[Studying] Analyzing njRAT Danger Edition 2017
Introduction
This article is part of my series: Inside Different Generations of RATs and part of the njRAT Family.
If you are interested in the full series, please refer to the linked pages above.
Key Takeaways
- It is based on njRAT v0.7
- Some features are relatively primitive
- Some features are incomplete
njRAT Danger Edition 2017
njRAT Danger Edition is a variant of the njRAT Family and is based on njRAT v0.7.
njRAT Danger Edition was initially released in 2017 by FranhSko.
Based on information available online, the author was reportedly active on the dark web at the time of release. However, this information cannot be fully verified.
At the time of writing, there are three versions of njRAT Danger Edition available online: 2017, 2018 and 2020. The later versions will be analyzed in future articles.
This article focuses on njRAT Danger Edition 2017 and analyzes its underlying mechanisms.
Experimental Environment
To safely conduct malware analysis, the environment should be isolated using virtual machines. Under no circumstances should malware be executed on a personal or production system.
| Tool | Description |
|---|---|
| ExeInfo PE | Detect packers, compilers, and basic file metadata |
| Detect It Easy (DIE) | Identify packers, protectors, and signatures |
| Wireshark | Network traffic analysis |
| de4dot | .NET de-obfuscation |
| dnSpy | .NET reverse engineering and debugging |
| pestudio | Static PE analysis tool |
| Device | IP Address | Description |
|---|---|---|
| Windows 7 x64 (VM) | 192.168.85.5 | Victim machine |
| Windows 10 x64 (VM) | 192.168.85.3 | Analysis machine |
The two virtual machines were configured within an isolated internal network to prevent unintended external communication. If you want to know how to set up your experimental environment, please view:
- How to Setup Your Experimental Environment for Malware Analysis
- Installing VMware Tools on Windows XP and Windows 95 with VMware WorkStation 17
Usage
Note: To distinguish the terms “server”, “client”, “controller” and “payload”, please refer to this section.
Some features are not easily observable, so they will be explained in the reverse engineering section instead of being shown in this section.
The graphical user interface of the controller application is shown below:
Build the payload using the provided builder. Note that njRAT Danger Edition provides two builder panels. These will be analyzed in the reverse engineering section.
In this article, I used the first and second builder to generate server.exe and Patsh.exe respectively.
After deploying the payload on the target machine, the compromised machine appears in the controller application once the connection is established.
File Manager
Process Manager
Connections
Registry
Remote Shell
Monitor (Remote Desktop)
Funny
VPN
This feature will be analyzed in the reverse engineering section.
Protocol Analysis
As in njRAT v0.7, the data is transferred in plain text without any protection. Some fields are encoded using Base64 and hashed for validation.
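As an added example (not code from the article), here is a small Python decoder that a defender could run over a captured TCP stream to split and inspect njRAT-style messages, with a Base64 pass over each field as described above. It assumes the njRAT v0.7 framing reported in public analyses, which the article does not spell out (a decimal length, a NUL byte, then fields joined with `|'|'|`); the sample bytes are constructed, not a real capture.

```python
import base64
import binascii
import re
# Framing assumed from public njRAT v0.7 write-ups (this page does not spell it out):
# each message is "<decimal length>\x00<body>" and body fields are joined with |'|'|.
SEP = b"|'|'|"
FRAME_HEADER = re.compile(rb"(\d+)\x00")

def split_frames(stream: bytes) -> list:
    """Return [(body, complete), ...]; a trailing partial frame has complete=False."""
    frames, pos = [], 0
    while pos < len(stream):
        m = FRAME_HEADER.match(stream, pos)
        if not m:
            raise ValueError(f"no frame header at offset {pos}")
        length = int(m.group(1))
        body = stream[m.end():m.end() + length]
        frames.append((body, len(body) == length))
        if len(body) != length:
            break  # stream ends mid-frame; caller should buffer more bytes
        pos = m.end() + length
    return frames

def maybe_b64(field: bytes):
    """Decode a field as Base64 if it is well-formed and yields printable UTF-8, else None."""
    if len(field) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+=*", field):
        return None
    try:
        text = base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def parse_frame(body: bytes) -> dict:
    """Split one body into the command keyword and (raw, decoded) field pairs."""
    fields = body.split(SEP)
    return {"command": fields[0].decode("latin-1"),
            "fields": [(f.decode("latin-1"), maybe_b64(f)) for f in fields[1:]]}

def looks_like_njrat(stream: bytes) -> bool:
    """Detection heuristic: any complete frame whose body contains the |'|'| separator."""
    try:
        return any(ok and SEP in body for body, ok in split_frames(stream))
    except ValueError:
        return False

# Constructed sample (not a real capture): a registration-style frame carrying a Base64
# victim id, a one-byte keep-alive, and a third frame cut off before its body ends.
_BODY1 = b"ll" + SEP + base64.b64encode(b"VICTIM_1234") + SEP + b"Win7 x64"
SAMPLE = str(len(_BODY1)).encode() + b"\x00" + _BODY1 + b"1\x00P" + b"11\x00inf|'|'|a"
```

Because the traffic is unencrypted, the same split-and-decode step works directly on a Wireshark "Follow TCP Stream" export of a suspected session.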
Reverse Engineering
Payload
As mentioned earlier, I generated server.exe and Patsh.exe via Builder 1 and Builder 2, respectively.
server.exe is compressed using Mpress. Therefore, I used de4dot to decompress it and saved it as server_cleaned.exe.
Open server_cleaned.exe and Patsh.exe using ExeInfo PE and DIE (Detect It Easy):
Open server_cleaned.exe using dnSpy:
After further investigation, I believe that the core functionalities of Patsh.exe and server_cleaned.exe are identical, with only minor differences in naming and API usage. Therefore, the following analysis focuses on a single payload.
Spread the Disk
USB Spreading
This functionality appears to be incomplete, as the spreading routine is not invoked during the initial execution phase.
Process Protection (BSOD)
The payload attempts to protect itself by marking its process as critical:
If you are interested in this mechanism, please refer to this article.
Controller Application
In this section, I focused on specific features, as most functionalities are identical to njRAT v0.7.
The controller application is not packed, so it can be directly analyzed using dnSpy.
VPN
The controller application provides a VPN feature. However, after further investigation, this functionality does not significantly improve attacker anonymity.
The mechanism is summarized below:
Other Features
Although the builder panel provides many options, several of them appear to be incomplete or non-functional.
Conclusion
This article presents an analysis of njRAT Danger Edition 2017, which is based on njRAT v0.7.
However, some features are less advanced than initially expected, and several appear to be incomplete or poorly implemented, suggesting a lack of maturity in this version.
THANKS FOR READING