njRat Trojan Alive and Kicking. A Cool Overview Into its Day to Day Operations | Anomali

February 9, 2016 | Luis Mendieta

Over the course of two weeks, the ThreatStream labs team came across a series of samples related to the infamous trojan njRat. The labs team decided to analyze 366 samples in order to understand a little more about the following:

  • Geographic distribution
  • Versions that are more prevalent
  • The hours of operation during which the actors build the malware

Geographic distribution

During the course of our investigation we discovered that most of the command and control activity was concentrated in two regions: Brazil, and parts of North Africa and the Middle East. The map below shows the geographical distribution of the command and control servers observed.

[Map: geographic distribution of njRat command and control servers]

Versions that are more prevalent

Over the course of our analysis we observed the following njRat versions: 0.3.6, 0.4.1a, 0.5.0E, 0.6.4, 0.7.1, and 0.8d. The breakdown of njRat versions is as follows:

Version   Samples Observed
0.3.6     20
0.4.1     10
0.5.0E    2
0.6.4     311
0.7.1     2
0.8.d     21

The most prevalent version was 0.6.4, followed by versions 0.8.d and 0.3.6.

Actor's hours of operation

An interesting aspect of this analysis was the hours of operation observed for the actors building the malware. The actors behind the builds seem to be most active during the weekend, slowing down from Wednesday through Friday. The graph below reflects the number of builds on a given day.

[Graph: Samples Built Daily]

On Monday, Tuesday and Wednesday the active hours of operation are from 06:00 to 21:00 UTC. On Thursday the active hours of operation are from 16:00 to 01:00. Friday hours of operation are from 11:00 to 23:00. Saturday and Sunday are very busy days, starting at 09:00 and slowing down around 23:00. The graph below shows the peak hours on a given day.

[Graph: Number of Samples Built by the Hour]

The malware samples listed below were built during hour 21 (21:00 UTC). This implies the actors were actively building their tools during this timeframe.

Hashes
A handful of samples were also built during hour 17 (17:00 UTC).

Hashes
The remaining malware samples observed were built at various hours of the day with no pattern in common.
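The breakdowns above (builds per weekday, builds per hour, active hour range per weekday, and the peak build hours) can be reproduced from a sample set with a few lines of Python. The following is an added example, not code from the original post or from Anomali; it assumes that each sample's build time is taken from its PE compile timestamp in UTC, and the ten sample records are constructed with placeholder identifiers rather than real hashes.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample metadata (placeholder ids, hypothetical timestamps; none of these
# are the report's real indicators). Each record is (sample_id, version, build_time_utc).
# The build time is assumed to be the PE compile timestamp of the sample.
SAMPLES = [
    ("sample-01", "0.6.4", "2016-01-23 21:14:00"),  # Saturday
    ("sample-02", "0.6.4", "2016-01-23 21:40:00"),  # Saturday
    ("sample-03", "0.8.d", "2016-01-24 09:05:00"),  # Sunday
    ("sample-04", "0.6.4", "2016-01-24 17:30:00"),  # Sunday
    ("sample-05", "0.3.6", "2016-01-25 06:10:00"),  # Monday
    ("sample-06", "0.6.4", "2016-01-25 21:55:00"),  # Monday
    ("sample-07", "0.6.4", "2016-01-28 16:20:00"),  # Thursday
    ("sample-08", "0.4.1", "2016-01-29 01:00:00"),  # Friday
    ("sample-09", "0.6.4", "2016-01-30 17:45:00"),  # Saturday
    ("sample-10", "0.6.4", "2016-01-30 21:05:00"),  # Saturday
]

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def parse_build_time(text):
    """Parse a 'YYYY-MM-DD HH:MM:SS' build timestamp as an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def version_breakdown(samples):
    """Count samples per njRat version string (the 'Versions that are more prevalent' table)."""
    return Counter(version for _, version, _ in samples)


def builds_per_weekday(samples):
    """Number of builds on each weekday, with zeros for days that saw no builds."""
    counts = Counter()
    for _, _, ts in samples:
        counts[WEEKDAYS[parse_build_time(ts).weekday()]] += 1
    return {day: counts.get(day, 0) for day in WEEKDAYS}


def builds_per_hour(samples):
    """Number of builds in each UTC hour of the day (0-23)."""
    counts = Counter()
    for _, _, ts in samples:
        counts[parse_build_time(ts).hour] += 1
    return counts


def active_hours_by_weekday(samples):
    """Earliest and latest build hour seen on each weekday, i.e. the 'from 06:00 to 21:00' ranges."""
    hours = defaultdict(list)
    for _, _, ts in samples:
        dt = parse_build_time(ts)
        hours[WEEKDAYS[dt.weekday()]].append(dt.hour)
    return {day: (min(h), max(h)) for day, h in hours.items()}


def peak_hours(samples, top=2):
    """The busiest build hours, most frequent first (hour 21 then hour 17 in the report)."""
    return [hour for hour, _ in builds_per_hour(samples).most_common(top)]


if __name__ == "__main__":
    print("versions:", dict(version_breakdown(SAMPLES)))
    print("per weekday:", builds_per_weekday(SAMPLES))
    print("active hours:", active_hours_by_weekday(SAMPLES))
    print("peak hours:", peak_hours(SAMPLES))
```

Feeding real compile timestamps through this gives the same tables and peak hours as the graphs above; since the compile timestamp is attacker-controlled metadata, a practitioner would treat such patterns as a lead to corroborate against C2 activity timing rather than as proof on their own.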

Command and control oddities

Analysis of the C2s revealed the following.

These C2s were hardcoded IP addresses:

IP | rDNS | City | Country | ASN | ORG
62.245.47.196 | 196.47-245-62.FTTH.rus-com.net | Yekaterinburg | Russia | 39741 | Rus.com Co.ltd
50.7.49.82 | - | Chicago | United States | 6461 | FDCservers.net
152.232.214.88 | 152-232-88-88.user.veloxzone.com.br | Belo Horizonte | Brazil | 7738 | Oi Velox
51.254.151.179 | ip179.ip-51-254-151.eu | Unknown | France | 16276 | OVH SAS
187.56.88.251 | 187-56-88-251.dsl.telesp.net.br | Campinas | Brazil | 27699 | Vivo
185.35.9.62 | 185.35.9.62.untc.net | Kiev | Ukraine | 41165 | Ukrainian Newest Telecommunication Ltd.
46.248.196.77 | - | Amman | Kingdom of Jordan | 9038 | Batelco Jordan
189.84.245.203 | 189.84.245.203.cable.gigalink.net.br | Rio das Ostras | Brazil | 28658 | Gigalink de Nova Friburgo Soluções em Rede Multimi
82.178.209.212 | - | Muscat | Oman | 28885 | General Telecommunication Organization
46.29.255.11 | - | Unknown | United States | 57858 | Inter Connects Inc

194 unique hosts were dynamic DNS hosts. The dynamic DNS providers observed were no-ip, dDNS and thinDNS; see the appendix for indicators.
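The split between hardcoded IP addresses and dynamic DNS hostnames is a useful triage step for a defender sorting C2 indicators, since a dynamic DNS host cannot be blocked by IP alone and is better handled at the DNS layer. The following is an added example, not code from the original post or from Anomali. It assumes the hosts are given as plain strings, uses two of the hardcoded IPs from the table above together with constructed hostnames, and the dynamic DNS suffix list is an assumed placeholder set (the report lists the actual provider domains only in its appendix), which a practitioner would replace with a curated list.

```python
import ipaddress
from collections import Counter

# Constructed C2 host list. The two IPs are from the report's table; the hostnames
# are made up for illustration and are not the report's indicators.
C2_HOSTS = [
    "62.245.47.196",
    "50.7.49.82",
    "host1.no-ip.biz",
    "panel01.ddns.net",
    "update2016.zapto.org",
    "HOST1.no-ip.biz",      # same host, different case: counted once
    "mail.example.net",     # a non-dynamic hostname, classified as 'other'
]

# Assumed dynamic DNS suffixes (placeholder set, not the report's appendix).
DYNAMIC_DNS_SUFFIXES = (
    ".no-ip.biz", ".no-ip.org", ".no-ip.com",
    ".ddns.net", ".zapto.org", ".hopto.org",
)


def normalize_host(host):
    """Lower-case the host and drop a trailing dot so duplicates collapse."""
    return host.strip().lower().rstrip(".")


def classify_c2(host):
    """Return 'hardcoded_ip', 'dynamic_dns' or 'other_hostname' for one C2 string."""
    try:
        ipaddress.ip_address(host)          # accepts IPv4 and IPv6 literals
        return "hardcoded_ip"
    except ValueError:
        pass
    lowered = normalize_host(host)
    if any(lowered.endswith(suffix) for suffix in DYNAMIC_DNS_SUFFIXES):
        return "dynamic_dns"
    return "other_hostname"


def summarize_c2(hosts):
    """Count unique hosts per class, mirroring the report's 'unique hosts' tally."""
    unique = {normalize_host(h) for h in hosts}
    return Counter(classify_c2(h) for h in unique)


def dynamic_dns_providers(hosts):
    """Group unique dynamic DNS hosts by provider zone (the last two labels)."""
    providers = Counter()
    for h in {normalize_host(x) for x in hosts}:
        if classify_c2(h) == "dynamic_dns":
            providers[".".join(h.split(".")[-2:])] += 1
    return providers


if __name__ == "__main__":
    print("by class:", dict(summarize_c2(C2_HOSTS)))
    print("by provider zone:", dict(dynamic_dns_providers(C2_HOSTS)))
```

Because dynamic DNS providers also host legitimate services, the provider-zone counts are best used to prioritise which zones to log and alert on rather than to block outright.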

Conclusion

The njRat trojan proved to be very active during the timeframe of the analysis. The majority of the builds observed continue to use dynamic DNS for their command and control operations. Several versions were observed, but 0.6.4 seems to be the most popular. The geographical distribution of the builds was also interesting: Brazil seems to be the most active region, followed by North Africa and the Middle East.

About the Author

Luis Mendieta

Luis Mendieta is a senior security researcher who enjoys poking inside malware and building automated systems to process threat data. He has 5 years in the security industry, focusing on intelligence and research. Currently at Anomali, Luis researches the latest malware families and builds tools that allow for faster analysis and processing. Previously, he worked as a senior threat analyst at Verizon, supporting cyber security incident response engagements with cyber intelligence capabilities. Prior to Verizon he worked at Terremark as a SOC analyst 2, then moved up the ranks to become an investigations analyst. Luis enjoys playing scenario paintball, running and the outdoors.
