Malware analysis Zyklon HTTP Botnet Builder+ Setup.rar Malicious activity

Add for printing

File name:	Zyklon HTTP Botnet Builder+ Setup.rar
Full analysis:	https://app.any.run/tasks/cefe1fb7-d970-4754-ae3c-fb7ac448196e
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	September 28, 2018, 16:02:55
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	miner
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	D0E994883156C0378ADD168AE4D14C12
SHA1:	544346352A4C0138299AF673EE3532338AADA254
SHA256:	A5198B34B7CAA6D6841031956678E4776D1581B90060C00774B7BB0E5E8632F4
SSDEEP:	49152:R4btbJbX53pk6SjPHGx7TtvCZVbVF3EaSKXt1qIJEkvjC1EltuVVzLlosoAYI3:+d5ArPmx7T5CZV7EngRJTA8uVVCVAP3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - Builder.exe (PID: 1380)
  - Services.exe (PID: 3864)
- Changes the autorun value in the registry
  - Builder.exe (PID: 1380)
- Looks like application has launched a miner
  - Services.exe (PID: 3864)
- Connects to CnC server
  - Regasm.exe (PID: 3240)
- MINER was detected
  - Regasm.exe (PID: 3240)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Builder.exe (PID: 1380)
- Connects to unusual port
  - Regasm.exe (PID: 3240)
- Creates files in the user directory
  - Builder.exe (PID: 1380)
- Creates executable files which already exist in Windows
  - Builder.exe (PID: 1380)
- Starts itself from another location
  - Builder.exe (PID: 1380)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1380

"C:\Users\admin\Desktop\Zyklon HTTP Botnet Builder+ Setup\Builder.exe"

C:\Users\admin\Desktop\Zyklon HTTP Botnet Builder+ Setup\Builder.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

Version:

0.0.0.0

Modules

Images
c:\users\admin\desktop\zyklon http botnet builder+ setup\builder.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

3240

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\Regasm.exe" -B --donate-level=0 -t 2 -a cryptonight --url=stratum+tcp://xmr.pool.minergate.com:45700 -u jecho.montsko@fyii.de -p -R --variant=-1 --max-cpu-usage=50

C:\Windows\Microsoft.NET\Framework\v2.0.50727\Regasm.exe

Services.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Assembly Registration Utility

Exit code:

Version:

2.0.50727.5420 (Win7SP1.050727-5400)

Modules

Images
c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll

3864

"C:\Users\admin\AppData\Roaming\Services.exe"

C:\Users\admin\AppData\Roaming\Services.exe

—

Builder.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

Version:

0.0.0.0

Modules

Images
c:\users\admin\appdata\roaming\services.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

4060

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Zyklon HTTP Botnet Builder+ Setup.rar"

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

Add for printing

Total events

815

Read events

791

Write events

Delete events

Modification events


(PID) Process:	(4060) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(4060) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(4060) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(4060) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Zyklon HTTP Botnet Builder+ Setup.rar
(PID) Process:	(4060) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4060) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4060) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4060) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4060) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process:	(4060) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General
Operation:	write	Name:	LastFolder
Value: C:\Users\admin\AppData\Local\Temp

Add for printing

Executable files

Suspicious files

Text files

621

Unknown types

Dropped files

PID	Process	Filename		Type
4060	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4060.27698\Zyklon HTTP Botnet Builder+ Setup\config.php		text
		MD5:AFEE68D5900422FD2045119098317EBB	SHA256:4CDE41468B2878C01206650BA2D3810459F594C17688F05356154F8C6ED82DD9
4060	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4060.27698\Zyklon HTTP Botnet Builder+ Setup\includes\design\images\bg_header.jpg		image
		MD5:36022B8665A56BDE5C71A6C6ECEC81CA	SHA256:79DECAD07C99378B47539F2252F9B65FC161A8600CDAFFB6FAC39358A8B395DE
4060	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4060.27698\Zyklon HTTP Botnet Builder+ Setup\includes\chart.php		text
		MD5:C841BCB49990805F5EA70C5C99EA818A	SHA256:FEF7EBF6FE6FCF1A067EC8AF279564BDC263B1CABCEBD569EB22E8F7E0B1BB3C
4060	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4060.27698\Zyklon HTTP Botnet Builder+ Setup\includes\design\images\bg_header2.png		image
		MD5:AB504111A60F3D1FCC82F6E7F41F0314	SHA256:D83B129A484645807D49060326743EC5C9210F44CCFDE9001C49E1F8290DE1A2
4060	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4060.27698\Zyklon HTTP Botnet Builder+ Setup\includes\design\images\chart_pie.png		image
		MD5:A9E4CDDFFC69FF8AC1B1D90A93CBDAAC	SHA256:C4BE8CF22CEDFE22CA5A0691640C47AE5308ABA65EB9949C246B53BCC86070BC
4060	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4060.27698\Zyklon HTTP Botnet Builder+ Setup\includes\database.php		text
		MD5:5EF1F7D259F02BA5A9E3847C32CB7ECA	SHA256:5BD36D02609D7B7C84393D2F687C3A6B30147CEB0C9DEBD9FB12A206569C5B79
4060	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4060.27698\Zyklon HTTP Botnet Builder+ Setup\includes\design\images\add.png		image
		MD5:1988C3CC1384A3AC9B9A4129183248F3	SHA256:C06A52DF3361DF380A02A45159A0858D6F7CD8CBC3F71FF732A65D6C25EA6AF6
4060	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4060.27698\Zyklon HTTP Botnet Builder+ Setup\gate.php		text
		MD5:F908C85C5566865264D9E0520C18D934	SHA256:BF08D45B8E744DAB6F51D67A33AEF77226A0CCB17BE28EBFDA4FF63A738CFA36
4060	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4060.27698\Zyklon HTTP Botnet Builder+ Setup\includes\design\images\check_icon.png		image
		MD5:3BA3DE0734C58E9EDFACAAB198C44AB6	SHA256:2998CE3B7236756D2CF8117E1159F0B51A9E4D9B18C4403DA90843FF8D4551BB
4060	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4060.27698\Zyklon HTTP Botnet Builder+ Setup\includes\design\images\check_icon_small.png		image
		MD5:1C8F45344D982E8B9A08454E1016384B	SHA256:F34C0BF8616AE948A1717D3C4773F933A6CAE7D4257E15C846B558FF41EE7F79

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	216.58.205.238:80	—	Google Inc.	US	whitelisted
—	—	94.130.48.154:45700	xmr.pool.minergate.com	Hetzner Online GmbH	DE	suspicious
3240	Regasm.exe	136.243.102.157:45700	xmr.pool.minergate.com	Hetzner Online GmbH	DE	malicious

DNS requests

Domain	IP	Reputation
xmr.pool.minergate.com	78.46.49.212 136.243.94.27 46.4.119.208 136.243.102.157 176.9.147.178 94.130.9.194 78.46.23.253 94.130.48.154 94.130.64.225 136.243.88.145	suspicious

Threats

PID	Process	Class	Message
1056	svchost.exe	A Network Trojan was detected	ET POLICY Monero Mining Pool DNS Lookup
3240	Regasm.exe	Potential Corporate Privacy Violation	ET POLICY Cryptocurrency Miner Checkin
3240	Regasm.exe	Misc activity	SUSPICIOUS [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login
3240	Regasm.exe	Misc activity	SUSPICIOUS [PTsecurity] Riskware/CoinMiner JSON_RPC Response
3240	Regasm.exe	Misc activity	SUSPICIOUS [PTsecurity] Risktool.W32.coinminer!c
3240	Regasm.exe	Misc activity	SUSPICIOUS [PTsecurity] Riskware/CoinMiner JSON_RPC Response
3240	Regasm.exe	Misc activity	SUSPICIOUS [PTsecurity] Risktool.W32.coinminer!c
3240	Regasm.exe	Misc activity	SUSPICIOUS [PTsecurity] Riskware/CoinMiner JSON_RPC Response
3240	Regasm.exe	Misc activity	SUSPICIOUS [PTsecurity] Risktool.W32.coinminer!c
3240	Regasm.exe	Potential Corporate Privacy Violation	ET POLICY Cryptocurrency Miner Checkin

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Zyklon HTTP Botnet Builder+ Setup.rar

D0E994883156C0378ADD168AE4D14C12

544346352A4C0138299AF673EE3532338AADA254

A5198B34B7CAA6D6841031956678E4776D1581B90060C00774B7BB0E5E8632F4

49152:R4btbJbX53pk6SjPHGx7TtvCZVbVF3EaSKXt1qIJEkvjC1EltuVVzLlosoAYI3:+d5ArPmx7T5CZV7EngRJTA8uVVCVAP3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Changes the autorun value in the registry

Looks like application has launched a miner

Connects to CnC server

MINER was detected

SUSPICIOUS

Executable content was dropped or overwritten

Connects to unusual port

Creates files in the user directory

Creates executable files which already exist in Windows

Starts itself from another location

INFO

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings