Unusual njRat campaign originating from Saudi Arabia using FakeAV tactics
While investigating an unrelated threat I ran into a rather interesting njRat campaign.
It started with a website that was compromised and being abused as a 3rd-layer C2 communication proxy. It seems those guys weren't the only ones using it.
When visiting the website's main page I was greeted with an alert pop-up:
Looking at the page title and message content I was expecting some kind of fake support or fake antivirus page; I was correct (for this part):
Waiting for the result of the scan I was prompted by the usual 'you need help, click here' messages:
When clicking one of the buttons (or the X close button, basically anything on the page) your browser was presented with a download of 'Antivirus 2015':
Analysis
When running the 'Antivirus 2015' payload the user is presented with a popup:
The message (although in broken English) tells us we're clear of any infections. If we check the startup entries via msconfig we can see something new was added, running from our %temp% directory:
We can see it's there to stay, implementing persistence using startup keys, a (very) old trick.
While you might think the popup is due to the virtual machine setup or debugger being detected, it actually isn't. The 'Antivirus 2015' payload is in fact a stage 1 dropper of something more interesting; the payload in the %temp% directory is a stage 2 dropper with an embedded stage 3.
If you throw the 'Antivirus 2015' (stage 1) payload into a decompiler you will see it's a small obfuscated loader written in C#. Its most important function is shown here:
The 'main' function of this loader does the following:
Display the popup with the message
Make sure the application (and its icon) aren't shown in the taskbar
Decode a string of text (under Label_004D) which contains a link to a pastebin post
Download whatever is at this pastebin link
Use the content of the pastebin post as another URL and download data from it
The data obtained from the link inside the pastebin post is written to '%temp%/notepad.exe'
Execute the '%temp%/notepad.exe' payload
The content of the pastebin post is a link to a file on ge.tt which is another PE file:
This payload is stage 2 of our infection and in fact seems to be another loader. If you decompile this one you will find it's another C# loader with similar 'obfuscation' techniques for the main program flow:
Instead of downloading another payload, this one carries an embedded Windows PE. The flow of this loader is:
Hide itself from the taskbar
Reverse and base64 decode an embedded text string (the expression variable under Label_003C starting with a lot of A's)
Take this buffer and feed it to a function called 'ss'
The 'ss' function is a classic way of executing a PE file from within C# code:
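To pull stage 3 out on the analyst side, the decoding the loader performs can be replayed in a few lines: reverse the embedded text, base64-decode it, and check that what comes out is a PE image before dropping it to disk. The script below is an added example, not code from the original post or from the loader itself. The embedded string it works on is constructed from a minimal fake PE header so it runs offline; for a real sample you would paste the string dumped from the decompiled loader into EMBEDDED. It also shows why the embedded string "starts with a lot of A's": a PE whose tail is NUL padding base64-encodes to a run of trailing 'A' characters, and reversing the text moves that run to the front.

```python
"""Recover the embedded stage-3 PE from a stage-2 loader string.

Added example (not the post's or the loader's code). The stage-2 loader stores
its payload as base64 text that was reversed before being embedded; it reverses
the text again and base64-decodes it before handing the bytes to "ss". This
script does the same decoding and validates the result as a PE image.
"""
import base64
import struct


def build_fake_pe(tail_zero_bytes: int = 65) -> bytes:
    """Construct a minimal PE-like image (assumption: only enough header
    structure to exercise the checks; it is not a runnable executable).
    65 trailing NULs make the total length a multiple of 3, so the base64
    form needs no '=' padding and ends in a clean run of 'A's."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    dos_stub = b"\x00" * (e_lfanew - 64)
    pe_header = b"PE\x00\x00" + struct.pack("<H", 0x014C)  # IMAGE_FILE_MACHINE_I386
    body = b"stage3 body" + b"\x00" * tail_zero_bytes
    return bytes(dos_header) + dos_stub + pe_header + body


def encode_like_stage2(pe: bytes) -> str:
    """Mimic how the loader embeds its payload: base64, then reversed."""
    return base64.b64encode(pe).decode("ascii")[::-1]


def decode_stage2_blob(blob: str) -> bytes:
    """Undo the embedding: reverse the text, then base64-decode."""
    return base64.b64decode(blob[::-1])


def looks_like_pe(data: bytes) -> bool:
    """Check the DOS 'MZ' magic and that e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_stage3(blob: str) -> bytes:
    """Decode the embedded string and refuse anything that is not a PE."""
    data = decode_stage2_blob(blob)
    if not looks_like_pe(data):
        raise ValueError("decoded data is not a PE image")
    return data


# Constructed stand-in for the loader's Label_003C string.
EMBEDDED = encode_like_stage2(build_fake_pe())

if __name__ == "__main__":
    print(EMBEDDED[:32])  # leading run of 'A's: the PE's NUL tail, reversed
    stage3 = extract_stage3(EMBEDDED)
    print(len(stage3), stage3[:2], stage3[0x80:0x84])
    with open("stage3.bin_", "wb") as fh:  # underscore suffix: not executable
        fh.write(stage3)
```

The PE check matters because the same reverse-then-base64 trick is used by many .NET loaders to hide arbitrary blobs; validating e_lfanew before writing the output avoids mistaking a second-level config or string table for the payload.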
If we take out the 3rd layer of this attack (the embedded PE inside stage 2) we find it's another C# application. This time it doesn't hold anything like we've seen with the other loaders; it's actually a (semi) large program with lots of functionality. Its structure and implemented functions made me think of a RAT. After running it in a sandbox with INetSim enabled to catch DNS requests and send them to a fake server I had a positive hit for njRAT. The traffic showed the classic njRAT check-in pattern:
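For anyone who wants to catch that check-in on the wire rather than eyeball it, the following is an added example of parsing the njRAT "ll" check-in frame; it is not code from the original post and not part of the RATDecoders project. The framing it assumes is the one commonly documented for the njRAT 0.7d stub: an ASCII decimal length, a NUL byte, then fields joined by the build's separator (|'|'| in most 0.7d samples; njRat.py reports the per-build value as the network separator). The field order after the "ll" command (base64 victim id of the form "<campaign>_<volume serial>", hostname, username, install date, an empty field, OS string, webcam flag, version, "..", base64 active window title) is likewise an assumption based on 0.7d, and the sample frame is constructed.

```python
"""Parse and detect the njRAT check-in ("ll") frame from a C2 byte stream.

Added example, not the post's or RATDecoders' code. Framing and field order
follow the njRAT 0.7d stub as commonly documented; both are assumptions for
other versions. The sample frame built below uses made-up values.
"""
import base64
import binascii
import re

SEPARATOR = "|'|'|"  # default 0.7d separator; configurable per build

# Every njRAT frame starts with an ASCII decimal length followed by a NUL.
FRAME_HEADER = re.compile(rb"^(\d+)\x00")


def build_checkin(campaign="HacKed", serial="1A2B3C4D", host="PC-01",
                  user="user", version="0.7d", window="Antivirus 2015",
                  separator=SEPARATOR) -> bytes:
    """Build a constructed sample check-in frame (all values are made up)."""
    victim = base64.b64encode(f"{campaign}_{serial}".encode()).decode()
    title = base64.b64encode(window.encode()).decode()
    fields = ["ll", victim, host, user, "15-05-26", "",
              "Win 7 Professional SP1 x86", "No", version, "..", title]
    body = separator.join(fields) + separator
    return f"{len(body)}\x00{body}".encode()


def parse_frame(data: bytes, separator=SEPARATOR):
    """Return the frame's fields, or None if data is not one complete frame."""
    m = FRAME_HEADER.match(data)
    if not m:
        return None
    length = int(m.group(1))
    body = data[m.end():m.end() + length]
    if len(body) != length:
        return None  # truncated, or the length prefix does not match
    return body.decode("utf-8", errors="replace").split(separator)


def parse_checkin(data: bytes, separator=SEPARATOR):
    """Extract campaign id, volume serial, host, user and version from an
    'll' frame; return None for anything that is not an njRAT check-in."""
    fields = parse_frame(data, separator)
    if not fields or fields[0] != "ll" or len(fields) < 4:
        return None
    try:
        victim = base64.b64decode(fields[1], validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None
    campaign, sep, serial = victim.partition("_")
    if not sep:
        return None  # victim id is always "<campaign>_<serial>"
    return {
        "campaign": campaign,
        "serial": serial,
        "host": fields[2],
        "user": fields[3],
        "version": fields[8] if len(fields) > 8 else "",
    }


if __name__ == "__main__":
    frame = build_checkin()
    print(frame)
    print(parse_checkin(frame))
```

The campaign id recovered from the victim field is the same string njRat.py reports from the binary's configuration, so a match between the two is a cheap way to tie a network observation back to a specific sample.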
We can even confirm it by using the config decoder made by Kevin; you can get it here: RATDecoders / njRat.py
The output from the tool tells us enough; it's njRAT for sure:
We can triple-confirm it if we grab the startup entries we saw earlier and compare them to the configuration:
C2 origin
From the config we can see the C2 domain it will resolve is 'supportoffice.likescandy.com'. This currently resolves to 188.55.84.43, which is an IP located in the consumer ADSL range in Saudi Arabia:
If we follow this C2 domain we can find a related sample on VirusTotal from 2014-10-15, a bit more than 7 months ago: jpck22sj.exe. It connects to the following two C2 domains:
supportoffice.likescandy.com (188.51.198.199)
svchost.homelinux.com (188.51.198.199)
This IP is also located in a Saudi Arabia consumer ADSL IP pool:
If we follow this rabbit hole further down we find another sample, submitted a week after the previous one on 2014-10-22: By Hat_Mast3r.exe. With this sample the IPs had already changed; 'supportoffice.likescandy.com' was pointing to an IP in Iraq, 37.238.165.11:
While 'svchost.homelinux.com', a secondary backup domain, again pointed to an IP in a Saudi Arabian consumer IP pool:
Conclusion
This campaign seems to be old but still running (although my infection wasn't being manually controlled at the time). The first sample found was submitted 7 months ago.
The operation seems to originate mostly from Saudi Arabia: its C2 IP is a home IP address, and njRat does not support proxying C2 communications over infectees, so this was most likely the actual operator. I have no clue about the exact targets; the website I found was a Dutch website for a hobby group, not a really high-ranked target. The spreading method of a fake antivirus website was also quite confusing; normally I see these things dropping FakeAVs, as I've written about in the past.
Overall an unusual but interesting campaign to keep an eye on, at least I will ;)
IOCs and Samples
I've gathered the following DNS entries being resolved related to infections of this campaign:
supportoffice.likescandy.com
svchost.homelinux.com
The following IP addresses were seen as being used for C2 communication:
37.238.165.11
90.148.243.180
188.51.198.199
188.55.84.43
I've gathered the following samples:
Stage 1 downloaded from the fake antivirus warning website: f67369ff8f2e78a09f5fe80a4ca58dadfda766a24775afcf0c793b47ca124cba
Stage 2 downloaded via the stage 1 loader: 80e364d140162049f05cbb5bed17ad7348d2f9aff37d2281f83706c4af66be09
Encoded stage 3 (not present on disk, as it is embedded in stage 2): eac07d10a5cc52c26b72bb43f2ffa30e6e8da7c2bb18c0786d756755ec99e832
Related sample from 7 months ago: c50d60fced994896e0b2ad11cac798f9d10db4019fa08c977a2cf4042e6ab798