| File name: | njratrisk.exe |
| Full analysis: | https://app.any.run/tasks/398f4846-75a6-4aa2-ba61-a247edf98760 |
| Verdict: | Malicious activity |
| Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
| Analysis date: | April 29, 2025, 15:24:58 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 2 sections |
| MD5: | 73B58FD85C56F80FA3A1E76BB6768EE4 |
| SHA1: | 7E652EA9B9C02352FECA9C7367DC13F143FBDFDC |
| SHA256: | D4C19E1F1CAAB0F724BBA70B3C57D1C42EB7C7CC49C3A2882B211DB80FC13A58 |
| SSDEEP: | 768:ssPPyLipEImFtP5/rn77VWXVYpPPSiC2ahiajVQNPl1Rz4Rk3IsOdMTHBto:ZUtP5/rYXSCiC2CuZl1dDwSTHP |
MALICIOUS
Uses Task Scheduler to run other applications
- server.exe (PID: 7876)
Create files in the Startup directory
- server.exe (PID: 7876)
NJRAT has been detected (YARA)
- server.exe (PID: 7876)
SUSPICIOUS
Executable content was dropped or overwritten
- njratrisk.exe (PID: 7808)
- server.exe (PID: 7876)
Reads security settings of Internet Explorer
- njratrisk.exe (PID: 7808)
Starts itself from another location
- njratrisk.exe (PID: 7808)
Probably fake Windows Update file has been dropped
- server.exe (PID: 7876)
Creates file in the systems drive root
- server.exe (PID: 7876)
Uses NETSH.EXE to add a firewall rule or allowed programs
- server.exe (PID: 7876)
Uses NETSH.EXE to delete a firewall rule or allowed programs
- server.exe (PID: 7876)
The process executes via Task Scheduler
- StUpdate.exe (PID: 5968)
- StUpdate.exe (PID: 4988)
INFO
Creates files or folders in the user directory
- njratrisk.exe (PID: 7808)
- server.exe (PID: 7876)
Reads the computer name
- njratrisk.exe (PID: 7808)
- server.exe (PID: 7876)
- Microsoft Corporation.exe (PID: 7552)
Create files in a temporary directory
- njratrisk.exe (PID: 7808)
- server.exe (PID: 7876)
- Microsoft Corporation.exe (PID: 7552)
Checks supported languages
- njratrisk.exe (PID: 7808)
- server.exe (PID: 7876)
- Microsoft Corporation.exe (PID: 7552)
Process checks computer location settings
- njratrisk.exe (PID: 7808)
Auto-launch of the file from Startup directory
- server.exe (PID: 7876)
Reads the software policy settings
- slui.exe (PID: 5116)
Manual execution by a user
- Microsoft Corporation.exe (PID: 7552)
Checks proxy server information
- slui.exe (PID: 5116)
Reads the machine GUID from the registry
- server.exe (PID: 7876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (21.3) |
| .scr | | | Windows screen saver (10.1) |
| .dll | | | Win32 Dynamic Link Library (generic) (5) |
| .exe | | | Win32 Executable (generic) (3.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:04:10 08:18:04+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 94208 |
| InitializedDataSize: | 512 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x18f5e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
133
Monitored processes
14
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4988 | "C:\Users\admin\AppData\Local\Temp/StUpdate.exe" | C:\Users\admin\AppData\Local\Temp\StUpdate.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
| 5116 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5968 | "C:\Users\admin\AppData\Local\Temp/StUpdate.exe" | C:\Users\admin\AppData\Local\Temp\StUpdate.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
| 7552 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7808 | "C:\Users\admin\Desktop\njratrisk.exe" | C:\Users\admin\Desktop\njratrisk.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7876 | "C:\Users\admin\AppData\Roaming\server.exe" | C:\Users\admin\AppData\Roaming\server.exe | njratrisk.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 7932 | netsh firewall add allowedprogram "C:\Users\admin\AppData\Roaming\server.exe" "server.exe" ENABLE | C:\Windows\SysWOW64\netsh.exe | — | server.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7940 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | netsh.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 8028 | netsh firewall delete allowedprogram "C:\Users\admin\AppData\Roaming\server.exe" | C:\Windows\SysWOW64\netsh.exe | — | server.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 8040 | netsh firewall add allowedprogram "C:\Users\admin\AppData\Roaming\server.exe" "server.exe" ENABLE | C:\Windows\SysWOW64\netsh.exe | — | server.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
5 356
Read events
5 355
Write events
1
Delete events
0
Modification events
| (PID) Process: | (7876) server.exe | Key: | HKEY_CURRENT_USER\Environment |
| Operation: | write | Name: | SEE_MASK_NOZONECHECKS |
Value: 1 | |||
Executable files
4
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7876 | server.exe | C:\Users\admin\AppData\Local\Temp\StUpdate.exe | executable | |
MD5:73B58FD85C56F80FA3A1E76BB6768EE4 | SHA256:D4C19E1F1CAAB0F724BBA70B3C57D1C42EB7C7CC49C3A2882B211DB80FC13A58 | |||
| 7808 | njratrisk.exe | C:\Users\admin\AppData\Roaming\app | text | |
MD5:112317D572CE0538D2D1B20D7F32170E | SHA256:FD9E9A8BE71786826787D6EB9AA28371D09B0515DDF0C19B082FE7BAC57A88A9 | |||
| 7808 | njratrisk.exe | C:\Users\admin\AppData\Roaming\server.exe | executable | |
MD5:73B58FD85C56F80FA3A1E76BB6768EE4 | SHA256:D4C19E1F1CAAB0F724BBA70B3C57D1C42EB7C7CC49C3A2882B211DB80FC13A58 | |||
| 7876 | server.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | executable | |
MD5:73B58FD85C56F80FA3A1E76BB6768EE4 | SHA256:D4C19E1F1CAAB0F724BBA70B3C57D1C42EB7C7CC49C3A2882B211DB80FC13A58 | |||
| 7876 | server.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf7aef3201890a6941a13b2b6818eae8Windows Update.exe | executable | |
MD5:73B58FD85C56F80FA3A1E76BB6768EE4 | SHA256:D4C19E1F1CAAB0F724BBA70B3C57D1C42EB7C7CC49C3A2882B211DB80FC13A58 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
19
DNS requests
4
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7444 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5116 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |