| File name: | avira.exe |
| Full analysis: | https://app.any.run/tasks/d108a38d-c282-4088-b6ff-1b30d762c96b |
| Verdict: | Malicious activity |
| Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
| Analysis date: | January 16, 2024, 17:59:04 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | BE0A43472FC227B6EE51855C7C22454A |
| SHA1: | 74F0D9EA16EE1F258B87087D227E776429928C1A |
| SHA256: | B655509B07BA4E75630E01251C626749680EF0D393E35158A7C13649435554CB |
| SSDEEP: | 49152:AgtwweC40St+rthgftZBhU9El1GV64Ulwb9GqUIXSr9qcZvMoAWaqB/O+8q/FRV0:kft+JhgftZTIatlwhGqxXSr94Qp8q/Fe |
MALICIOUS
Connects to the CnC server
- java_update.exe (PID: 1356)
NJRAT has been detected (SURICATA)
- java_update.exe (PID: 1356)
Drops the executable file immediately after the start
- java_update.exe (PID: 1356)
- avira.exe (PID: 2184)
Create files in the Startup directory
- java_update.exe (PID: 1356)
Changes the autorun value in the registry
- java_update.exe (PID: 1356)
NjRAT is detected
- java_update.exe (PID: 1356)
NJRAT has been detected (YARA)
- java_update.exe (PID: 1356)
SUSPICIOUS
Executable content was dropped or overwritten
- avira.exe (PID: 2184)
- java_update.exe (PID: 1356)
Starts itself from another location
- avira.exe (PID: 2184)
Reads the Internet Settings
- avira.exe (PID: 2184)
Uses NETSH.EXE to add a firewall rule or allowed programs
- java_update.exe (PID: 1356)
Connects to unusual port
- java_update.exe (PID: 1356)
INFO
Checks supported languages
- avira.exe (PID: 2184)
- java_update.exe (PID: 1356)
Create files in a temporary directory
- avira.exe (PID: 2184)
Creates files or folders in the user directory
- java_update.exe (PID: 1356)
Reads the machine GUID from the registry
- java_update.exe (PID: 1356)
- avira.exe (PID: 2184)
Manual execution by a user
- taskmgr.exe (PID: 1576)
Reads the computer name
- java_update.exe (PID: 1356)
- avira.exe (PID: 2184)
Reads Environment values
- java_update.exe (PID: 1356)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
NjRat
(PID) Process(1356) java_update.exe
C27.tcp.eu.ngrok.io
Ports18827
Botnetpon
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\c233d3360136f8cd31c8bd3496e159a7
Splitter|'|'|
Versionim523
TRiD
| .exe | | | Win64 Executable (generic) (61.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.6) |
| .exe | | | Win32 Executable (generic) (10) |
| .exe | | | Win16/32 Executable Delphi generic (4.6) |
| .exe | | | Generic Win/DOS Executable (4.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:02:23 13:11:02+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 35840 |
| InitializedDataSize: | 28160 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x3957 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
39
Monitored processes
4
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 480 | netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\java_update.exe" "java_update.exe" ENABLE | C:\Windows\System32\netsh.exe | — | java_update.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1356 | "C:\Users\admin\AppData\Local\Temp\java_update.exe" | C:\Users\admin\AppData\Local\Temp\java_update.exe | avira.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
NjRat(PID) Process(1356) java_update.exe C27.tcp.eu.ngrok.io Ports18827 Botnetpon Options Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\c233d3360136f8cd31c8bd3496e159a7 Splitter|'|'| Versionim523 | |||||||||||||||
| 1576 | "C:\Windows\system32\taskmgr.exe" | C:\Windows\System32\taskmgr.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2184 | "C:\Users\admin\AppData\Local\Temp\avira.exe" | C:\Users\admin\AppData\Local\Temp\avira.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
1 974
Read events
1 860
Write events
114
Delete events
0
Modification events
| (PID) Process: | (2184) avira.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2184) avira.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2184) avira.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2184) avira.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1356) java_update.exe | Key: | HKEY_CURRENT_USER |
| Operation: | write | Name: | di |
Value: ! | |||
| (PID) Process: | (480) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1356) java_update.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | c233d3360136f8cd31c8bd3496e159a7 |
Value: "C:\Users\admin\AppData\Local\Temp\java_update.exe" .. | |||
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2184 | avira.exe | C:\Users\admin\AppData\Local\Temp\java_update.exe | executable | |
MD5:BE0A43472FC227B6EE51855C7C22454A | SHA256:B655509B07BA4E75630E01251C626749680EF0D393E35158A7C13649435554CB | |||
| 1356 | java_update.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c233d3360136f8cd31c8bd3496e159a7.exe | executable | |
MD5:BE0A43472FC227B6EE51855C7C22454A | SHA256:B655509B07BA4E75630E01251C626749680EF0D393E35158A7C13649435554CB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
1
Threats
5
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1356 | java_update.exe | 3.68.56.232:18827 | 7.tcp.eu.ngrok.io | AMAZON-02 | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
7.tcp.eu.ngrok.io |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1080 | svchost.exe | Misc activity | ET INFO DNS Query to a *.ngrok domain (ngrok.io) |
1356 | java_update.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) |
3 ETPRO signatures available at the full report