Regular expression of NjRAT RAT/Backdoor Detector


NjRAT remote access trojan was created based on the leaked Njw0rm source code, and it has a wide range of backdoor capabilities. Researchers from Trend Micro encounter a new fileless version of this malicious tool that is distributed through removable media. It is also impossible to exclude the version that initially trojan can penetrate the network of the organization via phishing emails. NjRAT uses AutoIt to compile the payload and the main script into a single executable to bypass antivirus solutions. When the installer is executed, the malware tries to delete Tr.exe from the system’s %TEMP% directory and install its own version of Tr.exe on it. Then it terminates Tr.exe process and executes a dropper, which installs a hidden copy of itself on any removable drive found on the infected system.

NjRAT remote access trojan has been used repeatedly in cyberespionage campaigns and is popular on underground forums. New fileless modification poses a threat to organizations that still use removable media in the workplace. For threat detection, the following are scripts by ELKStack, QRadar and Splunk.

  • Elastic Query
url.original:("http\:\/\/ghancommercialbank.com\/msn\/newclient.exe" OR "http\:\/\/f.top4top.net\/p_3667b75e1.png" OR "http\:\/\/f.top4top.net\/p_42526hb61.png" OR "http\:\/\/cdn.discordapp.com\/attachments\/482228034632548363\/506077641061826561\/doublepumpcheck.exe" OR "http\:\/\/cdn.discordapp.com\/attachments\/482925954109276160\/507526114491498496\/photoshop.exe" OR "https\:\/\/cdn.discordapp.com\/attachments\/436298448665575427\/481620773501534208\/111111111.exe" OR "http\:\/\/ldrldr.icu\/njr.exe" OR "http\:\/\/kapitanbomba.hopto.org\/file.exe" OR "https\:\/\/s3.us\-east\-2.amazonaws.com\/qued\/xwizard.exe" OR "https\:\/\/cdn.discordapp.com\/attachments\/498525611422121996\/507533173954183170\/Server.exe")
  • QRadar AQL
SELECT UTF8(payload) as search_payload from events where ("URL" = 'http://ghancommercialbank.com/msn/newclient.exe' or "URL" = 'http://f.top4top.net/p_3667b75e1.png' or "URL" = 'http://f.top4top.net/p_42526hb61.png' or "URL" = 'http://cdn.discordapp.com/attachments/482228034632548363/506077641061826561/doublepumpcheck.exe' or "URL" = 'http://cdn.discordapp.com/attachments/482925954109276160/507526114491498496/photoshop.exe' or "URL" = 'https://cdn.discordapp.com/attachments/436298448665575427/481620773501534208/111111111.exe' or "URL" = 'http://ldrldr.icu/njr.exe' or "URL" = 'http://kapitanbomba.hopto.org/file.exe' or "URL" = 'https://s3.us-east-2.amazonaws.com/qued/xwizard.exe' or "URL" = 'https://cdn.discordapp.com/attachments/498525611422121996/507533173954183170/Server.exe')
  • Splunk
(resource.URL="http://ghancommercialbank.com/msn/newclient.exe" OR resource.URL="http://f.top4top.net/p_3667b75e1.png" OR resource.URL="http://f.top4top.net/p_42526hb61.png" OR resource.URL="http://cdn.discordapp.com/attachments/482228034632548363/506077641061826561/doublepumpcheck.exe" OR resource.URL="http://cdn.discordapp.com/attachments/482925954109276160/507526114491498496/photoshop.exe" OR resource.URL="https://cdn.discordapp.com/attachments/436298448665575427/481620773501534208/111111111.exe" OR resource.URL="http://ldrldr.icu/njr.exe" OR resource.URL="http://kapitanbomba.hopto.org/file.exe" OR resource.URL="https://s3.us-east-2.amazonaws.com/qued/xwizard.exe" OR resource.URL="https://cdn.discordapp.com/attachments/498525611422121996/507533173954183170/Server.exe")

Leave a Reply

Your email address will not be published.

15 thoughts on “Regular expression of NjRAT RAT/Backdoor Detector

  1. · 16.09.2021 at 00:49

    Wow, amazing weblog format! How long have you ever been running a blog for? you made blogging glance easy. The full glance of your web site is excellent, as smartly as the content!

  2. · 16.09.2021 at 03:04

    Wow, amazing blog layout! How lengthy have you been blogging for? you make running a blog look easy. The entire glance of your site is great, let alone the content material!

  3. Thanks for finally writing about > code – Regular expression of NjRAT RAT/Backdoor Detector < Liked it!

  4. Pretty nice post. I simply stumbled upon your weblog and wanted to mention that I have truly loved surfing
    around your weblog posts. In any case I will be subscribing on your feed and I
    am hoping you write again very soon!

  5. I was wondering if you ever considered changing the page layout of your blog?

    Its very well written; I love what youve got to say.
    But maybe you could a little more in the way of content so
    people could connect with it better. Youve got an awful lot of text for only having 1 or
    2 pictures. Maybe you could space it out better?

  6. Greetings! This is my first visit to your blog! We are a collection of volunteers and starting a new
    initiative in a community in the same niche. Your blog provided us valuable information to work on. You have done a marvellous job!

  7. Asking questions are actually good thing if you are not understanding something completely, except this article gives pleasant understanding even.

  8. Hi, Neat post. There is a problem together with your website in web explorer,
    could check this? IE still is the market chief and a huge section of folks will omit your wonderful
    writing due to this problem.

  9. Thanks for ones marvelous posting! I seriously enjoyed reading it, you will be a great
    author. I will make sure to bookmark your blog and will
    often come back in the future. I want to encourage you continue your great posts, have a nice morning!

  10. Howdy! This blog post could not be written any better!

    Looking through this post reminds me of my previous roommate!
    He continually kept preaching about this. I most certainly will forward this article to him.
    Fairly certain he’s going to have a great read.
    I appreciate you for sharing!

  11. Thanks designed for sharing such a nice idea, article is pleasant, thats why i have read it completely

  12. If you want to increase your know-how just keep visiting
    this site and be updated with the hottest information posted here.

  13. Spot on with this write-up, I actually believe that this web
    site needs a great deal more attention. I’ll probably be back again to read more, thanks for the information!

  14. We are a bunch of volunteers and opening a brand new scheme in our
    community. Your website offered us with useful
    information to work on. You’ve performed an impressive job and our whole neighborhood shall be grateful to you.

  15. Greate article. Keep posting such kind of information on your site.
    Im really impressed by it.
    Hi there, You’ve done an excellent job. I will definitely digg
    it and personally recommend to my friends. I’m confident they’ll
    be benefited from this web site.