Analysis Overview
SHA256
89f5228a44831406867a425dd8315bea802df8fadb84c3add2e4e30f0d739cb2
Threat Level: Known bad
The file BO2 Destiny CRAK By Nice Tutorial.rar was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Obfuscated with Agile.Net obfuscator
Drops startup file
Adds Run key to start application
Drops autorun.inf file
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-03 01:20
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-03 01:20
Reported
2024-09-03 01:22
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fffdfaa66ba1e7c60e37f984374eb2b4.exe | C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fffdfaa66ba1e7c60e37f984374eb2b4.exe | C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fffdfaa66ba1e7c60e37f984374eb2b4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\BO2 Destiny CRAK By Nice Tutorial.exe\" .." | C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fffdfaa66ba1e7c60e37f984374eb2b4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\BO2 Destiny CRAK By Nice Tutorial.exe\" .." | C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe | N/A |
| File created | D:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
Note: all three rows are reads by netsh.exe itself, which enumerates its registered helper DLLs under HKLM\SOFTWARE\Microsoft\NetSh every time it starts. They are a side effect of the firewall command listed under Processes, not evidence that the sample registered a helper DLL; a genuine T1546.007 hit would show a value being set under that key by the sample.
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Note: the SCSI enumeration and the Local Settings class key are attributed to taskmgr.exe ("taskmgr.exe" /4 under Processes), not to the sample, and carry no detection value against it.
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1400 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe | C:\Windows\SYSTEM32\netsh.exe |
| PID 1400 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe | C:\Windows\SYSTEM32\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe
"C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe"
C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe" "BO2 Destiny CRAK By Nice Tutorial.exe" ENABLE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
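The behavioral1 signatures and the netsh command line above form a single persistence chain: the sample whitelists its own path in the Windows Firewall, writes a Run value under both HKCU and HKLM in njRAT's characteristic form of the quoted path followed by a space and `..` (the report renders it with escaped quotes and backslashes), drops an executable into the user's Startup folder and writes autorun.inf to drive roots. The Python below is an added example, not part of this report or of the sandbox's own rules: it triages Sysmon-style host events for that chain and only returns the high-confidence verdict when the firewall exception and the `..` Run value name the same binary. The event dictionary layout is an assumption; the paths are copied from the rows above; handling of the newer `netsh advfirewall` syntax goes beyond what this sample used.

```python
"""Added example (not from the report): triage host events for the njRAT persistence chain."""
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]
Finding = Tuple[str, str]

# Legacy syntax used by this sample: netsh firewall add allowedprogram <path> <name> ENABLE
_LEGACY_ALLOW = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+"?([^"]+?\.exe)"?', re.I)
# Current syntax: netsh advfirewall firewall add rule ... action=allow ... program=<path>
_ADVFW_RULE = re.compile(r"netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b", re.I)
_ADVFW_PROGRAM = re.compile(r'\bprogram=(?:"([^"]+)"|(\S+))', re.I)
# njRAT writes its Run value as the quoted path, a space and ".."
_NJRAT_RUN_DATA = re.compile(r'^"([^"]+\.exe)" \.\.$')
_RUN_KEY = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
_STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
_ROOT_AUTORUN = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.I)


def firewall_allow_target(cmdline: str) -> Optional[str]:
    """Return the program a netsh command whitelists through the firewall, else None."""
    m = _LEGACY_ALLOW.search(cmdline)
    if m:
        return m.group(1)
    if _ADVFW_RULE.search(cmdline) and re.search(r"\baction=allow\b", cmdline, re.I):
        m = _ADVFW_PROGRAM.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def njrat_run_target(data: str) -> Optional[str]:
    """Return the executable from an njRAT-style Run value ('"<path>" ..'), else None."""
    m = _NJRAT_RUN_DATA.match(data)
    return m.group(1) if m else None


def triage(events: List[Event]) -> List[Finding]:
    """Map raw events to (rule, path) findings; events that match nothing are dropped."""
    findings: List[Finding] = []
    for ev in events:
        if ev["type"] == "process_create":
            target = firewall_allow_target(ev["cmdline"])
            if target:
                findings.append(("firewall_allow", target))
        elif ev["type"] == "registry_set" and _RUN_KEY.search(ev["key"]):
            target = njrat_run_target(ev["data"])
            findings.append(("njrat_run_key", target) if target else ("run_key", ev["data"]))
        elif ev["type"] == "file_create":
            if _STARTUP_EXE.search(ev["path"]):
                findings.append(("startup_drop", ev["path"]))
            elif _ROOT_AUTORUN.match(ev["path"]):
                findings.append(("autorun_inf", ev["path"]))
    return findings


def verdict(findings: List[Finding]) -> str:
    """High confidence only when the firewall exception and the '..' Run value name the same binary."""
    rules = {r for r, _ in findings}
    allowed = {p.lower() for r, p in findings if r == "firewall_allow"}
    run = {p.lower() for r, p in findings if r == "njrat_run_key"}
    if allowed & run and "startup_drop" in rules:
        return "njrat_persistence"
    if rules & {"firewall_allow", "njrat_run_key", "autorun_inf"}:
        return "suspicious"
    return "clean"


# Constructed sample events modelled on the behavioral1 rows; paths are copied from the report,
# the dict layout is an assumption, and the last event is benign noise that must not match.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe"
EVENTS: List[Event] = [
    {"type": "process_create", "image": r"C:\Windows\SYSTEM32\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{SAMPLE}" "BO2 Destiny CRAK By Nice Tutorial.exe" ENABLE'},
    {"type": "registry_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fffdfaa66ba1e7c60e37f984374eb2b4",
     "data": f'"{SAMPLE}" ..'},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fffdfaa66ba1e7c60e37f984374eb2b4.exe"},
    {"type": "file_create", "path": r"D:\autorun.inf"},
    {"type": "file_create", "path": r"C:\Windows\Temp\benign.log"},
]

if __name__ == "__main__":
    for rule, path in triage(EVENTS):
        print(f"{rule:15} {path}")
    print("verdict:", verdict(triage(EVENTS)))
```

The correlation in `verdict` is the part worth keeping in a real rule set: a firewall exception on its own is common in legitimate installers, and a Startup-folder drop on its own is noisy, but the same user-writable Temp path appearing in the firewall exception and in a Run value ending in ` ..` is specific to this family.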
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
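Of the 33 DNS rows above, the in-addr.arpa entries are reverse lookups of addresses the guest contacted and can be discarded as environment noise; the remaining 24 rows all resolve GoogleChromeServer.ddns.net, a hostname under the free dynamic-DNS zone ddns.net that the sample re-queries throughout the 150-second run, consistent with a RAT reconnect loop (the report itself does not label it as C2). The Python below is an added example, not part of the report: it parses a table in this page's format, drops reverse lookups, and flags names that sit under a dynamic-DNS zone or are queried repeatedly. The zone list and the repeat threshold are assumptions, and the windowsupdate row in the sample table is a constructed benign control that does not appear in the report.

```python
"""Added example (not from the report): pull C2-rendezvous candidates out of a sandbox Network table."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Free dynamic-DNS zones commonly abused by commodity RATs. Assumption: extend for your environment.
DYNAMIC_DNS_ZONES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org",
                     "zapto.org", "duckdns.org", "dynu.com")

Row = Dict[str, str]
Finding = Tuple[str, int, List[str]]


def parse_network_table(text: str) -> List[Row]:
    """Parse the '| Country | Destination | Domain | Proto |' table used in this report."""
    rows: List[Row] = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue  # header, blank or non-table line
        rows.append(dict(zip(("country", "dst", "domain", "proto"), cells)))
    return rows


def is_reverse_lookup(name: str) -> bool:
    """PTR queries are the guest resolving addresses it talked to, not names the sample chose."""
    n = name.lower().rstrip(".")
    return n.endswith(".in-addr.arpa") or n.endswith(".ip6.arpa")


def dynamic_dns_zone(name: str) -> Optional[str]:
    """Return the dynamic-DNS zone a hostname sits under, or None."""
    n = name.lower().rstrip(".")
    for zone in DYNAMIC_DNS_ZONES:
        if n == zone or n.endswith("." + zone):
            return zone
    return None


def summarize(rows: List[Row], repeat_threshold: int = 5) -> List[Finding]:
    """Count forward lookups per name; report names under a dynamic-DNS zone or re-queried often."""
    counts = Counter(r["domain"].lower().rstrip(".") for r in rows
                     if not is_reverse_lookup(r["domain"]))
    findings: List[Finding] = []
    for name, n in counts.most_common():
        reasons: List[str] = []
        zone = dynamic_dns_zone(name)
        if zone:
            reasons.append(f"dynamic-dns:{zone}")
        if n >= repeat_threshold:
            reasons.append(f"repeated:{n}")
        if reasons:
            findings.append((name, n, reasons))
    return findings


# Constructed sample in the report's table format: three of its PTR rows, one benign control row
# (ctldl.windowsupdate.com, not in the report) and the 24 GoogleChromeServer.ddns.net rows it lists.
SAMPLE_TABLE = (
    "| Country | Destination | Domain | Proto |\n"
    "| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |\n"
    "| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |\n"
    "| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |\n"
    "| US | 8.8.8.8:53 | ctldl.windowsupdate.com | udp |\n"
    + "| US | 8.8.8.8:53 | GoogleChromeServer.ddns.net | udp |\n" * 24
)

if __name__ == "__main__":
    for name, n, reasons in summarize(parse_network_table(SAMPLE_TABLE)):
        print(f"{name}  queries={n}  {', '.join(reasons)}")
```

Repeated re-resolution of one name inside a short detonation is itself a useful signal even without a zone list: a client that connects once caches the answer, whereas a RAT that cannot reach its server keeps asking.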
Files
memory/1400-0-0x00007FFDDAEC5000-0x00007FFDDAEC6000-memory.dmp
memory/1400-1-0x000000001BC60000-0x000000001BD06000-memory.dmp
memory/1400-2-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
memory/1400-3-0x000000001C1E0000-0x000000001C6AE000-memory.dmp
memory/1400-4-0x000000001C7A0000-0x000000001C83C000-memory.dmp
memory/1400-5-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
memory/1400-6-0x000000001BBE0000-0x000000001BBE8000-memory.dmp
memory/1400-7-0x000000001C900000-0x000000001C94C000-memory.dmp
memory/1400-8-0x000000001C9C0000-0x000000001CA26000-memory.dmp
memory/1400-9-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
memory/1400-10-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
memory/1400-11-0x000000001C8E0000-0x000000001C8F0000-memory.dmp
memory/1400-12-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
memory/1400-13-0x00007FFDDAEC5000-0x00007FFDDAEC6000-memory.dmp
memory/1400-14-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
memory/1400-15-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
F:\svchost.exe (written to the root of drive F:, the same volume that received F:\autorun.inf above)
| MD5 | 0334d91acae1fd486041114e1412a5c5 |
| SHA1 | 913f48c32a9ee734475638e0830f038cfa0abd9f |
| SHA256 | f5d807a8dd24d15bb164528e7141f2daa80f3464e3e1f3b5088ec5829cc40f99 |
| SHA512 | 227b3a1ef30f00d065c042d5a11c5f8c4a0f27aab4dda452a52dcd7e90b5d91584642abac0fbcdf0bdc3111cd86e4cb7f2f95e383fdbcb5699ac3747459ef192 |
memory/1400-25-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
memory/1400-26-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
memory/1400-27-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
memory/2604-28-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
memory/2604-30-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
memory/2604-29-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
memory/2604-37-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
memory/2604-38-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
memory/2604-40-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
memory/2604-39-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
memory/2604-36-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
memory/2604-35-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
memory/2604-34-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-03 01:20
Reported
2024-09-03 01:22
Platform
win10v2004-20240802-en
Max time kernel
126s
Max time network
128s
Command Line
Signatures
None triggered in this run, which loads MetroFramework.dll (extracted beside the sample executable) through rundll32 ordinal #1.
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MetroFramework.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4208,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-03 01:20
Reported
2024-09-03 01:22
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
148s
Command Line
Signatures
None triggered in this run, which loads PS3Lib.dll (extracted beside the sample executable) through rundll32 ordinal #1.
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PS3Lib.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |