njRat malware

 

Technical details of njRat malware


Identification

Malware didn’t exist in virus total as shown in figure below.




The following table contains list of artifacts that had been analyzed within this document.


PE timestamp

Md5

Size in bytes

Filename

Description

Thu Jun 25 03:38:24 2020

 

BD5358AD05577CF798B3EABBBC9029B7

1506554 bytes

Discord Card.exe

Dropper

 

 Summary

njRAT is a remote access Trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information.so nJRAT has 3 stages. First stage contains dropper of nJRAT after that malware files overwrites itself multiple times then creates clear malicious code which enable attacker get control of machine remotely.


Technical Details

First Stage

It gets processes called SetDllDirectoryW and SetDefaultDllDirectories as shown in figure below.




It resolves a lot of dll libraries as shown in figure below.





It gets operating system version as shown in figure below.





It gets information about any valid installed or available code page as shown in figure below.




It sets new environment variable called "sfxcmd" as shown in figure below.





It sets another environment variable called "sfxpar" as shown in figure below.




It sets new variable called "sfxname" as shown in figure below.




It gets current date and time including minutes and seconds based on pattern as shown in figure below.




 

It unlocks resource called png as shown in figure below.




It control current window using GetDC ,GetWindowLongW and GetWindow as shown in figures below.






It creates new file called __tmp_rar_sfx_access_check_ as shown in figure with the following parameters as shown in table below.




hTemplateFile

NULL

dwFlagsAndAttributes

NULL

dwCreationDisposition

CREATE_ALWAYS

dwDesiredAccess

GENERIC_READ_WRITE

lpSecurityAttributes

FILE_SHARE_READ

dwShareMode

GENERIC_READ_WRITE

lpFileNam

__tmp_rar_sfx_access_check_0

 

It map to new file called winrarsfxmappingfile.tmp and run it as shown in figure below.





Second Stage

It creates child process called flone.exe and created new path in temp called RarSFX1 as shown in figure below.





It drops new file called at temp path called flone.exe as shown in figure below.





Based on import table of FLone.exe file, you will discover that file is packed.




If you try to check strings of file you will see it resolves dll during runtime of Flone.exe file as shown in figure below.






It creates new file called chrome.exe at roaming path as shown in figures below.







Note

  • Both files are in hidden mode.
  • Chrome.exe file is exactly same Flone.exe file as shown in two figures below.






Chrome file is packed and it resolves whole code of file during runtime.


Final Stage

After you unpacked it, you will get malicious clear .Net file.


 

PE timestamp

Md5

Size in bytes

Filename

Description

Wed Mar 24 06:41:49 2021

 

C15C14868D8BB70DD030A12C467FBC9A

3916288 bytes

Chrome.exe

RAT

File didn’t exist in virus total as shown in figure below.






 

It connects to malicious domain called "8.tcp.ngrok.io" as shown in figure below.




Domain

"8.tcp.ngrok.io"

 

Some vendors detect this domain in virus total.




Some Important Function of malware

  • get_Computer
  • get_Application 
  • get_User 
  • get_WebServices 
  • GetHashCode
  • get_GetInstance 
  • GetForegroundWindow
  • GetVolumeInformationA
  • GetWindowTextA
  • GetWindowTextLengthA
  • capGetDriverDescriptionA 
  • CompDir
  • connect 
  • BlockInput
  • SendMessage
  • SetWindowPos
  • GetAsyncKeyState     
  • GetKeyboardLayout
  • GetKeyboardState
  • GetWindowThreadProcessId 
  • MapVirtualKey           
  • EnableWindow 
  • EnumChildWindows 
  • EnumChild




You can’t kill malware process as shown in figure below because it disables end process.





But you can terminate it using CMD as shown in figure below.



If you wanna learn malware analysis you can check my YouTube channel I'm trying publish analysis of malware and some methods to analysis malwares.
Please don't forgot subscribe my channel Than you ♥  
YouTube channel 
https://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA



 

Reference

  • https://www.reddit.com/r/Malware/comments/hcrnts/remote_access_trojan_njrat_malware_analysis/.
  • https://cert.bournemouth.ac.uk/njrat-malware-analysis/.
  • https://blogs.infoblox.com/cyber-threat-intelligence/njrat-malspam-campaign/.


Comments

Post a Comment

Popular posts from this blog

IOCs 7_8_2021

Image
  (1) File Name Netflix Checker AutoProxy.rar Created process Qsbb.exe Connected (Ip/Dns) Fhruhceio[.]eu5[.]org MD5 54407258f1e20055897fe7dad504a5dc SHA256 4c54592475d4636eb0fe0555dbe44813332059d787c755571797484b87983a50 Family njRAT   (2) File Name Start.exe Created process yGYkD7gHOX.exe Connected (Ip/Dns) Telete[.]in MD5 e123bd2a5d074027510e792b92bce913 SHA256 245c87b29983815f1bad519d8490e4fae064ec3f4788781f3944cbe4ad7e8e8b Family Raccoon   (3) File Name Banco do Brasil_eDeclaração_SMX_046_6-08-2021_SWIFT.COPY.exe Created process Banco do Brasil_eDeclaração_SMX_046_6-08-2021_SWIFT.COPY.exe Connected (Ip/Dns) www[.]transinta[.]com MD5 c5
Read more

Phishing Attacks 23_4_2022

Image
  If you wanna learn how to detect phishing emails  only by your eye , you can check my udemy course here  . My udemy course   (1) Sender ip 180.214.238.82 From "Dang Thi Thu Hien<hiendang@panpacific.co.kr>" Subject "RE: [SSC CS] F22 03/09 Buy Shipping request_04062022" Attachment "SEALOGISTICS DEBIT NOTE.zip" MD5 add8e964a595d7af30f02783943c3a00 SHA256 24f6485539bc5d700d17ec8d629827ea80dfae2eb2189e872f4b8ae0e7f1d66f Family AgentTesla   If you wanna know how to analysis AgentTesla Malware you can      check my analysis in YouTube   AgentTesla .         (2) Sender ip 138.197.200.182 From "Nguyen Thi Quy <nguyen@47.fximnii.sbs>" Subject "RE: Purchase Inquiry: KPC/PU-231(MECH)NBI/20-22"
Read more

Phishing Attacks 15_2_2021

Image
  If you wanna learn how to detect phishing emails  only by your eye , you can check my udemy course here  . My udemy course (1) Sender ip 137.184.90.200 From "<zita@anthonybirch.ml>" Subject "Attached our formal P/O : 4501226854." Attachment "PO - 4501226854,pdf (1).iso" MD5 9addd85060db79af3b0ac0e3011c69c1 SHA256 b0b0135c292340ab5993a9f2bea6f3f6e6478fb5883fe2e1ef67c60cf3dd0944 Family Formbook   (2) Sender ip 143.198.41.151 From "Gilbert Anderson <info@digimaincheckshower.com>" Subject "Please accept my applicant " Attachment "Approvald-32134.doc" MD5 40582aacc0f7f8a0946a64249dae4767 SHA256 1b97ac97a845c9f63cf7308e3f6f983
Read more