100 Days of YARA – Day 15: njrat

Malware Bazaar: https://bazaar.abuse.ch/browse/signature/njrat/

njrat was written in Visual Basic. The source code has been leaked, and samples have been observed in the wild which have been modified/customized by attackers:

0c588a633e7979a81579f3317dd735884f660ccc7b78ebf20be8654f2546a915.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
48cc6bd83e2933df14dafd0ed0e119215ed134fc57167b768c48202b54d4bb41.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
4ef128a8ae0eb9a7ab045791ddcfd834f173ad5cb98dd51c9cc84fb99f8cbef2.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
5a89e39ab6b87ed1d0810009c093db235fca513f11a49d13653dfb26534cb265.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Analyzing a few samples, I was able to find some unique command line strings. I wrote a one-liner to find common strings within these samples:

for i in *.exe; do strings $i | sort | uniq; ; done | sort | uniq -c | sort -n

I ended up with this YARA rule:

rule njrat
{
	meta:
		description = "njrat"

	strings:
		$c1 = "cmd.exe /k ping 0 & del " ascii wide
		$c2 = "cmd.exe /c ping 0 -n 2 & del" ascii wide
		$c3 = "ping -n 3 127.0.0.1 & copy /Y" ascii wide

		$g1  = "get_OSFullName"
		$g2  = "get_OSVersion"
		$g3  = "get_Parent"
		$g4  = "get_Position"
		$g5  = "get_PrimaryScreen"
		$g6  = "get_Registry"
		$g7  = "get_ServicePack"
		$g8  = "get_UserName"
		$g9  = "get_Width"
		$g10 = "get_Default"

	condition:
		any of ($c*) or 6 of ($g*)
}

YARA Rules Index

2 thoughts on “100 Days of YARA – Day 15: njrat

  1. Pingback: YARA Rules Index – DMFR SECURITY

  2. Pingback: Week 02 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s