| Field | Value |
|---|---|
| File name | Bluetooth discovery protocol.exe |
| Full analysis | https://app.any.run/tasks/70802ee5-0a37-415b-a2cd-b39db0cf410a |
| Verdict | Malicious activity |
| Threats | njRAT is a remote access trojan. It is one of the most widely available RATs on the market and comes with an abundance of educational material; interested attackers can even find tutorials on YouTube. This accessibility has made it one of the most popular RATs in the world. |
| Analysis date | February 12, 2024, 10:08:42 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 | 928C4DB95D7945CDB61E3659011D34A3 |
| SHA1 | 19A882C56D719EAA307A7B866D63B491BAFDA649 |
| SHA256 | 7FB57ABDAA15DC159207E857A41F45D61D1769D52F8D46A098E0D983862497CC |
| SSDEEP | 1536:Uma4Xx/j78E3NhaEigxFhhJhhXyg9J3hGYBBQg/:Umy83VfhhJhhiuJ3sYvQg/ |

| Extension | Type (score) |
|---|---|
| .exe | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
| .exe | Win64 Executable (generic) (21.3) |
| .scr | Windows screen saver (10.1) |
| .dll | Win32 Dynamic Link Library (generic) (5) |
| .exe | Win32 Executable (generic) (3.4) |

| Field | Value |
|---|---|
| MachineType | Intel 386 or later, and compatibles |
| TimeStamp | 2024:02:12 02:29:34+00:00 |
| ImageFileCharacteristics | Executable, 32-bit |
| PEType | PE32 |
| LinkerVersion | 11 |
| CodeSize | 36352 |
| InitializedDataSize | 51200 |
| UninitializedDataSize | - |
| EntryPoint | 0xac6e |
| OSVersion | 4 |
| ImageVersion | - |
| SubsystemVersion | 4 |
| Subsystem | Windows GUI |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3288 | "C:\Users\admin\Desktop\Bluetooth discovery protocol.exe" | C:\Users\admin\Desktop\Bluetooth discovery protocol.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 3660 | netsh firewall add allowedprogram "C:\ProgramData\Bluetooth discovery protocol servises.exe" "Bluetooth discovery protocol servises.exe" ENABLE | C:\Windows\System32\netsh.exe | — | Bluetooth discovery protocol servises.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Network Command Shell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3664 | "C:\ProgramData\Bluetooth discovery protocol servises.exe" | C:\ProgramData\Bluetooth discovery protocol servises.exe | | Bluetooth discovery protocol.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |

| njRAT config | Value |
|---|---|
| (PID) Process | (3664) Bluetooth discovery protocol servises.exe |
| C2 | photography-ringtones.gl.at.ply.gg |
| Ports | 29246 |
| Botnet | Xer |
| Options | Auto-run registry key: Software\Microsoft\Windows\CurrentVersion\Run\e9dbc39bf7d7c86cdeb9bb1f7473e919 |
| Splitter | \|'\|'\| |
| Version | im523 |

| (PID) Process | Key | Operation | Name | Value |
|---|---|---|---|---|
| (3288) Bluetooth discovery protocol.exe | HKEY_CURRENT_USER | write | di | ! |
| (3288) Bluetooth discovery protocol.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
| (3288) Bluetooth discovery protocol.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
| (3288) Bluetooth discovery protocol.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
| (3288) Bluetooth discovery protocol.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0 |
| (3664) Bluetooth discovery protocol servises.exe | HKEY_CURRENT_USER | write | di | ! |
| (3664) Bluetooth discovery protocol servises.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | write | e9dbc39bf7d7c86cdeb9bb1f7473e919 | "C:\ProgramData\Bluetooth discovery protocol servises.exe" .. |
| (3660) netsh.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US |
| (3660) netsh.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | @%SystemRoot%\system32\dhcpqec.dll,-100 | DHCP Quarantine Enforcement Client |
| (3660) netsh.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | @%SystemRoot%\system32\dhcpqec.dll,-101 | Provides DHCP based enforcement for NAP |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3664 | Bluetooth discovery protocol servises.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e9dbc39bf7d7c86cdeb9bb1f7473e919.exe | executable | 928C4DB95D7945CDB61E3659011D34A3 | 7FB57ABDAA15DC159207E857A41F45D61D1769D52F8D46A098E0D983862497CC |
| 3288 | Bluetooth discovery protocol.exe | C:\ProgramData\Bluetooth discovery protocol servises.exe | executable | 928C4DB95D7945CDB61E3659011D34A3 | 7FB57ABDAA15DC159207E857A41F45D61D1769D52F8D46A098E0D983862497CC |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 3664 | Bluetooth discovery protocol servises.exe | 147.185.221.18:29246 | photography-ringtones.gl.at.ply.gg | PLAYIT-GG | US | malicious |

| Domain | IP | Reputation |
|---|---|---|
| photography-ringtones.gl.at.ply.gg | | malicious |

| PID | Process | Class | Message |
|---|---|---|---|
| 1080 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup |
| 3664 | Bluetooth discovery protocol servises.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) |