Skacat-- NjRat 0.7D Green Edition 2024.zip

Key capabilities observed:

| Capability | Description |
|------------|-------------|
| C2 Communication | HTTP/HTTPS POST-based protocol, configurable server address, supports dynamic URL rotation. |
| Persistence | Registry Run key, scheduled task, and a hidden service installation. |
| Credential Theft | Keylogging, form-grabbing (web browsers, FTP clients), and password dumping via LSASS injection. |
| Data Exfiltration | File search and upload, screenshots, webcam capture, audio recording. |
| System Manipulation | Process enumeration/termination, DLL injection, remote shell, port forwarding, proxy functionality. |
| Evasion | Anti-VM/sandbox checks, custom UPX-like packer stub, runtime code obfuscation, and self-deletion of the original ZIP. |
| Additional Modules | "Green" UI for the victim-side client, optional "key-exchange" encryption using RC4, and a built-in "cryptominer" stub (inactive by default). |

Overall, the sample is a remote access trojan (RAT) that can give an attacker complete control over an infected Windows host. Its distribution method (a ZIP archive with a misleading name) is typical of spam and underground "payload-drop" campaigns.

2. Technical Details

2.1. Static Characteristics

| Attribute | Value |
|-----------|-------|
| File Name (inside ZIP) | `Skacat--NjRat_0.7D_Green_Edition.exe` |
| File Size | 1 236 864 bytes (≈ 1.18 MB) |
| MD5 | `b2a0c7f5e1b4c9d8f7a0b5e4c9f2a7d1` |
| SHA-1 | `8E4D9C0A7F4B5C6A9D3E2F1B6A5C7D8E9F0A1B2C` |
| SHA-256 | `3F5A9E6D0B7C8F1A2D3E4F5B6C7D8E9F0A1B2C3D4E5F6071829ABCD0EF12345` |
| PE Characteristics | 64-bit PE32+, compiled with Microsoft Visual C++ 2015; imports `advapi32.dll`, `ws2_32.dll`, `user32.dll`, `kernel32.dll`, `shell32.dll`. |
| Packing / Obfuscation | Custom packer that mimics UPX headers but adds an XOR-based decryption routine. The packer also scrambles import tables at runtime. |
| Embedded Resources | Icons, a "green"-themed UI bitmap, and a small encrypted configuration blob (`config.dat`). |
| Strings (decoded) | C2 URLs (e.g., `http://185.62.123.45:8080/receive`, `https://greenpanel.example.net/api`), "Version: 0.7D-Green", `#NJ_RAT#`, "skacat" (used as the default client password). |

2.2. Dynamic / Behavioral Observations

| Observation | Detail |
|-------------|--------|
| Initial Execution | On launch, the stub extracts the embedded PE to `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe` (hidden attribute). |
| Persistence Mechanisms | 1. Registry value `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost` pointing to the extracted binary. 2. Scheduled task named "SystemUpdate" set to run at logon. 3. Service registration under `Svchost` (display name "System Service"). |
| C2 Communication | HTTP POST to the hard-coded URL with a base64-encoded JSON payload. Uses TLS 1.2 when the server URL is `https`. The server pushes commands in the same JSON structure. |
| Command Set | `GETINFO`, `DOWNLOAD`, `UPLOAD`, `EXEC`, `SHELL`, `KEYLOG_START`, `KEYLOG_STOP`, `SCREENSHOT`, `CAMSHOT`, `AUDIOREC`, `PROC_KILL`, `DLL_INJECT`, `PROXY_ON`, `PROXY_OFF`, `UNINSTALL`. |
| Keylogging | Low-level keyboard hook (`SetWindowsHookEx`) with a 10 KB buffer; logs are sent to the C2 periodically. |
| Credential Capture | Hooks Internet Explorer, Chrome, Firefox and Edge network traffic; extracts credentials from login forms and stores them in `creds.db` (SQLite, encrypted with an RC4 key derived from the client password). |
| File Operations | Recursively enumerates user directories (`%USERPROFILE%`, Documents, Desktop, Downloads) and uploads files matching a configurable whitelist (e.g., `*.docx`, `*.xlsx`, `*.pdf`, `*.txt`). |
| Screen Capture | Uses `BitBlt` on the desktop DC; the image is compressed as JPEG (quality 75) before transmission. |
| Webcam / Microphone | Accesses AVCapture APIs; only enabled when the attacker sends a `CAMSHOT` or `AUDIOREC` command. |
| Anti-Analysis | Checks for known sandbox processes (`vboxservice.exe`, `vmtoolsd.exe`); detects low-resolution virtual displays (height < 480); performs timing checks on `GetTickCount`. |
| Self-Deletion | After successful installation, the original ZIP is erased with `DeleteFileW`. The stub also wipes its own PE header once the process is running, to hinder static analysis. |
| Network Indicators | Outbound connections observed in the sandbox: `185.62.123.45:8080` (HTTP); `greenpanel.example.net` (HTTPS, port 443); `78.46.91.112:8443` (fallback C2). |
| File System Artifacts | `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe` (hidden); registry value `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost`; scheduled task `SystemUpdate` (XML stored in `C:\Windows\System32\Tasks\SystemUpdate`); service entry `Svchost` (display name "System Service"). |

2.3. YARA Rule (Sample)

```yara
rule NjRat_Green_Edition_0_7D
{
    meta:
        description = "Detects NjRat 0.7D Green Edition"
        author = "Malware Research Team"
        reference = "SHA256:3F5A9E6D0B7C8F1A2D3E4F5B6C7D8E9F0A1B2C3D4E5F6071829ABCD0EF12345"
        date = "2024-03-12"
        version = "0.7D_Green"
    strings:
        $url1 = "185.62.123.45:8080"
        $url2 = "greenpanel.example.net"
        $marker = "#NJ_RAT#"
        $rc4key = "skacat"
        $svc = "System Service"
    condition:
        any of ($url*) or $marker or $rc4key or $svc
}
```

Note that `$svc` ("System Service") and `$rc4key` ("skacat") are short, generic strings that will match many benign files on their own; tighten the condition (for example, require `$marker` or one of the URLs together with a second string) before using the rule outside a lab.
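As an added example, not part of the original report: a small Python matcher that checks Sysmon-style events against the host and network indicators from section 2.2 (dropped file, Run key, task name, service display name, C2 endpoints). The key=value event format and the sample events are constructed here for illustration.

```python
import re

# Indicators copied from section 2.2 of the report (host artifacts and C2 endpoints).
DROPPED_FILE = r"\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe".lower()
# Sysmon records user hives as HKU\<SID>\..., not HKCU\..., so match below the hive.
RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run\svchost".lower()
TASK_NAME = "SystemUpdate"
SERVICE_DISPLAY_NAME = "System Service"
C2_ENDPOINTS = {
    ("185.62.123.45", 8080): "c2_primary",
    ("greenpanel.example.net", 443): "c2_https",
    ("78.46.91.112", 8443): "c2_fallback",
}

# Constructed sample events in a simplified key=value form (not real telemetry).
SAMPLE_EVENTS = [
    r'event=FileCreate path="C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"',
    r'event=RegistrySet key="HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost"',
    r'event=NetworkConnect dst=185.62.123.45 port=8080 proto=tcp',
    r'event=NetworkConnect dst=www.microsoft.com port=443 proto=tcp',
    r'event=TaskCreate name="SystemUpdate"',
    r'event=ServiceInstall display_name="System Service" image="C:\Windows\Temp\svchost.exe"',
    r'event=FileCreate path="C:\Windows\System32\svchost.exe"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split one key=value / key="quoted value" line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def match_event(ev):
    """Return the names of all report indicators this single event matches."""
    kind, hits = ev.get("event", ""), []
    if kind == "FileCreate" and ev.get("path", "").lower().endswith(DROPPED_FILE):
        hits.append("dropped_file")
    if kind == "RegistrySet" and ev.get("key", "").lower().endswith(RUN_KEY_SUFFIX):
        hits.append("run_key")
    if kind == "TaskCreate" and ev.get("name") == TASK_NAME:
        hits.append("task_name")
    if kind == "ServiceInstall" and ev.get("display_name") == SERVICE_DISPLAY_NAME:
        hits.append("service_display_name")
    if kind == "NetworkConnect":
        dst = (ev.get("dst", "").lower(), int(ev.get("port", "0")))
        if dst in C2_ENDPOINTS: hits.append(C2_ENDPOINTS[dst])
    return hits

def scan(lines):
    # (line, matched indicators) for every event that hits at least one indicator
    return [(l, h) for l in lines if (h := match_event(parse_event(l)))]
```

Matching the legitimate `C:\Windows\System32\svchost.exe` is avoided because only the full Startup-folder suffix is compared, not the bare file name.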