URL: | https://goo.gl/QN8PQH |
Full analysis: | https://app.any.run/tasks/a2e2ae92-2770-48f7-bc80-d1a230d34ba8 |
Verdict: | Malicious activity |
Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
Analysis date: | December 06, 2018, 07:41:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 72C8F9D82F0E34631BEC379A4193D1AB |
SHA1: | 8048DE3D3A59534C23457E389BE1AC2AE67AFD54 |
SHA256: | E3DB87179832B4CD6B25D44DA6E7BB3987D42B22D95D620673D27AEE489FB672 |
SSDEEP: | 3:N8rQKvJ1U:2UKzU |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3312 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1828 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3312 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3852 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | ||||||||||||
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 68.0.3440.106 Modules
| |||||||||||||||
2672 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6e1e00b0,0x6e1e00c0,0x6e1e00cc | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 68.0.3440.106 Modules
| |||||||||||||||
4016 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3860 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 68.0.3440.106 Modules
| |||||||||||||||
3232 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1016,6671358432236705206,11456132112566767735,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=FCAE561D6A50773D261FEFC48FE192F1 --mojo-platform-channel-handle=956 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Version: 68.0.3440.106 Modules
| |||||||||||||||
4004 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,6671358432236705206,11456132112566767735,131072 --enable-features=PasswordImport --service-pipe-token=C6C3668F2B0312EFC406FFFD09B12F34 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=C6C3668F2B0312EFC406FFFD09B12F34 --renderer-client-id=5 --mojo-platform-channel-handle=1908 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 Modules
| |||||||||||||||
2432 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,6671358432236705206,11456132112566767735,131072 --enable-features=PasswordImport --service-pipe-token=AD26BB8BC2C52617144F3B2C39F19D05 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=AD26BB8BC2C52617144F3B2C39F19D05 --renderer-client-id=3 --mojo-platform-channel-handle=2064 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 Modules
| |||||||||||||||
2120 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,6671358432236705206,11456132112566767735,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=4A7110AFD35118E1105AEA3818B0260D --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4A7110AFD35118E1105AEA3818B0260D --renderer-client-id=6 --mojo-platform-channel-handle=3576 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Version: 68.0.3440.106 Modules
| |||||||||||||||
2216 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,6671358432236705206,11456132112566767735,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=5FBA95F88D2B72E7256525AD4164AF87 --mojo-platform-channel-handle=3832 --ignored=" --type=renderer " /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 Modules
|
(PID) Process: | (2156) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | APPSTARTING |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (2156) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | ARROW |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (2156) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | CROSS |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (2156) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | HAND |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (2156) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | HELP |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (2156) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | IBEAM |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (2156) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | NO |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (2156) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | SIZEALL |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (2156) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | SIZENESW |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (2156) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | SIZENS |
Value: %SystemRoot%\cursors\clearcur.cur |
PID | Process | Filename | Type | |
---|---|---|---|---|
3312 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3312 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3852 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old | text | |
MD5:197882774A7ECEC9046BC48F63189B66 | SHA256:27377B0D5F989997C2C3F74ACF163EED44B60631DDAA768F6655D7BE555742B2 | |||
3852 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version | text | |
MD5:C10EBD4DB49249EFC8D112B2920D5F73 | SHA256:90A1B994CAFE902F22A88A22C0B6CC9CB5B974BF20F8964406DD7D6C9B8867D1 | |||
3312 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[3].png | image | |
MD5:9FB559A691078558E77D6848202F6541 | SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914 | |||
3852 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | text | |
MD5:92BE6B127E72365885AD4C3FB6534EE2 | SHA256:54302A2573ACC775720E7DB0AD85873276713302B4F72596A8DCC44B01C70E51 | |||
1828 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\favcenter[1] | image | |
MD5:25D76EE5FB5B890F2CC022D94A42FE19 | SHA256:07D07A467E4988D3C377ACD6DC9E53ABCA6B64E8FBF70F6BE19D795A1619289B | |||
3852 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\b00d9ba0-7222-47b1-872a-17a6f8fbdd29.tmp | — | |
MD5:— | SHA256:— | |||
3852 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp | — | |
MD5:— | SHA256:— | |||
3852 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3312 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3312 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
1828 | iexplore.exe | 31.208.86.241:443 | u.lewd.se | Bredband2 AB | SE | suspicious |
3852 | chrome.exe | 216.58.215.227:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
1828 | iexplore.exe | 172.217.168.14:443 | goo.gl | Google Inc. | US | whitelisted |
3852 | chrome.exe | 172.217.168.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
3852 | chrome.exe | 172.217.168.3:443 | www.google.de | Google Inc. | US | whitelisted |
3852 | chrome.exe | 172.217.168.14:443 | goo.gl | Google Inc. | US | whitelisted |
3852 | chrome.exe | 216.58.215.234:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
3852 | chrome.exe | 216.58.215.238:443 | apis.google.com | Google Inc. | US | whitelisted |
3852 | chrome.exe | 172.217.168.36:443 | www.google.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
goo.gl |
| shared |
u.lewd.se |
| shared |
clientservices.googleapis.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
www.google.de |
| whitelisted |
safebrowsing.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
ssl.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
1964 | MSBuild.exe | A Network Trojan was detected | MALWARE [PTsecurity] njRAT.Gen RAT outbound connection |