| File name: | dds.rar |
| Full analysis: | https://app.any.run/tasks/2c1f644b-0b64-4f5a-a0e0-71530139c66a |
| Verdict: | Malicious activity |
| Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
| Analysis date: | April 16, 2024, 22:54:28 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | AB3EFAA1F43CF97E1E855F1F9225B531 |
| SHA1: | FAFFA35DBF0536CB61E0F06752EBDA87D8D88B76 |
| SHA256: | 1CF476BF6C70C72EB73DF35EBB56AE9113DFE863F53839B6CA51B7FE3B90A32A |
| SSDEEP: | 1536:a/q2DGmU3VOu11Dui/4R48JdO8sY7HsbAsfJrhDx:a/ecu11SSu4qhHhsfJ9V |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 2068)
- Server1111.exe (PID: 2192)
- server.exe (PID: 1736)
- Server (2).exe (PID: 3780)
- svchost.exe (PID: 4084)
- detect.exe (PID: 548)
NjRAT is detected
- Server1111.exe (PID: 2192)
- server.exe (PID: 1736)
- tete1.exe (PID: 1504)
- Server (2).exe (PID: 3780)
- svchost.exe (PID: 4084)
- server.exe (PID: 1604)
- detect.exe (PID: 548)
Changes the autorun value in the registry
- svchost.exe (PID: 4084)
- server.exe (PID: 1604)
- Server (2).exe (PID: 3780)
- detect.exe (PID: 548)
Create files in the Startup directory
- Server (2).exe (PID: 3780)
- svchost.exe (PID: 4084)
- detect.exe (PID: 548)
NJRAT has been detected (YARA)
- Server (2).exe (PID: 3780)
- tete1.exe (PID: 1504)
- server.exe (PID: 1604)
- svchost.exe (PID: 4084)
- detect.exe (PID: 548)
SUSPICIOUS
Creates file in the systems drive root
- WinRAR.exe (PID: 2068)
The process creates files with name similar to system file names
- WinRAR.exe (PID: 2068)
Reads security settings of Internet Explorer
- server.exe (PID: 1736)
- Server1111.exe (PID: 2192)
Executable content was dropped or overwritten
- server.exe (PID: 1736)
- Server1111.exe (PID: 2192)
- svchost.exe (PID: 4084)
- Server (2).exe (PID: 3780)
- detect.exe (PID: 548)
Reads the Internet Settings
- Server1111.exe (PID: 2192)
- server.exe (PID: 1736)
Starts itself from another location
- server.exe (PID: 1736)
- Server1111.exe (PID: 2192)
Uses NETSH.EXE to add a firewall rule or allowed programs
- Server (2).exe (PID: 3780)
- svchost.exe (PID: 4084)
- tete1.exe (PID: 1504)
- server.exe (PID: 1604)
- detect.exe (PID: 548)
Connects to unusual port
- Server (2).exe (PID: 3780)
- tete1.exe (PID: 1504)
- svchost.exe (PID: 4084)
- detect.exe (PID: 548)
INFO
Checks supported languages
- server.exe (PID: 1736)
- Server (2).exe (PID: 3780)
- Server1111.exe (PID: 2192)
- svchost.exe (PID: 4084)
- tete1.exe (PID: 1504)
- detect.exe (PID: 548)
- server.exe (PID: 1604)
Manual execution by a user
- server.exe (PID: 1736)
- Server1111.exe (PID: 2192)
- Server (2).exe (PID: 3780)
- tete1.exe (PID: 1504)
- svchost.exe (PID: 4084)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 2068)
Create files in a temporary directory
- server.exe (PID: 1736)
- Server1111.exe (PID: 2192)
Reads the computer name
- Server1111.exe (PID: 2192)
- server.exe (PID: 1736)
- svchost.exe (PID: 4084)
- Server (2).exe (PID: 3780)
- tete1.exe (PID: 1504)
- detect.exe (PID: 548)
- server.exe (PID: 1604)
Reads the machine GUID from the registry
- server.exe (PID: 1736)
- Server1111.exe (PID: 2192)
- Server (2).exe (PID: 3780)
- tete1.exe (PID: 1504)
- svchost.exe (PID: 4084)
- detect.exe (PID: 548)
- server.exe (PID: 1604)
Creates files or folders in the user directory
- svchost.exe (PID: 4084)
- Server (2).exe (PID: 3780)
- detect.exe (PID: 548)
Reads Environment values
- tete1.exe (PID: 1504)
- Server (2).exe (PID: 3780)
- server.exe (PID: 1604)
- detect.exe (PID: 548)
- svchost.exe (PID: 4084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
NjRat
(PID) Process(3780) Server (2).exe
C2pepito1337.hopto.org
Ports3000
Botnetd1
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\d80b60fd415c385c20d192d942bfcd81
Splitter|'|'|
Version0.7d
(PID) Process(1504) tete1.exe
C2pepito1337.hopto.org
Ports3000
Botnetasd1
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\a9a91d2e35a696af41d3a5cac7cdeca8
Splitter|'|'|
Version0.7d
(PID) Process(1604) server.exe
C2127.0.0.1
Ports3045
BotnetHacKed
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\acf263b9d2fca5560e61376c23af7cc8
Splitter|'|'|
Version0.7d
(PID) Process(4084) svchost.exe
C2pepito1337.hopto.org
Ports3000
Botnet1337
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\93adab7f5ac1532204ea9421de9ebf2e
Splitter|'|'|
Version0.7d
(PID) Process(548) detect.exe
C2searchwin.ddns.net
Ports3045
BotnetHacKed
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\7ae147c5a862d761abd85c91b64cecec
Splitter|'|'|
Version0.7d
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
56
Monitored processes
13
Malicious processes
7
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 548 | "C:\Users\admin\AppData\Local\Temp\detect.exe" | C:\Users\admin\AppData\Local\Temp\detect.exe | Server1111.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
NjRat(PID) Process(548) detect.exe C2searchwin.ddns.net Ports3045 BotnetHacKed Options Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\7ae147c5a862d761abd85c91b64cecec Splitter|'|'| Version0.7d | |||||||||||||||
| 1504 | "C:\Users\admin\Desktop\dds\tete1.exe" | C:\Users\admin\Desktop\dds\tete1.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
NjRat(PID) Process(1504) tete1.exe C2pepito1337.hopto.org Ports3000 Botnetasd1 Options Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\a9a91d2e35a696af41d3a5cac7cdeca8 Splitter|'|'| Version0.7d | |||||||||||||||
| 1604 | "C:\Users\admin\AppData\Local\Temp\server.exe" | C:\Users\admin\AppData\Local\Temp\server.exe | server.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
NjRat(PID) Process(1604) server.exe C2127.0.0.1 Ports3045 BotnetHacKed Options Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\acf263b9d2fca5560e61376c23af7cc8 Splitter|'|'| Version0.7d | |||||||||||||||
| 1736 | "C:\Users\admin\Desktop\dds\server.exe" | C:\Users\admin\Desktop\dds\server.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2068 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\dds.rar | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2192 | "C:\Users\admin\Desktop\dds\Server1111.exe" | C:\Users\admin\Desktop\dds\Server1111.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2652 | netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\detect.exe" "detect.exe" ENABLE | C:\Windows\System32\netsh.exe | — | detect.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3248 | netsh firewall add allowedprogram "C:\Users\admin\Desktop\dds\tete1.exe" "tete1.exe" ENABLE | C:\Windows\System32\netsh.exe | — | tete1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3492 | netsh firewall add allowedprogram "C:\Users\admin\Desktop\dds\svchost.exe" "svchost.exe" ENABLE | C:\Windows\System32\netsh.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3588 | netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE | C:\Windows\System32\netsh.exe | — | server.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
16 123
Read events
15 429
Write events
694
Delete events
0
Modification events
| (PID) Process: | (2068) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (2068) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (2068) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2068) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (2068) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2068) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (2068) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\dds.rar | |||
| (PID) Process: | (2068) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2068) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2068) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
10
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2068 | WinRAR.exe | C:\Users\admin\Desktop\dds\tete1.exe | executable | |
MD5:— | SHA256:— | |||
| 2068 | WinRAR.exe | C:\Users\admin\Desktop\dds\Server (2).exe | executable | |
MD5:— | SHA256:— | |||
| 2068 | WinRAR.exe | C:\Users\admin\Desktop\dds\server.exe | executable | |
MD5:— | SHA256:— | |||
| 2068 | WinRAR.exe | C:\Users\admin\Desktop\dds\Server1111.exe | executable | |
MD5:— | SHA256:— | |||
| 2068 | WinRAR.exe | C:\Users\admin\Desktop\dds\svchost.exe | executable | |
MD5:— | SHA256:— | |||
| 1736 | server.exe | C:\Users\admin\AppData\Local\Temp\server.exe | executable | |
MD5:— | SHA256:— | |||
| 2192 | Server1111.exe | C:\Users\admin\AppData\Local\Temp\detect.exe | executable | |
MD5:— | SHA256:— | |||
| 3780 | Server (2).exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d80b60fd415c385c20d192d942bfcd81.exe | executable | |
MD5:— | SHA256:— | |||
| 4084 | svchost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93adab7f5ac1532204ea9421de9ebf2e.exe | executable | |
MD5:— | SHA256:— | |||
| 548 | detect.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ae147c5a862d761abd85c91b64cecec.exe | executable | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
240
DNS requests
6
Threats
10
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1504 | tete1.exe | 141.95.84.40:3000 | pepito1337.hopto.org | OVH SAS | FR | malicious |
4084 | svchost.exe | 141.95.84.40:3000 | pepito1337.hopto.org | OVH SAS | FR | malicious |
3780 | Server (2).exe | 141.95.84.40:3000 | pepito1337.hopto.org | OVH SAS | FR | malicious |
548 | detect.exe | 186.123.151.110:3045 | searchwin.ddns.net | Techtel LMDS Comunicaciones Interactivas S.A. | AR | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
pepito1337.hopto.org |
| malicious |
searchwin.ddns.net |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1080 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.hopto .org |
1080 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.hopto .org |
1080 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.hopto .org |
1080 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
— | — | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) |
1080 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.hopto .org |
1080 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.hopto .org |
3 ETPRO signatures available at the full report