Malware analysis Bandook v1.35.rar Malicious activity

Add for printing

File name:	Bandook v1.35.rar
Full analysis:	https://app.any.run/tasks/8f1a0c9c-0aca-47e5-8de4-b0939e95e31f
Verdict:	Malicious activity
Analysis date:	May 03, 2018, 15:09:15
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v4, os: Win32
MD5:	425BBD854E4EB273D101DF90862617D2
SHA1:	C9AEBE6B1D5F1D6BEDF4188FA6B980AE3A01A2C1
SHA256:	30EB4DC3C46CECEBA84384B6A89DA8D12CD00D8D9BC9E4E1CBC97610FC496BE1
SSDEEP:	98304:Ign0wDXWq+Ijscsz9hGDGPTFccqYEWeX4uLDW5s7LH:z0wDXWrCDGPpccTCIuLDW5QH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:

Software preset

Internet Explorer 8.0.7601.17514 undefined
7-Zip 16.04 (16.04)
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 26 ActiveX (26.0.0.137)
CCleaner (5.35)
FileZilla Client 3.31.0 (3.31.0)
Google Chrome (61.0.3163.100)
Google Update Helper (1.3.33.5)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Home and Business 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2005 Redistributable (8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.12.25810 (14.12.25810.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.12.25810 (14.12.25810)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.12.25810 (14.12.25810)
Mozilla Firefox 55.0.3 (x86 en-US) (55.0.3)
Mozilla Maintenance Service (55.0.3)
Notepad++ (32-bit x86) (7.5.4)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
VLC media player (2.2.6)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition
WinMan WinIP Package TopLevel

Add for printing

MALICIOUS
- Application loaded dropped or rewritten executable
  - SearchProtocolHost.exe (PID: 1360)
- Actions looks like stealing of personal data
  - 7zFM.exe (PID: 2872)
- Application was dropped or rewritten from another process
  - BANDOOK V1.35.EXE (PID: 3312)
  - Bandook.exe (PID: 3936)
  - ali.exe (PID: 2216)
  - Bandook v1.35.exe.exe (PID: 2108)
- Changes the autorun value in the registry
  - ali.exe (PID: 2216)
SUSPICIOUS
- Starts itself from another location
  - Bandook.exe (PID: 3936)
- Starts Internet Explorer
  - ali.exe (PID: 2216)
- Creates files in the Windows directory
  - Bandook.exe (PID: 3936)
INFO
- Dropped object may contain URL's
  - 7zFM.exe (PID: 2872)
  - BANDOOK V1.35.EXE (PID: 3312)
  - Bandook.exe (PID: 3936)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v-4.x) (58.3)
.rar	\|	RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize:	320
UncompressedSize:	511
OperatingSystem:	Win32
ModifyDate:	2006:07:02 11:49:02
PackingMethod:	Normal
ArchivedFileName:	nfascripts\destroy.nfa

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1360

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\System32\SearchProtocolHost.exe

—

SearchIndexer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Windows Search Protocol Host

Exit code:

Version:

7.00.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2096

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

—

ali.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Internet Explorer

Exit code:

Version:

8.00.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2108

"C:\Users\admin\Desktop\asdf\Bandook v1.35.exe.exe"

C:\Users\admin\Desktop\asdf\Bandook v1.35.exe.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\asdf\bandook v1.35.exe.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

2216

C:\Windows\system32\ali.exe

Bandook.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\windows\system32\ali.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

2592

C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Windows\system32\DllHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

COM Surrogate

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2872

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\admin\AppData\Local\Temp\Bandook v1.35.rar"

C:\Program Files\7-Zip\7zFM.exe

explorer.exe

User:

admin

Company:

Igor Pavlov

Integrity Level:

MEDIUM

Description:

7-Zip File Manager

Exit code:

Version:

16.04

Modules

Images
c:\program files\7-zip\7zfm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

3312

"C:\Users\admin\AppData\Local\Temp\BANDOOK V1.35.EXE"

C:\Users\admin\AppData\Local\Temp\BANDOOK V1.35.EXE

Bandook v1.35.exe.exe

User:

admin

Company:

Nuclear Winter Crew

Integrity Level:

MEDIUM

Description:

Bandook FWB++ RAT

Exit code:

Version:

1.3.5.0

Modules

Images
c:\users\admin\appdata\local\temp\bandook v1.35.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll

3936

"C:\Users\admin\Desktop\asdf\Bandook.exe"

C:\Users\admin\Desktop\asdf\Bandook.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\asdf\bandook.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

Add for printing

Total events

1 548

Read events

1 516

Write events

Delete events

Modification events


(PID) Process:	(2872) 7zFM.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\91\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2872) 7zFM.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\91\52C64B7E
Operation:	write	Name:	@C:\Program Files\Common Files\System\wab32res.dll,-4602
Value: Contact file
(PID) Process:	(2872) 7zFM.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\91\52C64B7E
Operation:	write	Name:	@"C:\Program Files\Windows Journal\Journal.exe",-3072
Value: Journal Document
(PID) Process:	(2872) 7zFM.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
Operation:	write	Name:	Classes
Value: .bmp
(PID) Process:	(2872) 7zFM.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
Operation:	write	Name:	~reserved~
Value: 0800000000000600
(PID) Process:	(2872) 7zFM.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	Browse For Folder Width
Value: 318
(PID) Process:	(2872) 7zFM.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	Browse For Folder Height
Value: 288
(PID) Process:	(2872) 7zFM.exe	Key:	HKEY_CURRENT_USER\Software\7-Zip\FM
Operation:	write	Name:	CopyHistory
Value: 43003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0061007300640066005C000000
(PID) Process:	(2872) 7zFM.exe	Key:	HKEY_CURRENT_USER\Software\7-Zip\FM\Columns
Operation:	write	Name:	7-Zip.Rar
Value: 0100000004000000010000000400000001000000A00000000700000001000000640000000800000001000000640000000C00000001000000640000000A00000001000000640000000B00000001000000640000000900000001000000640000000F00000001000000640000000D00000001000000640000000E00000001000000640000001000000001000000640000001100000001000000640000001300000001000000640000001700000001000000640000001600000001000000640000002100000001000000640000001F0000000100000064000000200000000100000064000000
(PID) Process:	(1360) SearchProtocolHost.exe	Key:	HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\91\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2872	7zFM.exe	C:\Users\admin\Desktop\asdf		—
		MD5:—	SHA256:—
2872	7zFM.exe	C:\Users\admin\Desktop\asdf\nfascripts\olmert.nfa		text
		MD5:E2294C4DF34C893038B252732FFFC98E	SHA256:35429B047C12159CD069FD6093DCFA1A0D3ABDE8BF0690D897FC3607B479E8BF
2872	7zFM.exe	C:\Users\admin\Desktop\asdf\nfascripts\olmert2.nfa		text
		MD5:7DDD4EE0A7D2A2E0E5DB014A995D0BD4	SHA256:8FF735729726334FA766FC19044287B2CF5F933CA1060323D48CB8F276AD49B3
2872	7zFM.exe	C:\Users\admin\Desktop\asdf\nfascripts\destroy.nfa		text
		MD5:8FD0E0C30DCA53DAF6D2C96E21D7BA9D	SHA256:8034CDD7D1994E1D061D19F2B60F13961A40FA3EE416AF234773D83B8133E96E
2872	7zFM.exe	C:\Users\admin\Desktop\asdf\Plugins\bndkhook.dll		executable
		MD5:0B313F78E7359E0316FAFF6F56C50765	SHA256:3AC998883DB48A7DCEEE8ABDCCD461B23E194B7ECC476DAEB12BAAC03CDCDA16
2872	7zFM.exe	C:\Users\admin\Desktop\asdf\nfascripts\pcterrorist.nfa		text
		MD5:8302FE259CA77C4B22E08F6DB54DCC30	SHA256:1048E32F1D6E4451828FDE8D07434BEBDDC1928E45F39D62EC524DB8B061AB3B
2872	7zFM.exe	C:\Users\admin\Desktop\asdf\nfascripts\Icons.nfa		text
		MD5:DC9C2CA9FFA5EA0FD2A1B8E44FE12B7C	SHA256:92218310DFD24A25C40817A8AFA0E8F4F4FA92ADE1F41D24EE3A2C59EBB93A0E
2872	7zFM.exe	C:\Users\admin\Desktop\asdf\Plugins\bndkmul.dll		executable
		MD5:49221ECC541162C7A8A1EF83FED537D4	SHA256:7C60029C9837E3FBAAA3050508E11C18B92FC4CBEA46A7F2BDB6E8C4A0B7F6AE
2872	7zFM.exe	C:\Users\admin\Desktop\asdf\nfascripts\fuckfuckfuck.nfa		text
		MD5:D373FDD7C7839D9BA3279A61ED25C4D0	SHA256:44CA0393675CE91BA1AF516AF2507534FC60FE3E997C0CA8698BCB6007EACB20
2872	7zFM.exe	C:\Users\admin\Desktop\asdf\Plugins\nfa.bndk		executable
		MD5:B709BECB4F8EC6BC7AB81E071B113690	SHA256:B6AC220C5713C85BCE298B7406E284ADB5E3E6ECCE80AC56C1E3ED99EB9BCB96

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

Process	Message
Bandook v1.35.exe.exe	C:\Users\admin\AppData\Local\Temp\BANDOOK V1.35.EXE
Bandook v1.35.exe.exe	C:\Users\admin\AppData\Local\Temp\DJACK.ICO

General Info

Bandook v1.35.rar

425BBD854E4EB273D101DF90862617D2

C9AEBE6B1D5F1D6BEDF4188FA6B980AE3A01A2C1

30EB4DC3C46CECEBA84384B6A89DA8D12CD00D8D9BC9E4E1CBC97610FC496BE1

98304:Ign0wDXWq+Ijscsz9hGDGPTFccqYEWeX4uLDW5s7LH:z0wDXWrCDGPpccTCIuLDW5QH

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application loaded dropped or rewritten executable

Actions looks like stealing of personal data

Application was dropped or rewritten from another process

Changes the autorun value in the registry

SUSPICIOUS

Starts itself from another location

Starts Internet Explorer

Creates files in the Windows directory

INFO

Dropped object may contain URL's

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings