njRat malware

 

Technical details of njRat malware


Identification

The malware did not exist in VirusTotal, as shown in the figure below.


The following table lists the artifacts analyzed in this document.

PE timestamp              Md5                               Size in bytes  Filename          Description
Thu Jun 25 03:38:24 2020  BD5358AD05577CF798B3EABBBC9029B7  1506554 bytes  Discord Card.exe  Dropper

 

Summary

njRAT is a remote access Trojan. It is one of the most widely accessible RATs on the market and comes with an abundance of educational information. njRAT has 3 stages: the first stage is the dropper; after that the malware files overwrite themselves multiple times and finally produce the clear malicious code that enables the attacker to control the machine remotely.


Technical Details

First Stage

It resolves the procedures SetDllDirectoryW and SetDefaultDllDirectories, as shown in the figure below.


It resolves a large number of DLL libraries, as shown in the figure below.


It gets the operating system version, as shown in the figure below.


It gets information about every valid installed or available code page, as shown in the figure below.


It sets a new environment variable called "sfxcmd", as shown in the figure below.


It sets another environment variable called "sfxpar", as shown in the figure below.


It sets a new environment variable called "sfxname", as shown in the figure below.


It gets the current date and time, including minutes and seconds, formatted according to a pattern, as shown in the figure below.


It unlocks a resource called png, as shown in the figure below.


It manipulates the current window using GetDC, GetWindowLongW and GetWindow, as shown in the figures below.


It creates a new file called __tmp_rar_sfx_access_check_, as shown in the figure below, with the parameters listed in the following table.

Parameter              Value
hTemplateFile          NULL
dwFlagsAndAttributes   NULL
dwCreationDisposition  CREATE_ALWAYS
dwDesiredAccess        GENERIC_READ_WRITE
lpSecurityAttributes   FILE_SHARE_READ
dwShareMode            GENERIC_READ_WRITE
lpFileName             __tmp_rar_sfx_access_check_0


It maps a new file called winrarsfxmappingfile.tmp and runs it, as shown in the figure below.


Second Stage

It creates a child process called Flone.exe and creates a new directory in Temp called RarSFX1, as shown in the figure below.


It drops a new file called Flone.exe at the Temp path, as shown in the figure below.


Based on the import table of the Flone.exe file, you will discover that the file is packed.


If you check the strings of the file, you will see that it resolves DLLs during runtime of Flone.exe, as shown in the figure below.


It creates a new file called chrome.exe at the Roaming path, as shown in the figures below.


Note

  • Both files are in hidden mode.
  • The chrome.exe file is exactly the same as the Flone.exe file, as shown in the two figures below.






The chrome.exe file is packed and resolves the whole code of the file during runtime.


Final Stage

After you unpack it, you will get the clear malicious .NET file.

PE timestamp              Md5                               Size in bytes  Filename    Description
Wed Mar 24 06:41:49 2021  C15C14868D8BB70DD030A12C467FBC9A  3916288 bytes  Chrome.exe  RAT


The file did not exist in VirusTotal, as shown in the figure below.


It connects to a malicious domain called "8.tcp.ngrok.io", as shown in the figure below.

Domain
"8.tcp.ngrok.io"


Some vendors detect this domain in VirusTotal.


Some important functions of the malware

  • get_Computer
  • get_Application
  • get_User
  • get_WebServices
  • GetHashCode
  • get_GetInstance
  • GetForegroundWindow
  • GetVolumeInformationA
  • GetWindowTextA
  • GetWindowTextLengthA
  • capGetDriverDescriptionA
  • CompDir
  • connect
  • BlockInput
  • SendMessage
  • SetWindowPos
  • GetAsyncKeyState
  • GetKeyboardLayout
  • GetKeyboardState
  • GetWindowThreadProcessId
  • MapVirtualKey
  • EnableWindow
  • EnumChildWindows
  • EnumChild




You can't kill the malware process, as shown in the figure below, because it disables End Process.


But you can terminate it using CMD, as shown in the figure below.
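
As an added defender-side example that is not part of the original post, the following Python script triages constructed, Sysmon-style log lines for the chain this write-up describes: the two MD5 hashes, a process launched from the RAR SFX extraction directory (Temp\RarSFX1), chrome.exe written under AppData\Roaming rather than the browser's install path, and a DNS lookup of a tcp.ngrok.io tunnel host. The log line format, field names and sample events are assumptions constructed for the demo; only the hashes, paths and domain come from the analysis above.

```python
import re

# Indicators taken from the write-up above (hashes lower-cased for comparison).
KNOWN_MD5 = {
    "bd5358ad05577cf798b3eabbbc9029b7": "Discord Card.exe (RAR SFX dropper)",
    "c15c14868d8bb70dd030a12c467fbc9a": "Chrome.exe (unpacked njRAT payload)",
}
RARSFX_DIR = re.compile(r"\\Temp\\RarSFX\d+\\", re.IGNORECASE)        # %TEMP%\RarSFX1\Flone.exe
ROAMING_CHROME = re.compile(r"\\AppData\\Roaming\\chrome\.exe$", re.IGNORECASE)
NGROK_TCP = re.compile(r"(^|\.)tcp\.ngrok\.io$", re.IGNORECASE)        # 8.tcp.ngrok.io

def parse_event(line):
    """Parse one constructed 'Type|key=value|key=value' log line into a dict."""
    kind, *fields = line.strip().split("|")
    event = {"Type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def triage(lines):
    """Return (line_no, reason) for every line that matches an njRAT indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        md5 = ev.get("MD5", "").lower()
        if md5 in KNOWN_MD5:
            findings.append((n, "known hash: " + KNOWN_MD5[md5]))
        if ev["Type"] == "ProcessCreate" and RARSFX_DIR.search(ev.get("Image", "")):
            findings.append((n, "process started from RAR SFX temp dir"))
        if ev["Type"] == "FileCreate" and ROAMING_CHROME.search(ev.get("TargetFilename", "")):
            findings.append((n, "chrome.exe written to %APPDATA%\\Roaming"))
        if ev["Type"] == "DnsQuery" and NGROK_TCP.search(ev.get("QueryName", "")):
            findings.append((n, "DNS lookup of ngrok TCP tunnel host"))
    return findings

# Constructed sample events (not real telemetry); the legitimate Chrome lines (4 and 6) must not be flagged.
SAMPLE_LOG = [
    r"ProcessCreate|Image=C:\Users\bob\Downloads\Discord Card.exe|MD5=BD5358AD05577CF798B3EABBBC9029B7",
    r"ProcessCreate|Image=C:\Users\bob\AppData\Local\Temp\RarSFX1\Flone.exe",
    r"FileCreate|Image=C:\Users\bob\AppData\Local\Temp\RarSFX1\Flone.exe|TargetFilename=C:\Users\bob\AppData\Roaming\chrome.exe",
    r"ProcessCreate|Image=C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"DnsQuery|Image=C:\Users\bob\AppData\Roaming\chrome.exe|QueryName=8.tcp.ngrok.io",
    r"DnsQuery|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|QueryName=www.example.com",
]

if __name__ == "__main__":
    for line_no, reason in triage(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

The hash check matches regardless of case, and the chrome.exe rule keys on the Roaming path so the real browser binary under Program Files is left alone.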




