Timeline

Fri Apr 10 11:40:29 CEST 2015

started win3

Fri Apr 10 11:42:32 CEST 2015

Start installing .net 4.5 from Microsoft

Fri Apr 10 11:50:55 CEST 2015

win3 restarted to use the new .net 4.5

Fri Apr 10 12:00:57 CEST 2015

Infected

The domain zunigle.ddns.net is being requested but no IP is going back. I will redirect it to a honeypot to see what happens.

Fri Apr 10 15:15:09 CEST 2015

I installed a honeypot on another machine and changed the etc/hosts file of win3 to point to the honeypot. However, it used a custom port. So I used ncat to open the port and receive data...

It sent!!!! lv|'|'|SGFja2VkXzFDMTAwNjFD|'|'|WIN3|'|'|Administrator|'|'|2015-04-10|'|'|USA|'|'|Win 7 Ultimate SP0 x86|'|'|No|'|'|0.5.0E|'|'|--|'|'||'|'|[endof]

The message SGFja2VkXzFDMTAwNjFD in base64 is Hacked_1C10061C (without the slash)
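A small parser for the captured beacon, added here as an example and not part of the original notes. It splits a raw ncat capture on the `[endof]` terminator and the `|'|'|` delimiter, base64-decodes the victim id (which yields the `Hacked_1C10061C` value noted above), and applies a simple detection rule a defender could run over honeypot captures. The field names (`hostname`, `username`, `webcam`, `version`, `active_window`, ...) are assumptions inferred from the values in the captured message; the notes themselves do not label the fields.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Dict, List, Optional

DELIM = "|'|'|"
TERMINATOR = "[endof]"

# Field names are an ASSUMPTION inferred from the values in the captured
# beacon; the notes do not label the fields.
FIELD_NAMES = [
    "cmd", "victim_id_b64", "hostname", "username", "date",
    "country", "os", "webcam", "version", "active_window", "extra",
]

# Constructed sample: the beacon recorded in the timeline, as the bytes
# ncat would have received on the custom port.
SAMPLE_BEACON = (
    "lv|'|'|SGFja2VkXzFDMTAwNjFD|'|'|WIN3|'|'|Administrator|'|'|2015-04-10"
    "|'|'|USA|'|'|Win 7 Ultimate SP0 x86|'|'|No|'|'|0.5.0E|'|'|--|'|'||'|'|[endof]"
).encode()


@dataclass
class Beacon:
    fields: Dict[str, str]
    victim_id: Optional[str]  # decoded victim_id_b64, or None if it is not valid base64

    @property
    def cmd(self) -> str:
        return self.fields["cmd"]


def decode_victim_id(b64: str) -> Optional[str]:
    """Strictly decode the base64 victim id; None if the field is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def parse_beacon(raw: str) -> Beacon:
    """Parse one [endof]-terminated message into named fields."""
    if not raw.endswith(TERMINATOR):
        raise ValueError("message is not terminated with [endof]")
    body = raw[: -len(TERMINATOR)]
    # The captured beacon ends with a delimiter right before [endof]; drop that
    # one so the split does not produce a spurious empty trailing field.
    if body.endswith(DELIM):
        body = body[: -len(DELIM)]
    parts = body.split(DELIM)
    if len(parts) < 2:
        raise ValueError("no field delimiter found")
    # Map the known positions to names; missing positions become "".
    fields = {name: (parts[i] if i < len(parts) else "") for i, name in enumerate(FIELD_NAMES)}
    # Keep any fields beyond the named ones so nothing is silently dropped.
    for i in range(len(FIELD_NAMES), len(parts)):
        fields[f"field{i}"] = parts[i]
    return Beacon(fields=fields, victim_id=decode_victim_id(fields["victim_id_b64"]))


def parse_stream(data: bytes) -> List[Beacon]:
    """Split a raw TCP capture into complete messages and parse each one.

    Several beacons may arrive back to back in one TCP stream; bytes after the
    last [endof] belong to an incomplete message and are ignored.
    """
    text = data.decode("latin-1")  # 1:1 byte mapping; the base64 field is decoded separately
    return [parse_beacon(chunk + TERMINATOR) for chunk in text.split(TERMINATOR)[:-1]]


def is_registration_beacon(b: Beacon) -> bool:
    """Detection rule: 'lv' command, a victim id that decodes cleanly, and a version field."""
    return b.cmd == "lv" and b.victim_id is not None and bool(b.fields["version"])


if __name__ == "__main__":
    for beacon in parse_stream(SAMPLE_BEACON):
        print(beacon.cmd, beacon.victim_id, beacon.fields["hostname"], beacon.fields["version"])
```

Running the block on the sample prints the command, the decoded victim id, the hostname and the client version; feeding it a pcap-extracted stream with several concatenated messages returns one `Beacon` per complete `[endof]`-terminated record.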

Fri Apr 10 16:26:38 CEST 2015

I stopped the ncat program. The connection to port 1177 was broken and now it is trying to connect again.

Fri Apr 10 16:28:18 CEST 2015

I tried to install a real njRat on Linux. The port is open and the program is working. But I think it is an incorrect version because it is not working.

Fri Apr 10 17:06:14 CEST 2015

I stopped the rat in the honeypot, but the redirection is working

Fri Apr 10 17:36:55 CEST 2015

stopped the socat and jrat

Fri Apr 10 17:39:22 CEST 2015

started socat and jrat again. Versions of the client rat and server rat are not the same.

Sat Apr 11 14:15:18 CEST 2015

stopped the vm win3