analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

index.html

Full analysis: https://app.any.run/tasks/20a9894e-6e76-459f-af79-a69e195933d5
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Analysis date: May 29, 2020, 23:23:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
njrat
bladabindi
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode text, with very long lines
MD5:

EFD7252BBD0F532D60D606633A9DBCD3

SHA1:

EAC9530D75EC32A12CBFBD3BDF12ACEB88EDD495

SHA256:

FC6F931FD99E1CEEDA12539C3096F3F5F999DCA3739283A1D6237607BA2BA3CE

SSDEEP:

3072:P6+ChrmdcUDl0A8Cup+8OIAk8CQn93Wqb3E3P3Bvo3v3pQo3v3/WgG/kPJmG+Jm9:PB6ChDlJWgSUJN+JmKoma

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • CHAYCAINAY.exe (PID: 1548)
    • Application was dropped or rewritten from another process

      • CHAYCAINAY.exe (PID: 1548)
      • Synaptics.exe (PID: 2476)
      • ._cache_CHAYCAINAY.exe (PID: 1896)
      • ._cache_CHAYCAINAY.exe (PID: 2484)
      • VC2015X86.EXE (PID: 2792)
      • ._cache_CHAYCAINAY.exe (PID: 2724)
    • Loads dropped or rewritten executable

      • VC2015X86.EXE (PID: 2792)
  • SUSPICIOUS

    • Creates files in the program directory

      • firefox.exe (PID: 2716)
      • CHAYCAINAY.exe (PID: 1548)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4008)
      • CHAYCAINAY.exe (PID: 1548)
      • WinRAR.exe (PID: 1904)
      • VC2015X86.EXE (PID: 2792)
    • Reads Internet Cache Settings

      • ._cache_CHAYCAINAY.exe (PID: 2484)
      • ._cache_CHAYCAINAY.exe (PID: 1896)
      • Synaptics.exe (PID: 2476)
      • ._cache_CHAYCAINAY.exe (PID: 2724)
    • Searches for installed software

      • VC2015X86.EXE (PID: 2792)
  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 832)
    • Application launched itself

      • firefox.exe (PID: 2716)
    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 2716)
    • Manual execution by user

      • firefox.exe (PID: 380)
    • Reads CPU info

      • firefox.exe (PID: 2716)
    • Changes internet zones settings

      • iexplore.exe (PID: 1192)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1192)
      • firefox.exe (PID: 2716)
    • Creates files in the user directory

      • firefox.exe (PID: 2716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xml/atom | Atom web feed (92.2)
.html | HyperText Markup Language (7.7)

EXIF

HTML

twitterCreator: @username
twitterSite: @username
twitterTitle: -
twitterCard: summary
twitterDomain: https://www.vnhax.site/
Keywords: YOUR KEYWORDS HERE
Description: YOUR DESCRIPTION HERE
Title: Vn-Hax PUBG Mobile Game
Generator: blogger
ContentType: text/html; charset=UTF-8
viewport: width=device-width, initial-scale=1, maximum-scale=1
googleSiteVerification: xPvbMKtymrsIa1kxhbmbXOH0zfoovK087jzqA68FIWE
msvalidate01: BD9F757CB13949150F5BD95C75056F1F
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
17
Malicious processes
2
Suspicious processes
4

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start iexplore.exe iexplore.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe winrar.exe firefox.exe winrar.exe ._cache_chaycainay.exe chaycainay.exe ._cache_chaycainay.exe synaptics.exe vc2015x86.exe ._cache_chaycainay.exe

Process information

PID
CMD
Path
Indicators
Parent process
1192"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\index.htmlC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
832"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1192 CREDAT:144385 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
380"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\firefox.exeexplorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
2716"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
68.0.1
2316"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.0.493259387\1219946460" -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 1188 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
68.0.1
2424"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.3.1392187240\2044403809" -childID 1 -isForBrowser -prefsHandle 1700 -prefMapHandle 1672 -prefsLen 1 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 1688 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
68.0.1
3884"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.13.50069995\595599916" -childID 2 -isForBrowser -prefsHandle 2892 -prefMapHandle 2896 -prefsLen 5997 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 2916 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
68.0.1
2892"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.20.1509801051\1420397729" -childID 3 -isForBrowser -prefsHandle 3672 -prefMapHandle 3676 -prefsLen 7299 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 3688 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
68.0.1
4008"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SETUP-Thuvien.rar"C:\Program Files\WinRAR\WinRAR.exe
firefox.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3224"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.27.1592879477\827383403" -childID 4 -isForBrowser -prefsHandle 8068 -prefMapHandle 1356 -prefsLen 8707 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 3084 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
68.0.1
Total events
2 904
Read events
2 721
Write events
0
Delete events
0

Modification events

No data
Executable files
16
Suspicious files
571
Text files
338
Unknown types
284

Dropped files

PID
Process
Filename
Type
1192iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1192iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF9FB1A45ED5180F41.TMP
MD5:
SHA256:
1192iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF331C36C92FF1603B.TMP
MD5:
SHA256:
1192iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF8CD42A5A7163B533.TMP
MD5:
SHA256:
1192iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{65BE88EF-A203-11EA-9EB1-5254004A04AF}.dat
MD5:
SHA256:
1192iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF71D61B06E87D1CAA.TMP
MD5:
SHA256:
2716firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:
2716firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
2716firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
2716firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
91
TCP/UDP connections
291
DNS requests
574
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2716
firefox.exe
POST
200
195.138.255.16:80
http://ocsp.int-x3.letsencrypt.org/
DE
der
527 b
whitelisted
2716
firefox.exe
GET
301
216.239.36.21:80
http://vnhax.site/
US
html
219 b
malicious
2716
firefox.exe
POST
200
216.58.212.163:80
http://ocsp.pki.goog/gts1o1
US
der
472 b
whitelisted
2716
firefox.exe
POST
200
216.58.212.163:80
http://ocsp.pki.goog/gts1o1
US
der
471 b
whitelisted
2716
firefox.exe
GET
301
216.239.34.21:80
http://www.vnhax.site/
US
html
172 b
malicious
2716
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2716
firefox.exe
POST
200
216.58.212.163:80
http://ocsp.pki.goog/gts1o1
US
der
471 b
whitelisted
2716
firefox.exe
POST
200
195.138.255.16:80
http://ocsp.int-x3.letsencrypt.org/
DE
der
527 b
whitelisted
2716
firefox.exe
POST
200
216.58.212.163:80
http://ocsp.pki.goog/gts1o1
US
der
471 b
whitelisted
2716
firefox.exe
POST
200
216.58.212.163:80
http://ocsp.pki.goog/gts1o1
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
216.58.208.42:445
fonts.googleapis.com
Google Inc.
US
whitelisted
1192
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2716
firefox.exe
2.16.107.40:80
detectportal.firefox.com
Akamai International B.V.
malicious
2716
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
4
System
216.58.208.42:139
fonts.googleapis.com
Google Inc.
US
whitelisted
2716
firefox.exe
216.58.212.163:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2716
firefox.exe
34.211.106.52:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
2716
firefox.exe
172.217.18.4:443
www.google.com
Google Inc.
US
whitelisted
2716
firefox.exe
35.165.138.131:443
push.services.mozilla.com
Amazon.com, Inc.
US
unknown
2716
firefox.exe
216.58.206.10:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
fonts.googleapis.com
  • 216.58.208.42
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
detectportal.firefox.com
  • 2.16.107.40
  • 2.16.107.58
whitelisted
a1089.dscd.akamai.net
  • 2.16.107.58
  • 2.16.107.40
whitelisted
search.services.mozilla.com
  • 34.211.106.52
  • 52.26.114.88
  • 52.41.191.52
whitelisted
search.r53-2.services.mozilla.com
  • 52.41.191.52
  • 52.26.114.88
  • 34.211.106.52
whitelisted
push.services.mozilla.com
  • 35.165.138.131
whitelisted
autopush.prod.mozaws.net
  • 35.165.138.131
whitelisted
snippets.cdn.mozilla.net
  • 143.204.201.78
  • 143.204.201.83
  • 143.204.201.119
  • 143.204.201.68
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Observed DNS Query to .cloud TLD
Potentially Bad Traffic
ET INFO Observed DNS Query to .cloud TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
3 ETPRO signatures available at the full report
No debug info