File name:

万世轮回DDOS-Win集群端6.rar

Full analysis: https://app.any.run/tasks/a7bed0bc-2f73-4d3d-bcbe-c965be382e58
Verdict: Malicious activity
Analysis date: November 13, 2023, 16:51:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

6B112B84441BCF018FCF3983D49462BD

SHA1:

F6C0D038ACDCD6DF9E413CBED1AB6766516D15DF

SHA256:

E79DFEA0E883A89DCDC91FD18D5918666D09C49650B6EBFB9CE54448EE3251C7

SSDEEP:

12288:sSz8J97cYOw/SsoKElSKvZEfcmac03FWYXibzksqGv:sSzg9QYOw/zobQKvCfca01WYXibzk3o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • 客户端.exe (PID: 3756)
      • dd0s_jbk.exe (PID: 4000)

    • Creates a writable file the system directory

      • dd0s_jbk.exe (PID: 4000)

  • SUSPICIOUS

    • Executes as Windows Service

      • nefjeq.exe (PID: 3972)

  • INFO

    • Checks supported languages

      • wmpnscfg.exe (PID: 2904)
      • 客户端.exe (PID: 3756)
      • dd0s_jbk.exe (PID: 4000)
      • nefjeq.exe (PID: 3972)

    • Reads the computer name

      • wmpnscfg.exe (PID: 2904)
      • 客户端.exe (PID: 3756)
      • dd0s_jbk.exe (PID: 4000)
      • nefjeq.exe (PID: 3972)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2904)
      • 客户端.exe (PID: 3756)
      • dd0s_jbk.exe (PID: 4000)

    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 2904)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3128)

    • Reads product name

      • nefjeq.exe (PID: 3972)

    • Reads Environment values

      • nefjeq.exe (PID: 3972)

    • Reads CPU info

      • nefjeq.exe (PID: 3972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 13312
UncompressedSize: 33280
OperatingSystem: Win32
ModifyDate: 2013:09:11 18:19:26
PackingMethod: Normal
ArchivedFileName: dat\server.dat
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
5
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe no specs wmpnscfg.exe no specs 客户端.exe no specs dd0s_jbk.exe nefjeq.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2904"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
3128"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\万世轮回DDOS-Win集群端6.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3756"C:\Users\admin\Desktop\客户端.exe" C:\Users\admin\Desktop\客户端.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\客户端.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3972C:\Windows\system32\nefjeq.exeC:\Windows\System32\nefjeq.exeservices.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
server Microsoft 基础类应用程序
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\windows\system32\nefjeq.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
4000"C:\Users\admin\Desktop\dd0s_jbk.exe" C:\Users\admin\Desktop\dd0s_jbk.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
server Microsoft 基础类应用程序
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\dd0s_jbk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
1 204
Read events
1 188
Write events
13
Delete events
3

Modification events

(PID) Process:(3128) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2904) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{4D9A96BB-D5E7-49CD-BA52-83CD595CCDC3}\{0E5D408B-72F0-417F-86B3-022AFD65C447}
Operation:delete keyName:(default)
Value:
(PID) Process:(2904) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{4D9A96BB-D5E7-49CD-BA52-83CD595CCDC3}
Operation:delete keyName:(default)
Value:
Executable files
8
Suspicious files
15
Text files
18
Unknown types
0

Dropped files

PID
Process
Filename
Type
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.28300\dat\下载请看.battext
MD5:CA3AA7CB861172E1115E21D90FD9D004
SHA256:334E1C5FC1FE38B4CB36616405426EA02069B9875ACEEC615ED4AFE76A941830
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\使用帮助说明.txtbinary
MD5:E3D4910779D0BA220488C65D06E5F414
SHA256:26BDAC230CC2CB501C42346C645FC1C53B40E96FA86C93CD8D49930CE1114D5B
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\Plug\使用帮助说明.txtbinary
MD5:CA0ECC3384464EB68E3E8A03638E735D
SHA256:152696A528030A6D346A37CFBBF40BECE68AC83C717F3FAE0534CAACC5A0A350
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\dat\支持幽灵学院.regbinary
MD5:91231E6EDDB2898DC84B2FDAE8D3477B
SHA256:CD4B0D1E043314A7D1AD1B69DC8B891975C8EA479AB1DB230257C43376CE4C84
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\Plug\律师声明.txtbinary
MD5:6E072BFC5DF67651C3A97A06B0D7F3F5
SHA256:F2C07BD9803D175A94B84003B39073DF4DBBE84F8CD2BC0D600BC54C9D1E9C89
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\支持幽灵学院.regtext
MD5:853903444C500A3C4E01A867F9FB1247
SHA256:6EAB435E8614B7EE7C03C2A00B9DF17C05513CAD2833102F2FF8E86F08DE6459
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\作品发布指南 .txtbinary
MD5:573700B40698DE1BD44902A4ED2F61A6
SHA256:FDB282F649D53E815644745E5B5CB91CEFD2CC01F0EB8C82749C382F5ACFB5D9
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.28300\dat\server.datexecutable
MD5:636070E38346700491EFE462AB8160B6
SHA256:830B7C0963849B62FBB4FA6D5EBA18CB346799273CB3C908D9B24BB38BE8A36D
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\律师声明.txtbinary
MD5:BE653DEACCE6D44EFCACC02E9402D7CB
SHA256:BE230D9F440D6F77AF344FEBEC52E61BA09124AD57D76ADE44B7D140ED0D5C7C
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\Plug\LPKbinary
MD5:DE606908AA3FDBA5A15567CFAF3BDBE5
SHA256:B4FCE1863D6B68D2B52E15E82100F192B30300FB272010BDF7B1130C3E94053A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
2588
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
万世轮回DDOS-Win集群端6.rar