09 14:42:54,184 [cuckoo.core.guest] DEBUG: Ubuntu1904x642: not ready yet
2026-03-09 14:42:59,311 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=Ubuntu1904x642, ip=192.168.168.102)
2026-03-09 14:42:59,373 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=Ubuntu1904x642, ip=192.168.168.102, monitor=latest, size=73219)
2026-03-09 14:43:00,152 [cuckoo.core.resultserver] DEBUG: Task #7479223: live log analysis.log initialized.
2026-03-09 14:43:08,860 [cuckoo.core.resultserver] DEBUG: Task #7479223: File upload for 'shots/0001.jpg'
2026-03-09 14:43:08,882 [cuckoo.core.resultserver] DEBUG: Task #7479223 uploaded file length: 171458
2026-03-09 14:43:15,804 [cuckoo.core.guest] DEBUG: Ubuntu1904x642: analysis #7479223 still processing
2026-03-09 14:43:16,423 [cuckoo.core.resultserver] DEBUG: Task #7479223: File upload for 'logs/all.stap'
2026-03-09 14:43:16,442 [cuckoo.core.resultserver] DEBUG: Task #7479223 uploaded file length: 1197
2026-03-09 14:43:30,898 [cuckoo.core.guest] DEBUG: Ubuntu1904x642: analysis #7479223 still processing
2026-03-09 14:43:45,993 [cuckoo.core.guest] DEBUG: Ubuntu1904x642: analysis #7479223 still processing
2026-03-09 14:44:01,170 [cuckoo.core.guest] INFO: Ubuntu1904x642: end of analysis reached!
2026-03-09 14:44:01,202 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2026-03-09 14:44:01,230 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2026-03-09 14:44:02,864 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label Ubuntu1904x642 to path /srv/cuckoo/cwd/storage/analyses/7479223/memory.dmp
2026-03-09 14:44:02,867 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm Ubuntu1904x642
2026-03-09 14:45:05,482 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.102 for task #7479223
2026-03-09 14:45:05,482 [cuckoo.core.resultserver] DEBUG: Cancel <Context for LOG> for task 7479223
2026-03-09 14:45:05,830 [cuckoo.core.scheduler] DEBUG: Released database task #7479223
2026-03-09 14:45:05,846 [cuckoo.core.scheduler] INFO: Task #7479223: analysis procedure completed

Signatures

Yara rule detected for file (1 event)
description Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT rule Cobalt_functions
File has been identified by 8 AntiVirus engines on IRMA as malicious (8 events)
G Data Antivirus (Windows): Generic.ShellCode.Marte.H.4654ED67 (Engine A)
Avast Core Security (Linux): Win32:Meterpreter-C [Trj]
C4S ClamAV (Linux): Win.Trojan.MSShellcode-7
eScan Antivirus (Linux): Generic.ShellCode.Marte.H.4654ED67(DB)
Sophos Anti-Virus (Linux): Exp/MSFFFmnt-E
ClamAV (Linux): Win.Trojan.MSShellcode-7
Bitdefender Antivirus (Linux): Generic.ShellCode.Marte.H.4654ED67
Emsisoft Commandline Scanner (Windows): Generic.ShellCode.Marte.H.4654ED67 (B)
File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)
Lionic: Trojan.Win32.Generic.4!c
ClamAV: Win.Trojan.MSShellcode-7
ALYac: Generic.RozenaA.4654ED67
Zillya: Trojan.Generic.Win32.1606403
Arcabit: Generic.RozenaA.4654ED67
Avast: Win32:Meterpreter-C [Trj]
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Generic.RozenaA.4654ED67
NANO-Antivirus: Trojan.Dos.Shellcode.ewfvwj
MicroWorld-eScan: Generic.RozenaA.4654ED67
Ad-Aware: Generic.RozenaA.4654ED67
Emsisoft: Generic.RozenaA.4654ED67 (B)
FireEye: Generic.RozenaA.4654ED67
Ikarus: Exploit.CVE-2011-1591
Microsoft: Exploit:Win32/CVE-2011-1591.A
GData: Generic.RozenaA.4654ED67
Tencent: Win32.Trojan.Generic.Hssh
Yandex: Trojan.AvsEtecer.bS6SYf
MAX: malware (ai score=84)
AVG: Win32:Meterpreter-C [Trj]
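What the Cobalt_functions hit keys on, as an added example that is not part of this report or of the sandbox's own tooling: "ROR edi,D" is the ror edi, 0xd instruction (opcode bytes C1 CF 0D) at the heart of the block_api resolver used by Metasploit and Cobalt Strike shellcode. Instead of carrying import names, the stub carries 32-bit ROR13 hashes of module!export pairs and resolves them by walking the loaded modules at runtime, which is also why the engines above report generic shellcode or Meterpreter rather than a specific binary. The script below reproduces that hashing (upper-cased UTF-16LE module name including its terminator, ASCII export name including its NUL, summed and truncated to 32 bits), prints the little-endian byte form a hex-string rule would match, and scans a byte blob for both the opcode and the hash constants. Since the submission was a pcap opened on an Ubuntu guest, nothing executed and no hosts were contacted; a match therefore means the stub bytes or its hash constants sit in the capture itself, typically a stager transferred in the clear. The KNOWN_IMPORTS list and the SAMPLE bytes are constructed for this example and are not taken from packets2.pcap; the LoadLibraryA (0x0726774C), WinExec (0x876F8B31) and ExitProcess (0x56A2B5F0) values are the documented Metasploit constants and serve as checks.

```python
"""ROR13 API-hash helper for block_api-style shellcode (Metasploit / Cobalt Strike).

Added example, not code from the sandbox report. Reproduces the hashing that the
"ror edi, 0xd" stub performs at runtime, derives the byte constants a signature
can match, and scans a constructed byte blob for opcode and constants.
"""
import struct

ROR13_OPCODE = bytes.fromhex("c1cf0d")  # ror edi, 0xd  (C1 /1 ib; ModRM 0xCF = edi)


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`, wrapping like the x86 ROR instruction."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def module_hash(name: str, bits: int = 13) -> int:
    """Hash of the module's BaseDllName as the stub sees it: upper-cased UTF-16LE,
    including the two-byte terminator (the stub walks MaximumLength bytes)."""
    h = 0
    for b in (name.upper() + "\x00").encode("utf-16-le"):
        h = (ror32(h, bits) + b) & 0xFFFFFFFF  # ror edi,13 ; add edi,eax
    return h


def function_hash(name: str, bits: int = 13) -> int:
    """Hash of an ASCII export name, including its NUL terminator."""
    h = 0
    for b in (name + "\x00").encode("ascii"):
        h = (ror32(h, bits) + b) & 0xFFFFFFFF
    return h


def api_hash(module: str, function: str, bits: int = 13) -> int:
    """module_hash + function_hash, truncated to 32 bits: the immediate the
    shellcode pushes before calling the resolver."""
    return (module_hash(module, bits) + function_hash(function, bits)) & 0xFFFFFFFF


def hash_pattern(module: str, function: str) -> bytes:
    """Little-endian form of the hash, i.e. the bytes that follow the 0x68 (push imm32)
    opcode in the shellcode and that a Yara hex string can match."""
    return struct.pack("<I", api_hash(module, function))


# Exports that Metasploit's Windows staged payloads resolve through block_api.
# The names are real exports; the selection is constructed for this example.
KNOWN_IMPORTS = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "WinExec"),
    ("kernel32.dll", "ExitProcess"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "WSASocketA"),
    ("ws2_32.dll", "connect"),
]


def scan(blob: bytes) -> dict:
    """Report offsets of the ROR13 opcode and of any known API-hash constant in blob."""
    hits = {"ror13_opcode": [], "api_hashes": []}
    start = 0
    while (i := blob.find(ROR13_OPCODE, start)) != -1:
        hits["ror13_opcode"].append(i)
        start = i + 1
    for mod, fn in KNOWN_IMPORTS:
        pat = hash_pattern(mod, fn)
        start = 0
        while (i := blob.find(pat, start)) != -1:
            hits["api_hashes"].append((i, f"{mod}!{fn}", api_hash(mod, fn)))
            start = i + 1
    hits["api_hashes"].sort()
    return hits


# Constructed sample (NOT the payload from packets2.pcap): a fragment of the hash
# loop (ror edi,0xd ; add edi,eax) with filler, then push 0x0726774C (LoadLibraryA)
# and push 0x876F8B31 (WinExec).
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("c1cf0d")  # ror edi, 0xd   at offset 4
    + bytes.fromhex("01c7")    # add edi, eax
    + b"\x90" * 4
    + b"\x68" + hash_pattern("kernel32.dll", "LoadLibraryA")  # hash bytes at offset 14
    + b"\x68" + hash_pattern("kernel32.dll", "WinExec")       # hash bytes at offset 19
)

if __name__ == "__main__":
    for mod, fn in KNOWN_IMPORTS:
        print(f"0x{api_hash(mod, fn):08X}  {hash_pattern(mod, fn).hex()}  {mod}!{fn}")
    print(scan(SAMPLE))
```

Run scan() over a reassembled TCP stream of the suspect flow (for example a follow-stream export) rather than over the raw pcap, since packet framing can split a 3- or 4-byte pattern across packets. A lone opcode hit is weak on its own; requiring several hash constants, as hex-string rules of this kind do, is the stronger signal.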
Screenshots

(No screenshot content is reproduced on this page.)

Network

Domains (Name / Response / Post-Analysis Lookup): no hosts contacted.
IP addresses (IP Address / Status / Action / VT / Location): no hosts contacted.