How to Create Malware For Ethical Hacking?

RAT or a Remote Access Trojan helps hackers to gain complete control over a target system, allowing them to access the files, private conversations, etc. remotely. In this lab, let’s understand how HTTP Trojans work so that you can protect your network against this type of malware.

1. Go to the Module 07 Malware Threats\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN. Double-click on httprat.exe to open HTTP RAT.

2. When the HTTP RAT window comes, uncheck the send notification with IP address to mail option. Next, enter server port 84 and click on Create for the creation of an httpserver.exe file. 

3. A server will get created in the default location where you can find the HTTP RAT files. Minimize all the open windows. 

4. Go to Windows 8.

5. To run httpserver.exe navigate to Module 07 Malware Threats\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN and double-click httpserver.exe.

When the Open File -Security Warning error comes, click on Run.

6. The httpserver.exe file will continue to run in the background. Open the Task Manager for the confirmation of status. You can see in the Processes tab that the Httpserver (32 bit) is running. Keep the Windows 8 machine running.

7. Open Windows Server 2016. 

8. Open a web browser like Google Chrome. 

9. In the URL bar, write the IP address of the target machine and press Enter. In this lab, the target machine is Windows 8 with IP address 10.10.10.8.

10. It will show the z0mbie’s HTTP_RAT page. Click on Running Processes to see the list of processes active on Windows 8. 

11. It will show the list of Running Processes on the target machine. You can close any process from your end.

12. Click on Browse to view the directories and files on the target machine. You can further check the content on the drives. 

13. If you click on the Computer info, it will show you the details about the computer, hardware, and users.

14. Close all the open windows when the lab is completed.

njRAT is a powerful RAT tool to steal data. It allows hackers to log keystrokes, access the camera of the target system, access credentials stored in browsers, upload and download files, manipulate files, and see the desktop.

Hackers can further use it to take control over the computers in a network, create malware and spread it in the network. 

As an ethical hacker or security admin, it is important for you to find the vulnerable machines that can be attacked by Trojans, malware, which can lead to data breach and identity theft. 

In this lab, let’s understand how to create a server using njRAT and gain remote access to the target machine.

1. Open the Control Panel on your desktop.

2. When the All Control Panel Items window comes, click on Windows Defender Firewall. Further, click on Use Recommended Settings. Close the open windows and let the Windows 10 system in running mode.

3. Go to E:\CEHv10 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\njRAT and double-click on njRAT v0.7d.exe to open the njRAT tool.

4. When the njRAT GUI comes, enter the port number and click on Start. Here, let’s proceed with the default port number 5552.

5. In the next interface, click on Builder in the lower-left side.

6. When the Builder dialog box comes, enter the IP of Windows Server 2016 (attacker machine). Check mark the Copy to Startup and Registry Startup options and click on Build.

7. When the Save As dialog box comes, specify the location for storing the server, add a name, and then click on Save.

8. Here, the file has been named to Test.exe and the destination location is E:\CEHv10 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\njRAT.

9. When the server is created successfully, there will be DONE! popup. Click on OK.

10. Hackers transmit a crafted server file to the target machine in real time. When this file is executed, the hackers can see and access the information on the target machine.

Here, let’s use the Test.exe file on the Shared Network drive. It can be accessed by the other machines.

11. Open Windows 10 and go to Z:\CEHv10 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\njRAT.

Copy-paste the Test.exe file on Desktop. Minimize the currently open windows. 

12. Open the Test.exe file from Desktop.

13. Open Windows Server 2016 as soon as the file is opened. The njRAT client running on Windows Server 2016 will form a connection with the target machine.

The control over the target machine remains with the hacker unless he disconnects it. 

In the GUI, you can see the basic details about the target machine, including IP address, username, operating system, etc. 

14. Right-click on the victim name and then click on Manager.

15. In the Manager window, the File Manager is selected by default. To see the related files of a directory, double-click on the directory.

16. Click on Process manager. From the processes shown, right click on a process to perform actions like Kill, Delete, and Restart. 

17. Click on Connection, choose a particular connection, and right click on it. Then click on Kill Connection. It will close the connection between two machines interacting via a specific port. 

18. Click on Remote Shell to open a remote command prompt of the target machine. Write ipconfig/all and press Enter.

19. It will show the interfaces associated with the target machine. Similarly, you can write other commands and view more information from the target machine.

Similarly, you can click on Services to see the services running on the target machine. It will allow you to start, pause, or stop a service.

20. Right-click on the target machine name and then click on Run File. Select an option from the dropdown. Hackers use these options to write and execute scripts and find remote access to the machine.

21. Now, right-click on the target machine name and choose Remote Desktop. It will open a remote desktop connection. The victim will not become aware of it.

22. When the Remote Desktop window comes, navigate to the top-center part. A down arrow will show. Click on it.

23. When the remote desktop control panel comes, check mark the Mouse option. It will allow you to communicate with the target machine remotely using your mouse.

Once the task is completed, close the Remote Desktop window.

24. Similarly, you can spy on the target machine and keep a track of voice conversations by right-clicking on the target machine name and choosing Remote Cam and Microphone.

25. Open Windows 10 and do some activities on it like a legitimate user. The activities can include opening websites in a browser, writing text in a document, etc. 

26. Open Windows Server 2016 and right-click on the target machine name. Then, click on Keylogger. 

27. When the Keylogger window comes, it will show all the keystrokes performed by the user on the target Windows 10 machine.Close the window after seeing it.

28. Right-click on the target machine name and then click on Open Chat.

29. When the Chat pop-up comes, enter a nickname and click on OK.

30. When the chat box shows, write a message and click on Send.

31. Open Windows 10 as soon as you send the message from the Windows Server 2016 machine. It will show you a pop-up.

When a victim sees such pop-ups or alerts, he tries to close it. However, no matter wherever they click, the chat box will remain open as long as it is being used by the attacker.

In case the victim tries to restart the system, it will disconnect the communication between njRAT and Windows 10. 

32. Now, restart Windows 10.

33. Open Windows Server 2016 and check whether the connection is lost with the target machine.

34. Click Windows 10 and login to it. Keep the machine running.

35. Open Windows Server 2016 and check whether the connection is formed after restarting. 

Close all the windows once the lab is completed.

The role of analyzing a virus is to know about the specific virus samples and understand the trends from a large sample of virus samples without executing them. Most of the malware types are compatible with Windows binary executable. 

As an ethical hacker, you must know how to perform malware analysis to have an idea about their working and the damage that can be caused by them.

1. Go to Module 07 Malware Threats\Malware Analysis Tools\Static Malware Analysis Tools\Disassembling and Debugging Tools\IDA and double-click on idademo73_windows.exe.

2. When the IDA installation wizard comes, click on Next.

3. Once installation is done, click on Finish.

4. After installation, open the app. When the IDA License window comes, click on I Agree.

5. Click on New when the IDA: Quick Start pop-up shows up.

6. When the Select File to disassemble window comes, go to Module 07 Malware Threats\Viruses\Klez Virus Live!, select face.exe and click on Open.

7. When the Load a new file window comes, keep the default settings and click on OK.

In case you see a Warning pop-up, click on OK. If there is a Please confirm dialog box, click on Yes.

8. Once the analysis is complete, it will display the IDA Pro Analysis window. Navigate to View > Graphs, and click on Flow Chart from the menu bar.

9. It will open a Graph window with the flow. You can zoom it to see it properly.

10. Close the Graph window. Navigate to View > Graphs. Click on Function Calls from the menu bar.

11. When a window displaying call flow comes, zoom it to see clearly. Do the analysis and then close the WinGraph32 Call flow window. 

12. Click on Windows from the menu bar and choose Hex View-1.

13. It will show you the Hex Value of the virus.

14. To see the virus structure, go to Windows > Structures.

15. It will show the structures. To see details, click on Ctrl and +. The same way, you can check and analyze the other options of IDA Pro.

16. Once the lab is complete, close the windows.