Malware Analysis Report

2024-08-06 14:48

Sample ID 240617-wdrjmasbkn
Target b93ab92ae78f48fc913cb97e7e6e89a1_JaffaCakes118
SHA256 35e9a600576c02110e577a51b41a0df596126ccd260c9aa2210e2390e99ff776
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

35e9a600576c02110e577a51b41a0df596126ccd260c9aa2210e2390e99ff776

Threat Level: Known bad

The file b93ab92ae78f48fc913cb97e7e6e89a1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Nanocore family

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-17 17:48

Signatures

Nanocore family

nanocore

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 17:48

Reported

2024-06-17 17:51

Platform

win10v2004-20240508-en

Max time kernel

80s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Bunifu_UI_v1.5.3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Bunifu_UI_v1.5.3.dll,#1

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-17 17:48

Reported

2024-06-17 17:51

Platform

win7-20240508-en

Max time kernel

119s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\HtmlAgilityPack.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\HtmlAgilityPack.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-17 17:48

Reported

2024-06-17 17:51

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\HtmlAgilityPack.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\HtmlAgilityPack.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-17 17:48

Reported

2024-06-17 17:51

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\xNet.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\xNet.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-17 17:48

Reported

2024-06-17 17:51

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\xNet.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\xNet.dll,#1

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-17 17:48

Reported

2024-06-17 17:51

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DDP Host\ddphost.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A
File opened for modification C:\Program Files (x86)\DDP Host\ddphost.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4512 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 4512 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 4512 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 4512 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 4512 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 4512 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe

"C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5B3F.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5BCD.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
N/A 127.0.0.1:54984 tcp
NL 52.111.243.31:443 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp

Files

memory/4512-0-0x0000000074822000-0x0000000074823000-memory.dmp

memory/4512-1-0x0000000074820000-0x0000000074DD1000-memory.dmp

memory/4512-2-0x0000000074820000-0x0000000074DD1000-memory.dmp

memory/4512-5-0x0000000074820000-0x0000000074DD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5B3F.tmp

MD5 9b41f89f066c08039443859eab9b59dc
SHA1 2b136b1fa13669ff9c3500f9606c0cdac3c3491d
SHA256 8dded6ae15400906482f70c954d69b8fae3e5fa4ce2024159747293c7a370c42
SHA512 14bef00beb49bb6703275dcf1c856ee6f5f3ba474c3b51d1af7432a814c3d0cc8c409d6229e3e26aaa08532decf3ffeab9d27c620c76f51ccc8b42543536246b

C:\Users\Admin\AppData\Local\Temp\tmp5BCD.tmp

MD5 2271642ca970891700e3f48439739ed8
SHA1 cd472df2349f7db9e1e460d0ee28acd97b8a8793
SHA256 7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68
SHA512 4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807

memory/4512-11-0x0000000074820000-0x0000000074DD1000-memory.dmp

memory/4512-12-0x0000000074822000-0x0000000074823000-memory.dmp

memory/4512-13-0x0000000074820000-0x0000000074DD1000-memory.dmp

memory/4512-14-0x0000000074820000-0x0000000074DD1000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-17 17:48

Reported

2024-06-17 17:51

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Newtonsoft.Json.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-17 17:48

Reported

2024-06-17 17:51

Platform

win10v2004-20240611-en

Max time kernel

94s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
BE 2.17.107.112:443 www.bing.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 112.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-17 17:48

Reported

2024-06-17 17:51

Platform

win7-20240611-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host = "C:\\Program Files (x86)\\ISS Host\\isshost.exe" C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ISS Host\isshost.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A
File opened for modification C:\Program Files (x86)\ISS Host\isshost.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 2384 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 2384 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 2384 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 2384 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 2384 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 2384 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 2384 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe

"C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Fortnite Checker TeamzPAZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "ISS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFD9.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "ISS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1066.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp
US 8.8.8.8:53 maxhasminipp.ddns.net udp

Files

memory/2384-0-0x0000000074471000-0x0000000074472000-memory.dmp

memory/2384-1-0x0000000074470000-0x0000000074A1B000-memory.dmp

memory/2384-2-0x0000000074470000-0x0000000074A1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFD9.tmp

MD5 9b41f89f066c08039443859eab9b59dc
SHA1 2b136b1fa13669ff9c3500f9606c0cdac3c3491d
SHA256 8dded6ae15400906482f70c954d69b8fae3e5fa4ce2024159747293c7a370c42
SHA512 14bef00beb49bb6703275dcf1c856ee6f5f3ba474c3b51d1af7432a814c3d0cc8c409d6229e3e26aaa08532decf3ffeab9d27c620c76f51ccc8b42543536246b

C:\Users\Admin\AppData\Local\Temp\tmp1066.tmp

MD5 3d1580c0395f6de62659467f5b7f1acf
SHA1 8e73a3885896cecca7ff799a272fc9ddfe06ea96
SHA256 6f40196c42a171f24a3e16edeca664cdc5a2f7c150d468255b0e14ab10a2b714
SHA512 7637c0d9b03227dffcb00a68d97ddce60bfc40ca0f8a7a4bbd700ea56be6d570908511dea5cab9f609a7da2e558e5298c482fd1e330af085f9c52867d5a847ea

memory/2384-10-0x0000000074470000-0x0000000074A1B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 17:48

Reported

2024-06-17 17:51

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Bunifu_UI_v1.5.3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\Bunifu_UI_v1.5.3.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-17 17:48

Reported

2024-06-17 17:51

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\MailKit.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\MailKit.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
BE 88.221.83.234:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 234.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-17 17:48

Reported

2024-06-17 17:51

Platform

win7-20240611-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\MailKit.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamzPAZ\MailKit.dll,#1

Network

N/A

Files

N/A