The analysis documents an njRAT infection chain beginning with a malicious PowerPoint (AutoOpen macro) that fetches staged payloads from Pastebin/textbin, ultimately decoding into two .NET binaries (a DLL and an EXE) with keylogger and C2 functionality. Analysts used OLEtools/olevba, curl, CyberChef, DiE, and PEstudio plus dynamic execution to deobfuscate stages and extract file hashes and network indicators. #njRAT #PowerPoint

Keypoints

  • Initial delivery via a PowerPoint file containing an AutoOpen macro that executes on presentation open.
  • Macros contained Pastebin/textbin URLs; curl followed redirects to retrieve staged payloads.
  • Stage 3 was an obfuscated VBS that used Base64 and string-replacement techniques, identified by tokens like ‘replace’, ‘base64’, ‘WScript’, and ‘PowerShell’.
  • CyberChef was used to decode Base64 and perform replacements, revealing two obfuscated blobs that reconstructed into a .NET DLL and a .NET executable.
  • Static analysis with DiE and PEstudio revealed keylogger functions and socket-based network communication in the final payloads.
  • Dynamic execution produced network-related IOCs (multiple pastebin/textbin URLs) and file hashes for the intermediate and final files.

MITRE Techniques

  • [T1566] Phishing – Initial delivery via a malicious PowerPoint attached to a phishing email; (‘Malware is delivered via a PowerPoint file attached to a phishing email.’)
  • [T1204] User Execution – The user triggers execution by opening the PowerPoint and allowing macros; (‘The user unwittingly executes the malicious macro by opening the PowerPoint file.’)
  • [T1064] Scripting – Macros contained scripts that downloaded additional payloads from Pastebin/textbin URLs; (‘The macro contains a script that downloads additional payloads from Pastebin URLs.’)
  • [T1027] Obfuscated Files or Information – The VBS stage and other payloads were obfuscated to hinder detection; (‘The downloaded VBS script is obfuscated to evade detection.’)
  • [T1140] Deobfuscate/Decode Files or Information – Analysts decoded Base64 and applied replacements to reveal final payloads and URLs; (‘The obfuscated VBS script is decoded to reveal the final payload URLs.’)
  • [T1071] Application Layer Protocol – The malware communicates with C2 over HTTP to download payloads and exfiltrate data; (‘The malware communicates with the attacker’s C2 server over HTTP to download the final payloads and send stolen data.’)
  • [T1056] Input Capture – The final payload implements a keylogger to capture keystrokes; (‘The final payload includes a keylogger function to capture keystrokes.’)
  • [T1113] Screen Capture – The malware can take screenshots of the victim desktop; (‘The malware has the capability to take screenshots of the victim’s desktop.’)
  • [T1041] Exfiltration Over C2 Channel – Captured data (keystrokes/screenshots) is sent back to the attacker’s C2 server; (‘Captured data, such as keystrokes and screenshots, is exfiltrated to the attacker’s C2 server over the established communication channel.’)
  • [T1543] Create or Modify System Process – The malware may create processes or services for persistence; (‘The malware may create a new process or service to ensure persistence on the victim’s system.’)

Indicators of Compromise

  • [File Hashes] hashes for stages and final payloads – 6175e14e465756c626ccc0f398fcdcb0, 4b7d118b20d8854372129f53365d529f, and 2 more hashes
  • [File Names] filenames observed in the chain – cefa4ebf82b3d077a68ce1933be3dc6e9cadce8bc27671a5fcd76ee2f4d04977.ppam, stage3.vbs, and 2 more names
  • [URLs] pastebin/textbin/paste.ee staging URLs retrieved during analysis – hxxps://pt[.]textbin[.]net/download/itm1dkgz7c, hxxps://paste[.]ee/d/ESa4q/0, and 5 more items

After extracting the provided ZIP, the analyst treated the file as an Office PowerPoint and used OLEtools/olevba to inspect macros. The macro was configured under AutoOpen and contained suspicious Pastebin/textbin URLs; curl retrieved those URLs, which redirected to a second-stage payload. The second-stage output was an obfuscated VBS script featuring tokens like “replace”, “base64”, “WScript”, and “PowerShell”, indicating layered encoding and script-based execution.

Using CyberChef, the analyst decoded Base64 strings and applied string-replacement operations to deobfuscate long encoded blobs; this process produced two distinct files reconstructed from the decoded strings — a .NET DLL and a .NET executable. Static inspection with DiE and PEstudio revealed functions tied to keylogging and socket-based network communication, confirming capabilities for input capture and C2 traffic. Finally, the analyst executed the payload in a controlled environment to capture network-related IOCs (multiple pastebin/textbin URLs) and collect file hashes for the intermediate and final artifacts.
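The static steps described above (token triage of the macro and VBS stage, extraction and defanging of staging URLs, undoing string-replacement obfuscation, Base64 decoding, and a quick PE/.NET check with hashing of the result) as an added Python example. This is not code from the original write-up: the obfuscation shape (junk tokens stripped by a VBScript Replace() call before Base64 decoding), the SAMPLE_STAGE script and the FAKE_PE bytes are constructed stand-ins and are not the njRAT artifacts; the function names are the example's own.

```python
import base64
import hashlib
import re

# Tokens the write-up keyed on when triaging the macro and the VBS stage.
SUSPICIOUS_TOKENS = ("AutoOpen", "replace", "base64", "WScript", "PowerShell")

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
# VBScript Replace(var, "find", "with") calls. The exact obfuscation shape is an
# assumption; the write-up does not reproduce the script.
REPLACE_RE = re.compile(
    r'Replace\(\s*\w+\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)', re.IGNORECASE
)

# Constructed stand-in for the dropped binary: an MZ header, filler, and the two
# strings a .NET executable carries for the CLR loader. Not the real sample.
FAKE_PE = b"MZ" + b"\x00" * 30 + b"mscoree.dll\x00_CorExeMain\x00"

# Constructed obfuscated blob: Base64 of FAKE_PE with "%%" junk inserted every
# four characters, which Replace(blob, "%%", "") strips again.
ENCODED = base64.b64encode(FAKE_PE).decode()
OBFUSCATED = "%%".join(ENCODED[i:i + 4] for i in range(0, len(ENCODED), 4))

# Constructed VBS-like stage, not the analysed stage3.vbs.
SAMPLE_STAGE = f'''
Rem stage3: base64 payload reassembled below (constructed example)
Dim u : u = "https://pt.textbin.net/download/EXAMPLE"
Set sh = CreateObject("WScript.Shell")
blob = "{OBFUSCATED}"
blob = Replace(blob, "%%", "")
sh.Run "PowerShell -enc " & blob
'''


def find_tokens(script: str) -> list[str]:
    """Case-insensitive list of the triage tokens present in a script."""
    lowered = script.lower()
    return [t for t in SUSPICIOUS_TOKENS if t.lower() in lowered]


def defang(url: str) -> str:
    """Rewrite a URL into the hxxp / [.] form used when sharing indicators."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def extract_urls(script: str) -> list[str]:
    """Every http(s) URL in the script, defanged."""
    return [defang(u) for u in URL_RE.findall(script)]


def extract_blobs(script: str, min_len: int = 32) -> list[str]:
    """Long quoted literals that are not URLs: candidate encoded payloads."""
    return [s for s in re.findall(r'"([^"\s]{%d,})"' % min_len, script) if "://" not in s]


def recover_blob(script: str, blob: str) -> bytes:
    """Undo the Replace()-then-Base64 layering: apply each Replace() found in the
    script to the blob in order, fix padding, then Base64-decode."""
    for needle, repl in REPLACE_RE.findall(script):
        if needle:
            blob = blob.replace(needle, repl)
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob)
    except ValueError:  # binascii.Error is a ValueError
        return b""


def classify(data: bytes) -> str:
    """Cheap file-type check standing in for the DiE/PEstudio verdict."""
    if not data.startswith(b"MZ"):
        return "not-pe"
    # A managed binary imports mscoree.dll and carries the "BSJB" metadata signature.
    if b"mscoree.dll" in data or b"BSJB" in data:
        return "pe-dotnet"
    return "pe-native"


def triage(script: str) -> dict:
    """Run the static steps from the write-up over one stage and summarise them."""
    report = {"tokens": find_tokens(script), "urls": extract_urls(script), "payloads": []}
    for blob in extract_blobs(script):
        data = recover_blob(script, blob)
        report["payloads"].append({
            "type": classify(data),
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_STAGE), indent=2))
```

Feed triage() the text olevba prints for a macro, or a downloaded stage, and the report gives the token hits, the defanged URLs to pivot on, and a hash plus type verdict for each recovered blob; the hashes from the write-up can then be matched against the md5 field without executing anything.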

Read more: https://medium.com/@b.magnezi/malware-analysis-njrat-5633847bd6f1