| File name: | Minecraft.exe |
| Full analysis: | https://app.any.run/tasks/bc387c19-c74c-47c5-a74b-e476dd9df3de |
| Verdict: | Malicious activity |
| Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
| Analysis date: | January 12, 2024, 19:10:54 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 0B5E0D4139374742081802665B721E3D |
| SHA1: | 1B13EEA17B756D3E81A2DCB4B675438997F6C3A0 |
| SHA256: | F04F66D50DD76C140AC4DED22F2550CCB89CED88F7AB70A15290B54580BFA563 |
| SSDEEP: | 768:jsPjReRZxqCHXt62PSr1/HyWZxgAGSKCnWCHOkaiajVQNPl1Rz4Rk3MsOdMTBBto:w+t6qSR9UiKCnmuZl1dDESTBP |
MALICIOUS
Drops the executable file immediately after the start
- Minecraft.exe (PID: 1776)
- server.exe (PID: 2256)
Create files in the Startup directory
- server.exe (PID: 2256)
NJRAT has been detected (SURICATA)
- server.exe (PID: 2256)
Connects to the CnC server
- server.exe (PID: 2256)
NJRAT has been detected (YARA)
- server.exe (PID: 2256)
Uses Task Scheduler to run other applications
- server.exe (PID: 2256)
SUSPICIOUS
Reads the Internet Settings
- Minecraft.exe (PID: 1776)
Starts itself from another location
- Minecraft.exe (PID: 1776)
Executable content was dropped or overwritten
- Minecraft.exe (PID: 1776)
- server.exe (PID: 2256)
Connects to unusual port
- server.exe (PID: 2256)
The process executes via Task Scheduler
- StUpdate.exe (PID: 2564)
- StUpdate.exe (PID: 2760)
Uses NETSH.EXE to add a firewall rule or allowed programs
- server.exe (PID: 2256)
INFO
Checks supported languages
- Minecraft.exe (PID: 1776)
- Minecraft.exe (PID: 1972)
- StUpdate.exe (PID: 2760)
- server.exe (PID: 2256)
Reads the computer name
- Minecraft.exe (PID: 1776)
- Minecraft.exe (PID: 1972)
- StUpdate.exe (PID: 2760)
- server.exe (PID: 2256)
Creates files or folders in the user directory
- Minecraft.exe (PID: 1776)
- server.exe (PID: 2256)
Create files in a temporary directory
- server.exe (PID: 2256)
- Minecraft.exe (PID: 1972)
- StUpdate.exe (PID: 2760)
- Minecraft.exe (PID: 1776)
Reads the machine GUID from the registry
- server.exe (PID: 2256)
- Minecraft.exe (PID: 1972)
- StUpdate.exe (PID: 2760)
- Minecraft.exe (PID: 1776)
Manual execution by a user
- Minecraft.exe (PID: 1972)
Reads Environment values
- server.exe (PID: 2256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
NjRat
(PID) Process(2256) server.exe
C25.tcp.eu.ngrok.io
Ports15087
BotnetXyesos-Ebanniy
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\a5fd96b89f458a3718773258c4640896
Splitter|'|'|
Version0.7d
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (21.3) |
| .scr | | | Windows screen saver (10.1) |
| .dll | | | Win32 Dynamic Link Library (generic) (5) |
| .exe | | | Win32 Executable (generic) (3.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:01:12 20:05:54+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 94208 |
| InitializedDataSize: | 512 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x18f0e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
47
Monitored processes
7
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 532 | netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE | C:\Windows\System32\netsh.exe | — | server.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 572 | schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\admin\AppData\Local\Temp/StUpdate.exe | C:\Windows\System32\schtasks.exe | — | server.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1776 | "C:\Users\admin\Desktop\Minecraft.exe" | C:\Users\admin\Desktop\Minecraft.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1972 | "C:\Users\admin\Desktop\Minecraft.exe" | C:\Users\admin\Desktop\Minecraft.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2256 | "C:\Users\admin\AppData\Local\Temp\server.exe" | C:\Users\admin\AppData\Local\Temp\server.exe | Minecraft.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
NjRat(PID) Process(2256) server.exe C25.tcp.eu.ngrok.io Ports15087 BotnetXyesos-Ebanniy Options Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\a5fd96b89f458a3718773258c4640896 Splitter|'|'| Version0.7d | |||||||||||||||
| 2564 | C:\Users\admin\AppData\Local\Temp/StUpdate.exe | C:\Users\admin\AppData\Local\Temp\StUpdate.exe | — | taskeng.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
| 2760 | C:\Users\admin\AppData\Local\Temp/StUpdate.exe | C:\Users\admin\AppData\Local\Temp\StUpdate.exe | taskeng.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
Total events
2 172
Read events
2 118
Write events
54
Delete events
0
Modification events
| (PID) Process: | (1776) Minecraft.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1776) Minecraft.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1776) Minecraft.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1776) Minecraft.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (532) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
6
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1776 | Minecraft.exe | C:\Users\admin\AppData\Roaming\app | text | |
MD5:311D687FAFFAED10F44EA27C024986B6 | SHA256:608547D80BF0E4B3D9CFFFD324702B4AA38DB2F0BFB3DB4BD517B556FDF4DE2B | |||
| 2256 | server.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Explower.exe | executable | |
MD5:0B5E0D4139374742081802665B721E3D | SHA256:F04F66D50DD76C140AC4DED22F2550CCB89CED88F7AB70A15290B54580BFA563 | |||
| 1776 | Minecraft.exe | C:\Users\admin\AppData\Local\Temp\server.exe | executable | |
MD5:0B5E0D4139374742081802665B721E3D | SHA256:F04F66D50DD76C140AC4DED22F2550CCB89CED88F7AB70A15290B54580BFA563 | |||
| 2256 | server.exe | C:\Users\admin\AppData\Local\Temp\StUpdate.exe | executable | |
MD5:0B5E0D4139374742081802665B721E3D | SHA256:F04F66D50DD76C140AC4DED22F2550CCB89CED88F7AB70A15290B54580BFA563 | |||
| 2256 | server.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a5fd96b89f458a3718773258c4640896Windows Update.exe | executable | |
MD5:0B5E0D4139374742081802665B721E3D | SHA256:F04F66D50DD76C140AC4DED22F2550CCB89CED88F7AB70A15290B54580BFA563 | |||
| 2256 | server.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | executable | |
MD5:0B5E0D4139374742081802665B721E3D | SHA256:F04F66D50DD76C140AC4DED22F2550CCB89CED88F7AB70A15290B54580BFA563 | |||
| 2256 | server.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | executable | |
MD5:0B5E0D4139374742081802665B721E3D | SHA256:F04F66D50DD76C140AC4DED22F2550CCB89CED88F7AB70A15290B54580BFA563 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
1
Threats
17
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2256 | server.exe | 18.158.58.205:15087 | 5.tcp.eu.ngrok.io | AMAZON-02 | DE | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
5.tcp.eu.ngrok.io |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1080 | svchost.exe | Misc activity | ET INFO DNS Query to a *.ngrok domain (ngrok.io) |
2256 | server.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) |
2256 | server.exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop) |
2256 | server.exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) |
2256 | server.exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback (Microphone) |
2256 | server.exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback (Microphone) |
2256 | server.exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback (Microphone) |
2256 | server.exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback (Microphone) |
2256 | server.exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback (Microphone) |
2256 | server.exe | Malware Command and Control Activity Detected | ET MALWARE njrat ver 0.7d Malware CnC Callback (Microphone) |
2 ETPRO signatures available at the full report