NETRESEC Network Security Blog - Tag : NetworkMiner Professional

njRAT runs MassLogger

njRAT

njRAT is a remote access trojan that has been around for more than 10 years and still remains one of the most popular RATs among criminal threat actors. This blog post demonstrates how NetworkMiner Professional can be used to decode the njRAT C2 traffic to extract artifacts like screenshots, commands and transferred files.

A PCAP file with njRAT traffic was published on malware-traffic-analysis.net last week. After loading this PCAP file, NetworkMiner Professional reveals that the attacker downloaded full resolution screenshots of the victim’s screen.

Image: Overview of screenshots sent to C2 server

Image: Screenshot extracted from njRAT traffic by NetworkMiner

The file “New Purchase Order and Specifications.exe” in this screenshot is the njRAT binary that was used to infect the PC.

A list of njRAT commands sent from the C2 server to the victim can be viewed on NetworkMiner’s Parameters tab by filtering for ”njRAT server command”.

njRAT commands

The following njRAT commands are present here:

  • CAP = take screenshot
  • inv = invoke (run) a plugin (dll)
  • rn = run a tool (executable)

Additional njRAT commands can be found in our writeup for the Decoding njRAT traffic with NetworkMiner video, which we published last year.

njRAT File Transfers

The “inv” and “rn” commands both transfer and execute additional code on the victim machine. The “inv” command typically transfers a DLL file that is used as a plugin, while the “rn” command sends an executable file. These DLL and EXE files are transferred in gzip compressed format, which is why NetworkMiner extracts them as .gz files.

Image: Gzip compressed files extracted from njRAT traffic

This oneliner command lists the internal/original file names and corresponding MD5 hashes of the gzip compressed executables sent to the victim PC:

    for f in njRAT-rn*.gz; do echo $f; gunzip -c $f | exiftool - | grep Original; gunzip -c $f | md5sum; done

    njRAT-rn-260129030403.gz
    Original File Name : Stub.exe
    ca819e936f6b913e2b80e9e4766b8e79 -
    njRAT-rn-260129030433.gz
    Original File Name : Stub.exe
    e422a4ce321be1ed989008d74ddb6351 -
    njRAT-rn-260129030451.gz
    Original File Name : CloudServices.exe
    fcbb7c0c68afa04139caa55efe580ff5 -
    njRAT-rn-260129031041.gz
    Original File Name : Stub.exe
    0ae3798c16075a9042c5dbb18bd10a5c -

The MD5 hashes of the files inside the gzip compressed streams can also be seen on the Parameters tab in NetworkMiner.
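As an added example (not code from this post or from NetworkMiner), the Python below does in one place what the exiftool/md5sum oneliner above and NetworkMiner 3.1's Parameters-tab hashing do: it inflates an extracted .gz in memory with a size cap so a decompression bomb cannot exhaust RAM, computes the MD5 of the payload, checks for an MZ header, reads the OriginalFilename string from the PE version resource with a simple UTF-16LE scan, and matches the hash against the IOC list in this post. The sample .gz is constructed inline, and the OriginalFilename scan is a heuristic rather than a full PE resource parser.

```python
import gzip
import hashlib
import io

KNOWN_NJRAT_PAYLOADS = {  # MD5 -> original file name, from the IOC list in this post
    "ca819e936f6b913e2b80e9e4766b8e79": "Stub.exe",
    "e422a4ce321be1ed989008d74ddb6351": "Stub.exe",
    "fcbb7c0c68afa04139caa55efe580ff5": "CloudServices.exe (MassLogger)",
    "0ae3798c16075a9042c5dbb18bd10a5c": "Stub.exe",
}

def inflate_capped(gz_bytes, max_size=64 * 1024 * 1024):
    """Inflate a gzip stream in memory (nothing written to disk), refusing to exceed max_size."""
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as gz:
        while chunk := gz.read(65536):
            out += chunk
            if len(out) > max_size:
                raise ValueError(f"inflated data exceeds {max_size} bytes")
    return bytes(out)

def original_filename(pe_bytes):
    """Heuristic: read the UTF-16LE OriginalFilename value from a PE version resource."""
    key = "OriginalFilename".encode("utf-16-le")
    idx = pe_bytes.find(key)
    if idx < 0:
        return None
    pos = idx + len(key)
    while pe_bytes[pos:pos + 2] == b"\x00\x00":  # skip the key's NUL terminator and DWORD padding
        pos += 2
    end = pos
    while pe_bytes[end:end + 2] not in (b"\x00\x00", b""):  # the value ends at a UTF-16 NUL
        end += 2
    return pe_bytes[pos:end].decode("utf-16-le", errors="replace") or None

def triage_gz(gz_bytes):
    """Hash, PE check, embedded name and IOC match for one extracted njRAT .gz file."""
    data = inflate_capped(gz_bytes)
    md5 = hashlib.md5(data).hexdigest()
    return {"md5": md5, "size": len(data), "is_pe": data[:2] == b"MZ",
            "original_name": original_filename(data), "known_as": KNOWN_NJRAT_PAYLOADS.get(md5)}

# Constructed stand-in for an extracted njRAT-rn-*.gz: a fake MZ header plus a version-info string
SAMPLE_PE = b"MZ" + b"\x90" * 62 + "OriginalFilename\0\0Stub.exe\0".encode("utf-16-le")
SAMPLE_GZ = gzip.compress(SAMPLE_PE)
SAMPLE_MD5 = hashlib.md5(SAMPLE_PE).hexdigest()
```

Run triage_gz over each njRAT-rn-*.gz and njRAT-inv-*.gz that NetworkMiner wrote to disk; a hit in known_as ties the transfer to the samples listed in the IOC section.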

njRAT file MD5 hashes

MassLogger

The “CloudServices.exe” executable is a known credential stealer called MassLogger. This particular MassLogger sample is hard coded to exfiltrate data in an email to kingsnakeresult@mcnzxz[.]com. The email is sent through the SMTP server cphost14.qhoster[.]net. See the execution of this sample on Triage for additional details regarding the MassLogger payload in CloudServices.exe.

IOC List

njRAT (splitter = "|Ghost|")

  • 58f1a46dba84d31257f1e0f8c92c59ec = njRAT sample
  • 104.248.130.195:7492 = njRAT C2 server
  • burhanalassad.duckdns[.]org:7492 = njRAT C2 server
  • 801a5d1e272399ca14ff7d6da60315ef = sc2.dll
  • ca819e936f6b913e2b80e9e4766b8e79 = Stub.exe
  • e422a4ce321be1ed989008d74ddb6351 = Stub.exe
  • fcbb7c0c68afa04139caa55efe580ff5 = CloudServices.exe
  • 0ae3798c16075a9042c5dbb18bd10a5c = Stub.exe

MassLogger

  • fcbb7c0c68afa04139caa55efe580ff5
  • kingsnakeresult@mcnzxz[.]com
  • cphost14.qhoster.net:587
  • 78.110.166.82:587

Posted by Erik Hjelmvik on Monday, 02 February 2026 19:39:00 (UTC/GMT)

Tags: #njRAT #NetworkMiner Professional #malware-traffic-analysis.net

Short URL: https://netresec.com/?b=262adb9


NetworkMiner 3.1 Released

NetworkMiner 3.1 Logo

This NetworkMiner release brings improved extraction of artifacts like usernames, passwords and hostnames from network traffic. We have also made some updates to the user interface and continued our effort to extract even more details from malware C2 traffic.

More Artifacts Extracted

Usernames and passwords are now extracted from Proxy-Authenticate headers. NetworkMiner’s username extraction support for SMTP AUTH LOGIN requests has also been improved.

Image: Username and password extracted from HTTP Proxy-Authenticate header

NetworkMiner has several methods for passively identifying host names of clients and servers. We’ve added a few additional hostname sources to this release, such as client hostnames from SMTP EHLO requests and TLS SNI fields from RDP traffic.

User Interface Improvements

The most significant user interface update in the 3.1 release is probably the new “Not in” keyword filter mode. I received this feature request when teaching a network forensics class (thanks for the great idea Lukas!). This filter mode is the opposite to the default “Exact Phrase” setting.

NetworkMiner Professional with filter Not in HTTP

Image: Parameters extracted from anything but HTTP traffic in Johannes Weber's Ultimate PCAP

The “Not in” filter mode comes in very handy when the information you’re interested in is drowning in a sea of non-relevant, but easily identifiable, data.

Malware C2 Traffic

NetworkMiner can extract information from various malware Command-and-Control (C2) protocols like Latrodectus/IcedID BackConnect, Meterpreter, njRAT, Redline Stealer, Remcos, RMS and StealC. The free version of NetworkMiner can extract information, such as commands or transferred files, from these malware protocols as long as the C2 server listens on a “standard” port number. But if the C2 server runs on some other port (which often is the case), then NetworkMiner Professional’s Port Independent Protocol Identification (PIPI) feature is required to identify the correct parser for the network traffic.

Implementing malware C2 protocol parsers is sometimes a thankless task because these protocols tend to get replaced at a much higher rate compared to legitimate network protocols. But it is an important task nevertheless.

njRAT

A popular malware for which the C2 protocol hasn’t changed much during the past decade is njRAT. In fact, new njRAT samples are discovered by security researchers pretty much every day despite it being a 13-year-old trojan. NetworkMiner’s njRAT support has therefore been improved in this release. NetworkMiner can extract files that are uploaded or downloaded to/from a PC infected with njRAT. This file extraction feature also includes the ability to extract plugins for specific tasks, such as to run a reverse shell, see camera images or steal passwords. njRAT C2 servers transmit these plugins as gzip compressed DLL files to victim computers when needed.

Image: Files extracted from njRAT in PCAP from our network forensics class

NetworkMiner extracts these gz compressed plugin DLL files to disk. A new feature in the 3.1 release is that it then decompresses the gz data and calculates an MD5 hash of the file contents, but without saving the decompressed data to disk. The MD5 hashes of the transferred files are instead displayed on the Parameters tab as seen in this screenshot:

Image: MD5 hashes of njRAT plugin DLLs

The following njRAT plugin MD5 hashes can be seen in this screenshot:

  • cef141d894400bc2e0096d1ed0c8f95b (aka inf.dll)
  • a73edb60b80a2dfa86735d821bea7b19 (aka cam.dll)
  • a93349ba5e621cfb7a46dc9f401fd998 (aka plg.dll)
  • 11375fb0cee4c06b5cefa2031ee2ed6d (aka pw.dll)
  • 19967e886edcd2f22f8d4a58c8ea3773 (aka sc2.dll)

See our video Decoding njRAT traffic with NetworkMiner for a more in-depth demonstration of NetworkMiner’s njRAT parsing features.

Redline Stealer

Another common malware is Redline Stealer. It uses a legitimate protocol called MC-NMF to send instructions and exfiltrate data from victim computers. Basic support for the MC-NMF protocol has therefore been added to NetworkMiner 3.1. MC-NMF is also used by legitimate services like Microsoft’s Service Bus, so as a bonus you can now analyze such traffic with NetworkMiner as well. The MC-NMF protocol has a compression routine called MC-NBFSE, which is utilized by Redline Stealer. NetworkMiner can’t decompress this format, so files are extracted to disk in compressed form.
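As an added example (not code from this post or from NetworkMiner), the following Python walks the MC-NMF records of one direction of such a stream, which is enough to read the Via URI, the negotiated encoding and the sized envelopes even when the envelope bodies themselves stay in NBFSE form. The record-type, mode and known-encoding codes are the ones defined in Microsoft's [MC-NMF] specification; the sample stream is constructed inline and its Via host is a placeholder address.

```python
# Record types, modes and known encodings are the values defined in Microsoft's [MC-NMF] spec.
RECORD_TYPES = {0x00: "Version", 0x01: "Mode", 0x02: "Via", 0x03: "KnownEncoding",
                0x04: "ExtensibleEncoding", 0x05: "UnsizedEnvelope", 0x06: "SizedEnvelope",
                0x07: "End", 0x08: "Fault", 0x09: "UpgradeRequest", 0x0A: "UpgradeResponse",
                0x0B: "PreambleAck", 0x0C: "PreambleEnd"}
MODES = {0x01: "SingletonUnsized", 0x02: "Duplex", 0x03: "Simplex", 0x04: "SingletonSized"}
ENCODINGS = {0x07: "MC-NBFS (binary)", 0x08: "MC-NBFSE (binary, in-band dictionary)"}
STRING_RECORDS = {"Via", "ExtensibleEncoding", "Fault", "UpgradeRequest"}  # varint size + UTF-8
NO_PAYLOAD = {"UpgradeResponse", "PreambleAck", "PreambleEnd", "End"}

def read_varint(buf, pos):
    """MC-NMF sizes are base-128 varints, least significant group first, high bit = more."""
    value, shift = 0, 0
    while shift <= 28:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
    raise ValueError("oversized varint")

def parse_nmf(buf):
    """Walk one direction of an MC-NMF stream and return (record name, value) pairs."""
    records, pos = [], 0
    while pos < len(buf):
        name, pos = RECORD_TYPES.get(buf[pos]), pos + 1
        if name == "Version":
            records.append((name, f"{buf[pos]}.{buf[pos + 1]}"))
            pos += 2
        elif name in ("Mode", "KnownEncoding"):
            table = MODES if name == "Mode" else ENCODINGS
            records.append((name, table.get(buf[pos], f"0x{buf[pos]:02x}")))
            pos += 1
        elif name in STRING_RECORDS or name == "SizedEnvelope":
            size, pos = read_varint(buf, pos)
            body, pos = buf[pos:pos + size], pos + size
            records.append((name, body if name == "SizedEnvelope" else body.decode("utf-8", "replace")))
        elif name in NO_PAYLOAD:
            records.append((name, None))
        else:  # UnsizedEnvelope chunking and unknown types are out of scope for this preamble example
            raise ValueError(f"unsupported record type 0x{buf[pos - 1]:02x} at offset {pos - 1}")
    return records

def uses_nbfse(buf):
    """True when the preamble negotiates MC-NBFSE, the encoding this post says Redline uses."""
    return any(k == "KnownEncoding" and v.startswith("MC-NBFSE") for k, v in parse_nmf(buf))

# Constructed client preamble plus one sized envelope; the Via host is a placeholder (TEST-NET-3).
VIA = b"net.tcp://203.0.113.10:4444/"  # 28 bytes -> varint 0x1c
PAYLOAD = bytes(range(256)) * 2  # 512 bytes -> two-byte varint 0x80 0x04
SAMPLE = (b"\x00\x01\x00" + b"\x01\x02" + b"\x02\x1c" + VIA + b"\x03\x08" + b"\x0c"
          + b"\x06\x80\x04" + PAYLOAD + b"\x07")
```

Feed it the TCP payload from the client side of a reassembled stream; a Via pointing at an unexpected host with a KnownEncoding of MC-NBFSE is the pattern worth a closer look, since a legitimate Service Bus client would normally be talking to a known endpoint.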

Image: Files extracted from Redline execution on Joe Sandbox

You can probably spot some interesting details in the extracted data even when viewing the NBFSE compressed contents though.

Image: NBFSE compressed file contents extracted from Redline execution on Joe Sandbox

Bug Fixes

NetworkMiner 3.1 also resolves several minor bugs. One of these bugs could cause NetworkMiner to hang when showing file details in Linux. Another resolved bug prevented some IPv6 payload from being parsed correctly if the Ethernet frame contained trailing padding data. The VoIP call metadata extraction has also been improved in NetworkMiner Professional.

Upgrading to Version 3.1

Users who have purchased NetworkMiner Professional can download version 3.1 from our customer portal, or use the “Check for Updates” feature from NetworkMiner's Help menu. Those who instead prefer to use the free and open source version can grab the latest release of NetworkMiner from the official NetworkMiner page.

Posted by Erik Hjelmvik on Monday, 01 December 2025 08:20:00 (UTC/GMT)

Tags: #NetworkMiner #NetworkMiner Professional #njRAT

Short URL: https://netresec.com/?b=25C4039

Browsers tab in NetworkMiner Professional

The Browsers tab is a unique feature only available in NetworkMiner Professional. The PCAP files analyzed in this video are pwned-se_150312_outgoing.pcap and pwned-se_150312_incoming.pcap, which are snippets of the 4.4 GB Hands-on Network Forensics dataset from FIRST 2015 (slides).

More information about NetworkMiner Professional's Browsers tab can be found in our blog post Analyzing Web Browsing Activity.

See our NetworkMiner Professional tutorial videos for additional tips and hints.

Posted by Erik Hjelmvik on Thursday, 03 October 2024 09:10:00 (UTC/GMT)

Tags: #NetworkMiner Professional #Video #Tutorial

Short URL: https://netresec.com/?b=24Abf1c

Hosts tab in NetworkMiner Professional

The PCAP file analyzed in this video is MD_2015-07-22_112601.pcap, which is a snippet of the training data used in our network forensics classes from 2015 to 2019.

Techniques, tools and databases mentioned in the tutorial:

Check out our Passive OS Fingerprinting blog post for more details on how to identify operating systems using TCP/IP headers and browser user-agents.

See our NetworkMiner Professional tutorial videos for more tips and hints.

Posted by Erik Hjelmvik on Tuesday, 01 October 2024 08:25:00 (UTC/GMT)

Tags: #NetworkMiner Professional #Video #Tutorial

Short URL: https://netresec.com/?b=24A71a9


Opening capture files with NetworkMiner Professional

This video tutorial demonstrates how to open capture files with NetworkMiner Professional.

The analyzed pcap-ng file is github.pcapng from CloudShark. More info about this capture file can be found in our blog post Forensics of Chinese MITM on GitHub.

See our NetworkMiner Professional tutorial videos for more tips and hints.

Posted by Erik Hjelmvik on Monday, 30 September 2024 12:50:00 (UTC/GMT)

Tags: #NetworkMiner Professional #Video #Tutorial

Short URL: https://netresec.com/?b=249b790


Video Tutorial: Installing NetworkMiner Professional

This video tutorial covers how to install NetworkMiner Professional.

Use the official 7-zip tool to extract the password protected 7zip archive.

Recommended locations for NetworkMiner:

  • Desktop
  • My Documents
  • C:\Users\{user}\AppData\Local\Programs\
  • USB flash drive

See our NetworkMiner Professional tutorial videos for more tips and hints.

Posted by Erik Hjelmvik on Monday, 30 September 2024 08:45:00 (UTC/GMT)

Tags: #NetworkMiner Professional #Video #Tutorial

Short URL: https://netresec.com/?b=24904d2
