| Field | Value |
|---|---|
| File name: | patch.exe |
| Full analysis: | https://app.any.run/tasks/049dab26-643f-488a-9543-23ae77636072 |
| Verdict: | Malicious activity |
| Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market, with an abundance of educational material available; would-be attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world. |
| Analysis date: | July 20, 2024, 16:19:55 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 6EE5F36D22FD78BFE00EA7528336DF0C |
| SHA1: | A43C74AAACF783A3DF5DD00F4C847639C76AC5B9 |
| SHA256: | 09F16DD7B31711BC7AB2DC82489C4B4BAC4EB957FB24DD91CCAA44709B0CD707 |
| SSDEEP: | 49152:PX6zDHF2y/roKOKqdHoy07LjCpA9jxLQ3PPOn2TqaQkjUeu8LdvJ5L2ctO9xHiSI:PR |
| Extension | Identified type (score) |
|---|---|
| .exe | Generic CIL Executable (.NET, Mono, etc.) (55.8) |
| .exe | Win64 Executable (generic) (21) |
| .scr | Windows screen saver (9.9) |
| .dll | Win32 Dynamic Link Library (generic) (5) |
| .exe | Win32 Executable (generic) (3.4) |
| Property | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2012:10:07 23:50:07+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 46592 |
| InitializedDataSize: | 15360 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xd532 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileDescription: | exeBase |
| FileVersion: | 1.0.0.0 |
| InternalName: | exeBase.exe |
| LegalCopyright: | Copyright © 2012 |
| OriginalFileName: | exeBase.exe |
| ProductName: | exeBase |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 1164 | "C:\Windows\System32\cmd.exe" /c copy "C:/Users/admin/AppData/Local/Temp/lsass.exe" "%temp%\FolderN\name.exe" /Y | C:\Windows\System32\cmd.exe | — | lsass.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1804 | netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\tmp.exe" "tmp.exe" ENABLE | C:\Windows\System32\netsh.exe | — | tmp.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Network Command Shell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2020 | "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f | C:\Windows\System32\cmd.exe | — | lsass.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2060 | patch.exe | C:\Users\admin\Desktop\patch.exe | — | cmd.exe | User: admin; Integrity Level: MEDIUM; Description: exeBase; Version: 1.0.0.0 |
| 2180 | "C:\Users\admin\AppData\Local\Temp\Patch.exe" | C:\Users\admin\AppData\Local\Temp\Patch.exe | — | patch.exe | User: admin; Integrity Level: HIGH; Description: exeBase; Version: 1.0.0.0 |
| 2704 | "C:\Windows\system32\cmd.exe" | C:\Windows\System32\cmd.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 3221225786; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2712 | patch.exe //help | C:\Users\admin\Desktop\patch.exe | — | cmd.exe | User: admin; Integrity Level: MEDIUM; Description: exeBase; Version: 1.0.0.0 |
| 2916 | "C:\Users\admin\AppData\Local\Temp\tmp.exe" | C:\Users\admin\AppData\Local\Temp\tmp.exe | | lsass.exe | User: admin; Integrity Level: HIGH |
| 2920 | "C:\Users\admin\AppData\Local\Temp\.exe" | C:\Users\admin\AppData\Local\Temp\.exe | | lsass.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: MSBuild.exe; Exit code: 0; Version: 4.8.3761.0 built by: NET48REL1 |
| 3280 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |

Extracted njRAT configuration (PID 2916, tmp.exe):

| Field | Value |
|---|---|
| C2 | 109.236.87.41 |
| Ports | 443 |
| Botnet | HacKed-AC |
| Auto-run registry key | Software\Microsoft\Windows\CurrentVersion\Run\fa495dcf7cb214091a14210574f2c6ff |
| Splitter | \|'\|'\| |
| Version | 0.7d |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 4028 | patch.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
| 4028 | patch.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1 |
| 4028 | patch.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1 |
| 4028 | patch.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0 |
| 3328 | lsass.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
| 3328 | lsass.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1 |
| 3328 | lsass.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1 |
| 3328 | lsass.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0 |
| 3820 | reg.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows | Load | C:\Users\admin\AppData\Local\Temp\FolderN\name.exe.lnk |
| 2916 | tmp.exe | write | HKEY_CURRENT_USER | di | ! |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3632 | cmd.exe | C:\Users\admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | text | 130A75A932A2FE57BFEA6A65B88DA8F6 | F2B79CAE559D6772AFC1C2ED9468988178F8B6833D5028A15DEA73CE47D0196E |
| 3328 | lsass.exe | C:\Users\admin\AppData\Local\Temp\tmp.exe | executable | 10D1A363E59E985F5DEF1E864035602E | FB0328B3A5331C05DD2E15F239EB13344825D98F1CFECE70DB5A9C04BBD3EE8B |
| 4028 | patch.exe | C:\Users\admin\AppData\Local\Temp\lsass.exe | executable | 293EF24A61017A0FEBEA13FDA57CBB5C | 0261B322F9669A754116F3CB391489413B97B31994DC55CB5BC17EBBA1AE3DB5 |
| 3328 | lsass.exe | C:\Users\admin\AppData\Local\Temp\.exe | executable | C1BE61F3DE532751D6C1A35B851B0367 | D94E9EA7DCE3DD4760F48356F14A986EA1FC8F1C84864105BF815A32284296AB |
| 3328 | lsass.exe | C:\Users\admin\AppData\Local\Temp\FolderN\name.exe.lnk | binary | B7F2CFEC6823A438DBA7530A8F4AE648 | 612F6D646DAAA368D40443AB894042EBB8B93AC485658E78682731BAD9AB52CC |
| 4028 | patch.exe | C:\Users\admin\AppData\Local\Temp\Patch.exe | executable | 403468A6CA25096AC6265A238B59B9FE | 0AD775F16E43EB1CEE6CF35BB63FD6145009F9A67A25E6EB2419C82FE8DAF57F |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1372 | svchost.exe | GET | 304 | 217.20.56.42:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | — | — | whitelisted |
| 1060 | svchost.exe | GET | 304 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75 | unknown | — | — | whitelisted |
| 1372 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 1372 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| — | — | 224.0.0.252:5355 | — | — | — | whitelisted |
| — | — | 239.255.255.250:3702 | — | — | — | whitelisted |
| — | — | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 1060 | svchost.exe | 224.0.0.252:5355 | — | — | — | whitelisted |
| 1372 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
| 1372 | svchost.exe | 217.20.56.42:80 | ctldl.windowsupdate.com | — | US | unknown |
| 1372 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
| 1372 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
| Domain | IP | Reputation |
|---|---|---|
| google.com | — | whitelisted |
| settings-win.data.microsoft.com | — | whitelisted |
| ctldl.windowsupdate.com | — | whitelisted |
| crl.microsoft.com | — | whitelisted |
| www.microsoft.com | — | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 2916 | tmp.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) |

The same alert was raised 10 times for PID 2916 during the analysis.
| Process | Message |
|---|---|
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll |
| notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
| notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3 |
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe |
| notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
| notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3 |
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll |
| notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
| notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3 |
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe |