| File name: | njRAT-v0.6.4.zip |
| Full analysis: | https://app.any.run/tasks/a8952620-d2bc-4ecf-a48e-4d95287c3dbb |
| Verdict: | Malicious activity |
| Threats: | njRAT is a remote access trojan. It is one of the most widely available RATs, with abundant educational material (attackers can even find tutorials on YouTube), which has made it one of the most popular RATs in the world. |
| Analysis date: | March 07, 2024, 20:09:36 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | 3CCCE9D87CE9EA751ABEA094D1639D0A |
| SHA1: | 427867B229E02869AC68DE3A605998A585AD6A80 |
| SHA256: | 5FF121C57E4A2F2F75E4985660C9666A44B39EF2549B29B3A4D6A1E06E6E3F65 |
| SSDEEP: | 49152:pmRkTADhN5ulDigt8pri+kxs9/z/pH+3h:pmRulu48p2VU/z/S |
| .zip | ZIP compressed archive (100) |
|---|---|
| ZipRequiredVersion: | 10 |
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2013:09:27 11:10:20 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | njRAT-v0.6.4/ (directory entry, hence no CRC or sizes) |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1888 | netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\windows.exe" "windows.exe" ENABLE | C:\Windows\System32\netsh.exe | — | windows.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Network Command Shell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 1928 | "C:\Users\admin\AppData\Local\Temp\windows.exe" | C:\Users\admin\AppData\Local\Temp\windows.exe | | njq8.exe |
| | User: admin; Integrity Level: HIGH; Exit code: 0 | | | |
| | njRAT configuration extracted from windows.exe (PID 1928): C2 zaaptoo.zapto.org, port 1177, botnet "HacKed", auto-run registry key Software\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20, splitter \|'\|'\|, version 0.6.4 | | | |
| 2420 | "C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\njRAT.exe" | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\njRAT.exe | | explorer.exe |
| | User: admin; Company: njq8; Integrity Level: HIGH; Description: njRAT; Exit code: 1; Version: 0.6.4.0 | | | |
| 2792 | "C:\njq8.exe" | C:\njq8.exe | | njRAT.exe |
| | User: admin; Integrity Level: HIGH; Exit code: 0 | | | |
| 3180 | "C:\njRAT.exe" | C:\njRAT.exe | — | njRAT.exe |
| | User: admin; Company: njq8; Integrity Level: HIGH; Description: njRAT; Exit code: 1; Version: 0.6.4.0 | | | |
| 3956 | "C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\njRAT.exe" | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\njRAT.exe | — | explorer.exe |
| | User: admin; Company: njq8; Integrity Level: MEDIUM; Description: njRAT; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the builder demands administrator rights, and the later launch as PID 2420 ran at HIGH integrity); Version: 0.6.4.0 | | | |
| 3980 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\System32\taskmgr.exe | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Task Manager; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 4052 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\njRAT-v0.6.4.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe |
| | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0 | | | |
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 4052 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | write | |
| 4052 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | write | |
| 4052 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList | write | en-US |
| 4052 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 3 | write | C:\Users\admin\Desktop\phacker.zip |
| 4052 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | write | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| 4052 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | write | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip |
| 4052 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | write | C:\Users\admin\Desktop\njRAT-v0.6.4.zip |
| 4052 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | write | 120 |
| 4052 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | write | 80 |
| 4052 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | write | 120 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\Plugin\Mic.dll | executable | F4A19D968FF6F5AF1601B97F1756D6E3 | FDE583027A692D210E8F1F73667FA0037705128ADE8BBFBC9B780F019EAD6672 |
| 4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\NAudio.dll | executable | 422193AABD3D62275B2B98470279D9F2 | CD9709BF1C7396F6FE3684B5177FA0890C706CA82E2B98BA58E8D8383632A3C8 |
| 4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\Plugin\pw.dll | executable | DB87DAF76C15F3808CEC149F639AA64F | A3E4BEE1B6944AA9266BD58DE3F534A4C1896DF621881A5252A0D355A6E67C70 |
| 4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\njRAT.exe | executable | 0431311B5F024D6E66B90D59491F2563 | FD624AA205517580E83FAD7A4CE4D64863E95F62B34AC72647B1974A52822199 |
| 2792 | njq8.exe | C:\Users\admin\AppData\Local\Temp\windows.exe | executable | EDC4F10A5E164DB64BF79ECA207F2749 | CE6421107031175F39E61D3BCC5A98D1D94190E250034E27CDBEBBADCBA084A4 |
| 4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\Stub.manifest | xml | 4D18AC38A92D15A64E2B80447B025B7E | 835A00D6E7C43DB49AE7B3FA12559F23C2920B7530F4D3F960FD285B42B1EFB5 |
| 4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\Plugin\cam.dll | executable | 0A1CA904B3D688C01F4E5FAAE811922B | B02C56D29447690CDAFD8F2F6877D526D1F6EFCAAE74017719C460D9B3EE38B8 |
| 4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\Mono.Cecil.dll | executable | 851EC9D84343FBD089520D420348A902 | CDADC26C09F869E21053EE1A0ACF3B2D11DF8EDD599FE9C377BD4D3CE1C9CDA9 |
| 1928 | windows.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecc7c8c51c0850c1ec247c7fd3602f20.exe | executable | EDC4F10A5E164DB64BF79ECA207F2749 | CE6421107031175F39E61D3BCC5A98D1D94190E250034E27CDBEBBADCBA084A4 |
| 4052 | WinRAR.exe | C:\Users\admin\Desktop\njRAT-v0.6.4\njRAT-v0.6.4\Plugin\fm.dll | executable | 51C2EE936DED2E55F8BCC8CBA6E3B330 | F132324ACF09C0562A1CAD1288BFB4021BD991659126D21ECB9499938BF6ACB3 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| — | — | 224.0.0.252:5355 | — | — | — | unknown |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| Domain | IP | Reputation |
|---|---|---|
| zaaptoo.zapto.org | | unknown |
| PID | Process | Class | Message |
|---|---|---|---|
| 1080 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.zapto .org |
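The behaviours this report records for the windows.exe payload (PID 1928) are the ones worth turning into detections: a child netsh.exe (PID 1888) adding a firewall exception for its own parent image under the user's Temp directory, an auto-run value under Software\Microsoft\Windows\CurrentVersion\Run named with a 32-hex identifier, a copy of the payload carrying the same identifier and the same SHA256 (CE6421107031175F39E61D3BCC5A98D1D94190E250034E27CDBEBBADCBA084A4, identical to the windows.exe dropped by njq8.exe) written to the Startup folder, and a DNS query for the dynamic-DNS host zaaptoo.zapto.org that Suricata flagged. The script below is an added example, not code from ANY.RUN or from njRAT, that runs those checks over a constructed event stream mirroring the report and correlates them (same identifier in both persistence locations, same binary at two paths). Its field names (type, pid, ppid, image, cmdline, key, data, path, sha256, query), the HKCU hive and value data for the Run entry, the explorer.exe PID 1400 and the benign noise events are assumptions; the dynamic-DNS zones other than zapto.org and the `netsh advfirewall` syntax go beyond what the report shows.

```python
# Added example: hunt for the njRAT behaviours shown in this report in endpoint telemetry.
# Event records are constructed to mirror the report; field names, the HKCU hive,
# the Run value data and the explorer.exe PID 1400 are assumptions.
import re
from collections import defaultdict

# Paths a legitimate installer would not whitelist in the host firewall.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
# Legacy syntax seen in the report plus the modern advfirewall form (assumed extension).
NETSH_LEGACY = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)
NETSH_ADV = re.compile(
    r'netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)
# njRAT names its Run value and its Startup-folder copy after one 32-hex identifier.
HEX32_RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([0-9a-f]{32})$", re.I)
HEX32_STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\([0-9a-f]{32})\.exe$", re.I)
# zapto.org is the zone in the report; the rest are other well-known dynamic-DNS zones.
DYNDNS_SUFFIXES = (".zapto.org", ".no-ip.org", ".no-ip.biz", ".hopto.org", ".ddns.net", ".duckdns.org")


def allowed_program(cmdline):
    """Return the program path a netsh firewall-exception command whitelists, else None."""
    for pattern in (NETSH_LEGACY, NETSH_ADV):
        m = pattern.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def analyze(events):
    """Return (rule, pid, detail) findings for one host's process/registry/file/DNS events."""
    findings = []
    image_of = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    writers_by_hash = defaultdict(set)  # sha256 -> {(pid, path)}, to spot self-copies
    run_ids, startup_ids = {}, {}

    for e in events:
        if e["type"] == "process":
            prog = allowed_program(e["cmdline"])
            if prog is None:
                continue
            if USER_WRITABLE.search(prog):
                findings.append(("netsh_allow_user_writable", e["pid"], prog))
            # In the report windows.exe whitelists itself through a child netsh.exe.
            if prog.lower() == image_of.get(e["ppid"], "").lower():
                findings.append(("netsh_allow_parent_image", e["pid"], prog))
        elif e["type"] == "registry":
            m = HEX32_RUN_KEY.search(e["key"])
            if m:
                run_ids[m.group(1).lower()] = e["pid"]
                findings.append(("run_key_hex32_name", e["pid"], m.group(1)))
        elif e["type"] == "file":
            writers_by_hash[e["sha256"].lower()].add((e["pid"], e["path"].lower()))
            m = HEX32_STARTUP.search(e["path"])
            if m:
                startup_ids[m.group(1).lower()] = e["pid"]
                findings.append(("startup_hex32_name", e["pid"], m.group(1)))
        elif e["type"] == "dns":
            query = e["query"].lower().rstrip(".")
            if query.endswith(DYNDNS_SUFFIXES):
                findings.append(("dyndns_query", e["pid"], query))

    # Correlations no single event shows: one identifier used for both persistence
    # mechanisms, and one binary written to two paths (dropper -> Temp -> Startup).
    for ident in run_ids.keys() & startup_ids.keys():
        findings.append(("dual_persistence_same_id", run_ids[ident], ident))
    for digest, writers in writers_by_hash.items():
        if len({path for _, path in writers}) > 1:
            findings.append(("same_binary_multiple_paths", max(pid for pid, _ in writers), digest))
    return findings


def rules_fired(events):
    return {rule for rule, _, _ in analyze(events)}


TEMP_EXE = r"C:\Users\admin\AppData\Local\Temp\windows.exe"
STARTUP_EXE = (r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
               r"\Startup\ecc7c8c51c0850c1ec247c7fd3602f20.exe")
PAYLOAD_SHA256 = "CE6421107031175F39E61D3BCC5A98D1D94190E250034E27CDBEBBADCBA084A4"  # from the report
SAMPLE_EVENTS = [  # constructed to mirror the report's process tree, drops, Run key and DNS query
    {"type": "process", "pid": 2792, "ppid": 2420, "image": r"C:\njq8.exe", "cmdline": r'"C:\njq8.exe"'},
    {"type": "file", "pid": 2792, "path": TEMP_EXE, "sha256": PAYLOAD_SHA256},
    {"type": "process", "pid": 1928, "ppid": 2792, "image": TEMP_EXE, "cmdline": f'"{TEMP_EXE}"'},
    {"type": "process", "pid": 1888, "ppid": 1928, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{TEMP_EXE}" "windows.exe" ENABLE'},
    {"type": "registry", "pid": 1928, "data": TEMP_EXE,  # hive and data assumed
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20"},
    {"type": "file", "pid": 1928, "path": STARTUP_EXE, "sha256": PAYLOAD_SHA256},
    {"type": "dns", "pid": 1080, "query": "zaaptoo.zapto.org"},
    # benign activity the rules must ignore
    {"type": "process", "pid": 4052, "ppid": 1400, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\njRAT-v0.6.4.zip"'},
    {"type": "registry", "pid": 4052, "key": r"HKCU\Software\WinRAR\ArcHistory", "data": "0"},
    {"type": "dns", "pid": 1080, "query": "download.windowsupdate.com"},
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Run as a script it prints the seven findings for the constructed stream; to use it on real hosts, feed Sysmon event IDs 1 (process creation), 11 (file creation), 13 (registry value set) and 22 (DNS query) into the same record shape. On this sandbox run the lookup for zaaptoo.zapto.org returned no address and no connection to port 1177 appears in the network table, so the only network signal available is the dynamic-DNS query itself, which is exactly what the Suricata rule above fires on.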