Backdoor.NJRat

detection icon

What is NJRat?

Backdoor.NJRat is a Remote Access Trojan (RAT) application that may run in the background and silently collect information about the system, connected users, and network activity. Backdoor.NJRat may attempt to steal stored credentials, usernames and passwords and other personal and confidential information. This information may be transmitted to a destination specified by the author. Backdoor.NJRat may allow an attacker to install additional software to the infected machine, or may direct the infected machine to participate in a malicious botnet for the purposes of sending spam or other malicious activities.

How to remove Backdoor.NJRat Trojans

Backdoor.NJRat may run silently in the background and may not provide any indication of infection to the user. Backdoor.NJRat may also disable Antivirus programs and other Microsoft Windows security features.

Backdoor.NJRat Remote Access Trojan Types

Backdoor.NJRat may be distributed using various methods. This software may be packaged with free online software, or could be disguised as a harmless program and distributed by email. Alternatively, this software may be installed by websites using software vulnerabilities. Infections that occur in this manner are usually silent and happen without user knowledge or consent.

How to protect against Backdoor.NJRat Remote Access Trojans

Malwarebytes protects users from the installation of Backdoor.NJRat Malwarebytes detects and removes Backdoor.NJRat

How to detect and remove Backdoor.NJRat infections

Malwarebytes can detect and remove many Backdoor.NJRat infections without further user interaction.

  1. Please download Malwarebytesto your desktop.
  2. Double-click MBSetup.exeand follow the prompts to install the program.
  3. When your Malwarebytes for Windowsinstallation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantineto remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Malwarebytes removal log

A Malwarebytes log of removal will look similar to this:

Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 3/22/18
Scan Time: 11:09 PM
Log File: 586ae303-2e58-11e8-9116-00ffc8517b86.json
Administrator: Yes
-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4454
License: Premium
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: DE-WIN7\Fwiplayer
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 297736
Threats Detected: 12
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 2 min, 46 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 2
Trojan.Agent.E.Generic, C:\USERS\FWIPLAYER\APPDATA\LOCAL\TEMP\SERVER.EXE, No Action By User, [1031], [372422],1.0.4454
Backdoor.NJRat, C:\USERS\FWIPLAYER\DESKTOP\NJRAT V0.7D\NJRAT V0.7D.EXE, No Action By User, [51], [298876],1.0.4454
Module: 3
Trojan.Agent.E.Generic, C:\USERS\FWIPLAYER\APPDATA\LOCAL\TEMP\SERVER.EXE, No Action By User, [1031], [372422],1.0.4454
Backdoor.NJRat, C:\USERS\FWIPLAYER\DESKTOP\NJRAT V0.7D\NJRAT V0.7D.EXE, No Action By User, [51], [298876],1.0.4454
Backdoor.Bladabindi, C:\USERS\FWIPLAYER\DESKTOP\NJRAT V0.7D\WINMM.NET.DLL, No Action By User, [75], [151857],1.0.4454
Registry Key: 0
(No malicious items detected)
Registry Value: 2
Trojan.Agent.E.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|279f6960ed84a752570aca7fb2dc1552, No Action By User, [1031], [372422],1.0.4454
Trojan.Agent.E.Generic, HKU\S-1-5-21-2165681608-3755637219-621560601-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|279f6960ed84a752570aca7fb2dc1552, No Action By User, [1031], [372422],1.0.4454
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 1
Backdoor.Agent, C:\WINDOWS\SYSWOW64\SPYNET, No Action By User, [85], [181094],1.0.4454
File: 4
Backdoor.Agent, C:\WINDOWS\SYSWOW64\SPYNET\SERVER.EXE, No Action By User, [85], [251509],1.0.4454
Trojan.Agent.E.Generic, C:\USERS\FWIPLAYER\APPDATA\LOCAL\TEMP\SERVER.EXE, No Action By User, [1031], [372422],1.0.4454
Backdoor.NJRat, C:\USERS\FWIPLAYER\DESKTOP\NJRAT V0.7D\NJRAT V0.7D.EXE, No Action By User, [51], [298876],1.0.4454
Backdoor.Bladabindi, C:\USERS\FWIPLAYER\DESKTOP\NJRAT V0.7D\WINMM.NET.DLL, No Action By User, [75], [151857],1.0.4454
Physical Sector: 0
(No malicious items detected)

(end)

Traces/IOCs

You may see these entries in FRST logs:

2018-03-22 22:58 – 2018-03-22 22:58 – 000024064 _____ ()\AppData\Local\Temp\server.exe
HKLM-x32\…\Run: [279f6960ed84a752570aca7fb2dc1552]=> \AppData\Local\Temp\server.exe .. [24064 2018-03-22] () <====ATTENTION
HKU\S-1-5-21-2165681608-3755637219-621560601-1000\…\Run: [279f6960ed84a752570aca7fb2dc1552]=> \AppData\Local\Temp\server.exe .. [24064 2018-03-22] () <====ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:8927A071 [219]

  

Associated files:

njRat.exe, server.exe

detection icon

Related blog content

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams