<p>During the course of two weeks, ThreatStream labs team came across a series samples related with the infamous trojan called njrat. Labs team decided to analyze 366 samples in order to understand a little bit more about the following:</p><ul><li>Geographic distribution</li><li>Versions that are more prevalent</li><li>Understand what are the hours of operation in which the actors build the malware</li></ul><h3>Geographic distribution</h3><p>During the course of our investigation we discovered that most of the command and control activity was concentrated in two regions: Brazil and parts of north Africa and middle east. The map below shows a geographical distribution of the command and control servers observed.</p><p><img alt="geographic distribution of njRat" src="https://cdn.filestackcontent.com/ras7U1y1RgKBSQv2ji2G"/></p><h3>Versions that are more prevalent</h3><p>On the course of our analysis we discovered the prevalence of the following njrat versions: 0.3.6, 0.4.1a, 0.5.0E, 0.6.4, 0.7.1, and 0.8d. The breakdown of the NjRat versions go as follows:</p><table class="table table-striped" style="width: 20px;"><thead><tr><th scope="col">Version</th><th scope="col">Samples Observed</th></tr></thead><tbody><tr><td>0.3.6</td><td>20</td></tr><tr><td>0.4.1</td><td>10</td></tr><tr><td>0.5.0E</td><td>2</td></tr><tr><td>0.6.4</td><td>311</td></tr><tr><td>0.7.1</td><td>2</td></tr><tr><td>0.8.d</td><td>21</td></tr></tbody></table><p>The version that was the most prevalent was version 0.6.4 followed by version 0.8.d and 0.3.6.</p><h3>Actor's hours of operation</h3><p>An interesting aspect of this analysis was the hours of operation observed from the actors that were building the malware. The actors behind the builds seem to be more active during the weekend and slowing down starting Wednesday all the way to Friday. The graph below reflects the numbers of builds on a given day.</p><p><img alt="Samples Built Daily" src="https://cdn.filestackcontent.com/5FPgQ0PHTraLV5wDzeih"/></p><p>On Monday, Tuesday and Wednesday the active hours of operation are from 6am to 21pm UTC. On Thursday the active hours of operations are from 16pm to 01am. Friday hours of operation are from 11am to 23pm. Saturday and Sunday are very busy days starting at 9am and slowing down around 23pm. The graph below shows peak hours on a given day.</p><p><img alt="Number of Samples Built by the Hour" src="https://cdn.filestackcontent.com/Njr2LaygSgmsXCgnTKVx"/></p><p>The actors behind the malware samples below were built during hour 21. This implies the actors were active building their tools during this timeframe.</p><p><strong>Hashes</strong></p><pre> e42da64e4aa4c49476415df7398fce26d45eee84e1dbba87cfec020e416e696e 95552860896fbfe9ffc7c07ab1e3a4eca9e2ca40f1d501da11244f1715c798d3 e52feda706570c4c4ec0a309c8b5a501e4eb20b8757d014d32d95edffff9b7f4 c1bf63a212c9efc83cafbd319456a453e609176569d7260a1bf036971b1b9a70 2b5ff9423cdd44852b91310ed51574db8977feae42987843fed72b4c01fa7e9b 63e76dbb675a794b2a68a4b97ebcaf997085532db65e633c012b1fe863d38c04 40c5adc75ce1c1355fd44e49f528e58adae9ec013ca2039c786324d281d2669c 10d9b9030e1e805b63cca69f57c0d23653c834effc1f42ba3605bad7c7515421</pre><p>Also there were a handful of samples that were built during the 17th hour as well.</p><p><strong>Hashes</strong></p><pre> 31d6180d59cebef771776bfe204d288a0da74a69da488b1bc140bd5d76adbabc 90f956c7bd78ec66fb25e1742c80cba72cd7de8a6b6574c7d7d8bc9f6d7b5db8 7f9e64d074716f60730f53fb55627024d9ad2c8fa91eea3ec4cc4acb7d4ff584 0ff1983266237c1636456203e6e3eb897f02d193daf7fee3fa1e1f46293ef1f7 536373e8fcaa1f303f44fbe075fb8071796ae06db0b577578176a61e526e1217 88bd650b304581176102cebef13f233ab35ef46fe29709ac25398fcd5089a9e1 069ae906dbb6d2a2b150cde9b3f087fff7972be27758b351b3286cee515ef57f f7848a590d1adb3221ab4fae5da7548cbe577063d9ae9c2027c3af7d8b9b4210 e02047338a9dd32f9461777dae6957230789e6fcaa9e58f155e5e7ea94d2e120 9208a96c4c5f7b7c07423b8a8d4b4d5d935c51a3faa422689e0a1798a13a0198 d34d98f3aba239e89c3558b90798aa29077f17f0d81874a9e68bce8466437341</pre><p>The remainder of the malware samples observed were built during different hours of the day without any pattern in common.</p><h3>Command and control oddities</h3><p>Analysis of the c2's revealed the following:</p><p>The following c2's were hardcoded addresses</p><table class="table table-striped" style="width: 100%;"><thead><tr><th scope="col">IP</th><th scope="col">rDNS</th><th scope="col">City</th><th scope="col">Country</th><th scope="col">ASN</th><th scope="col">ORG</th></tr></thead><tbody><tr><td>62.245.47.196</td><td>196.47-245-62.FTTH.rus-com.net</td><td>Yekaterinburg</td><td>Russia</td><td>39741</td><td>Rus.com Co.ltd</td></tr><tr><td>50.7.49.82</td><td> </td><td>Chicago</td><td>United States</td><td>6461</td><td>FDCservers.net |</td></tr><tr><td>152.232.214.88</td><td>152-232-88-88.user.veloxzone.com.br</td><td>Belo Horizonte</td><td>Brazil</td><td>7738</td><td>Oi Velox</td></tr><tr><td>51.254.151.179</td><td>ip179.ip-51-254-151.eu</td><td>Unknown</td><td>France</td><td>16276</td><td>OVH SAS</td></tr><tr><td>187.56.88.251</td><td>187-56-88-251.dsl.telesp.net.br</td><td>Campinas</td><td>Brazil</td><td>27699</td><td>Vivo</td></tr><tr><td>185.35.9.62</td><td>185.35.9.62.untc.net</td><td>Kiev</td><td>Ukraine</td><td>41165</td><td>Ukrainian Newest Telecommunication Ltd. |</td></tr><tr><td>46.248.196.77</td><td> </td><td>Amman</td><td>Kingdom of Jordan</td><td>9038</td><td>Batelco Jordan</td></tr><tr><td>189.84.245.203</td><td>189.84.245.203.cable.gigalink.net.br</td><td>Rio das Ostras</td><td>Brazil</td><td>28658</td><td>Gigalink de Nova Friburgo Soluções em Rede Multimi</td></tr><tr><td>82.178.209.212</td><td> </td><td>Muscat</td><td>Oman</td><td>28885</td><td>General Telecommunication Organization |</td></tr><tr><td>46.29.255.11</td><td> </td><td>Unknown</td><td>United States</td><td>57858</td><td>Inter Connects Inc |</td></tr></tbody></table><p>194 unique hosts were dynamic DNS hosts. The dynamic DNS providers observed were the following: no-ip, dDNS and thinDNS. see appendix for indicators.</p><h3>Conclusion</h3><p>NJrat trojan has proven to be very active during the timeframe of the analysis. The majority of the builds observed continue to use dynamic DNS for their command control operations. Several versions were observed but 0.6.4 seems to be the most popular. Also it was interesting to see the geographical distribution of the builds. Brazil seems to be the region that is most active, followed by north Africa and middle east regions.</p>