I noticed a very strange GET request in one of my webserver logs and decided to investigate. The request asked for the following endpoint:
```
"145.ll|'|'|SGFjS2VkX0Q0OTkwNjI3|'|'|WIN-JNAPIER0859|'|'|JNapier|'|'|19-02-01|'|'||'|'|Win 7 Professional SP1 x64|'|'|No|'|'|0.7d|'|'|..|'|'|AA==|'|'|112.inf|'|'|SGFjS2VkDQoxOTIuMTY4LjkyLjIyMjo1NTUyDQpEZXNrdG9wDQpjbGllbnRhLmV4ZQ0KRmFsc2UNCkZhbHNlDQpUcnVlDQpGYWxzZQ==12.act|'|'|AA==" 400 157 "-" "-" "-"
```
It appears to be a table row whose fields are separated by the bar (`|`) character. Some of the fields are empty, and others appear to be Base64-encoded strings. The first string decodes to `HacKed_D4990627`, and the second decodes to:

```
HacKed
192.168.92.222:5552
Desktop
clienta.exe
False
False
True
False
```
I also noticed that the IP address in the decoded data (192.168.92.222) is an internal address, falling within the RFC 1918 private ranges:

| Class | Start Address | End Address | Range |
|---|---|---|---|
| A | 10.0.0.0 | 10.255.255.255 | 10/8 |
| B | 172.16.0.0 | 172.31.255.255 | 172.16/12 |
| C | 192.168.0.0 | 192.168.255.255 | 192.168/16 |
I Googled the name JNapier to see if I could find more information. The same log string seemed to show up incidentally in posts about other subjects, where people had dumped their logs onto an online forum while asking questions.
- I found the same string in a StackOverflow post from 6 years ago.
- It appeared in a tutorial for PCAP analysis with Zeek.
- A post about random requests in someone’s webserver logs.
- Another post (in Chinese) about random requests to a webserver, from 2020.
- Somebody’s nginx webserver log that they posted on GitHub in 2024.

Finally, I found another Chinese blog post stating that this is an njRat Trojan communication request, which gives us some context and another clue about the origin of the suspicious traffic.

This post confirms that the request is a series of parameters separated by `|`. It says that the first parameter is the command word and that the first Base64-encoded parameter is the control terminal name. The hostname is WIN-JNAPIER0859 and the system version is Win 7 Professional SP1. They also say that 19-02-01 is the initial time, the ‘No’ represents the camera condition, and the njRat version is 0.7d.
Now that a possible njRat communication had been identified, I needed to find other sources showing this same communication pattern; you should avoid relying on a single source if at all possible. I then found a well-written post on Medium analyzing the njRat malware.

This post confirmed that the njRat victim name is Base64-encoded when the njRat client is created. Cleartext information includes the machine name, victim name, date, and victim OS. They also said that the IP address, port number, executable file location, executable file name, and njRat options are then sent in the second Base64-encoded blob. This matches the format I saw in the server log at the top of this page.
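The decoding walked through by hand above (split the request on `|'|'|`, Base64-decode the blobs, pull out the `IP:port` line and check it against the private ranges in the table) as one script that can be pointed at access-log lines. This is an added example and not the author's or either referenced post's code: it embeds the beacon string from the log line at the top of the page, wraps it in constructed nginx-style access-log lines (the client IPs and timestamps are made up), and labels fields according to the layout the two referenced posts describe. It uses only the standard library and runs offline.

```python
"""Pull njRat-style beacons out of webserver access-log lines (added example)."""
import base64
import binascii
import ipaddress
import re

DELIM = "|'|'|"  # field separator seen in the request on this page

# A Base64 run of at least 4 alphabet characters with optional padding. Anything
# after it (e.g. the "12.act" tail in the log) is returned separately as a remainder.
B64_PREFIX = re.compile(r"^([A-Za-z0-9+/]{4,}={0,2})")

# RFC 1918 private blocks, the same three rows as the table in the post.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Beacon copied from the page; the access-log lines around it are constructed.
BEACON = (
    "145.ll|'|'|SGFjS2VkX0Q0OTkwNjI3|'|'|WIN-JNAPIER0859|'|'|JNapier|'|'|19-02-01|'|'||'|'|"
    "Win 7 Professional SP1 x64|'|'|No|'|'|0.7d|'|'|..|'|'|AA==|'|'|112.inf|'|'|"
    "SGFjS2VkDQoxOTIuMTY4LjkyLjIyMjo1NTUyDQpEZXNrdG9wDQpjbGllbnRhLmV4ZQ0KRmFsc2UNCkZhbHNlDQpUcnVlDQpGYWxzZQ=="
    "12.act|'|'|AA=="
)
SAMPLE_LOG = [  # constructed nginx combined-format lines
    '203.0.113.7 - - [01/Feb/2019:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - [01/Feb/2019:10:12:03 +0000] "{BEACON}" 400 157 "-" "-" "-"',
]


def is_private(ip: str) -> bool:
    """True if ip falls inside one of the RFC 1918 blocks; raises ValueError on junk."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def extract_request(line: str) -> str:
    """Return the first double-quoted field of a combined-format log line (the request)."""
    m = re.search(r'"([^"]*)"', line)
    return m.group(1) if m else ""


def decode_b64_field(field: str):
    """Decode a field that begins with Base64 text.

    Returns (decoded_text, remainder) or None when the field is not a Base64 run that
    decodes to printable text. Plain fields such as hostnames fail this test, as do
    opaque blobs like the "AA==" fields, which decode to a lone null byte.
    """
    m = B64_PREFIX.match(field)
    if not m:
        return None
    try:
        text = base64.b64decode(m.group(1), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text, field[m.end():]


def parse_beacon(request: str) -> dict:
    """Split a beacon on DELIM, decode the Base64 fields and pull out the C2 address."""
    fields = request.split(DELIM)
    info = {"fields": fields, "decoded": [], "c2": None, "c2_private": None, "labels": {}}
    if len(fields) >= 9:  # positions as described in the referenced posts
        info["labels"] = {
            "command": fields[0], "hostname": fields[2], "user": fields[3],
            "date": fields[4], "os": fields[6], "camera": fields[7], "version": fields[8],
        }
    for field in fields:
        dec = decode_b64_field(field)
        if dec is None:
            continue
        text, _tail = dec
        info["decoded"].append(text)
        for line in text.splitlines():  # splitlines() handles the \r\n separators
            m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", line)
            if not m:
                continue
            try:
                info["c2_private"] = is_private(m.group(1))
            except ValueError:  # e.g. an octet above 255
                continue
            info["c2"] = (m.group(1), int(m.group(2)))
    return info


def scan_log(lines) -> list:
    """Return a parsed beacon for every log line whose request contains the njRat delimiter."""
    hits = []
    for line in lines:
        request = extract_request(line)
        if DELIM in request:
            hits.append(parse_beacon(request))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("victim name:", hit["decoded"][0])
        print("host / user:", hit["labels"]["hostname"], hit["labels"]["user"])
        print("C2 address :", hit["c2"], "(private range)" if hit["c2_private"] else "")
```

The Base64 test is deliberately a heuristic (alphabet run, valid padding, printable result) rather than "looks like Base64", so a hostname like `WIN-JNAPIER0859` or a username like `JNapier` is left alone while both blobs from the page decode cleanly. A private C2 address in a beacon that reached an internet-facing server is itself worth noting: it suggests a lab or misconfigured sample rather than live infrastructure, which fits the post's finding that the same string turns up in tutorials and dumped logs.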
Conclusion
This was a quick little exercise in identifying a suspicious request in a logfile. Fun fact: I saw this line in the server log when it first showed up, decoded some of the Base64, and thought “This seems interesting, I’ll get back to it later”. Then I forgot about it for a while and struggled to track it down again when I did remember it.
Pro tip: Treat everything during a threat hunt as if you will never be able to get back to it if you don’t record it at that moment. If any of your research ends up in an investigation, the notes that you made may be the only remaining record of activity as logs only persist so long, and threat actors can clean up their infrastructure very quickly.