| File name: | دمج سيرفر نجرات مع برنامج.exe |
| Full analysis: | https://app.any.run/tasks/59d12af0-fa04-414b-9685-f6f55e3f4df8 |
| Verdict: | Malicious activity |
| Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
| Analysis date: | January 09, 2024, 01:14:12 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 6F252B813CA2B87F88E198CAA10A3E9D |
| SHA1: | 95EFC6E7E600A181201D81F3380AF49C0C943376 |
| SHA256: | AC342799FF94CAF70B9269EAC129C07CF17A9C6C5BB7CE69A171ABE6B039423C |
| SSDEEP: | 12288:pMSXXEY20NRiWwrVdghMSXXEY20NRiWwrV:lHEY20NRBwrVdgdHEY20NRBwrV |
MALICIOUS
NJRAT has been detected (YARA)
- دمج سيرفر نجرات مع برنامج.exe (PID: 128)
Starts NET.EXE for service management
- powershell.exe (PID: 2384)
Runs injected code in another process
- powershell.exe (PID: 2384)
Changes powershell execution policy (Bypass)
- cmd.exe (PID: 3060)
Bypass execution policy to execute commands
- powershell.exe (PID: 3064)
SUSPICIOUS
Executing commands from a ".bat" file
- دمج سيرفر نجرات مع برنامج.exe (PID: 128)
- wscript.exe (PID: 2528)
Starts CMD.EXE for commands execution
- دمج سيرفر نجرات مع برنامج.exe (PID: 128)
- powershell.exe (PID: 584)
- powershell.exe (PID: 2384)
- wscript.exe (PID: 2528)
Found strings related to reading or modifying Windows Defender settings
- powershell.exe (PID: 584)
- powershell.exe (PID: 2384)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 1504)
- powershell.exe (PID: 584)
- cmd.exe (PID: 3060)
Starts SC.EXE for service management
- powershell.exe (PID: 584)
- powershell.exe (PID: 2384)
Identifying current user with WHOAMI command
- powershell.exe (PID: 584)
- powershell.exe (PID: 2384)
Possibly malicious use of IEX has been detected
- cmd.exe (PID: 1504)
- powershell.exe (PID: 584)
Reads the Internet Settings
- powershell.exe (PID: 584)
- powershell.exe (PID: 2384)
- دمج سيرفر نجرات مع برنامج.exe (PID: 128)
- wscript.exe (PID: 2528)
- powershell.exe (PID: 3064)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 1504)
- powershell.exe (PID: 584)
- cmd.exe (PID: 3060)
The process executes Powershell scripts
- cmd.exe (PID: 3060)
Using PowerShell to operate with local accounts
- powershell.exe (PID: 3064)
The process executes VB scripts
- دمج سيرفر نجرات مع برنامج.exe (PID: 128)
Runs shell command (SCRIPT)
- wscript.exe (PID: 2528)
INFO
Checks supported languages
- دمج سيرفر نجرات مع برنامج.exe (PID: 128)
Reads the computer name
- دمج سيرفر نجرات مع برنامج.exe (PID: 128)
Create files in a temporary directory
- دمج سيرفر نجرات مع برنامج.exe (PID: 128)
- powershell.exe (PID: 1904)
- powershell.exe (PID: 2384)
Reads the machine GUID from the registry
- دمج سيرفر نجرات مع برنامج.exe (PID: 128)
Drops the executable file immediately after the start
- دمج سيرفر نجرات مع برنامج.exe (PID: 128)
Application launched itself
- powershell.exe (PID: 584)
Application was injected by another process
- powershell.exe (PID: 1904)
Starts CMD.EXE for commands execution
- powershell.exe (PID: 1904)
Starts SC.EXE for service management
- powershell.exe (PID: 1904)
Disables Windows Defender
- powershell.exe (PID: 1904)
Found strings related to reading or modifying Windows Defender settings
- powershell.exe (PID: 1904)
Identifying current user with WHOAMI command
- powershell.exe (PID: 1904)
Starts NET.EXE for service management
- powershell.exe (PID: 1904)
Reads security settings of Internet Explorer
- powershell.exe (PID: 2384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (45.1) |
|---|---|---|
| .exe | | | Win32 Executable MS Visual C++ (generic) (19.2) |
| .exe | | | Win64 Executable (generic) (17) |
| .scr | | | Windows screen saver (8) |
| .dll | | | Win32 Dynamic Link Library (generic) (4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2022:10:31 20:10:19+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 11 |
| CodeSize: | 192512 |
| InitializedDataSize: | 125952 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x30f1e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileDescription: | دمج سيرفر نجرات مع برنامج |
| FileVersion: | 1.0.0.0 |
| InternalName: | دمج سيرفر نجرات مع برنامج.exe |
| LegalCopyright: | Copyright © 2022 |
| OriginalFileName: | دمج سيرفر نجرات مع برنامج.exe |
| ProductName: | دمج سيرفر نجرات مع برنامج |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
67
Monitored processes
15
Malicious processes
5
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 128 | "C:\Users\admin\AppData\Local\Temp\دمج سيرفر نجرات مع برنامج.exe" | C:\Users\admin\AppData\Local\Temp\دمج سيرفر نجرات مع برنامج.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: دمج سيرفر نجرات مع برنامج Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 584 | powershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0)) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 1504 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\dev.bat" " | C:\Windows\System32\cmd.exe | — | دمج سيرفر نجرات مع برنامج.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1600 | "C:\Windows\system32\net1.exe" start TrustedInstaller | C:\Windows\System32\net1.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1624 | "C:\Windows\system32\sc.exe" qc windefend | C:\Windows\System32\sc.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1792 | "C:\Windows\system32\whoami.exe" /groups | C:\Windows\System32\whoami.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: whoami - displays logged on user information Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1832 | "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe" | C:\Windows\System32\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1904 | powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | TrustedInstaller.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 2384 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 2464 | "C:\Windows\system32\whoami.exe" /groups | C:\Windows\System32\whoami.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: whoami - displays logged on user information Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 983
Read events
4 846
Write events
124
Delete events
13
Modification events
| (PID) Process: | (128) دمج سيرفر نجرات مع برنامج.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | NodeSlots |
Value: 020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||
| (PID) Process: | (128) دمج سيرفر نجرات مع برنامج.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | MRUListEx |
Value: 06000000000000000B0000000100000002000000070000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF | |||
| (PID) Process: | (128) دمج سيرفر نجرات مع برنامج.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | MRUListEx |
Value: 0200000006000000000000000B00000001000000070000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF | |||
| (PID) Process: | (128) دمج سيرفر نجرات مع برنامج.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg |
| Operation: | write | Name: | TV_FolderType |
Value: {FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} | |||
| (PID) Process: | (128) دمج سيرفر نجرات مع برنامج.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg |
| Operation: | write | Name: | TV_TopViewID |
Value: {82BA0782-5B7A-4569-B5D7-EC83085F08CC} | |||
| (PID) Process: | (128) دمج سيرفر نجرات مع برنامج.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg |
| Operation: | write | Name: | TV_TopViewVersion |
Value: 0 | |||
| (PID) Process: | (128) دمج سيرفر نجرات مع برنامج.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (128) دمج سيرفر نجرات مع برنامج.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU |
| Operation: | delete value | Name: | 4 |
Value: 2F0645062C06200033064A06310641063106200046062C06310627062A062000450639062000280631064606270645062C062E006500780065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000880000009B000000080300007B020000000000000000000000000000000000000100000000000000 | |||
| (PID) Process: | (128) دمج سيرفر نجرات مع برنامج.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU |
| Operation: | write | Name: | MRUListEx |
Value: 02000000030000000000000001000000FFFFFFFF | |||
| (PID) Process: | (128) دمج سيرفر نجرات مع برنامج.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} |
| Operation: | write | Name: | Mode |
Value: 4 | |||
Executable files
1
Suspicious files
9
Text files
4
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1904 | powershell.exe | C:\Users\admin\AppData\Local\Temp\kw24ibfg.wia.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 2384 | powershell.exe | C:\Users\admin\AppData\Local\Temp\0krytkar.het.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 128 | دمج سيرفر نجرات مع برنامج.exe | C:\Users\admin\AppData\Local\Temp\dev.bat | text | |
MD5:361D0F711E6208C3D8F904BBB6955B56 | SHA256:8BA9FF923DF7E6063220042174F2838FBA0D578266619425EB3391D2188CBCE9 | |||
| 128 | دمج سيرفر نجرات مع برنامج.exe | C:\Users\Public\install.ps1 | text | |
MD5:3DF18BB58C70FA15ACDC77F03759279B | SHA256:127AB498872D71A611E2E9BA29530DCCE52C15483A5E230AEFC336DFE3A7B52D | |||
| 128 | دمج سيرفر نجرات مع برنامج.exe | C:\Users\Public\Microsoft.exe | executable | |
MD5:B14C5E9746EE06B12FF3F67390194490 | SHA256:CF03D2E5EFC3D0CE33DDDD8609E6DEC655F449B2C66F14CE4F9AFF8C0CA82CD7 | |||
| 584 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:446DD1CF97EABA21CF14D03AEBC79F27 | SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF | |||
| 128 | دمج سيرفر نجرات مع برنامج.exe | C:\Users\Public\install.bat | text | |
MD5:3DE2E075A406692FC7ED7C78DB7830EF | SHA256:8A43FEC1BB264AC7D68B2E49E34D8BB0A25E38901B03001B8BF6D2FD8F65A938 | |||
| 3064 | powershell.exe | C:\Users\admin\AppData\Local\Temp\0dxn3obl.mep.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 3064 | powershell.exe | C:\Users\admin\AppData\Local\Temp\2yf5fmzt.3ul.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 584 | powershell.exe | C:\Users\admin\AppData\Local\Temp\pfqm51wi.ulx.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |