njRAT

3
Global rank
5
Month rank
6
Week rank
13831
IOCs

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Trojan
Type
Middle East
Origin
1 January, 2013
First seen
3 June, 2023
Last seen
Also known as
Bladabindi
Njw0rm

How to analyze njRAT with ANY.RUN

Trojan
Type
Middle East
Origin
1 January, 2013
First seen
3 June, 2023
Last seen

IOCs

IP addresses
3.142.167.4
209.25.141.181
193.27.12.10
209.25.141.212
3.64.4.198
209.25.141.194
141.8.192.151
1.1.1.1
46.183.187.61
104.22.48.74
172.67.20.89
141.95.84.40
209.25.141.223
91.109.190.3
194.87.151.75
188.116.145.233
102.156.150.127
18.136.148.247
18.139.9.214
18.141.129.246
Hashes
308293f7fd3893ebfebccf2d879fff6596708dfd22850e808e9211e4038c0953
f0064253880c737b594156d3e2d13c539a6712ca05d7d9e0b32107a6275d0982
17a66e2c27636489392e05df97d7c5f4735f2a2e2e1bae42b82505c68dd9b8c9
95026b172d2e0dfd1fba9b0892ecf5569605e0950b97d5af563f7a22b1409c4e
f3f3fee0e272e4766061161496cce13d0f018f837dac7f66078b13c1889ded20
ec2eeeaf0e2e9204cca91d7a16569883ff4898acfa1e3edd411dc98d5d39f500
530aaa67ab7c03edadfbbdfc3a352a9f0bdfd413063bab2f9f150f3899365144
36dc4bab14321855a59102fa29dae275ec0e85ec1c071ba9c2629682d3e804e3
686eb16ea290b1fc6b574fa3d8d12b235872ba9d2fd338e3bb68ddf537c2673a
700acf4d272ca742b28f545ad0745d1f5357c5a9a8516ec9d6b516ff411cef98
79696ff06ddab8b831190d37b360bb4befe7dfe1d7c2afb95584576fddecc220
d1222f381653d8c97ab6504f45f8bec4efbfe04d2fc216f3f30a5dd123d06873
5acc192328ff8da64e933aedb47108bf1e8caef9ebe4fe7846b080cdf8bc8428
97ec50a547356f6bcd294a20368256666395c0a58a371bfae0fb1295b5e1c17b
8a81c4593c14c03f61d8cd1e9f574344705fb1f3c6a970b16c852feb9b898b0e
19a983f53591fefea90fcd99603476bfec48f45522dbfdb4589d7971315d2cd8
5244a6ddd051c42fc0c8f012ae2be6cda6afeb629b4c70807ce2ed6d2507d195
07fa425039403fb7a4b08dc8511d2fdc41efa0248fd04bca026f97e91978a6bc
4e8e57f292f4bd8a2b3ec49356ed0c7e263e4ae14eebc6ac029cb73b916a9e5d
32c4797b62efdeabfab34d4ff2247f50ab1d956bf2f08f7c97dc6aaf42610848
Domains
njxyro.ddns.net
192-168-100-240.otmn.direct.quickconnect.to
192-168-100-240.otmn.direct.quickconnect.to
joemclean.duckdns.org
microsoftfixer.duckdns.org
fevertoxs.duckdns.org
adenere.duckdns.org
fevertox.duckdns.org
8.tcp.ngrok.io
move-liability.at.ply.gg
tips-longer.at.ply.gg
consider-brochure.at.ply.gg
browser-geology.at.ply.gg
american-command.at.ply.gg
bit-dedicated.at.ply.gg
its-tension.at.ply.gg
called-yemen.at.ply.gg
driver-computational.at.ply.gg
players-rights.at.ply.gg
body-scholarships.at.ply.gg
Last Seen at

Recent blog posts

recentPost
How to Create a Task in ANY.RUN:a Step-by-Ste...
watchers 306
comments 0
recentPost
ChatGPT for SOC and Malware Analysis professi...
watchers 5380
comments 0
recentPost
Deobfuscating the Latest GuLoader: Automating...
watchers 3235
comments 3

What is njRAT Malware?

njRAT, also called Bladabindi and Njw0rm is a remote access trojan that is used to remotely control infected machines. Because of its availability, excess of online tutorials, plenty of information, and a robust core feature set along with several implemented evading techniques made njRAT one of the most widely used RATs in the world.

This malware was detected for the first time in 2013, however, some related RATs have been observed by researchers in 2012. The highest surge of njRAT trojan attacks was recorded in 2014 in the middle east, which is the most targeted region for this malware.

General Information about njRAT

njRAT trojan is built on the .NET framework. This RAT gives hackers the ability to control the victim’s PC remotely. njRAT allows attackers to activate the webcam, log keystrokes, and steal passwords from web browsers as well as multiple desktop apps.

In addition, the malware gives hackers access to the command line on the infected machine. It allows to kill processes as well as remotely execute and manipulate files. On top of that, njRAT is capable of manipulating the system registry. When infected, Bladabindi trojan will collect several bits of information about the PC that it got into, including the name of the computer, operating system number, country of the computer, usernames, and OS version.

Also, this malware is able to target cryptocurrency wallet applications and steal cryptocurrency from PCs. For example, it is known to be able to grab bitcoins and even access credit card information which sometimes can be stored in crypto apps as a means to purchase cryptocurrency.

After infecting a computer the malware uses a variable name and copies into %TEMP%, %APPDATA%, %USERPROFILE%,%ALLUSERSPROFILE% or %windir% – a behavior not uncommon for this time of malware. It can also copy itself into <any string>.exe, to ensure that it will be activated every time the victim switches on their computer.

njRAT trojan has a few tricks up its sleeve to avoid detection by antivirus software. For example, it uses multiple .NET obfuscators to obstruct its code. Another technique that the malware uses is disguising itself into a critical process. This does not allow the user to shut it down. It also makes njRAT hard to remove from the infected PCs. Bladabindi RAT can also deactivate processes that belong to antivirus software, allowing it to stay hidden. njRAT also knows how to detect if it has been run on a virtual machine which helps the attackers to set up countermeasures against researchers.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Authors of Bladabindi are leveraging Pastebin to avoid investigation by cybersecurity researchers. njRAT downloads additional components and executes secondary-stage payloads from Pastebin. So, the malware has no need to establish a traditional command-and-control (C2) server. The Pastebin creates a pathway between njRAT infections and new payloads. With the trojan acting as a downloader, it will grab encoded data dumped on Pastebin, decode, and deploy.

For spreading, njRAT can detect external hard drives connected via USB. Once such a device is detected, the RAT will copy itself onto the connected drive and create a shortcut.

Who created njRAT?

Creators of njRAT are members of an underground hacker community named Sparclyheason. Evidently, they have created a very popular and destructive malware. njRAT was classified as “severe” by Microsoft Malware Protection Center.

In fact, following a large malicious campaign in 2014, Microsoft shut down four million websites in an effort to filter traffic that was going through no-ip.com domains.

njRAT malware analysis

ANY.RUN allows researchers to watch the njRAT in action in an interactive sandbox simulation.

njRAT execution process graph

Figure 1: Displays the lifecycle of njRAT in a visual form as a process graph generated by ANY.RUN malware hunting service

text report of the njRAT malware analysis

Figure 2: A customizable text report generated by ANY.RUN allows to take an even deeper look at the malware and helps to share the research results

njRAT execution process

In our simulation, after njRAT got into the target device and began execution it instantly started its malicious activity. Usually, the initial file renames itself and creates a child process. Sometimes njRAT trojan injects its code into legitimate processes such as RegSvcs.exe and RegAsm.exe.

The malware also has the ability to run itself through Task Scheduler. This child process executes the main malicious activity. Such activity includes stealing information, connecting to C2 servers, and changing the autorun value in the registry to run itself when the operating system starts.

Distribution of njRAT

njRAT trojan uses quite a few attack vectors to infect its victims. For example, the malware is known to target Discord users as part of spam campaigns. In addition, leverage cracks and keygens in well-known software in order to trick users. It installs malicious packages to infect the machine.

Another known distribution method was through a compromised website that tricked users into downloading a fake Adobe product update which in turn installed njRAT malware to the PC. Bladabindi was also featured in spam email campaigns. In this case, it was delivered to potential victims as a malicious attachment.

In October 2020 mailspam used the 'shipment tracking' theme, faking popular courier and postal services. Malicious packages contain attachments in Zip format with an encoded Visual Basic script (VBE) payload and components.

Moreover, crooks use cloud-based storage platforms more often. Attackers host malicious files there to deliver malicious software, and even use them as part of a command and control (C&C) architecture. That is why it's crucial to know general malware removal instructions and analyze viruses in a safe environment.

How to detect NJRAT using ANY.RUN?

To determine whether the sample under review is njRAT or not, you can take a look at the changes that it made in the registry. To do so, open the "Advanced details of process" of the malicious process and look at the "Registry changes" tab in the "Events" section. If a process has created a key with the name [kl] into the path HKEY_CURRENT_USER\Software\32_characters_and_digits, you can be sure that the given sample is njRAT.

njrat registry changes Figure 3: Сhanges made by njRAT in registry

Conclusion

The relative ease of operation, multiple tutorials on how to set up this malware, and very extensive information stealing feature set have made this RAT one of the most popular remote access trojans in the world.

Even though the peak of its activity was recorded in 2014 and targeted mostly the middle east and India, the njRAT trojan remains to be extremely popular today. This malware is known to have targeted both private and corporate victims and poses a lot of danger to internet users, especially considering that it can be delivered by packages to potential victims in several ways, and preventing infection is much harder in some cases than in others.

Even though Bladabindi malware creators have taken several steps to hinder the analysis, malware hunting services like ANY.RUN allows professionals to easily study njRAT malware samples or other RATs like Orcus RAT or WSHRAT and share the research results with the world to improve global cybersecurity.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy