| File name: | NjRat-Gold-Edition-For-Scool-project-master.zip |
| Full analysis: | https://app.any.run/tasks/60548c6d-5a39-4e4c-94c4-be213587bac0 |
| Verdict: | Malicious activity |
| Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
| Analysis date: | January 07, 2024, 01:11:06 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract |
| MD5: | C1E7E3FF2D8700F5FA43E5F20BFE9F39 |
| SHA1: | BBA014B17A47AA26A72343326A873026AA07A871 |
| SHA256: | 4B7C4524002AB26E034B3EAFB7DD7726763BFC58B0F1BDCAA2AB04E1A0BCC441 |
| SSDEEP: | 98304:j0s3Ju7tMtCimcE5Ec5Fk2VuSku+2A1C+CaJbMXWq3oq7fbh9G59m1d1YjeucCz4:u/Z |
MALICIOUS
NJRAT has been detected (YARA)
- Server.exe (PID: 1900)
SUSPICIOUS
Reads the Internet Settings
- NjRat 0.7D Golden Edition - Rus.exe (PID: 2420)
INFO
SecurityXploded is detected
- WinRAR.exe (PID: 120)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 120)
- NjRat 0.7D Golden Edition - Rus.exe (PID: 2420)
Manual execution by a user
- NjRat 0.7D Golden Edition - Rus.exe (PID: 2420)
- Server.exe (PID: 1900)
Reads the computer name
- NjRat 0.7D Golden Edition - Rus.exe (PID: 2420)
- Server.exe (PID: 1900)
Reads the machine GUID from the registry
- NjRat 0.7D Golden Edition - Rus.exe (PID: 2420)
- Server.exe (PID: 1900)
Reads Environment values
- NjRat 0.7D Golden Edition - Rus.exe (PID: 2420)
Create files in a temporary directory
- NjRat 0.7D Golden Edition - Rus.exe (PID: 2420)
Checks supported languages
- Server.exe (PID: 1900)
- NjRat 0.7D Golden Edition - Rus.exe (PID: 2420)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
NjRat
(PID) Process(1900) Server.exe
C2127.0.0.1
Ports5552
BotnetHacKed
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\Windows Update
Splitter|Hassan|
VersionNjrat 0.7 Golden By Hassan Amiri
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2022:03:25 08:05:12 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | NjRat-Gold-Edition-For-Scool-project-master/ |
Total processes
39
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 120 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\NjRat-Gold-Edition-For-Scool-project-master.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 1900 | "C:\Users\admin\Desktop\Server.exe" | C:\Users\admin\Desktop\Server.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
NjRat(PID) Process(1900) Server.exe C2127.0.0.1 Ports5552 BotnetHacKed Options Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\Windows Update Splitter|Hassan| VersionNjrat 0.7 Golden By Hassan Amiri | |||||||||||||||
| 2420 | "C:\Users\admin\Desktop\NjRat-Gold-Edition-For-Scool-project-master\NjRat 0.7D Golden Edition - Rus.exe" | C:\Users\admin\Desktop\NjRat-Gold-Edition-For-Scool-project-master\NjRat 0.7D Golden Edition - Rus.exe | — | explorer.exe | |||||||||||
User: admin Company: Njrat 0.7d Golden Edition Integrity Level: MEDIUM Description: Njrat 0.7d Golden Edition Exit code: 0 Version: 7.1.0.0 Modules
| |||||||||||||||
Total events
5 792
Read events
5 736
Write events
53
Delete events
3
Modification events
| (PID) Process: | (120) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2420) NjRat 0.7D Golden Edition - Rus.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | NodeSlots |
Value: 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||
Executable files
17
Suspicious files
1
Text files
16
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa120.36190\NjRat-Gold-Edition-For-Scool-project-master\GeoIP.dat | binary | |
MD5:797B96CC417D0CDE72E5C25D0898E95E | SHA256:8A0675001B5BC63D8389FC7ED80B4A7B0F9538C744350F00162533519E106426 | |||
| 120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa120.36190\NjRat-Gold-Edition-For-Scool-project-master\Plugin\mic.dll | executable | |
MD5:1607999C56366FC2096A27A8BD237B98 | SHA256:7D327985D7E4F83ADFFBDF831C1E999C68CB90238790B63260AF19D24BFA66B8 | |||
| 120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa120.36190\NjRat-Gold-Edition-For-Scool-project-master\Plugin\plg.dll | executable | |
MD5:04CB30A874EE349721B0398594DE65FE | SHA256:6F8770A35EC0845226A28DD57C8AE414DC8814A6871BD0BB818BB13CA3B82106 | |||
| 120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa120.36190\NjRat-Gold-Edition-For-Scool-project-master\Plugin\ch.dll | executable | |
MD5:2490EDA5B4450138BA79F39FCC90048A | SHA256:3BC2898DA9CD9E202B7795B330FA3DAFF81A4B02AB4ECFE47FDD712C53252F12 | |||
| 120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa120.36190\NjRat-Gold-Edition-For-Scool-project-master\Plugin\cam.dll | executable | |
MD5:7EBA4D9562BF7FC14F2C1BB142A1AA6F | SHA256:5F00CDA5808E3FD126D452708308DDEE6556CB83ADACCD02EFE83654A40FC641 | |||
| 120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa120.36190\NjRat-Gold-Edition-For-Scool-project-master\Plugin\AntiProcess.dll | executable | |
MD5:B21947A28760750689F46E071D575D07 | SHA256:F643AB116E7BD8515032A502B8700AFB5BDBFC08FC1CAA08817B3061E98B763E | |||
| 120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa120.36190\NjRat-Gold-Edition-For-Scool-project-master\NjRat 0.7D Golden Edition - Rus.exe | executable | |
MD5:8D540934A359A0480DE188A748B3D573 | SHA256:C81D701C3A4D6B7BCAA40F9C92A1BCFDF2F829954CF1CA15556712FBDC792834 | |||
| 120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa120.36190\NjRat-Gold-Edition-For-Scool-project-master\stubs\Mpress.egg | text | |
MD5:F8320B26D30AB433C5A54546D21F414C | SHA256:60A33E6CF5151F2D52EDDAE9685CFA270426AA89D8DBC7DFB854606F1D1A40FE | |||
| 120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa120.36190\NjRat-Gold-Edition-For-Scool-project-master\stubs\Anti.bin | executable | |
MD5:2170473F4F2B81E9B909996B0F459D16 | SHA256:01D0BEDCC943E13E341578423A2FC6848D9F63F1C5800B9A16BD64F65A1FCDDE | |||
| 120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa120.36190\NjRat-Gold-Edition-For-Scool-project-master\Plugin\sc2.dll | executable | |
MD5:9C8B5C9EC7D24EF02C7DF4E589DBA366 | SHA256:F97AADB4D1C59F4B3155A9EC57F91A05700AED38B0090096F8F1E0E7975B6561 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |