[Studying] Analyzing njRAT Danger Edition 2020

Introduction

This article is part of my series: Inside Different Generations of RATs and part of the njRAT Family.

If you are interested in the full series, please refer to the linked pages above.

This article presents an analysis of njRAT Danger Edition 2020, with a particular focus on its newly introduced features.

Key Takeaways

  • This version contains several defective features
  • The Ransomware functionality is likely inspired by WannaCry
  • The graphical user interface resembles that of Cobalt Strike (or Armitage, although it lacks pivoting capabilities)

njRAT Danger Edition 2020

njRAT Danger Edition 2020 (for convenience, “the 2020 version” in this article) is the third version of the Danger Edition.

Compared to the previous version (2018), it introduces more features (although some of them are defective).

About

Experimental Environment

To safely conduct malware analysis, the environment should be isolated using virtual machines. Under no circumstances should malware be executed on a personal or production system.

Tool                     Description
ExeInfo PE               Detect packers, compilers, and basic file metadata
Detect It Easy (DIE)     Identify packers, protectors, and signatures
Wireshark                Network traffic analysis
de4dot                   .NET de-obfuscation
dnSpy                    .NET reverse engineering and debugging
pestudio                 Static PE analysis tool

Device                   IP Address      Description
Windows 7 x64 (VM)       192.168.85.5    Victim machine
Windows 10 x64 (VM)      192.168.85.3    Analysis machine

The two virtual machines were configured within an isolated internal network to prevent unintended external communication. If you want to know how to set up your experimental environment, please view:

Usage

Note: To distinguish the terms “server”, “client”, “controller” and “payload”, please refer to this section.
Some features are not easily observable, so they will be explained in the reverse engineering section instead of being shown in this section.

The graphical user interface of the controller application is shown below:

Controller application

Generate the payload using the provided builder:

Builder

After deploying the payload on the target machine, the compromised machine appears in the controller application once the connection is established:

Controller application

File Manager


Connected UDP


Info


Hide (Hidden) RDP

The 2020 version provides hidden RDP. I will analyze this feature in the reverse engineering section.

RDP

Funny


Ransomware

The 2020 version provides Ransomware capabilities. However, it is not user-friendly since attackers are required to specify target files (not directories!) one by one manually:

In addition, the implementation appears to be defective.

The dialog still appears even when attackers do not configure any target files

Crashed for unknown reason

Protocol Analysis

As with the versions covered in the previous analysis articles, the 2020 version transfers data in plain text without any protection.

Reverse Engineering

Since the implementation of this variant is almost identical to njRAT v0.7, I only focus on the new features in this section.

Payload

Open the payload using ExeInfo PE and DIE (Detect It Easy):

ExeInfo PE

DIE

DIE — Entropy

Open the payload using dnSpy:

main()

ko()

Hidden RDP

Create account

Enable Terminal Server for remote desktop

Install RDP

The mechanism of the Hidden RDP is described as follows:

  1. Create local user
  2. Add user to the Administrators group
  3. Set hidden description
  4. Enable RDP
Execution flow of the payload (diagram source):

```mermaid
graph TD
    subgraph Execution_Flow [Malware Execution]
        A[Start: njRAT Payload] --> B[Initialize Invisible Form]
        B --> C[Check Architecture: x86/x64]
    end
    subgraph Privilege_Escalation [Account Provisioning]
        C --> D[Create Local User]
        D --> E[Add User to Administrators Group]
        E --> F[Set Hidden Description: Unicode Space]
    end
    subgraph Stealth_Persistence [Registry & Environment]
        F --> G[Enable RDP: fDenyTSConnections = 0]
        G --> H[Hide User from Login Screen: SpecialAccounts/UserList]
        H --> I[UAC Bypass Indicator: Write UAC.Temp]
    end
    subgraph Payload_Injection [Code Obfuscation]
        I --> J[Read Embedded Resource: byte array]
        J --> K[Decompress: 4-Layer GZip]
        K --> L[Process Hollowing: Inject into vbc.exe]
    end
    style A fill:#f9f,stroke:#333,stroke-width:2px,color:#000
    style L fill:#f66,stroke:#333,stroke-width:2px
    style H fill:#69f,stroke:#333,stroke-width:2px,color:#000
    style L color:#000
```

This raises a question: if RDP (Remote Desktop Protocol) is enabled, how can attackers connect to a compromised machine that sits behind NAT when they only know its public IP?

The answer is: attackers can use the provided reverse proxy feature.
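A defender's check for the Hidden RDP indicators listed above, as an added example that is not part of the original article. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module (Get-LocalUser, Get-LocalGroupMember), an elevated prompt, and the registry locations named in the diagram.

```powershell
# Added example, not code from the article: audits a Windows host for the
# hidden-RDP indicators described above. Assumes Windows PowerShell 5.1+ with
# the LocalAccounts module (Get-LocalUser), run from an elevated prompt.
function Get-HiddenRdpIndicators {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Indicator 1: RDP enabled (fDenyTSConnections = 0)
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0) {
        $findings.Add('RDP is enabled (fDenyTSConnections = 0)')
    }

    # Indicator 2: accounts hidden from the logon screen via SpecialAccounts\UserList
    $ulKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    $hidden = @()
    if (Test-Path $ulKey) {
        $hidden = @((Get-ItemProperty -Path $ulKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
            ForEach-Object { $_.Name })
        foreach ($n in $hidden) { $findings.Add("Account hidden from logon screen: $n") }
    }

    # Indicator 3: local Administrators members that are hidden, or whose description
    # is nothing but whitespace (the Unicode-space description noted above)
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object { ($_.Name -split '\\')[-1] })
    foreach ($u in Get-LocalUser) {
        $blankDesc = $u.Description.Length -gt 0 -and [string]::IsNullOrWhiteSpace($u.Description)
        if ($admins -contains $u.Name -and ($blankDesc -or $hidden -contains $u.Name)) {
            $findings.Add("Suspicious administrator account: $($u.Name)")
        }
    }
    return $findings
}

Get-HiddenRdpIndicators
```

An empty result means none of the three indicators was present; Get-LocalUser is not available on the Windows 7 victim VM, so run this on hosts with a modern PowerShell.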

VB.NET Compiler

The 2020 version provides a VB.NET compiler for remote code execution:

Compile()

Ransomware

After further investigation, I now clearly understand the mechanism and the weaknesses of this feature.

The Ransomware feature encrypts the specified files with 3DES, using a key derived from an MD5 hash.

Encrypt()

In addition, it sets itself as a critical process to avoid termination (if you are interested in the underlying mechanism, please refer to this article).

Critical Process

However, the secret key is constant, which means every victim can use the same secret to decrypt their files (although I think the decryption routine is incomplete and defective; fortunately, the encryption user interface is also not user-friendly for attackers).
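The MD5-to-3DES key pattern and the consequence of a constant key, as an added example written for this article rather than the sample's own code: it calls the same .NET classes a VB.NET implementation would use, so one passphrase recovers every victim's files. ECB mode, PKCS7 padding and the placeholder passphrase are assumptions, not values taken from the sample.

```powershell
# Added example, not code from the sample or the article. Reproduces the
# MD5 -> 3DES key derivation described above with .NET classes; ECB/PKCS7 and
# the placeholder passphrase are assumptions, not values from the sample.
function Get-TripleDesKeyFromMd5 {
    param([string]$Passphrase)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try {
        # 16-byte digest => two-key 3DES (K1, K2 with K3 = K1), which .NET accepts
        return $md5.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Passphrase))
    } finally { $md5.Dispose() }
}

function Invoke-TripleDes {
    param([byte[]]$Data, [byte[]]$Key, [switch]$Decrypt)
    $tdes = [System.Security.Cryptography.TripleDES]::Create()
    try {
        $tdes.Key = $Key
        $tdes.Mode = [System.Security.Cryptography.CipherMode]::ECB       # assumption
        $tdes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7  # .NET default
        $xf = if ($Decrypt) { $tdes.CreateDecryptor() } else { $tdes.CreateEncryptor() }
        try { return $xf.TransformFinalBlock($Data, 0, $Data.Length) } finally { $xf.Dispose() }
    } finally { $tdes.Dispose() }
}

# Demonstration on constructed data. Because the key never changes, the same
# derived key that encrypted the bytes also decrypts them for every victim;
# for real recovery, replace the placeholder with the constant read from the
# sample (e.g. in dnSpy) and feed the encrypted file bytes to -Decrypt.
$constantKey = Get-TripleDesKeyFromMd5 -Passphrase 'PLACEHOLDER_HARDCODED_PASSPHRASE'
$plain     = [System.Text.Encoding]::UTF8.GetBytes('constructed victim file contents')
$encrypted = Invoke-TripleDes -Data $plain -Key $constantKey
$recovered = Invoke-TripleDes -Data $encrypted -Key $constantKey -Decrypt
[System.Text.Encoding]::UTF8.GetString($recovered)
```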

Conclusion

This article presents an analysis of njRAT Danger Edition 2020. Compared to the version covered in the previous article, it introduces more functionality, although several features are poorly implemented or incomplete.

Initially, I was surprised by its multiple features, even though I was not fully familiar with their underlying principles and implementations.

However, after further investigation, some features turned out to be not as robust (or advanced) as initially expected.

At the time of writing, I only found three versions of the Danger Edition branch. Therefore, this article is probably the last analysis article of the Danger Edition. Of course, I will try to find any other versions of this branch.

If you have any comments or suggestions, please feel free to leave them below!

THANKS FOR READING