njRat Trojan Alive and Kicking. A Cool Overview Into its Day to Day Operations | Anomali

njRat Trojan Alive and Kicking. A Cool Overview Into its Day to Day Operations

February 9, 2016 | Luis Mendieta

Over the course of two weeks, the ThreatStream Labs team came across a series of samples related to the infamous trojan njRat. The team analyzed 366 samples in order to understand a little more about the following:

  • Geographic distribution of the command and control servers
  • Which versions are most prevalent
  • The hours of operation in which the actors build the malware

Geographic distribution

During the course of our investigation we found that most of the command and control activity was concentrated in two regions: Brazil, and parts of North Africa and the Middle East. The map below shows the geographical distribution of the command and control servers observed.

[Map: geographic distribution of njRat command and control servers]

Versions that are more prevalent

In the course of our analysis we observed the following njRat versions: 0.3.6, 0.4.1a, 0.5.0E, 0.6.4, 0.7.1, and 0.8d. The breakdown of the njRat versions is as follows:

Version | Samples Observed

The most prevalent version was 0.6.4, followed by 0.8d and 0.3.6.

Actor's hours of operation

An interesting aspect of this analysis was the hours of operation observed for the actors building the malware. The actors behind the builds appear to be most active over the weekend, slowing down from Wednesday through Friday. The graph below shows the number of builds on each day of the week.

[Graph: samples built daily]

On Monday, Tuesday and Wednesday the active hours of operation are from 06:00 to 21:00 UTC. On Thursday the active hours are from 16:00 to 01:00 UTC. On Friday the hours of operation are from 11:00 to 23:00 UTC. Saturday and Sunday are very busy days, starting at 09:00 and slowing down around 23:00 UTC. The graph below shows the peak hours on each day.

[Graph: number of samples built by the hour]

The malware samples listed below were built during hour 21 (21:00 UTC). This implies the actors were actively building their tools during that timeframe.



A handful of samples were also built during hour 17 (17:00 UTC).



The remaining malware samples were built at various hours of the day with no common pattern.
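The weekday and hour-of-day bucketing used above can be reproduced from the PE header of each sample. The following is an added example, not the page's own tooling: it assumes the build time is taken from the COFF header's TimeDateStamp (the post does not say how the build times were obtained, and a builder can forge this field), and the samples it processes are constructed minimal PE stubs rather than real njRat binaries.

```python
"""Bucket sample build times by weekday and hour (UTC) from the PE
COFF header TimeDateStamp.

Added example, not the page's own code. Assumption: build time is
IMAGE_FILE_HEADER.TimeDateStamp, which a builder can forge; the page
does not state its method. Sample inputs below are constructed stubs.
"""
import struct
from collections import Counter
from datetime import datetime, timezone


def compile_timestamp(data: bytes) -> int:
    """Return TimeDateStamp from a PE file's COFF header.

    Layout: 'MZ' DOS header, e_lfanew (uint32 at 0x3C) points to
    'PE\\0\\0', followed by IMAGE_FILE_HEADER:
    Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    Raises ValueError for anything that is not a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 12 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def build_bucket(ts: int):
    """Map a Unix timestamp to (weekday name, hour) in UTC."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    return dt.strftime("%A"), dt.hour


def summarize(samples):
    """Count builds per weekday and per hour; non-PE input is skipped."""
    by_day, by_hour = Counter(), Counter()
    for blob in samples:
        try:
            ts = compile_timestamp(blob)
        except ValueError:
            continue
        day, hour = build_bucket(ts)
        by_day[day] += 1
        by_hour[hour] += 1
    return by_day, by_hour


def make_pe_stub(ts: int) -> bytes:
    """Constructed minimal PE-like blob (test data, not a real sample):
    DOS header with e_lfanew=0x40, PE signature, COFF header with the
    given TimeDateStamp."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x102)
    return dos + b"PE\0\0" + coff


def _utc(y, m, d, hh, mm):
    return int(datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp())


# Constructed sample set: four stubs plus one non-PE blob.
SAMPLES = [
    make_pe_stub(_utc(2016, 1, 30, 21, 15)),  # Saturday 21:00 UTC
    make_pe_stub(_utc(2016, 1, 31, 9, 40)),   # Sunday   09:00 UTC
    make_pe_stub(_utc(2016, 2, 1, 21, 5)),    # Monday   21:00 UTC
    make_pe_stub(_utc(2016, 2, 4, 17, 30)),   # Thursday 17:00 UTC
    b"not a pe file at all",                  # skipped
]


def run_example():
    return summarize(SAMPLES)


if __name__ == "__main__":
    days, hours = run_example()
    print("by day:", dict(days))
    print("by hour:", dict(hours))
```

The TimeDateStamp is only a hint: a builder that zeroes or randomizes it (or a .NET compiler that emits a deterministic non-time value) will skew the histogram, so a practitioner would cross-check against first-seen times from the sample feed before drawing conclusions about working hours.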

Command and control oddities

Analysis of the C2s revealed the following.

The following C2s were hardcoded addresses (the IP and rDNS columns of the original table were not preserved in this copy; the remaining columns are reproduced as extracted):

City | Country | ASN | Organization
Chicago | United States | 6461 | FDCservers.net (rDNS fragment: "Co.ltd")
Horizonte | Brazil | 7738 | Oi Velox SAS Newest Telecommunication Ltd.
Amman | Kingdom of Jordan | 9038 | Batelco Jordan
das Ostras | Brazil | 28658 | Gigalink de Nova Friburgo Soluções em Rede Multimi
Muscat | Oman | 28885 | General Telecommunication Organization
Unknown | United States | 57858 | Inter Connects Inc

194 unique hosts were dynamic DNS hosts. The dynamic DNS providers observed were the following: no-ip, dDNS and thinDNS. See the appendix for indicators.
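Splitting a set of extracted C2 strings into hardcoded IP addresses and dynamic DNS hostnames, and counting unique hosts per provider, is the triage step behind the numbers above. The block below is an added example and not the page's own code. It assumes C2 entries are extracted as "host:port" strings, maps hostnames to providers by domain suffix (the No-IP suffixes listed are No-IP's public domains; the "dDNS" and "thinDNS" providers named in the post are not in the map and an analyst would add their suffixes), and runs over a constructed list of entries, not the post's indicators.

```python
"""Classify extracted C2 strings as hardcoded IPs vs dynamic DNS hosts
and count unique hosts per provider.

Added example, not the page's own tooling. Assumptions: entries are
"host:port" strings; the suffix map below is illustrative (No-IP public
domains plus DynDNS) and does not cover every provider the post names.
"""
import ipaddress
from collections import Counter

# Provider -> registrable domains it hands out (assumed/illustrative list).
DDNS_SUFFIXES = {
    "no-ip": (
        "no-ip.org", "no-ip.biz", "no-ip.info", "ddns.net", "hopto.org",
        "zapto.org", "sytes.net", "serveftp.com", "servehttp.com",
        "redirectme.net", "myftp.biz", "myftp.org",
    ),
    "dyndns": ("dyndns.org", "dyndns.info", "dyndns-ip.com"),
}


def parse_c2(entry: str):
    """Split 'host:port' into (normalized host, port or None)."""
    entry = entry.strip()
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit():
        host, port = entry, None
    host = host.lower().rstrip(".")
    return host, (int(port) if port else None)


def classify(host: str):
    """Return (kind, provider): kind is 'hardcoded-ip', 'dynamic-dns'
    or 'hostname'; provider is set only for dynamic DNS hosts."""
    try:
        ipaddress.ip_address(host)
        return "hardcoded-ip", None
    except ValueError:
        pass
    for provider, suffixes in DDNS_SUFFIXES.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return "dynamic-dns", provider
    return "hostname", None


def summarize(entries):
    """Count unique hosts by kind and dynamic DNS provider."""
    seen = set()
    kinds, providers = Counter(), Counter()
    for entry in entries:
        host, _port = parse_c2(entry)
        if not host or host in seen:
            continue  # de-duplicate on host, ignoring port and case
        seen.add(host)
        kind, provider = classify(host)
        kinds[kind] += 1
        if provider:
            providers[provider] += 1
    return kinds, providers


# Constructed C2 strings for illustration; not indicators from the post.
C2_ENTRIES = [
    "victim-panel.no-ip.biz:1177",
    "VICTIM-PANEL.no-ip.biz:1177",   # duplicate, different case
    "hackerz2016.ddns.net:5552",
    "rat.zapto.org:1177",
    "198.51.100.23:1177",
    "203.0.113.9:5552",
    "c2.example.net:1177",            # plain hostname, no known provider
    "myhome.dyndns.org:1177",
]


def run_example():
    return summarize(C2_ENTRIES)


if __name__ == "__main__":
    kinds, providers = run_example()
    print("kinds:", dict(kinds))
    print("providers:", dict(providers))
```

Counting on the registrable suffix rather than the full hostname matters for blocking decisions: a dynamic DNS host can be re-pointed to a new IP by the operator at any time, so the hostname, not the resolved address, is the durable indicator.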


The njRat trojan proved to be very active during the timeframe of the analysis. The majority of the builds observed continue to use dynamic DNS for their command and control operations. Several versions were observed, but 0.6.4 appears to be the most popular. The geographical distribution of the builds was also interesting: Brazil appears to be the most active region, followed by North Africa and the Middle East.

About the Author

Luis Mendieta

Luis Mendieta is a senior security researcher who enjoys poking inside malware and building automated systems to process threat data. He has 5 years in the security industry, focusing on intelligence and research. Currently at Anomali, Luis researches the latest malware families and builds tools that allow for faster analysis and processing. Previously, he worked as a senior threat analyst at Verizon, supporting cyber security incident response engagements with cyber intelligence capabilities. Prior to Verizon he worked at Terremark as a SOC analyst 2, then moved up the ranks to become an investigations analyst. Luis enjoys playing scenario paintball, running and the outdoors.
