| File name: | wscript.exe |
| Full analysis: | https://app.any.run/tasks/10d3bc68-2015-4403-a7b2-6dbdd38d3d6e |
| Verdict: | Malicious activity |
| Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
| Analysis date: | January 20, 2024, 19:25:23 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 894E27D44327F16F9562E8B759EF2E34 |
| SHA1: | 5F297FA7B127900E3301970CC88FE9F3553FD20C |
| SHA256: | 95035C92A927AA7137875101433C7AB89D94D59AB92059C749C21A5D9120F1EE |
| SSDEEP: | 3072:HOjcBGjZas4YnDruoVJom1C+cksfVhQuJ:ENiYfuQCWU |
MALICIOUS
Drops the executable file immediately after the start
- wscript.exe (PID: 124)
- wscript.exe (PID: 1308)
- Trojan.exe (PID: 2016)
NjRAT is detected
- Trojan.exe (PID: 2016)
Create files in the Startup directory
- Trojan.exe (PID: 2016)
Changes the autorun value in the registry
- Trojan.exe (PID: 2016)
SUSPICIOUS
Process drops legitimate windows executable
- wscript.exe (PID: 124)
- wscript.exe (PID: 1308)
- Trojan.exe (PID: 2016)
Application launched itself
- wscript.exe (PID: 124)
- Trojan.exe (PID: 2072)
Executable content was dropped or overwritten
- wscript.exe (PID: 1308)
- Trojan.exe (PID: 2016)
Starts itself from another location
- wscript.exe (PID: 1308)
Reads the Internet Settings
- wscript.exe (PID: 1308)
Uses NETSH.EXE to add a firewall rule or allowed programs
- Trojan.exe (PID: 2016)
INFO
Checks supported languages
- wscript.exe (PID: 124)
- wscript.exe (PID: 1308)
- Trojan.exe (PID: 2072)
- Trojan.exe (PID: 2016)
Reads the computer name
- wscript.exe (PID: 124)
- wscript.exe (PID: 1308)
- Trojan.exe (PID: 2072)
- Trojan.exe (PID: 2016)
Reads the machine GUID from the registry
- wscript.exe (PID: 124)
- wscript.exe (PID: 1308)
- Trojan.exe (PID: 2072)
- Trojan.exe (PID: 2016)
Create files in a temporary directory
- wscript.exe (PID: 1308)
- Trojan.exe (PID: 2016)
Creates files or folders in the user directory
- Trojan.exe (PID: 2016)
- Trojan.exe (PID: 2072)
Reads Environment values
- Trojan.exe (PID: 2016)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (21.3) |
| .scr | | | Windows screen saver (10.1) |
| .dll | | | Win32 Dynamic Link Library (generic) (5) |
| .exe | | | Win32 Executable (generic) (3.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2014:03:02 02:50:47+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 144384 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x25308 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 5.8.7601.18283 |
| ProductVersionNumber: | 5.8.7601.18283 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Microsoft Corporation |
| FileDescription: | Microsoft ® Windows Based Script Host |
| FileVersion: | 5.8.7601.18283 |
| InternalName: | wscript.exe |
| LegalCopyright: | © Microsoft Corporation. All rights reserved. |
| OriginalFileName: | wscript.exe |
| ProductName: | Microsoft ® Windows Script Host |
| ProductVersion: | 5.8.7601.18283 |
Total processes
39
Monitored processes
5
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 124 | "C:\Users\admin\Desktop\wscript.exe" | C:\Users\admin\Desktop\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7601.18283 Modules
| |||||||||||||||
| 316 | netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE | C:\Windows\System32\netsh.exe | — | Trojan.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1308 | C:\Users\admin\Desktop\wscript.exe | C:\Users\admin\Desktop\wscript.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7601.18283 Modules
| |||||||||||||||
| 2016 | C:\Users\admin\AppData\Local\Temp\Trojan.exe | C:\Users\admin\AppData\Local\Temp\Trojan.exe | Trojan.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7601.18283 Modules
| |||||||||||||||
| 2072 | "C:\Users\admin\AppData\Local\Temp\Trojan.exe" | C:\Users\admin\AppData\Local\Temp\Trojan.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7601.18283 Modules
| |||||||||||||||
Total events
1 940
Read events
1 880
Write events
60
Delete events
0
Modification events
| (PID) Process: | (1308) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1308) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1308) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1308) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (316) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2016) Trojan.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | 5cd8f17f4086744065eb0992a09e05a2 |
Value: "C:\Users\admin\AppData\Local\Temp\Trojan.exe" .. | |||
Executable files
2
Suspicious files
2
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2072 | Trojan.exe | C:\Users\admin\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new | binary | |
MD5:498BD9D892F9BA17057705539967CFEF | SHA256:F8F01F4DB44FD337BCF09ECDF9CBEB97B987F7B6F1DF5A0E019EDBC8EE2D7334 | |||
| 2072 | Trojan.exe | C:\Users\admin\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch | binary | |
MD5:498BD9D892F9BA17057705539967CFEF | SHA256:F8F01F4DB44FD337BCF09ECDF9CBEB97B987F7B6F1DF5A0E019EDBC8EE2D7334 | |||
| 1308 | wscript.exe | C:\Users\admin\AppData\Local\Temp\Trojan.exe | executable | |
MD5:894E27D44327F16F9562E8B759EF2E34 | SHA256:95035C92A927AA7137875101433C7AB89D94D59AB92059C749C21A5D9120F1EE | |||
| 2016 | Trojan.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | executable | |
MD5:894E27D44327F16F9562E8B759EF2E34 | SHA256:95035C92A927AA7137875101433C7AB89D94D59AB92059C749C21A5D9120F1EE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |