{"id":1219,"date":"2023-05-22T15:00:00","date_gmt":"2023-05-22T19:00:00","guid":{"rendered":"https:\/\/drkeithjones.com\/?p=1219"},"modified":"2023-05-23T13:26:07","modified_gmt":"2023-05-23T17:26:07","slug":"njrat-bladabindi-zeek-detector-update-zeek-roulette-1-part-2","status":"publish","type":"post","link":"https:\/\/drkeithjones.com\/index.php\/2023\/05\/22\/njrat-bladabindi-zeek-detector-update-zeek-roulette-1-part-2\/","title":{"rendered":"njRAT\/Bladabindi Zeek Detector Update &#8211; Zeek Roulette #1 Part 2"},"content":{"rendered":"\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"njRAT\/Bladabindi Zeek Detector Update - Zeek Roulette #1 Part 2\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/r03uQw-uOgo?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>This is an update to:<\/p>\n\n\n\n<p><a href=\"https:\/\/drkeithjones.com\/index.php\/2023\/04\/20\/detecting-njrat-bladabindi-malware-with-zeek-zeek-roulette-1\/\" title=\"Detecting njRAT\/Bladabindi Malware With Zeek \u2013 Zeek Roulette #1\">Detecting njRAT\/Bladabindi Malware With Zeek \u2013 Zeek Roulette #1<\/a><\/p>\n\n\n\n<p>I have been running this detector on a live network for a while and I&#8217;ve seen 2 (rare) categories of false positives we can easily eliminate by improving on the code just a little bit.<\/p>\n\n\n\n<p>The first false positive occurs when the message length is zero.  
We can eliminate this false positive by adding an <code>&amp;requires<\/code> attribute to the njRATMessage unit in our Spicy code, so a frame whose declared length is zero fails to parse instead of being reported:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>public type njRATMessage = unit {\n    len: \/&#91;0-9]+\/ &amp;convert=bytes2uint($$);\n    : \/\\x00\/;\n    payload: bytes &amp;size=self.len;\n} &amp;requires=(self.len &gt; 0);<\/code><\/pre>\n\n\n\n<p>The second false positive occurs when there is traffic that looks like njRAT framing (a decimal length, a NUL byte, then a payload) but doesn&#8217;t use a valid, known njRAT command.  I did some research here:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/cybergeeks.tech\/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach\/\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/cybergeeks.tech\/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/hidocohen.medium.com\/njrat-malware-analysis-198188d6339a\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/hidocohen.medium.com\/njrat-malware-analysis-198188d6339a<\/a><\/li>\n<\/ul>\n\n\n\n<p>I found that the sources above say we should expect the following commands from njRAT:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>ll<\/li>\n\n\n\n<li>proc<\/li>\n\n\n\n<li>rss<\/li>\n\n\n\n<li>rs<\/li>\n\n\n\n<li>rsc<\/li>\n\n\n\n<li>kl<\/li>\n\n\n\n<li>inf<\/li>\n\n\n\n<li>prof<\/li>\n\n\n\n<li>rn<\/li>\n\n\n\n<li>inv<\/li>\n\n\n\n<li>ret<\/li>\n\n\n\n<li>CAP<\/li>\n\n\n\n<li>P<\/li>\n\n\n\n<li>un<\/li>\n\n\n\n<li>up<\/li>\n\n\n\n<li>RG<\/li>\n\n\n\n<li>nwpr<\/li>\n\n\n\n<li>site<\/li>\n\n\n\n<li>fun<\/li>\n\n\n\n<li>IEhome<\/li>\n\n\n\n<li>shutdowncomputer<\/li>\n\n\n\n<li>restartcomputer<\/li>\n\n\n\n<li>logoff<\/li>\n\n\n\n<li>ErrorMsg<\/li>\n\n\n\n<li>peech<\/li>\n\n\n\n<li>BepX<\/li>\n\n\n\n<li>piano<\/li>\n\n\n\n<li>OpenCD<\/li>\n\n\n\n<li>CloseCD<\/li>\n\n\n\n<li>EnableKM<\/li>\n\n\n\n<li>DisableKM<\/li>\n\n\n\n<li>TurnOnMonitor<\/li>\n\n\n\n<li>TurnOffMonitor<\/li>\n\n\n\n<li>NormalMouse<\/li>\n\n\n\n<li>ReverseMouse<\/li>\n\n\n\n<li>EnableCMD<\/li>\n\n\n\n<li>DisableCMD<\/li>\n\n\n\n<li>EnableRegistry<\/li>\n\n\n\n<li>DisableRegistry<\/li>\n\n\n\n<li>EnableRestore<\/li>\n\n\n\n<li>DisableRestore<\/li>\n\n\n\n<li>CursorShow<\/li>\n\n\n\n<li>CursorHide<\/li>\n\n\n\n<li>sendmusicplay<\/li>\n\n\n\n<li>OpenSite<\/li>\n\n\n\n<li>dos<\/li>\n\n\n\n<li>udp<\/li>\n\n\n\n<li>udpstp<\/li>\n\n\n\n<li>pingstop<\/li>\n\n\n\n<li>pas<\/li>\n<\/ul>\n\n\n\n<p>So now all we need to do is put this list of valid commands into our DPD signature to cut down on false positives:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>signature dpd_njrat {\n    ip-proto == tcp\n    payload \/^&#91;0-9]+\\x00(ll|proc|rss|rs|rsc|kl|inf|prof|rn|inv|ret|CAP|P|un|up|RG|nwpr|site|fun|IEhome|shutdowncomputer|restartcomputer|logoff|ErrorMsg|peech|BepX|piano|OpenCD|CloseCD|EnableKM|DisableKM|TurnOnMonitor|TurnOffMonitor|NormalMouse|ReverseMouse|EnableCMD|DisableCMD|EnableRegistry|DisableRegistry|EnableRestore|DisableRestore|CursorShow|CursorHide|sendmusicplay|OpenSite|dos|udp|udpstp|pingstop|pas)\\|\/\n    enable 
\"spicy_NJRAT\"\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This is an update to: Detecting njRAT\/Bladabindi Malware With Zeek \u2013 Zeek Roulette #1 I have been running this detector on a live network for a while and I&#8217;ve seen 2 (rare) categories of false positives we can easily eliminate by improving on the code just a little bit. The first false positive occurs when [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[144,140,91,4,145],"tags":[199,142,198,27],"class_list":["post-1219","post","type-post","status-publish","format-standard","hentry","category-detection","category-malware","category-open-source","category-zeek","category-zeek-roulette","tag-bladabindi","tag-njrat","tag-roulette","tag-zeek"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts\/1219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/comments?post=1219"}],"version-history":[{"count":0,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts\/1219\/revisions"}],"wp:attachment":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/media?parent=1219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/categories?post=1219"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\
/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/tags?post=1219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
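The two filters the post adds (the `&requires=(self.len > 0)` check on the Spicy unit and the allow-listed command alternation in the DPD signature) can be exercised without a Zeek install. The following is an added example, not code from the post or from Zeek/Spicy: a pure-Python stand-in for both checks, run over constructed byte strings that reproduce each false-positive class the post describes. It assumes, as the post's signature does, that the command token is followed by a literal `|`, and that the bytes handed to `classify()` are the start of a reassembled TCP stream; `build_frame()` and the `SAMPLES` traffic are constructed helpers, not real captures.

```python
"""Constructed Python model of the post's two njRAT false-positive filters:
the DPD signature's command allow-list and the Spicy unit's &requires check.
Not the post's Zeek/Spicy code; a stand-in that runs without Zeek."""
import re

# Command list exactly as enumerated in the post's DPD signature.
NJRAT_COMMANDS = frozenset(
    s.encode() for s in (
        "ll proc rss rs rsc kl inf prof rn inv ret CAP P un up RG nwpr site fun "
        "IEhome shutdowncomputer restartcomputer logoff ErrorMsg peech BepX piano "
        "OpenCD CloseCD EnableKM DisableKM TurnOnMonitor TurnOffMonitor "
        "NormalMouse ReverseMouse EnableCMD DisableCMD EnableRegistry "
        "DisableRegistry EnableRestore DisableRestore CursorShow CursorHide "
        "sendmusicplay OpenSite dos udp udpstp pingstop pas"
    ).split()
)

# Equivalent of the post's signature:  payload /^[0-9]+\x00(ll|proc|...|pas)\|/
# Longest-first keeps the alternation unambiguous ("rsc" before "rs"); the
# mandatory trailing "|" is what stops "rs" from matching an "rsc|" payload.
_ALTERNATION = b"|".join(
    re.escape(c) for c in sorted(NJRAT_COMMANDS, key=len, reverse=True)
)
DPD_RE = re.compile(rb"^[0-9]+\x00(" + _ALTERNATION + rb")\|")

# Equivalent of the Spicy unit's framing: decimal length, NUL, then payload.
_FRAME_RE = re.compile(rb"^([0-9]+)\x00")


def build_frame(payload):
    """Constructed helper: wrap a payload in njRAT's '<decimal len>\\x00' framing."""
    return str(len(payload)).encode() + b"\x00" + payload


def parse_frame(buf):
    """Parse one frame from the front of buf, like the njRATMessage unit.

    Returns (length, payload, rest); None if the payload is not all here yet.
    Raises ValueError if the header does not parse or the unit's
    &requires=(self.len > 0) check fails (the zero-length false positive).
    """
    m = _FRAME_RE.match(buf)
    if m is None:
        raise ValueError("no '<digits>\\x00' frame header")
    length = int(m.group(1))
    if length <= 0:                      # &requires=(self.len > 0)
        raise ValueError("zero-length njRAT frame")
    start = m.end()
    if len(buf) < start + length:
        return None                      # wait for more bytes
    return length, buf[start:start + length], buf[start + length:]


def iter_frames(buf):
    """Yield (length, payload) for every complete frame in a reassembled stream."""
    while buf:
        frame = parse_frame(buf)
        if frame is None:
            return                       # trailing partial frame
        length, payload, buf = frame
        yield length, payload


def command_of(payload):
    """The command token is everything before the first '|' (assumed delimiter)."""
    cmd, sep, _ = payload.partition(b"|")
    return cmd if sep else None


def classify(buf):
    """Apply the checks in Zeek's order: DPD signature first, then the parser."""
    if not DPD_RE.match(buf):
        m = _FRAME_RE.match(buf)
        if m is None:
            return "no-match"            # never looked like njRAT framing
        return "fp-zero-length" if int(m.group(1)) == 0 else "fp-unknown-command"
    try:
        frame = parse_frame(buf)
    except ValueError:
        return "fp-zero-length"          # b"0\x00ll|": signature hit, unit refused
    if frame is None:
        return "incomplete"
    _, payload, _ = frame
    cmd = command_of(payload)
    if cmd not in NJRAT_COMMANDS:
        return "fp-short-frame"          # declared length cut the command off
    return "njrat:" + cmd.decode()


# Constructed sample traffic, not captures from a real njRAT session.
SAMPLES = {
    "known command":       build_frame(b"inf|HacKed_ABC123"),
    "rsc, not rs":         build_frame(b"rsc|some-shell-output"),
    "zero length":         b"0\x00",
    "zero length + cmd":   b"0\x00ll|",
    "unknown command":     build_frame(b"hello|world"),
    "no NUL after digits": b"12|ll|foo",
    "truncated payload":   b"50\x00inf|short",
    "two frames":          build_frame(b"ll|") + build_frame(b"kl|abc"),
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:20} {buf!r:36} -> {classify(buf)}")
    print([command_of(p) for _, p in iter_frames(SAMPLES["two frames"])])
```

Two points worth keeping in mind when carrying this back to Zeek. First, a failed `&requires` is a parse error, which Zeek surfaces as an analyzer violation and uses to stop treating that connection as njRAT, so the zero-length case is rejected by the parser even if the signature fired on it. Second, the command allow-list trades false positives for false negatives: a build of njRAT whose operator renamed or added commands will no longer trigger the DPD signature at all, so a periodic check of the list against current samples is part of maintaining the detector.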