NETRESEC Network Security Blog - Tag : Video

rss

Decoding njRAT traffic with NetworkMiner

I investigate network traffic from a Triage sandbox execution of njRAT in this video. The analysis is performed using NetworkMiner in Linux (REMnux to be specific).

About njRAT / Bladabindi

njRAT is a Remote Access Trojan (RAT) that can be used to remotely control a hacked computer. It has been around since 2013, but despite being over 10 years old it still remains one of the most popular backdoors used by malicious actors. Anti virus vendors usually refer to njRAT as Bladabindi.

njRAT Artefacts Extracted by NetworkMiner

NetworkMiner has a built-in parser for the njRAT Command-and-Control (C2) protocol. This njRAT parser kicks in whenever there is traffic to a well-known njRAT port, such as TCP 1177 or 5552, plus a few extra ports (like TCP 14817 that was used by the analysed sample). You’ll need NetworkMiner Professional to decode njRAT traffic to other ports, since it comes with a port-independent-protocol-identification (PIPI) feature that automatically detects the protocol regardless which port the server runs on.

As demonstrated in the video, NetworkMiner can extract the following types of artefacts from njRAT network traffic:

  • Screenshots of victim computer
  • Transferred files
  • Commands from C2 server
  • Replies from bot
  • Stolen credentials/passwords
  • Keylog data

Covered njRAT Commands and Plugins

These njRAT commands and plugins are mentioned in the video:

  • CAP = Screen Capture
  • ret = Get Passwords
  • inv = Invoke Plugin
  • PLG = Plugin Delivery
  • kl = Key Logger
  • Ex = Execute Plugin
  • Ex proc = Process List
  • Ex fm = File Manager

IOC List

  • Sample (a.exe): cca1e0b65d759f4c58ce760f94039a0a
  • C2 server: 5.tcp.eu.ngrok[.]io:14817
  • njRAT inv (dll): 2d65bc3bff4a5d31b59f5bdf6e6311d7
  • njRAT PLG (dll): c179e212316f26ce9325a8d80d936666
  • njRAT ret (dll): ac43720c43dcf90b2d57d746464ad574
  • Splitter: Y262SUCZ4UJJ

Posted by Erik Hjelmvik on Monday, 28 April 2025 06:00:00 (UTC/GMT)

Tags: #njRAT#NetworkMiner#REMnux#Video#videotutorial​

Short URL: https://netresec.com/?b=2541a39

Short URL: https://netresec.com/?b=24A65d3


Browsers tab in NetworkMiner Professional

The Browsers tab is a unique feature only available in NetworkMiner Professional. The PCAP files analyzed in this video are pwned-se_150312_outgoing.pcap and pwned-se_150312_incoming.pcap, which are snippets of the 4.4 GB Hands-on Network Forensics dataset from FIRST 2015 (slides).

More information about NetworkMiner Professional's Browsers tab can be found in our blog post Analyzing Web Browsing Activity.

See our NetworkMiner Professional tutorial videos for additional tips and hints.

Posted by Erik Hjelmvik on Thursday, 03 October 2024 09:10:00 (UTC/GMT)

Tags: #NetworkMiner Professional#Video#Tutorial

Short URL: https://netresec.com/?b=24Abf1c

Short URL: https://netresec.com/?b=24Ad5ad


Hosts tab in NetworkMiner Professional

The PCAP file analyzed in this video is MD_2015-07-22_112601.pcap, which is a snippet of the training data used in our network forensics classes from 2015 to 2019.

Techniques, tools and databases mentioned in the tutorial:

Check out our Passive OS Fingerprinting blog post for more details on how to identify operating systems using TCP/IP headers and browser user-agents.

See our NetworkMiner Professional tutorial videos for more tips and hints.

Posted by Erik Hjelmvik on Tuesday, 01 October 2024 08:25:00 (UTC/GMT)

Tags: #NetworkMiner Professional#Video#Tutorial

Short URL: https://netresec.com/?b=24A71a9


Opening capture files with NetworkMiner Professional

This video tutorial demonstrates how to open capture files with NetworkMiner Professional

The analyzed pcap-ng file is github.pcapng from CloudShark. More info about this capture file can be found in our blog post Forensics of Chinese MITM on GitHub.

See our NetworkMiner Professional tutorial videos for more tips and hints.

Posted by Erik Hjelmvik on Monday, 30 September 2024 12:50:00 (UTC/GMT)

Tags: #NetworkMiner Professional#Video#Tutorial

Short URL: https://netresec.com/?b=249b790


Video Tutorial: Installing NetworkMiner Professional

This video tutorial covers how to install NetworkMiner Professional.

Use the official 7-zip tool to extract the password protected 7zip archive.

Recommended locations for NetworkMiner:

  • Desktop
  • My Documents
  • C:\Users\{user}\AppData\Local\Programs\
  • USB flash drive

See our NetworkMiner Professional tutorial videos for more tips and hints.

Posted by Erik Hjelmvik on Monday, 30 September 2024 08:45:00 (UTC/GMT)

Tags: #NetworkMiner Professional#Video#Tutorial

Short URL: https://netresec.com/?b=24904d2


Kubernetes Cryptojacking

In this video I take a look at a cryptojacking attack against a Kubernetes honeypot. The attackers were surprisingly quick to discover this unsecured Kubernetes deployment and use it to mine Monero for them.

The analyzed capture files can be downloaded from
https://share.netresec.com/s/S5ZG2cDKB9AbqwS?path=%2Fk3s-443

This PCAP dataset was created by Noah Spahn, Nils Hanke, Thorsten Holz, Chris Kruegel, and Giovanni Vigna as part of their research for their Container Orchestration Honeypot: Observing Attacks in the Wild paper.

The capture files named "proxy-", such as the analyzed proxy-220404-162837.pcap, were generated by PolarProxy and contain the decrypted Kubernetes API traffic to the master node. This traffic was actually TLS encrypted, but since PolarProxy was used as a TLS interception proxy we can see the Kubernetes API traffic in decrypted form.

IOC List

  • attacker IP: 102.165.16.27 (PIA VPN)
  • kind: DeamonSet
  • name: api-proxy
  • namespace: kube-system
  • image: dorjik/xmrig
  • mining pool: gulf.moneroocean.stream:1012
  • annotation: kubectl.kubernetes.io/last-applied-configuration
  • Monero wallet address: 41pdpXWNMe6NvuDASWXn6ZMdPk4N6amucCHHstNcw2y8caJNdgN4kNeW3QFfc3amCiJ9x6dh8pLboR6minjYZpgk1szkeGg

Posted by Erik Hjelmvik on Tuesday, 07 May 2024 07:50:00 (UTC/GMT)

Tags: #video#CapLoader#PolarProxy

Short URL: https://netresec.com/?b=245f018

2024 January

Hunting for Cobalt Strike in PCAP

2023 March

QakBot C2 Traffic

2023 February

How to Identify IcedID Network Traffic

CapLoader 1.9.5 Alerts on Malicious Traffic

2022 September

Hunting for C2 Traffic

2022 May

Emotet C2 and Spam Traffic Video

2021 October

How the SolarWinds Hack (almost) went Undetected

2021 September

Start Menu Search Video

2021 July

Walkthrough of DFIR Madness PCAP

2021 May

Detecting Cobalt Strike and Hancitor traffic in PCAP

2020 January

Sharing a PCAP with Decrypted HTTPS

2019 January

Video: TrickBot and ETERNALCHAMPION

2018 July

Detecting the Pony Trojan with RegEx using CapLoader

2018 February

Examining Malware Redirects with NetworkMiner Professional

Analyzing Kelihos SPAM in CapLoader and NetworkMiner

Antivirus Scanning of a PCAP File

Zyklon Malware Network Forensics Video Tutorial