njRAT injector code analysis

Shimasakisan
5 min read · Jul 23, 2020

Today we are analyzing an injector generated by the njRAT malware. This injector is often referred to as Bladabindi by AV engines. These are the hashes of the sample used:

MD5: 6a8e751dda2523f26223f2ae2bd55487
SHA-1: f6c1afc9ebe1ccba5bbaa8da4d1186b8c41b8f60
SHA-256: 36ef054942195766acc955222f3f4396f47bdc76fc18f24c08f586717ed461d6

Summary

  • .NET-based RAT, probably written in Visual Basic; targets .NET Framework 2.0.
  • Out of the box, it runs a keylogger.
  • Receives further code from the C&C server to perform additional actions.
  • Copies itself to the TEMP directory and persists through the registry \CurrentVersion\Run key and the Startup folder.
  • This particular sample connects to its C2 at 80.236.91.167:5552.
  • No anti-debug or anti-sandbox checks, but the code is obfuscated.

Static code analysis

This is a .NET executable. I’ll use dnSpy to export the code and to debug it while documenting the behavior. I’ll then open the exported code in Visual Studio to analyze it statically and rename symbols at will.

Right after start, it creates a Mutex to check whether it is already running.

Persistence

First, it copies itself into the temp directory (taken from the TEMP environment variable) under the name “IMG2020–12–23.exe”:

Then it sets persistence in the HKCU\Software\CurrentVersion\Run entry,

and also copies itself into the Startup folder:

Firewall

It uses netsh to allow itself through the Windows firewall.

Other details

Sets the environment variable “SEE_MASK_NOZONECHECKS” to 1. The injector itself does not use this variable afterwards; it is probably consumed by later stages of the malware (see the plugins below).

It can register itself to be notified when the user logs off, and it sets the process critical flag, so it is harder to remove from the system: killing it can lead to a system crash. The trick is described here: https://appsec-labs.com/portal/protecting-a-windows-application-from-premature-termination/

It then enters a continuous loop that performs some checks:

  • Sets the minimum working set to 1MB (memory).
  • Every 8 seconds, checks the current active window title and, if it has changed, sends it to the C2 (the name is encoded as a UTF-8 byte array, then base64).
  • Every second, sets the registry persistence entry in HKLM\CurrentVersion\run again (in case the user removes it). It keeps re-adding it for as long as the process is running.
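A defender-side check for the behaviour above, written as an added example rather than code from the post: the script below scans constructed Sysmon-style registry and process-creation records for a Run value pointing into a Temp directory, the once-per-second re-arming of that value, and the netsh firewall exception. The value name, paths and the netsh command line are assumptions, not values taken from the sample.

```python
"""Triage helper for the persistence behaviour described above (added example,
not code from the original post): flags a Run-key value pointing into a Temp
directory, a process that keeps re-setting the same Run value, and a netsh
firewall exception.  All event records below are constructed Sysmon-style
records (type 13 = registry value set, type 1 = process create), not telemetry
captured from the sample."""
from collections import defaultdict

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\IMG2020-12-23.exe"        # constructed
RUN_VAL = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IMG2020"   # constructed value name

EVENTS = (
    [{"type": 1, "ts": 0.0, "pid": 4242,
      "cmdline": 'netsh firewall add allowedprogram "%s" "IMG2020" ENABLE' % TEMP_EXE}]
    # the RAT's loop re-sets its Run value roughly once per second
    + [{"type": 13, "ts": 1.0 + i, "pid": 4242, "target": RUN_VAL, "data": TEMP_EXE}
       for i in range(8)]
    # a benign, one-off Run entry from a program living outside Temp
    + [{"type": 13, "ts": 3.5, "pid": 1001,
        "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"}]
)

def triage(events, repeat_threshold=5, window_s=10.0):
    """Return (rule, pid, detail) findings; each rule fires at most once per pid/target."""
    findings, writes = [], defaultdict(list)   # writes: (pid, target) -> timestamps
    for ev in events:
        if ev["type"] == 13 and "\\currentversion\\run\\" in ev["target"].lower():
            key = (ev["pid"], ev["target"].lower())
            if any(m in ev["data"].lower() for m in TEMP_MARKERS) and not writes[key]:
                findings.append(("run_key_points_to_temp", ev["pid"], ev["data"]))
            writes[key].append(ev["ts"])
        elif ev["type"] == 1:
            cmd = ev["cmdline"].lower()
            if cmd.startswith("netsh ") and "firewall" in cmd and "add" in cmd:
                findings.append(("netsh_firewall_exception", ev["pid"], ev["cmdline"]))
    for (pid, target), stamps in writes.items():
        stamps.sort()
        # N writes of the same value inside a window_s-second window = re-arming loop
        for i in range(len(stamps) - repeat_threshold + 1):
            if stamps[i + repeat_threshold - 1] - stamps[i] <= window_s:
                findings.append(("run_key_rearmed_in_loop", pid, target))
                break
    return findings

if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

The repeat threshold and window are tunable; the benign one-off OneDrive entry produces no finding, while the sample's process trips all three rules.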

Behavior

The malware creates two threads: one to handle communication with the C&C server, and a keylogger.

Communication with C&C thread

It will try to connect to the configured C&C IP address and port using a TCP connection and, once connected, it will process the commands received. This is probably the most interesting part of the malware. Here is a summary of the commands it supports:

ll: disconnects from the C&C server.

kl: sends the logs captured by the keylogger (see below).

prof: sets some registry values in the malware’s own entry (HKCU\Software\<mutexstring>).

rn: downloads and executes the file given as argument. The download is saved under a random name in the temp directory with a .exe extension.

inv: executes an inv plugin downloaded earlier, or downloads a plugin in the same stream containing a class named A. This DLL is saved in the registry as a binary entry under the malware’s own key (HKCU\Software\<mutexstring>); the name of the value is given as argument 1 to the inv command. If argument 3 is shorter than 10 bytes, it assumes that it should load existing plugin data from the registry. Several functions can be registered this way under different registry values and used later on. The class should have this layout:

  • property h (string) will receive C2 host address.
  • property p (string) will receive C2 host port.
  • property osk (string) will receive the 2nd argument sent with the inv command.
  • method start() will be called and the execution loop will spin until the property Off is set to true or the RAT disconnects.
  • property off (bool) will be set to true when execution is done.

ret: downloads a MSIL DLL in the same stream, containing a class named A, whose method string GT() is invoked. The string result of that method is sent back to the C2 server.

CAP: sends a screenshot back to the C&C.

un: uninstall, terminate or restart.

up: updates the installed RAT. It downloads the supplied URL (a zip file), unpacks it and replaces the currently running malware with the downloaded one.

Ex: executes the installed plugin. See the PLG command below.

PLG: downloads a .NET DLL containing a plugin. This DLL should contain a class named A, which is used as the entry point of the plugin. This type of plugin is able to communicate with the C&C server over the existing connection. It uses this interface:

  • property string H: receives the address of the C2 host.
  • property string P: receives the port of the C2 host.
  • property TcpClient c: receives the current TcpClient instance used to communicate with the C2.
  • clear() method: should perform any cleanup when the malware is shutting down.
  • ind() method: this is run by the Ex command, it’s the entry point of the plugin.

Keylogger thread

The keylogger uses the polling technique, calling GetAsyncKeyState to check the state of every key in a continuous loop.

It stores a buffer of up to 20,000 bytes in the registry with the keystroke record, including the title of the active window and a human-readable list of the keys pressed inside it. This record is sent to the C&C server upon connection and whenever requested.
