njRat malware

 

Technical details of njRat malware


Identification

Malware didn’t exist in virus total as shown in figure below.




The following table contains list of artifacts that had been analyzed within this document.


PE timestamp

Md5

Size in bytes

Filename

Description

Thu Jun 25 03:38:24 2020

 

BD5358AD05577CF798B3EABBBC9029B7

1506554 bytes

Discord Card.exe

Dropper

 

 Summary

njRAT is a remote access Trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information.so nJRAT has 3 stages. First stage contains dropper of nJRAT after that malware files overwrites itself multiple times then creates clear malicious code which enable attacker get control of machine remotely.


Technical Details

First Stage

It gets processes called SetDllDirectoryW and SetDefaultDllDirectories as shown in figure below.




It resolves a lot of dll libraries as shown in figure below.





It gets operating system version as shown in figure below.





It gets information about any valid installed or available code page as shown in figure below.




It sets new environment variable called "sfxcmd" as shown in figure below.





It sets another environment variable called "sfxpar" as shown in figure below.




It sets new variable called "sfxname" as shown in figure below.




It gets current date and time including minutes and seconds based on pattern as shown in figure below.




 

It unlocks resource called png as shown in figure below.




It control current window using GetDC ,GetWindowLongW and GetWindow as shown in figures below.






It creates new file called __tmp_rar_sfx_access_check_ as shown in figure with the following parameters as shown in table below.




hTemplateFile

NULL

dwFlagsAndAttributes

NULL

dwCreationDisposition

CREATE_ALWAYS

dwDesiredAccess

GENERIC_READ_WRITE

lpSecurityAttributes

FILE_SHARE_READ

dwShareMode

GENERIC_READ_WRITE

lpFileNam

__tmp_rar_sfx_access_check_0

 

It map to new file called winrarsfxmappingfile.tmp and run it as shown in figure below.





Second Stage

It creates child process called flone.exe and created new path in temp called RarSFX1 as shown in figure below.





It drops new file called at temp path called flone.exe as shown in figure below.





Based on import table of FLone.exe file, you will discover that file is packed.




If you try to check strings of file you will see it resolves dll during runtime of Flone.exe file as shown in figure below.






It creates new file called chrome.exe at roaming path as shown in figures below.







Note

  • Both files are in hidden mode.
  • Chrome.exe file is exactly same Flone.exe file as shown in two figures below.






Chrome file is packed and it resolves whole code of file during runtime.


Final Stage

After you unpacked it, you will get malicious clear .Net file.


 

PE timestamp

Md5

Size in bytes

Filename

Description

Wed Mar 24 06:41:49 2021

 

C15C14868D8BB70DD030A12C467FBC9A

3916288 bytes

Chrome.exe

RAT

File didn’t exist in virus total as shown in figure below.






 

It connects to malicious domain called "8.tcp.ngrok.io" as shown in figure below.




Domain

"8.tcp.ngrok.io"

 

Some vendors detect this domain in virus total.




Some Important Function of malware

  • get_Computer
  • get_Application 
  • get_User 
  • get_WebServices 
  • GetHashCode
  • get_GetInstance 
  • GetForegroundWindow
  • GetVolumeInformationA
  • GetWindowTextA
  • GetWindowTextLengthA
  • capGetDriverDescriptionA 
  • CompDir
  • connect 
  • BlockInput
  • SendMessage
  • SetWindowPos
  • GetAsyncKeyState     
  • GetKeyboardLayout
  • GetKeyboardState
  • GetWindowThreadProcessId 
  • MapVirtualKey           
  • EnableWindow 
  • EnumChildWindows 
  • EnumChild




You can’t kill malware process as shown in figure below because it disables end process.





But you can terminate it using CMD as shown in figure below.



If you wanna learn malware analysis you can check my YouTube channel I'm trying publish analysis of malware and some methods to analysis malwares.
Please don't forgot subscribe my channel Than you ♥  
YouTube channel 
https://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA



 

Reference

  • https://www.reddit.com/r/Malware/comments/hcrnts/remote_access_trojan_njrat_malware_analysis/.
  • https://cert.bournemouth.ac.uk/njrat-malware-analysis/.
  • https://blogs.infoblox.com/cyber-threat-intelligence/njrat-malspam-campaign/.


Comments

Post a Comment

Popular posts from this blog

Phishing Attacks 3_3_2021

Image
  If you wanna learn how to detect phishing emails  only by your eye , you can check my udemy course here  . My udemy course (1) Sender ip 45.137.22.124 From "Cheng Yong"<rosa@franball.net>" Subject "RV: Shipping advice - 2nd container under ct.876" Attachment "SHIPPING ADVICE#202203.zip" MD5 aa2d18552a8d5041e4c757cee09f2c4d SHA256 0628b564bad3c4e59644e91398899f88143aa2eb3473e720270fb1566c628d60 Family AgentTesla If you wanna know how to analysis AgentTesla Malware you can      check my analysis in YouTube   AgentTesla .       (2) Sender ip 2.56.56.35 From "contato@vastoverde.com.br" Subject "fwd :Outstanding Remittance payment" Attachment "receipt_pdf.z" ...
Read more

Phishing Attacks 23_4_2022

Image
  If you wanna learn how to detect phishing emails  only by your eye , you can check my udemy course here  . My udemy course   (1) Sender ip 180.214.238.82 From "Dang Thi Thu Hien<hiendang@panpacific.co.kr>" Subject "RE: [SSC CS] F22 03/09 Buy Shipping request_04062022" Attachment "SEALOGISTICS DEBIT NOTE.zip" MD5 add8e964a595d7af30f02783943c3a00 SHA256 24f6485539bc5d700d17ec8d629827ea80dfae2eb2189e872f4b8ae0e7f1d66f Family AgentTesla   If you wanna know how to analysis AgentTesla Malware you can      check my analysis in YouTube   AgentTesla .         (2) Sender ip 138.197.200.182 From "Nguyen Thi Quy <nguyen@47.fximnii.sbs>" Subject "RE: Purchase Inquiry: KPC/PU-231(MECH...
Read more

Phishing Attacks 24_3_2022

Image
If you wanna learn how to detect phishing emails  only by your eye , you can check my udemy course here  . My udemy course (1) Sender ip 185.222.58.240 From "flocon acc" <accounts@flocon-industries.com>" Subject "Re: RE: RE: RE: RE: RE: RE: RE: Re: RE: RE: Purchase of Wire Cutting, Stripping and Twisting Machine" Attachment "Sales Contract Copy.TAR" MD5 40e05d66fa334f0e1595c1a6417fecab SHA256 c57086d514c801eaded5f2b6e02b21784c8154f1423693bc9c40454c6bb79d85 Family Formbook   (2) Sender ip 107.173.104.75 From "Yergazy Nurbekuly<info@highomeleds.com>" Subject "=?UTF-8?B?UmU6IFJFOiBBV1M6IG5ldyBvcmRlciAvUHJvZm9ybWEtSW52b2ljZSAvIE0vNDU2IOKAkyBNaWQgTWFyY2g=?=" Attachment ...
Read more