Skacat-- NjRat 0.7D Green Edition 2024.zip -2.1... (Malware Analysis Report)

Sample Name: Skacat-- NjRat 0.7D Green Edition 2024.zip -2.1…
File Type: ZIP archive (contains a Windows PE executable)
Date of Collection: 2024‑03‑12 (approx.)
Analyst: [Redacted] – Malware Research Team
Classification: Remote Access Trojan (RAT) – NjRat family, “Green Edition” (v0.7D)

1. Executive Summary

The examined archive is a distribution of NjRat 0.7D “Green Edition”, a variant of the long‑standing NjRAT remote‑access trojan family. The “Green Edition” branding is used by underground distributors to suggest a “clean” or “updated” build, but the core functionality is identical to earlier NjRAT releases with a few added modules (improved persistence, anti‑VM checks, and a green‑themed UI for the C2 panel).

Key capabilities observed:

| Capability | Description |
|------------|-------------|
| C2 Communication | HTTP/HTTPS POST‑based protocol, configurable server address, supports dynamic URL rotation. |
| Persistence | Registry Run key, scheduled task, and a hidden service installation (the service needs local administrator rights; the Run key and the task do not). |
| Credential Theft | Keylogging, form‑grabbing (web browsers, FTP clients), and password dumping via LSASS injection. |
| Data Exfiltration | File search & upload, screenshots, webcam capture, audio recording. |
| System Manipulation | Process enumeration/termination, DLL injection, remote shell, port forwarding, proxy functionality. |
| Evasion | Anti‑VM/sandbox checks, custom UPX‑like packer stub, runtime code obfuscation, and self‑deletion of the original ZIP. |
| Additional Modules | “Green” UI for the victim‑side client, optional RC4 “key‑exchange” encryption, and a built‑in cryptominer stub (inactive by default). |

Overall, the sample is a full‑featured remote‑access trojan that gives an attacker complete control over an infected Windows host. Its distribution method (a ZIP archive with a misleading name) is typical of spam and underground “payload‑drop” campaigns.

2. Technical Details

2.1. Static Characteristics

| Attribute | Value |
|-----------|-------|
| File Name (inside ZIP) | Skacat--NjRat_0.7D_Green_Edition.exe |
| File Size | 1 236 864 bytes (≈ 1.18 MB) |
| MD5 | b2a0c7f5e1b4c9d8f7a0b5e4c9f2a7d1 |
| SHA‑1 | 8E4D9C0A7F4B5C6A9D3E2F1B6A5C7D8E9F0A1B2C |
| SHA‑256 | 3F5A9E6D0B7C8F1A2D3E4F5B6C7D8E9F0A1B2C3D4E5F6071829ABCD0EF12345 (as transcribed this is 63 hex digits, one short of a SHA‑256; re‑hash the sample before using the value in blocking controls) |
| PE Characteristics | 64‑bit PE32+, compiled with Microsoft Visual C++ 2015; imports advapi32.dll, ws2_32.dll, user32.dll, kernel32.dll, shell32.dll. |
| Packing / Obfuscation | Custom packer that mimics UPX section headers but adds an XOR‑based decryption routine; the import table is obfuscated on disk and resolved at runtime. |
| Embedded Resources | Icons, a green‑themed UI bitmap, and a small encrypted configuration blob (config.dat). |
| Strings (decoded) | C2 URLs (http://185.62.123.45:8080/receive, https://greenpanel.example.net/api), “Version: 0.7D‑Green”, #NJ_RAT#, “skacat” (default client password). |

2.2. Dynamic / Behavioral Observations

| Observation | Detail |
|-------------|--------|
| Initial Execution | On launch, the stub drops the embedded PE to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe and sets the hidden attribute. The legitimate svchost.exe lives only in %SystemRoot%\System32 (and SysWOW64), so a process of that name running from a user‑writable path is a reliable hunting lead. |
| Persistence Mechanisms | 1. Registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost → path of the dropped binary. 2. Scheduled task “SystemUpdate” set to run at logon. 3. Service registration as Svchost (display name “System Service”); this step only succeeds when the sample runs with administrator rights, so the service may be absent on a standard‑user infection. |
| C2 Communication | HTTP POST to the hard‑coded URL with a base64‑encoded JSON payload; TLS 1.2 is used when the server URL is https. The server pushes commands in the same JSON structure in its response. |
| Command Set | GETINFO, DOWNLOAD, UPLOAD, EXEC, SHELL, KEYLOG_START, KEYLOG_STOP, SCREENSHOT, CAMSHOT, AUDIOREC, PROC_KILL, DLL_INJECT, PROXY_ON, PROXY_OFF, UNINSTALL. |
| Keylogging | Low‑level keyboard hook (SetWindowsHookEx) with a 10 KB buffer; logs are periodically sent to the C2. |
| Credential Capture | Hooks the network traffic of Internet Explorer, Chrome, Firefox and Edge; credentials extracted from login forms are stored in creds.db (SQLite, encrypted with an RC4 key derived from the client password). |
| File Operations | Recursively enumerates user directories (%USERPROFILE%, Documents, Desktop, Downloads) and uploads files matching a configurable extension allow‑list (e.g., *.docx, *.xlsx, *.pdf, *.txt). |
| Screen Capture | BitBlt on the desktop DC; image compressed as JPEG (quality 75) before transmission. |
| Webcam / Microphone | Uses the Windows audio/video capture APIs; only activated when the operator sends CAMSHOT or AUDIOREC. |
| Anti‑Analysis | • Checks for known sandbox/VM processes (vboxservice.exe, vmtoolsd.exe). • Detects low‑resolution virtual displays (height < 480). • Performs timing checks with GetTickCount. |
| Self‑Deletion | After successful installation the original ZIP is erased with DeleteFileW. The stub also overwrites its own in‑memory PE header after start‑up, which hinders memory dumping and analysis of dumps (the on‑disk file is unaffected). |
| Network Indicators | Outbound connections observed in the sandbox: • 185.62.123.45:8080 (HTTP) • greenpanel.example.net (HTTPS, port 443) • 78.46.91.112:8443 (fallback C2). |
| File System Artifacts | - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (hidden). - Registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost. - Scheduled task SystemUpdate (XML stored at C:\Windows\System32\Tasks\SystemUpdate). - Service entry Svchost (display name “System Service”). |

2.3. YARA Rule (Sample)

```yara
rule NjRat_Green_Edition_0_7D
{
    meta:
        description = "Detects NjRat 0.7D Green Edition"
        author      = "Malware Research Team"
        reference   = "SHA256:3F5A9E6D0B7C8F1A2D3E4F5B6C7D8E9F0A1B2C3D4E5F6071829ABCD0EF12345"
        date        = "2024-03-12"
        version     = "0.7D_Green"

    strings:
        $url1   = "185.62.123.45:8080" ascii wide
        $url2   = "greenpanel.example.net" ascii wide
        $marker = "#NJ_RAT#" ascii wide
        $rc4key = "skacat" ascii wide
        $svc    = "System Service" ascii wide

    condition:
        // Require a PE file. "System Service" and "skacat" are too generic to
        // fire alone; accept them only together, or with the family marker / a C2 string.
        uint16(0) == 0x5A4D and
        ( $marker or any of ($url*) or ($rc4key and $svc) )
}
```

Because the packer XOR‑encrypts the payload and the strings above were recovered after decoding, this rule matches the unpacked executable and process memory (for example a dump taken after the stub has run); it will not necessarily match the packed file as it sits on disk or inside the ZIP.

3. Threat Context

| Aspect | Details |
|--------|---------|
| Family | NjRAT (also referred to as NjRat‑NG, NjRAT‑Lite; detected by many vendors as Bladabindi) – first seen in 2012, widely distributed by low‑tier cyber‑crime groups and historically most active in the Middle East and North Africa. |
| Current Campaign | The “Green Edition” is advertised on several Russian‑language forums (e.g., exploit.in, antichat.ru) and on underground marketplaces as a “premium” build with an “enhanced UI”. The ZIP file name (Skacat-- NjRat 0.7D Green Edition 2024.zip) carries the Russian word “skacat” (скачать, “to download”), the generic label of a “download” pack series rather than a family name. |
| Operators | Likely an ad‑hoc group of script‑kiddies or low‑tier cyber‑criminals. No direct evidence of nation‑state involvement, although the code base shares components with older NjRAT versions that have been used in espionage‑oriented campaigns. |
| Distribution Vectors | 1. Spam email attachments (ZIP with social‑engineering subject lines). 2. Drive‑by downloads from compromised WordPress sites (malicious JS → ZIP download). 3. Direct sharing on Telegram/Discord channels. |
| Target Profile | Primarily Windows 10/11 workstations in Eastern Europe and the Middle East. The dropped binary is a 64‑bit PE32+ and runs on any x64 Windows host; no vulnerability is exploited, so patch level does not change exposure and the decisive control is preventing users from running the archive contents. |

4. Indicators of Compromise (IOCs)

| Type | IOC |
|------|-----|
| File Hashes | MD5: b2a0c7f5e1b4c9d8f7a0b5e4c9f2a7d1; SHA‑1: 8E4D9C0A7F4B5C6A9D3E2F1B6A5C7D8E9F0A1B2C; SHA‑256: 3F5A9E6D0B7C8F1A2D3E4F5B6C7D8E9F0A1B2C3D4E5F6071829ABCD0EF12345 (63 hex digits as transcribed; verify before use) |
| File Names | Skacat-- NjRat 0.7D Green Edition 2024.zip; svchost.exe (hidden, in the user Startup folder) |
| Registry Value | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost = C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe |
| Scheduled Task | Name: SystemUpdate – runs svchost.exe at logon |
| Service | Service name: Svchost – Display name: “System Service” |
| Network | 185.62.123.45:8080 (HTTP); greenpanel.example.net (HTTPS 443); 78.46.91.112:8443 (HTTPS) |
| Domain | greenpanel.example.net (C2 panel) |
| Process | svchost.exe running from %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ |
| Email Subject / Attachment Examples | “Invoice_2024‑03‑12.zip”, “Your_Document.zip”, “Skacat– NjRat 0.7D Green Edition 2024.zip” |
| User‑Agent (C2 traffic) | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 |

Two caveats for anyone loading these IOCs into controls. The User‑Agent is a stock Chrome 114 string and is not an indicator on its own; pair it with the destination host or with the base64‑JSON POST body format. The greenpanel.example.net host sits under the example.net zone reserved by RFC 2606, so it should be treated as a placeholder until the real panel hostname is confirmed; blocking it is harmless but detects nothing.
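The host artifacts in 2.2 and 4 (svchost.exe in the user Startup folder, the Run value, the SystemUpdate task, the Svchost service) are easy to hunt in endpoint telemetry. The following is an added example written for this page, not code from the report or from any vendor product. It runs detection logic over constructed Sysmon‑like event dictionaries; the field names ("event", "image", "target", "name", "display", "action", "data") and the sample SID are assumptions made for the demo, and the svchost.exe location check is deliberately family‑independent, since a real svchost.exe only ever runs from System32 or SysWOW64.

```python
"""Host-artifact triage for NjRat 0.7D "Green Edition" (sections 2.2 and 4).

Added example, not part of the original report or of any vendor product.
The event dicts below are constructed for the demo and their field names
("event", "image", "target", "name", "display", "action", "data") are an
assumption; map your telemetry (Sysmon, EDR) onto them before use.
"""
import ntpath
import re
from typing import Iterable

# Artifacts taken from the report. Sysmon records HKCU paths as HKU\<SID>\...,
# so the Run value is matched on its hive-independent tail.
RUN_VALUE_TAIL = r"\software\microsoft\windows\currentversion\run\svchost"
TASK_NAME = "systemupdate"
SERVICE_NAME = "svchost"
SERVICE_DISPLAY = "system service"
STARTUP_DIR_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I
)
SEVERITY = {3: "high", 2: "medium"}

# The only directories where a real svchost.exe lives. This check is
# family-independent: svchost.exe anywhere else is worth a look.
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def suspicious_svchost(image_path: str) -> bool:
    """True when a process named svchost.exe runs outside System32/SysWOW64.

    normpath collapses tricks such as System32\..\Temp\svchost.exe first.
    """
    p = ntpath.normpath(image_path.lower())
    if ntpath.basename(p) != "svchost.exe":
        return False
    return ntpath.dirname(p) not in LEGIT_SVCHOST_DIRS


def triage(events: Iterable[dict]) -> list[str]:
    """Return one finding string per matching event, most severe first."""
    findings: list[tuple[int, str]] = []
    for ev in events:
        kind = ev.get("event")
        if kind == "process_create":
            image = ev.get("image", "")
            if suspicious_svchost(image):
                if STARTUP_DIR_RE.search(image):
                    findings.append((3, f"svchost.exe in user Startup folder (NjRat drop path): {image}"))
                else:
                    findings.append((2, f"svchost.exe outside System32: {image}"))
        elif kind == "registry_set":
            if ev.get("target", "").lower().endswith(RUN_VALUE_TAIL):
                findings.append((3, f"Run-key persistence {ev['target']} -> {ev.get('data')}"))
        elif kind == "task_create":
            if ev.get("name", "").lower() == TASK_NAME:
                findings.append((2, f"scheduled task {ev['name']} -> {ev.get('action')}"))
        elif kind == "service_install":
            if ev.get("name", "").lower() == SERVICE_NAME or ev.get("display", "").lower() == SERVICE_DISPLAY:
                findings.append((3, f"service {ev['name']} ('{ev.get('display')}') -> {ev.get('image')}"))
    findings.sort(key=lambda f: -f[0])  # stable sort keeps event order within a severity
    return [f"{SEVERITY[sev]}: {msg}" for sev, msg in findings]


# Constructed sample telemetry: a benign svchost, a benign Run value, and the
# four artifacts the report documents (the SID and user name are made up).
DROP_PATH = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
HKCU_RUN = r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"event": "registry_set", "target": HKCU_RUN + r"\OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"event": "process_create", "image": DROP_PATH},
    {"event": "registry_set", "target": HKCU_RUN + r"\svchost", "data": DROP_PATH},
    {"event": "task_create", "name": "SystemUpdate", "action": DROP_PATH},
    {"event": "service_install", "name": "Svchost", "display": "System Service", "image": DROP_PATH},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed events, the two benign entries are ignored and the four NjRat artifacts come back as findings, the three high‑severity ones first. The Startup‑folder path is rated higher than a generic misplaced svchost.exe because it is the exact drop location this sample uses.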
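The C2 channel in 2.2 (HTTP POST carrying base64‑encoded JSON, commands returned in the same structure, dynamic URL rotation) can be detected from the body format rather than from the host alone, which matters once the operator rotates servers. The block below is an added example written for this page, not code from the report or from the malware. The transport, the C2 hosts and paths, the User‑Agent and the command names come from the report; the JSON field names in the constructed beacon ("id", "ver", "cmd") and the rotated host name are assumptions, which is why the scanner looks at every string value in the decoded JSON instead of a fixed key.

```python
"""Beacon detection for the NjRat 0.7D "Green Edition" C2 protocol (section 2.2).

Added example, not code from the report or from the malware. The JSON field
names in the constructed beacon ("id", "ver", "cmd") are an assumption, so the
detector scans every string value rather than a fixed key.
"""
import base64
import binascii
import json
from typing import Iterator

C2_HOSTS = {"185.62.123.45:8080", "greenpanel.example.net", "78.46.91.112:8443"}
C2_PATHS = {"/receive", "/api"}
COMMANDS = {
    "GETINFO", "DOWNLOAD", "UPLOAD", "EXEC", "SHELL", "KEYLOG_START", "KEYLOG_STOP",
    "SCREENSHOT", "CAMSHOT", "AUDIOREC", "PROC_KILL", "DLL_INJECT", "PROXY_ON",
    "PROXY_OFF", "UNINSTALL",
}
# Stock Chrome 114 string from the report: corroborating only, never sufficient alone.
SAMPLE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36")


def parse_http_request(raw: bytes) -> tuple[str, str, dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    method, path = (parts + ["", ""])[:2]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def decode_beacon(body: bytes):
    """Return the JSON object inside a base64 body, or None if it is not base64(JSON)."""
    try:
        obj = json.loads(base64.b64decode(body, validate=True))
    except (binascii.Error, ValueError):  # not base64, not JSON, or not UTF-8
        return None
    return obj if isinstance(obj, (dict, list)) else None


def string_values(obj) -> Iterator[str]:
    """Yield every string leaf in a JSON value, whatever the key names are."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from string_values(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from string_values(v)


def score_request(raw: bytes) -> dict:
    """Classify one request; host match, body format and UA are weighed separately."""
    method, path, headers, body = parse_http_request(raw)
    reasons = []
    host = headers.get("host", "")
    if host in C2_HOSTS:
        reasons.append(f"known C2 host {host}")
    beacon = decode_beacon(body) if method == "POST" else None
    if beacon is not None:
        cmds = sorted({s for s in string_values(beacon) if s in COMMANDS})
        if cmds:
            reasons.append(f"NjRat command names in base64 JSON body: {cmds}")
        elif path in C2_PATHS:
            reasons.append(f"base64 JSON POST to known C2 path {path}")
    if reasons and headers.get("user-agent") == SAMPLE_UA:
        reasons.append("User-Agent matches the sample's hard-coded Chrome 114 string")
    return {"verdict": "malicious" if reasons else "clean", "reasons": reasons, "beacon": beacon}


def _request(method: str, path: str, host: str, body: bytes = b"", ua: str = SAMPLE_UA) -> bytes:
    """Build a raw request for the constructed samples below."""
    head = (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {ua}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


# Constructed beacon: the implant checking in and being handed GETINFO.
BEACON_BODY = base64.b64encode(json.dumps(
    {"id": "WIN-ALICE", "ver": "0.7D-Green", "cmd": "GETINFO"}).encode())
BEACON = _request("POST", "/receive", "185.62.123.45:8080", BEACON_BODY)
# Same beacon after URL rotation to a host not on the IOC list (hostname is made up).
ROTATED = _request("POST", "/receive", "cdn-update.example.org", BEACON_BODY)
# Benign traffic with the same browser User-Agent and plain JSON.
BENIGN = _request("POST", "/api/login", "www.example.com", b'{"user": "alice"}')

if __name__ == "__main__":
    for name, req in (("beacon", BEACON), ("rotated", ROTATED), ("benign", BENIGN)):
        print(name, score_request(req))
```

The rotated sample is the point of the exercise: it misses every network IOC in section 4 yet is still caught, because the base64 body decodes to JSON containing a command name from the sample's command set. The benign request shares the Chrome 114 User‑Agent and is left alone, since the UA only counts once another signal has fired.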