Malware analysis NjRat-0.7D-Danger-Edition-main.7z Malicious activity

Add for printing

File name:	NjRat-0.7D-Danger-Edition-main.7z
Full analysis:	https://app.any.run/tasks/41386db1-6f66-4dd3-9774-88416d95e6ff
Verdict:	Malicious activity
Analysis date:	August 05, 2024, 10:40:01
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	BC1B18C0D46C1BEEE7603F1629AEAF97
SHA1:	0CB8D5EBF32D8CCFF35C553CD745C5A51CF8680D
SHA256:	4A0D9EB6B910990F4243CB94B7A7B3F27CA452263984F2FF92A64E905BBBA597
SSDEEP:	98304:SvKMZudyTrbKWS60juAdHjuEiq4BA6YgLMxTa1Nz/6sHfZ/4XEEXkX1Z8MhXYdBA:J9xOD+gHYswXPCPQc6WJ5DvxqsF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - NjRat 0.7D Danger Edition .exe (PID: 3028)
  - WinRAR.exe (PID: 6460)
  - system47.exe (PID: 6244)
- Runs injected code in another process
  - MicrosoftEdgeUpdateTaskMachineUAC.COM (PID: 4280)
- Known privilege escalation attack
  - dllhost.exe (PID: 6264)
- Uses Task Scheduler to autorun other applications
  - system47.exe (PID: 6244)
- Application was injected by another process
  - dllhost.exe (PID: 3032)
- Scans artifacts that could help determine the target
  - dw20.exe (PID: 6280)
- XWORM has been detected (YARA)
  - MicrosoftEdgeUpdateTaskMachineUACS.exe (PID: 6296)
SUSPICIOUS
- The process creates files with name similar to system file names
  - WinRAR.exe (PID: 6460)
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 6460)
- Executable content was dropped or overwritten
  - NjRat 0.7D Danger Edition .exe (PID: 3028)
  - system47.exe (PID: 6244)
- Reads security settings of Internet Explorer
  - NjRat 0.7D Danger Edition .exe (PID: 3028)
  - system47.exe (PID: 4784)
  - system47.exe (PID: 6244)
- Reads the date of Windows installation
  - NjRat 0.7D Danger Edition .exe (PID: 3028)
  - system47.exe (PID: 4784)
  - system47.exe (PID: 6244)
  - dw20.exe (PID: 6280)
- Probably UAC bypass using CMSTP.exe (Connection Manager service profile)
  - system47.exe (PID: 4784)
- Starts application with an unusual extension
  - system47.exe (PID: 6244)
- Runs shell command (SCRIPT)
  - mshta.exe (PID: 3520)
- Uses TASKKILL.EXE to kill process
  - mshta.exe (PID: 3520)
- Connects to unusual port
  - MicrosoftEdgeUpdateTaskMachineUACS.exe (PID: 6296)
- Executes application which crashes
  - NjRat 0.7D Danger Edition.exe (PID: 7084)
INFO
- Manual execution by a user
  - NjRat 0.7D Danger Edition .exe (PID: 3028)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6460)
- Reads the computer name
  - NjRat 0.7D Danger Edition .exe (PID: 3028)
  - system47.exe (PID: 4784)
  - NjRat 0.7D Danger Edition.exe (PID: 7084)
  - system47.exe (PID: 6244)
  - MicrosoftEdgeUpdateTaskMachineUACS.exe (PID: 6296)
  - dw20.exe (PID: 6280)
  - MicrosoftEdgeUpdateTaskMachineUAC.COM (PID: 4280)
- Reads the machine GUID from the registry
  - NjRat 0.7D Danger Edition .exe (PID: 3028)
  - system47.exe (PID: 4784)
  - NjRat 0.7D Danger Edition.exe (PID: 7084)
  - system47.exe (PID: 6244)
  - MicrosoftEdgeUpdateTaskMachineUACS.exe (PID: 6296)
  - dw20.exe (PID: 6280)
- Create files in a temporary directory
  - NjRat 0.7D Danger Edition .exe (PID: 3028)
- Checks supported languages
  - NjRat 0.7D Danger Edition .exe (PID: 3028)
  - system47.exe (PID: 4784)
  - NjRat 0.7D Danger Edition.exe (PID: 7084)
  - system47.exe (PID: 6244)
  - MicrosoftEdgeUpdateTaskMachineUAC.COM (PID: 4280)
  - MicrosoftEdgeUpdateTaskMachineUACS.exe (PID: 6296)
  - dw20.exe (PID: 6280)
- Process checks computer location settings
  - NjRat 0.7D Danger Edition .exe (PID: 3028)
  - system47.exe (PID: 4784)
  - system47.exe (PID: 6244)
  - dw20.exe (PID: 6280)
- Checks transactions between databases Windows and Oracle
  - cmstp.exe (PID: 7156)
- Disables trace logs
  - cmstp.exe (PID: 7156)
  - MicrosoftEdgeUpdateTaskMachineUACS.exe (PID: 6296)
- Creates files in the program directory
  - dllhost.exe (PID: 6264)
  - dw20.exe (PID: 6280)
- Reads Internet Explorer settings
  - mshta.exe (PID: 3520)
- Reads the software policy settings
  - MicrosoftEdgeUpdateTaskMachineUACS.exe (PID: 6296)
  - dw20.exe (PID: 6280)
- Reads Environment values
  - MicrosoftEdgeUpdateTaskMachineUACS.exe (PID: 6296)
  - dw20.exe (PID: 6280)
- Checks proxy server information
  - MicrosoftEdgeUpdateTaskMachineUACS.exe (PID: 6296)
  - dw20.exe (PID: 6280)
- Reads CPU info
  - dw20.exe (PID: 6280)
- Reads product name
  - dw20.exe (PID: 6280)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

XWorm

(PID) Process(6296) MicrosoftEdgeUpdateTaskMachineUACS.exe

C267iwnduNNk0l2tXU26CE+bcrkHoGEEq1sKUig1K15uT9rdM5I1WifHuL5X9LuT6k:%IP%

Keys

AES%Port%

Options

SplitterWmmfFV/uWsBOUM/NC8qRoQ==

USB drop nameV1H0rGCW+PxNOMqVLxNGLw==

Mutex2

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

152

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

208

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7084 -s 1400

C:\Windows\SysWOW64\WerFault.exe

—

NjRat 0.7D Danger Edition.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

1248

"C:\Windows\System32\taskkill.exe" /IM cmstp.exe /F

C:\Windows\System32\taskkill.exe

—

mshta.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2132

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

2180

"C:\Windows\System32\schtasks.exe" /Create /F /TN "MicrosoftEdgeUpdateTaskMachineUACT" /SC ONLOGON /TR "C:\WINDOWS\System32\MicrosoftEdgeUpdateTaskMachineUACT.exe" /RL HIGHEST

C:\Windows\System32\schtasks.exe

—

system47.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2256

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

3028

"C:\Users\admin\Desktop\NjRat-0.7D-Danger-Edition-main\NjRat-0.7D-Danger-Edition-main\NjRat 0.7D Danger Edition .exe"

C:\Users\admin\Desktop\NjRat-0.7D-Danger-Edition-main\NjRat-0.7D-Danger-Edition-main\NjRat 0.7D Danger Edition .exe

explorer.exe

User:

admin

Company:

CTRIK BY Fransesco

Integrity Level:

MEDIUM

Description:

CTRIK BY Fransesco

Exit code:

Version:

0.0.0.7

Modules

Images
c:\users\admin\desktop\njrat-0.7d-danger-edition-main\njrat-0.7d-danger-edition-main\njrat 0.7d danger edition .exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

3032

C:\Windows\System32\dllhost.exe /Processid:{88021b08-9e50-4fdf-9c9e-282c35c542ec}

C:\Windows\System32\dllhost.exe

winlogon.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

COM Surrogate

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

3520

mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""taskkill /IM cmstp.exe /F"", 0, true:close")

C:\Windows\System32\mshta.exe

—

dllhost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft (R) HTML Application host

Exit code:

Version:

11.00.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shlwapi.dll

4280

"C:\WINDOWS\System32\MicrosoftEdgeUpdateTaskMachineUAC.COM"

C:\Windows\System32\MicrosoftEdgeUpdateTaskMachineUAC.COM

—

system47.exe

User:

admin

Integrity Level:

HIGH

Description:

Exit code:

Version:

0.0.0.0

Modules

Images
c:\windows\system32\microsoftedgeupdatetaskmachineuac.com
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

4784

"C:\Users\admin\AppData\Local\Temp\system47.exe"

C:\Users\admin\AppData\Local\Temp\system47.exe

—

NjRat 0.7D Danger Edition .exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\system47.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

18 072

Read events

17 979

Write events

Delete events

Modification events


(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\NjRat-0.7D-Danger-Edition-main.7z
(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3028) NjRat 0.7D Danger Edition .exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3028) NjRat 0.7D Danger Edition .exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6460	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6460.24522\NjRat-0.7D-Danger-Edition-main\NjRat-0.7D-Danger-Edition-main\Stub.il		text
		MD5:ABE394D9D5139FF9C586AA7DDDC97E68	SHA256:78A156FE7E6900ECE45FDD25516C0F9FFEB2083EF3D62685F189FB5EF5A9A0A5
6460	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6460.24522\NjRat-0.7D-Danger-Edition-main\NjRat-0.7D-Danger-Edition-main\Settings.ini		text
		MD5:332F4072F2109E4D81F2701C2387B186	SHA256:17F547710BF4FEFB27FF4470E0F78089C4888567EEC25380E136D9FDE1E02276
6460	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6460.24522\NjRat-0.7D-Danger-Edition-main\NjRat-0.7D-Danger-Edition-main\README.md		text
		MD5:8534DD747DCDB85C71E09335A77FB864	SHA256:2A22A243D39A4DBCDED00B51D0B3C009F34A8FDEAD14BDAA8E2FEB23F5F73FE1
6460	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6460.24522\NjRat-0.7D-Danger-Edition-main\NjRat-0.7D-Danger-Edition-main\ER\Apraircam.dll		text
		MD5:CC795C9C4A83AA1EDE067F96F1EB8D15	SHA256:37D23694738615464BE8A3234BCC59592987432C8863DB67E30385B8BB3EF450
6460	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6460.24522\NjRat-0.7D-Danger-Edition-main\NjRat-0.7D-Danger-Edition-main\Stub.manifest		xml
		MD5:4D18AC38A92D15A64E2B80447B025B7E	SHA256:835A00D6E7C43DB49AE7B3FA12559F23C2920B7530F4D3F960FD285B42B1EFB5
6460	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6460.24522\NjRat-0.7D-Danger-Edition-main\NjRat-0.7D-Danger-Edition-main\ER\Bipe.dll		text
		MD5:4992E2814A8597FB20B5282E568A032D	SHA256:C1C8AFDE84694F203EBB49766454CE17179E32C06A0BBDD272BF598C0D9B7C0E
6460	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6460.24522\NjRat-0.7D-Danger-Edition-main\NjRat-0.7D-Danger-Edition-main\ER\dcr.dll		text
		MD5:1CBC3A2F81D4259E3BF61249711FEC81	SHA256:6A207F770478D59DA0D2AA43A9719EF05B3F85C8C700400746CA3AB0463D08F0
6460	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6460.24522\NjRat-0.7D-Danger-Edition-main\NjRat-0.7D-Danger-Edition-main\Plugin\pw.rar		compressed
		MD5:6D59194C555D6878BCB82EBBA07AD076	SHA256:3B45B9A4541D8EB282EFB8CF55DD5070B89B7FE7AC520C79901CA1B14DF60E9D
6460	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6460.24522\NjRat-0.7D-Danger-Edition-main\NjRat-0.7D-Danger-Edition-main\GeoIP.dat		binary
		MD5:797B96CC417D0CDE72E5C25D0898E95E	SHA256:8A0675001B5BC63D8389FC7ED80B4A7B0F9538C744350F00162533519E106426
6460	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6460.24522\NjRat-0.7D-Danger-Edition-main\NjRat-0.7D-Danger-Edition-main\ER\Abrier.dll		text
		MD5:5514B7E5A95E10C6D37278BB973651B2	SHA256:ED0AA6ECBB2D5D6EF3B8431D13D4562D89C2E1C88636C22DBBBBEA81E32F913D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1344	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6804	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6832	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
5388	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3164	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5388	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5336	SearchApp.exe	2.23.209.141:443	www.bing.com	Akamai International B.V.	GB	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
3260	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.184.238	whitelisted
www.bing.com	2.23.209.141 2.23.209.150 2.23.209.153 2.23.209.154 2.23.209.148 2.23.209.143 2.23.209.140 2.23.209.142 2.23.209.155	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
login.live.com	20.190.159.2 20.190.159.0 20.190.159.23 40.126.31.73 20.190.159.73 40.126.31.69 20.190.159.68 20.190.159.4	whitelisted
th.bing.com	2.23.209.168 2.23.209.167 2.23.209.156 2.23.209.169 2.23.209.155 2.23.209.160 2.23.209.162 2.23.209.158 2.23.209.166	whitelisted
fd.api.iris.microsoft.com	20.103.156.88	whitelisted
arc.msn.com	20.223.35.26	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Misc activity	ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
6296	MicrosoftEdgeUpdateTaskMachineUACS.exe	Misc activity	ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
2256	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.theworkpc .com Domain
6296	MicrosoftEdgeUpdateTaskMachineUACS.exe	Not Suspicious Traffic	INFO [ANY.RUN] Image hosting service ImgBB
2256	svchost.exe	Not Suspicious Traffic	ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
6296	MicrosoftEdgeUpdateTaskMachineUACS.exe	Not Suspicious Traffic	ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
2256	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.bounceme .net

Add for printing

No debug info

General Info

NjRat-0.7D-Danger-Edition-main.7z

BC1B18C0D46C1BEEE7603F1629AEAF97

0CB8D5EBF32D8CCFF35C553CD745C5A51CF8680D

4A0D9EB6B910990F4243CB94B7A7B3F27CA452263984F2FF92A64E905BBBA597

98304:SvKMZudyTrbKWS60juAdHjuEiq4BA6YgLMxTa1Nz/6sHfZ/4XEEXkX1Z8MhXYdBA:J9xOD+gHYswXPCPQc6WJ5DvxqsF

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Runs injected code in another process

Known privilege escalation attack

Uses Task Scheduler to autorun other applications

Application was injected by another process

Scans artifacts that could help determine the target

XWORM has been detected (YARA)

SUSPICIOUS

The process creates files with name similar to system file names

Process drops legitimate windows executable

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the date of Windows installation

Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

Starts application with an unusual extension

Runs shell command (SCRIPT)

Uses TASKKILL.EXE to kill process

Connects to unusual port

Executes application which crashes

INFO

Manual execution by a user

Executable content was dropped or overwritten

Reads the computer name

Reads the machine GUID from the registry

Create files in a temporary directory

Checks supported languages

Process checks computer location settings

Checks transactions between databases Windows and Oracle

Disables trace logs

Creates files in the program directory

Reads Internet Explorer settings

Reads the software policy settings

Reads Environment values

Checks proxy server information

Reads CPU info

Reads product name

Malware configuration

XWorm

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity