| Name | Last modified | Size | Description |
|---|---|---|---|
| Parent Directory | - | | |
| 2015-04-22_capture-win4.pcap | 2015-04-22 09:24 | 9.4M | |
| 2015-04-22_capture-win4.rrd | 2015-04-22 09:29 | 8.0M | |
| 2015-04-22_capture-win4.json | 2015-06-01 20:07 | 1.9M | |
| 2015-04-22_capture-win4.html | 2015-06-01 20:07 | 1.4M | |
| 2015-04-22_capture-win4.biargus | 2015-06-04 15:28 | 547K | |
| 2015-04-22_capture-win4.large.binetflow | 2015-06-20 15:15 | 85K | |
| 2015-04-22_capture-win4.capinfos | 2015-07-23 20:02 | 763 | |
| 2015-04-22_capture-win4.binetflow | 2015-09-17 17:16 | 470K | |
| d1e1acd259b5548c2f09906dc3efa7df.exe.zip | 2015-12-16 10:26 | 11K | |
| 2015-04-22_capture-win4.dnstop | 2016-01-14 21:37 | 7.3K | |
| 2015-04-22_capture-win4.passivedns | 2016-01-14 21:37 | 12K | |
| 2015-04-22_capture-win4.weblogng | 2016-06-15 18:04 | 47K | |
| README.md | 2016-08-27 21:55 | 4.7K | |
| 2015-04-22_capture-win4.tcpdstat | 2016-12-05 22:30 | 1.9K | |
| fast-flux-dga-first-analysis.txt | 2017-01-15 13:04 | 23K | |
| README.html | 2017-01-15 13:04 | 7.1K | |
| bro/ | 2017-08-31 09:45 | - | |
SHA256: 4de5b61a739d18302dbc037b2322085aabc2151dba844c236ac242b00f7c2bc3
Warning: This malware was connected to our server and NOT to a real njRat server on internet.
started win4
With the njRat with MD5 d30b4088f7a5a2c762792dbbae90f197 (file njrat0.7d.zip), I created a client to connect to our server.
It was perfectly connected!
Get passwords
I stopped the client in the honeynet and I started it again
manager
keylogger activated
something was not working in the client in the honeypot, so I restarted the client
the client is up again
Tried to use some features... it is difficult because it is very slow.
Power off the client and the honeypot.
The client is up again in the honeypot.
keylogger access, various actions
ask for all the passwords
Now I leave the server (Windows) connected to the client in the honeypot without doing anything.
I'm going to send some orders from the C&C to the bot, to see how the periodicity changes. I'm going to ask for get passwords
keylogger
manager
manager
remote desktop
Since nothing is working, I'm going to reboot the server program in the bot remotely
keylogger
remote desktop still not working.
I rebooted the bot from the windows itself.
I stopped the C&C server, because it was getting false connections. It showed like 20 bots.
I started the C&C server again. No orders.
ask for keylogger
ask for keylogger. Every time I ask for something, the server is sending stuff
Now it showed the windows in the server... Not sure why!
Asked for the remote desktop. It seems it didn't work.
manager. Did not work.
network connections in the manager. Did not work.
microphone. Did not work.
Mon Apr 13 14:20:06 CEST 2015
Mon Apr 13 14:20:42 CEST 2015 I changed the positions of the windows in the bot, to see if it is reflected in the thumbnail in the C&C server. It did not.
So it seems that the bot and the server are communicating, but something is broken.
I stopped the C&C server. Now the bot started to ask again for the C&C server (time 21:31:29.237683 in pcap)
I started the C&C server again. The thumbnail is ok, so the communication is working.
keylogger. Worked.
It seems that if I ask for stuff just after the bot is connected, everything is working fine.
remote desktop, it worked.
manager
tcp connections. It worked.
get passwords. It worked.
I will stop doing actions here.
I waited for a long time. Asked for keylogger. Seems not to be working! Or it is taking a lot of time.
At some point it was shown. But very late.
ask for keylogger
The data from the keylogger come back!
Get passwords.
The passwords come back in the network. But they didn't appear in the C&C interface quickly. They appeared later.
remote desktop
Not sure when it popped up. Could be now. It took long, but maybe it was some issue with the display in the Linux remote desktop.
During this day I played a little with the commands and then I stopped the server2.exe process.
Today I reinfected it again
poweroff