{
	"id": "00ebea83-39ba-4791-bd86-6d927e4c392c",
	"created_at": "2026-04-06T00:11:21.306861Z",
	"updated_at": "2026-04-10T03:20:56.749813Z",
	"deleted_at": null,
	"sha1_hash": "ccceaff5c9a9b8a48a8d310ae6e965542361f77b",
	"title": "Decoding njRAT traffic with NetworkMiner",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 104656,
	"plain_text": "Decoding njRAT traffic with NetworkMiner\r\nBy Erik Hjelmvik\r\nPublished: 2025-04-28 · Archived: 2026-04-05 14:38:05 UTC\r\nMonday, 28 April 2025 06:00:00 (UTC/GMT)\r\nI investigate network traffic from a Triage sandbox execution of njRAT in this video. The analysis is performed using NetworkMiner in Linux (REMnux to be specific).\r\nAbout njRAT / Bladabindi\r\nnjRAT is a Remote Access Trojan (RAT) that can be used to remotely control a compromised computer. It has been around since 2013, but despite being over 10 years old it remains one of the most popular backdoors used by malicious actors. Antivirus vendors usually refer to njRAT as Bladabindi.\r\nnjRAT Artefacts Extracted by NetworkMiner\r\nNetworkMiner has a built-in parser for the njRAT Command-and-Control (C2) protocol. The parser is triggered by traffic to a well-known njRAT port, such as TCP 1177 or 5552, plus a few extra ports (such as TCP 14817, which was used by the analysed sample). Decoding njRAT traffic on other ports requires NetworkMiner Professional, which includes a port-independent protocol identification (PIPI) feature that detects the protocol regardless of which port the server runs on.\r\nAs demonstrated in the video, NetworkMiner can extract the following types of artefacts from njRAT network traffic:\r\nScreenshots of the victim computer\r\nTransferred files\r\nCommands from the C2 server\r\nReplies from the bot\r\nStolen credentials/passwords\r\nKeylog data\r\nCovered njRAT Commands and Plugins\r\nThese njRAT commands and plugins are mentioned in the video:\r\nCAP = Screen Capture\r\nret = Get Passwords\r\ninv = Invoke Plugin\r\nPLG = Plugin Delivery\r\nkl = Key Logger\r\nEx = Execute Plugin\r\nEx proc = Process List\r\nEx fm = File Manager\r\nIOC List\r\nSample (a.exe): cca1e0b65d759f4c58ce760f94039a0a\r\nC2 server: 5.tcp.eu.ngrok[.]io:14817\r\nnjRAT inv (dll): 2d65bc3bff4a5d31b59f5bdf6e6311d7\r\nnjRAT PLG (dll): c179e212316f26ce9325a8d80d936666\r\nnjRAT ret (dll): ac43720c43dcf90b2d57d746464ad574\r\nSplitter: Y262SUCZ4UJJ\r\nPosted by Erik Hjelmvik on Monday, 28 April 2025 06:00:00 (UTC/GMT)\r\nTags: #njRAT #NetworkMiner #REMnux #Video #videotutorial\r\nShort URL: https://netresec.com/?b=2541a39\r\nSource: https://netresec.com/?b=2541a39",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://netresec.com/?b=2541a39"
	],
	"report_names": [
		"?b=2541a39"
	],
	"threat_actors": [],
	"ts_created_at": 1775434281,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ccceaff5c9a9b8a48a8d310ae6e965542361f77b.pdf",
		"text": "https://archive.orkl.eu/ccceaff5c9a9b8a48a8d310ae6e965542361f77b.txt",
		"img": "https://archive.orkl.eu/ccceaff5c9a9b8a48a8d310ae6e965542361f77b.jpg"
	}
}
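The post above describes NetworkMiner's njRAT parser in terms of the ports that trigger it, the command names it labels (CAP, ret, inv, PLG, kl, Ex) and the per-build splitter string from the IOC list. The following Python decoder is an added example, not code from the post, Netresec or NetworkMiner, that reassembles and labels njRAT messages from a raw TCP stream using exactly those values. It assumes the length-prefix framing reported in public analyses of njRAT source (an ASCII decimal byte count, a NUL byte, then the payload), which the page itself does not state; the mapping of "Ex proc" and "Ex fm" to an Ex command followed by the plugin name is likewise an assumption, and every sample message is constructed.

```python
"""njRAT C2 stream decoder (added example; not NetworkMiner/Netresec code).

Assumed framing, taken from public njRAT source analyses and not from the page:
each message on the TCP stream is "<ASCII decimal payload length>\x00<payload>",
and the payload's fields are joined by a per-build splitter string.
The splitter value and the command names come from the page's IOC and
command lists; every sample message below is constructed.
"""
from dataclasses import dataclass

SPLITTER = b"Y262SUCZ4UJJ"            # splitter listed in the page's IOC list
NJRAT_PORTS = {1177, 5552, 14817}      # well-known njRAT ports plus the sample's port

COMMANDS = {                           # command names as listed on the page
    "CAP": "Screen Capture",
    "ret": "Get Passwords",
    "inv": "Invoke Plugin",
    "PLG": "Plugin Delivery",
    "kl": "Key Logger",
    "Ex": "Execute Plugin",
}
# Assumption: the page's "Ex proc" / "Ex fm" are the Ex command followed by the
# plugin name in the next field.
EX_PLUGINS = {"proc": "Process List", "fm": "File Manager"}


@dataclass
class Message:
    command: str
    fields: list          # arguments following the command
    description: str


def frame(payload: bytes) -> bytes:
    """Wrap a payload in the assumed njRAT length-prefix framing."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def split_frames(buf: bytes) -> tuple:
    """Split a stream buffer into complete payloads.

    Returns (payloads, remainder). A trailing partial frame (length prefix
    without its NUL, or payload shorter than announced) is left in the
    remainder so the caller can append the next TCP segment and call again.
    """
    frames, pos = [], 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix incomplete
        prefix = buf[pos:nul]
        if not prefix.isdigit():
            raise ValueError(f"non-numeric length prefix at offset {pos}: {prefix!r}")
        start, end = nul + 1, nul + 1 + int(prefix)
        if end > len(buf):
            break                                   # payload incomplete
        frames.append(buf[start:end])
        pos = end
    return frames, buf[pos:]


def parse_message(payload: bytes, splitter: bytes = SPLITTER) -> Message:
    """Split a payload on the splitter and label the command from the page's list."""
    parts = payload.split(splitter)
    cmd = parts[0].decode("utf-8", errors="replace")
    args = parts[1:]
    desc = COMMANDS.get(cmd, "unknown")
    if cmd == "Ex" and args:
        plugin = args[0].decode("utf-8", errors="replace")
        desc += ": " + EX_PLUGINS.get(plugin, "unknown plugin")
    return Message(cmd, args, desc)


def decode_stream(buf: bytes, splitter: bytes = SPLITTER) -> tuple:
    """Decode every complete message in buf; returns (messages, remainder)."""
    payloads, rest = split_frames(buf)
    return [parse_message(p, splitter) for p in payloads], rest


def looks_like_njrat(buf: bytes, splitter: bytes = SPLITTER) -> bool:
    """Port-independent heuristic: the first complete frame carries a known command."""
    try:
        msgs, _ = decode_stream(buf, splitter)
    except ValueError:
        return False
    return bool(msgs) and msgs[0].command in COMMANDS


# Constructed stream: three complete frames and one truncated frame whose
# remaining bytes would arrive in the next TCP segment.
SAMPLE_STREAM = (
    frame(b"kl")                                    # C2 -> bot: request keylog data
    + frame(b"kl" + SPLITTER + b"[notepad]hello")   # bot -> C2: keylog reply
    + frame(b"Ex" + SPLITTER + b"proc")             # C2 -> bot: run the process-list plugin
    + b"16\x00Ex"                                   # announced 16 bytes, only 2 present
)

if __name__ == "__main__":
    messages, remainder = decode_stream(SAMPLE_STREAM)
    for m in messages:
        print(f"{m.command:<4} {m.description:<30} {m.fields}")
    print("unconsumed remainder:", remainder)
```

Because `split_frames` hands back the unconsumed tail instead of discarding it, the same function works over a live socket or a reassembled pcap stream: keep appending segments to the remainder and re-run it. The `looks_like_njrat` check is only a rough stand-in for port-independent identification; a production classifier would also require that the splitter appears in a frame and that the C2 port or a known command appears on both sides of the conversation.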