File name:

万世轮回DDOS-Win集群端6.rar

Full analysis: https://app.any.run/tasks/a7bed0bc-2f73-4d3d-bcbe-c965be382e58
Verdict: Malicious activity
Analysis date: November 13, 2023, 16:51:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

6B112B84441BCF018FCF3983D49462BD

SHA1:

F6C0D038ACDCD6DF9E413CBED1AB6766516D15DF

SHA256:

E79DFEA0E883A89DCDC91FD18D5918666D09C49650B6EBFB9CE54448EE3251C7

SSDEEP:

12288:sSz8J97cYOw/SsoKElSKvZEfcmac03FWYXibzksqGv:sSzg9QYOw/zobQKvCfca01WYXibzk3o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • 客户端.exe (PID: 3756)
      • dd0s_jbk.exe (PID: 4000)

    • Creates a writable file the system directory

      • dd0s_jbk.exe (PID: 4000)

  • SUSPICIOUS

    • Executes as Windows Service

      • nefjeq.exe (PID: 3972)

  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 2904)
      • 客户端.exe (PID: 3756)
      • dd0s_jbk.exe (PID: 4000)
      • nefjeq.exe (PID: 3972)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2904)
      • 客户端.exe (PID: 3756)
      • dd0s_jbk.exe (PID: 4000)

    • Checks supported languages

      • wmpnscfg.exe (PID: 2904)
      • 客户端.exe (PID: 3756)
      • dd0s_jbk.exe (PID: 4000)
      • nefjeq.exe (PID: 3972)

    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 2904)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3128)

    • Reads product name

      • nefjeq.exe (PID: 3972)

    • Reads CPU info

      • nefjeq.exe (PID: 3972)

    • Reads Environment values

      • nefjeq.exe (PID: 3972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 13312
UncompressedSize: 33280
OperatingSystem: Win32
ModifyDate: 2013:09:11 18:19:26
PackingMethod: Normal
ArchivedFileName: dat\server.dat
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
5
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe no specs wmpnscfg.exe no specs 客户端.exe no specs dd0s_jbk.exe nefjeq.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2904"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
3128"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\万世轮回DDOS-Win集群端6.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3756"C:\Users\admin\Desktop\客户端.exe" C:\Users\admin\Desktop\客户端.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\客户端.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3972C:\Windows\system32\nefjeq.exeC:\Windows\System32\nefjeq.exeservices.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
server Microsoft 基础类应用程序
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\windows\system32\nefjeq.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
4000"C:\Users\admin\Desktop\dd0s_jbk.exe" C:\Users\admin\Desktop\dd0s_jbk.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
server Microsoft 基础类应用程序
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\dd0s_jbk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
1 204
Read events
1 188
Write events
13
Delete events
3

Modification events

(PID) Process:(3128) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2904) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{4D9A96BB-D5E7-49CD-BA52-83CD595CCDC3}\{0E5D408B-72F0-417F-86B3-022AFD65C447}
Operation:delete keyName:(default)
Value:
(PID) Process:(2904) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{4D9A96BB-D5E7-49CD-BA52-83CD595CCDC3}
Operation:delete keyName:(default)
Value:
Executable files
8
Suspicious files
15
Text files
18
Unknown types
0

Dropped files

PID
Process
Filename
Type
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\客户端.exetext
MD5:B9FFF99E679756ED9E40691BDBA48A09
SHA256:C6AC091342AF3109E20B877555E84C60BED1611C33895A50690087A061733F23
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\Plug\使用帮助说明.txtbinary
MD5:CA0ECC3384464EB68E3E8A03638E735D
SHA256:152696A528030A6D346A37CFBBF40BECE68AC83C717F3FAE0534CAACC5A0A350
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\dat\支持幽灵学院.regbinary
MD5:91231E6EDDB2898DC84B2FDAE8D3477B
SHA256:CD4B0D1E043314A7D1AD1B69DC8B891975C8EA479AB1DB230257C43376CE4C84
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\dat\下载请看.batbinary
MD5:2498D47380B6D6D3C4232F520994CD8C
SHA256:F45DCD5921E4ECA8695BBC9AC69EA193CAB1C091F0CBF97E13C01579A1511C7B
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\Plug\下载请看.batbinary
MD5:9EE1750613469BC785B4DC732476193F
SHA256:AD5E9236371A5091A8ACBE1A3DEF98C4501D2E1C5B6348A8F705121B87258C6A
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\Plug\Mir2binary
MD5:4E77A9559E621930DC0ABA0A761EEE7F
SHA256:8EACACD5ED1160244F74346C078B514E6BB1608D43EF91C6623287130B1EBFCA
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\Plug\LPKbinary
MD5:DE606908AA3FDBA5A15567CFAF3BDBE5
SHA256:B4FCE1863D6B68D2B52E15E82100F192B30300FB272010BDF7B1130C3E94053A
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\Plug\律师声明.txtbinary
MD5:6E072BFC5DF67651C3A97A06B0D7F3F5
SHA256:F2C07BD9803D175A94B84003B39073DF4DBBE84F8CD2BC0D600BC54C9D1E9C89
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\Plug\支持幽灵学院.regbinary
MD5:91231E6EDDB2898DC84B2FDAE8D3477B
SHA256:CD4B0D1E043314A7D1AD1B69DC8B891975C8EA479AB1DB230257C43376CE4C84
3128WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3128.26675\使用帮助说明.txtbinary
MD5:E3D4910779D0BA220488C65D06E5F414
SHA256:26BDAC230CC2CB501C42346C645FC1C53B40E96FA86C93CD8D49930CE1114D5B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
2588
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
万世轮回DDOS-Win集群端6.rar