Guest Blog Post: njRat Analysis with Volatility

This blog post was submitted by @Malware_Rat, a friend and mentor in the information security community.

njRat is an older Remote access Trojan known to give an attacker control over machines compromised by the malware. Credit for the initial file goes to @Scumbot for tweeting about an njRat sample posted on Pastebin. For the sake of this analysis the file has been named Remittance 20180323-9953-00.exe.

Remittance 20180323-9953-00.exe – njRat binary
SHA-256:
dacab3f01eaf2e8c59256124dc47ab03d472a46739918f707f752d9c8d473c1e
VirusTotal Link

njRat along with many other remote access Trojans will commonly host their command and control infrastructure on dynamic DNS domains, communicating over an encrypted channel.  The downside of this for typical network analysis is little information can be obtained beyond the hostname and SSL certificate in use.

Shown Above: A PCAP snippet of the C2 communication generated by the njRat sample.

This post will attempt to ascertain more information on a host infected with njRat through the use of the open source memory forensics framework Volatility.

The first step we will take is to identify the correct profile to use while analyzing the memory sample.  The imageinfo plugin can be used, however in this instance I opted for the kdbgscan plugin to obtain this information.

root@broadanalysis:~# python vol.py -f Desktop/MemSample.raw kdbgscan


Based on the suggested profile recommendation, we will use Win7SP1x64 for our profile.  Now that we have this information we can start gathering information on the infected machine, beginning with  processes and network connections.  Multiple Volatility commands can return process information.  In this instance we will be using pstree to list out process data in a tree format.

root@broadanalysis:~# python vol.py -f Desktop/MemSample.raw pstree

Looking through the above, one process that stands out is Windows Defend.  This may seem like a benign process name, however this is not the name which a legitimate Windows Defender process uses.  In addition to this, we see an instance of netsh.exe spawned from Windows Defend.

While it can be nice to view the above data in a tree format, one thing we miss out on by choosing this over one of the other plugins used to list processes is we do not have an exact start and exit time listed.  Running the pslist plugin can give us this additional information.

root@broadanalysis:~# python vol.py -f Desktop/MemSample.raw pslist

With the start and exit timestamps listed, we notice something else interesting.  The process netsh.exe appears to have started and exited at the same time.

To gather any network connections that the host may have initiated, we can scan for network artifacts using the netscan plugin.

root@broadanalysis:~# python vol.py -f Desktop/MemSample.raw netscan

Right away two entries stand out (shown above).  Examining these entries we see that the suspect process Windows Defend initiated a network connection to the Swedish IP address 93.182.171.134 over the non-standard port 1177. The IP appears to be associated with dynamic DNS domains.  While not indicative of malicious activity, dynamic DNS domains are often used within the infrastructure of remote access Trojans.

Now that we have reviewed process and network artifacts, having identified some suspect activity, lets continue to triage the system.  We can check to see what services are registered by using Volatility’s svcscan plugin.

root@broadanalysis:~# python vol.py -f Desktop/MemSample.raw svcscan

Another suspicious entry similar to the Windows Defend process stands out. Looking at the binary path it appears to be loaded into an instance of svchost.exe.

Our next step is to review the Master File Table (MFT) entries.  This can be done with the mftparser plugin.  So far we have seen a few suspect pieces of evidence referencing Windows Defender.  Since this is a known artifact, we can begin by saving a copy of the MFT entries and searching for Windows Defender references. If any results are found, we can then take the creation timestamp for the MFT entry and attempt to identify any other suspicious entries with similar timestamps.

root@broadanalysis:~# python vol.py -f Desktop/MemSample.raw mftparser –output-file=Desktop/njRatEvidence/MFTParser.txt

Shown above we see three files with a creation date of 2018-03-25 00:14:05 UTC, including

  • Windows Defender.exe
  • 07db318145681dc5e0cbb8c76a1a4fa9.exe
  • TMP000000A901E8CAA0638F55E1

Researching the above information reveals an njRat configuration file on malwareconfig.com referencing a sample with an installation name of Windows Defender.exe and a registry value listed as 07db318145681dc5e0cbb8c76a1a4fa9. This gives us further supporting evidence to link the signs of compromise back to the initial njRat sample.

Further digging within the MFT entries reveal our initial sample listed as well:


At this point we have quite a bit of evidence to link this back to njRat, but let’s see what else we can find.  Knowing that the process Windows Defend (pid:2400) is likely malicious, lets dump its memory and search its strings for anything interesting.  We can dump the process memory using the memdump plugin.

  1. root@broadanalysis:~# python vol.py -f Desktop/MemSample.raw memdump -p 2400 –dump-dir=Desktop/njRatEvidence/
  2. Strings Desktop/njRatEvidence/2400.dmp > 2400.txt

Searching through the strings reveals the dynamic DNS domain id7oomz.ddns[.]net, a known njRat C2 server.  Performing a WHOIS lookup on the domain shows it currently resolves to 93.182.171[.]134, the C2 IP address identified earlier.

Evidence of keylogging was also observed within the strings.  Prior to taking the memory dump, I performed multiple Google searches for bankofamerica.  This search is shown in the snippet below:

The last two plugins we will run are userassist and printkey.  The userassist plugin shows programs executed on a Windows machine, including the count of times executed and the timestamp of when execution last took place.   The below data shows us the original malware sample which infected the host.  This is one area that can be used to check for execution.  Other great forensic resources to investigate for file execution include shimcache entries and prefetch files.

root@broadanalysis:~# python vol.py -f Desktop/MemSample.raw userassist

Finally we will check if the malware has any persistence mechanisms in place.  The area we will check in this instance is the Run registry key.  As shown below, there is a registry value within the Run key for Windows Defender.exe, causing this malware file to be executed upon user login.

root@broadanalysis:~# python vol.py -f Desktop/MemSample.raw printkey -K “Software\Microsoft\Windows\CurrentVersion\Run”

There are many additional areas that can be explored with Volatility than what was covered above, however by looking at the data obtained from memory we can see a greater amount of detail that otherwise would not have been available if we only had a packet capture from the infected machine.  A summary of findings can be viewed below.

Summary of Findings:

  • A malicious Process titled Windows Defender.exe (69f670be3277ef484bc1f702dc52eb8b) was identified.
  • Windows Defender.exe is a known installation name for njRat. A spawned instance of netsh.exe was also observed. Using netsh.exe to modify Windows Firewall settings is known behavior for njRat.
  • Network communication to the external host 93.182.171.134:1177 was observed from the malicious  Windows Defend process.
  • Reviewing the strings of the Windows Defender.exe process show signs of keylogging activity.
  • A file titled 07db318145681dc5e0cbb8c76a1a4fa9.exe was found within the Master File Table. This filename matches the registry value of a known njRat configuration sample.  In addition to the MFT entries, this filename was found as a registry value under the Software\Microsoft\Windows\CurrentVersion\Run key.