| File name: | Roblx Cheats .exe |
| Full analysis: | https://app.any.run/tasks/ed213109-7f1b-4892-9f10-659e055d984c |
| Verdict: | Malicious activity |
| Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
| Analysis date: | December 02, 2023, 13:56:51 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 82D5D2D666446A7DF24D9824AF9884B8 |
| SHA1: | 1BEF21FC971110F52AE801DDDE2EBC27A50A60A7 |
| SHA256: | 0383785DEB9DB9CC6A87F7B511C8D855FAB95DB937611F3DBF33393B2EF6A345 |
| SSDEEP: | 384:7GaqtREU9twsodxOvC4XeK99KjGn2pssIJqqah0I8ZumTG3IBL+EcoinblneHQM+:UtREWmOvbXe8IGnLJqqiD8ZuSNuzfcI |
MALICIOUS
Create files in the Startup directory
- Roblx Cheats .exe (PID: 3976)
Drops the executable file immediately after the start
- Roblx Cheats .exe (PID: 3976)
NjRAT is detected
- Roblx Cheats .exe (PID: 3976)
Connects to the CnC server
- Roblx Cheats .exe (PID: 3976)
Changes the autorun value in the registry
- Roblx Cheats .exe (PID: 3976)
NJRAT has been detected (SURICATA)
- Roblx Cheats .exe (PID: 3976)
NJRAT has been detected (YARA)
- Roblx Cheats .exe (PID: 3976)
SUSPICIOUS
Uses NETSH.EXE to add a firewall rule or allowed programs
- Roblx Cheats .exe (PID: 3976)
Connects to unusual port
- Roblx Cheats .exe (PID: 3976)
INFO
Checks supported languages
- Roblx Cheats .exe (PID: 3976)
- wmpnscfg.exe (PID: 2528)
Reads the computer name
- Roblx Cheats .exe (PID: 3976)
- wmpnscfg.exe (PID: 2528)
Reads the machine GUID from the registry
- Roblx Cheats .exe (PID: 3976)
Creates files or folders in the user directory
- Roblx Cheats .exe (PID: 3976)
Reads Environment values
- Roblx Cheats .exe (PID: 3976)
Manual execution by a user
- wmpnscfg.exe (PID: 2528)
- WINWORD.EXE (PID: 1036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
NjRat
(PID) Process(3976) Roblx Cheats .exe
C245.153.230.56
Ports25264
BotnetHacKed
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\73fcd7a7907fbbeafe1fb23fee56d70d
Splitter|'|'|
Versionim523
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (21.3) |
| .scr | | | Windows screen saver (10.1) |
| .dll | | | Win32 Dynamic Link Library (generic) (5) |
| .exe | | | Win32 Executable (generic) (3.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:12:02 09:31:07+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 35840 |
| InitializedDataSize: | 1536 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xabbe |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
43
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1036 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\someonexml.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 1584 | netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\Roblx Cheats .exe" "Roblx Cheats .exe" ENABLE | C:\Windows\System32\netsh.exe | — | Roblx Cheats .exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2528 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3976 | "C:\Users\admin\AppData\Local\Temp\Roblx Cheats .exe" | C:\Users\admin\AppData\Local\Temp\Roblx Cheats .exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
NjRat(PID) Process(3976) Roblx Cheats .exe C245.153.230.56 Ports25264 BotnetHacKed Options Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\73fcd7a7907fbbeafe1fb23fee56d70d Splitter|'|'| Versionim523 | |||||||||||||||
Total events
3 404
Read events
3 135
Write events
126
Delete events
143
Modification events
| (PID) Process: | (1584) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3976) Roblx Cheats .exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | 73fcd7a7907fbbeafe1fb23fee56d70d |
Value: "C:\Users\admin\AppData\Local\Temp\Roblx Cheats .exe" .. | |||
| (PID) Process: | (1036) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (1036) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1041 |
Value: On | |||
| (PID) Process: | (1036) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1046 |
Value: On | |||
| (PID) Process: | (1036) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1036 |
Value: On | |||
| (PID) Process: | (1036) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1031 |
Value: On | |||
| (PID) Process: | (1036) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1040 |
Value: On | |||
| (PID) Process: | (1036) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1049 |
Value: On | |||
| (PID) Process: | (1036) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 3082 |
Value: On | |||
Executable files
2
Suspicious files
6
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1036 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREBFA.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 1036 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary | |
MD5:4816F2AE3D5A0B00BF612C5356098FEF | SHA256:C0DFF851A50C52D894DA0A5E9C32B12E8E169585BF5EAD09AE8451B3E146491A | |||
| 3976 | Roblx Cheats .exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73fcd7a7907fbbeafe1fb23fee56d70d.exe | executable | |
MD5:82D5D2D666446A7DF24D9824AF9884B8 | SHA256:0383785DEB9DB9CC6A87F7B511C8D855FAB95DB937611F3DBF33393B2EF6A345 | |||
| 1036 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:83E3EE4D0885000AFFE07DA4410FD556 | SHA256:00B08D0A4D2337AB9F3C3643E5FC4A05717AE6F88F8014D609696217A89C6340 | |||
| 1036 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8F757C56-3EF9-478A-A3E1-D63C2D47A36D}.tmp | binary | |
MD5:0423AC80DE4FC8AEBBE921149F6D64ED | SHA256:CD17F5513E946E716A1D0FF2186130970A08AA14BA806FEBE4539FD5F215B977 | |||
| 1036 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\someonexml.rtf.LNK | binary | |
MD5:BA00F758595819B17778467D5499F1BB | SHA256:C40326B743B190C7E94D2FE57C895BF64FF7466D4BF009195278724B76903BF7 | |||
| 1036 | WINWORD.EXE | C:\Users\admin\Desktop\~$meonexml.rtf | binary | |
MD5:5960D9981ACF575A495521C86EA71AD0 | SHA256:1E3A4173FCF8CC753262CF23F1D583A368EA4F93B4BF6F3876DFD85C2AD8784E | |||
| 1036 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{673A5A7C-6C95-4EA1-865F-D1E638ABCCE1}.tmp | binary | |
MD5:5D4D94EE7E06BBB0AF9584119797B23A | SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 | |||
| 1036 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2022D4E0-3696-4293-9C87-6518C92A162F}.tmp | binary | |
MD5:5259D03A4E37A4241F2B630A79EACC9D | SHA256:01FBABD3360D0DEC483960F08BF798FB839A7D0E5B0F0A95D8FD0E55B8C9BBD6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
0
Threats
18
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
3976 | Roblx Cheats .exe | 45.153.230.56:25264 | — | MIRholding B.V. | DE | malicious |
DNS requests
Threats
PID | Process | Class | Message |
|---|---|---|---|
3976 | Roblx Cheats .exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) |
3976 | Roblx Cheats .exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop) |
3976 | Roblx Cheats .exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |
3976 | Roblx Cheats .exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |
3976 | Roblx Cheats .exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |
3976 | Roblx Cheats .exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |
3976 | Roblx Cheats .exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |
3976 | Roblx Cheats .exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |
3976 | Roblx Cheats .exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |
3976 | Roblx Cheats .exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |
5 ETPRO signatures available at the full report