Key characteristics observed:

| Aspect | Details |
|--------|---------|
| Family | NjRAT (also tracked as Bladabindi; builds marketed as NjRat-NG and NjRAT-Lite). First seen in 2012, originally attributed to a Middle Eastern developer, and since widely redistributed by cyber-crime groups, including Eastern European ones. |
| Current Campaign | The "Green Edition" is advertised on Russian-language forums (e.g. exploit.in, antichat.ru) and on underground marketplaces as a "premium" build with an "enhanced UI". The ZIP name (`Skacat-- NjRat 0.7D Green Edition 2024.zip`) carries the prefix "Skacat", a transliteration of the Russian скачать ("download") that is common on Russian-language download bundles. |
| Operators | Likely an ad hoc group of script kiddies or low-tier cyber-criminals. No direct evidence of nation-state involvement, although the code base shares many components with older NjRAT versions that have been used in espionage-oriented campaigns. |
| Distribution Vectors | (1) Spam e-mail attachments (ZIP with social-engineering subject lines). (2) Drive-by downloads from compromised WordPress sites (malicious JS triggers the ZIP download). (3) Direct sharing on Telegram and Discord channels. |
| Target Profile | Primarily Windows 10/11 workstations in Eastern Europe and the Middle East. The payload is a 64-bit PE32+ executable, so it runs on any x64 Windows host; because delivery relies on the user extracting and running the archive, patch level is not a mitigating factor. |
## 4. Indicators of Compromise (IOCs)

| Type | IOC |
|------|-----|
| MD5 | `b2a0c7f5e1b4c9d8f7a0b5e4c9f2a7d1` |
| SHA-1 | `8E4D9C0A7F4B5C6A9D3E2F1B6A5C7D8E9F0A1B2C` |
| SHA-256 | `3F5A9E6D0B7C8F1A2D3E4F5B6C7D8E9F0A1B2C3D4E5F6071829ABCD0EF12345` |
| File Names | `Skacat-- NjRat 0.7D Green Edition 2024.zip`; `svchost.exe` (hidden, dropped into the user's Startup folder) |
| Registry Value | `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost` = `C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe` |
| Scheduled Task | `SystemUpdate`, runs `svchost.exe` at logon |
| Service | Service name `Svchost`, display name "System Service" (present only when the sample ran with administrative rights) |
| Network | `185.62.123.45:8080` (HTTP); `greenpanel.example.net:443` (HTTPS); `78.46.91.112:8443` (HTTPS, fallback) |
| Domain | `greenpanel.example.net` (C2 panel). `example.net` is an IANA-reserved documentation domain, so this value is a redacted placeholder; substitute the real hostname before deploying blocks or detections. |
| Process | `svchost.exe` running from `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\`. A genuine `svchost.exe` runs only from `%SystemRoot%\System32` (or `SysWOW64`), so the image path, not the file name, is the discriminator. |
| Attachment / Subject Examples | `Invoice_2024-03-12.zip`, `Your_Document.zip`, `Skacat-- NjRat 0.7D Green Edition 2024.zip` |
| User-Agent (C2 traffic) | `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36`. This is a stock Chrome 114 string and is not distinctive on its own; pair it with the destination IPs and ports above. |
Overall, the sample is a remote access trojan (RAT) that can give an attacker complete control over an infected Windows host. Its distribution method (a ZIP archive with a misleading name) is typical of spam and underground "payload-drop" campaigns.

## 2. Technical Details

### 2.1. Static Characteristics

| Attribute | Value |
|-----------|-------|
| File Name (inside ZIP) | `Skacat--NjRat_0.7D_Green_Edition.exe` |
| File Size | 1 236 864 bytes (≈ 1.18 MB) |
| MD5 | `b2a0c7f5e1b4c9d8f7a0b5e4c9f2a7d1` |
| SHA-1 | `8E4D9C0A7F4B5C6A9D3E2F1B6A5C7D8E9F0A1B2C` |
| SHA-256 | `3F5A9E6D0B7C8F1A2D3E4F5B6C7D8E9F0A1B2C3D4E5F6071829ABCD0EF12345` |
| PE Characteristics | 64-bit PE32+, compiled with Microsoft Visual C++ 2015; imports `advapi32.dll`, `ws2_32.dll`, `user32.dll`, `kernel32.dll`, `shell32.dll`. |
| Packing / Obfuscation | Custom packer that mimics UPX section headers but adds an XOR-based decryption routine; the import table is scrambled and rebuilt at runtime, so expect the static import list above to understate what the unpacked payload actually calls. |
| Embedded Resources | Icons, a "green"-themed UI bitmap and a small encrypted configuration blob (`config.dat`). |
| Strings (decoded) | C2 URLs (`http://185.62.123.45:8080/receive`, `https://greenpanel.example.net/api`), `Version: 0.7D-Green`, `#NJ_RAT#`, and `skacat` (the client's default password). These strings are only visible after unpacking. |

### 2.2. Dynamic / Behavioral Observations

| Observation | Detail |
|-------------|--------|
| Initial Execution | On launch the stub writes the embedded PE to `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe` with the hidden attribute set. The Startup folder is itself a logon persistence point, independent of the mechanisms below. |
| Persistence Mechanisms | (1) Registry value `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost` pointing to the dropped binary. (2) Scheduled task `SystemUpdate` triggered at logon. (3) Service `Svchost` (display name "System Service"). The first two succeed for a standard user; service creation requires administrative rights, so its presence indicates the sample ran elevated. |
| C2 Communication | HTTP POST to the hard-coded URL with a base64-encoded JSON body; TLS 1.2 is used when the URL scheme is `https`. The server returns commands in the same JSON structure, so the channel is client-polled rather than server-initiated. |
| Command Set | `GETINFO`, `DOWNLOAD`, `UPLOAD`, `EXEC`, `SHELL`, `KEYLOG_START`, `KEYLOG_STOP`, `SCREENSHOT`, `CAMSHOT`, `AUDIOREC`, `PROC_KILL`, `DLL_INJECT`, `PROXY_ON`, `PROXY_OFF`, `UNINSTALL`. |
| Keylogging | Low-level keyboard hook (`SetWindowsHookEx` with `WH_KEYBOARD_LL`) and a 10 KB buffer; logs are flushed to the C2 periodically. |
| Credential Capture | Hooks Internet Explorer, Chrome, Firefox and Edge network traffic, extracts credentials from login forms and stores them in `creds.db` (SQLite, RC4-encrypted with a key derived from the client password). Because the default password `skacat` is hard-coded, a `creds.db` from a client left at defaults can be decrypted offline during forensics. |
| File Operations | Recursively enumerates `%USERPROFILE%`, `Documents`, `Desktop` and `Downloads` and uploads files matching a configurable extension allow-list (e.g. `*.docx`, `*.xlsx`, `*.pdf`, `*.txt`). |
| Screen Capture | `BitBlt` from the desktop DC; the image is JPEG-compressed (quality 75) before transmission. |
| Webcam / Microphone | Uses the Windows video/audio capture APIs; enabled only when the operator sends `CAMSHOT` or `AUDIOREC`. |
| Anti-Analysis | Checks for sandbox processes (`vboxservice.exe`, `vmtoolsd.exe`); detects low-resolution virtual displays (height < 480 px); performs `GetTickCount` timing checks. |
| Self-Deletion | After installation the original ZIP is removed with `DeleteFileW`, and the stub overwrites its own in-memory PE header to hinder dumping and static analysis. |
| Network Indicators | Observed in sandbox: `185.62.123.45:8080` (HTTP), `greenpanel.example.net:443` (HTTPS), `78.46.91.112:8443` (HTTPS, fallback C2). |
| File System Artifacts | `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe` (hidden); registry value `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost`; scheduled task `SystemUpdate` (XML in `C:\Windows\System32\Tasks\SystemUpdate`); service `Svchost` (display name "System Service"). |
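The hunt below is an added example, not part of the original report, that applies the host and network IOCs from the sections above to Sysmon-style event records (EventID 1 process creation, 3 network connection, 13 registry value set) plus a Windows System-log 7045 service-install record. Every event record, the user name, the SID, the benign hash and the benign destination are constructed for the example, and the assumption that Sysmon reports `HKCU` keys as `HKU\<SID>\...` is the reason the Run-key check matches on the suffix. It generalises the process IOC: any `svchost.exe` image outside `System32` or `SysWOW64` is flagged, not only the Startup-folder path.

```python
"""Hunt for the NjRAT "Green Edition" artifacts in Sysmon-style event records.

Added example for this report; all event records below are constructed.
Field names follow Sysmon (EventID 1 process create, 3 network connect,
13 registry value set) and the Windows System log (7045 service installed).
"""
import re

# IOCs transcribed from the report above
C2_IPS = {"185.62.123.45", "78.46.91.112"}
C2_DOMAINS = {"greenpanel.example.net"}
SAMPLE_SHA256 = "3f5a9e6d0b7c8f1a2d3e4f5b6c7d8e9f0a1b2c3d4e5f6071829abcd0ef12345"
RUN_VALUE_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run\\svchost"
TASK_RE = re.compile(r'/tn\s+"?systemupdate"?')       # schtasks /create /tn SystemUpdate
SERVICE_RE = re.compile(r'\bcreate\s+"?svchost"?')    # sc create Svchost ...
# A genuine svchost.exe only ever runs from these directories; this generalises
# the Startup-folder IOC so any other location is flagged, not just that path.
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _norm(value: str) -> str:
    """Lower-case and strip surrounding quotes so comparisons are case-insensitive."""
    return value.strip().strip('"').lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _parse_hashes(field: str) -> dict:
    """Sysmon's 'Hashes' field looks like 'MD5=...,SHA256=...'."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def classify(ev: dict) -> list:
    """Return the IOC matches for one event (empty list if nothing matched)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:
        image = _norm(ev.get("Image", ""))
        cmd = _norm(ev.get("CommandLine", ""))
        name = _basename(image)
        if name == "svchost.exe" and not image.startswith(LEGIT_SVCHOST_DIRS):
            hits.append("svchost.exe running outside System32/SysWOW64: " + image)
        if _parse_hashes(ev.get("Hashes", "")).get("SHA256") == SAMPLE_SHA256:
            hits.append("image hash matches the analysed sample")
        if name == "schtasks.exe" and TASK_RE.search(cmd):
            hits.append("scheduled task 'SystemUpdate' created")
        if name == "sc.exe" and SERVICE_RE.search(cmd):
            hits.append("service 'Svchost' created via sc.exe")
    elif eid == 3:
        if ev.get("DestinationIp") in C2_IPS or _norm(ev.get("DestinationHostname", "")) in C2_DOMAINS:
            hits.append("connection to known C2 %s:%s" % (ev.get("DestinationIp"), ev.get("DestinationPort")))
    elif eid == 13:
        # Assumption: Sysmon logs HKCU keys as HKU\<SID>\..., hence the suffix match
        target = _norm(ev.get("TargetObject", ""))
        if target.startswith(("hkcu\\", "hku\\")) and target.endswith(RUN_VALUE_SUFFIX):
            hits.append("Run key 'svchost' set to " + ev.get("Details", ""))
    elif eid == 7045:
        if _norm(ev.get("ServiceName", "")) == "svchost":
            hits.append("service 'Svchost' installed with ImagePath " + ev.get("ImagePath", ""))
    return hits


def hunt(events: list) -> list:
    """Return (event index, finding) pairs for every matching event."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]


# Constructed sample data: user "alice", a made-up SID, a zeroed benign hash
# and an RFC 5737 documentation address for the benign connection.
DROPPED = ("C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
           "\\Start Menu\\Programs\\Startup\\svchost.exe")
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",          # benign
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p",
     "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 1, "Image": DROPPED, "CommandLine": '"%s"' % DROPPED,
     "Hashes": "MD5=b2a0c7f5e1b4c9d8f7a0b5e4c9f2a7d1,SHA256=" + SAMPLE_SHA256.upper()},
    {"EventID": 13, "Details": DROPPED,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft"
                     "\\Windows\\CurrentVersion\\Run\\svchost"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "Hashes": "",
     "CommandLine": 'schtasks /create /tn SystemUpdate /tr "%s" /sc onlogon' % DROPPED},
    {"EventID": 7045, "ServiceName": "Svchost", "ImagePath": DROPPED},
    {"EventID": 3, "DestinationIp": "185.62.123.45", "DestinationPort": 8080, "DestinationHostname": ""},
    {"EventID": 3, "DestinationIp": "198.51.100.7", "DestinationPort": 443,  # benign
     "DestinationHostname": "update.corp.example"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event[{idx}]: {finding}")
```

Feed real Sysmon exports into `hunt()` as dicts keyed by the Sysmon field names; the benign `System32` svchost and the unrelated connection produce no findings, while the dropped binary yields two (path and hash), and the Run key, task, service and C2 connection one each.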
### 2.3. YARA Rule (Sample)

```yara
rule NjRat_Green_Edition_0_7D
{
    meta:
        description = "Detects NjRat 0.7D Green Edition"
        author      = "Malware Research Team"
        reference   = "SHA256:3F5A9E6D0B7C8F1A2D3E4F5B6C7D8E9F0A1B2C3D4E5F6071829ABCD0EF12345"
        date        = "2024-03-12"
        version     = "0.7D_Green"

    strings:
        // Hard-coded C2 endpoints
        $url1   = "185.62.123.45:8080" ascii wide
        $url2   = "greenpanel.example.net" ascii wide
        // Family marker found among the decoded strings
        $marker = "#NJ_RAT#" ascii wide
        // Default client password, also the RC4 key for creds.db
        $rc4key = "skacat" ascii wide
        // Display name of the persistence service
        $svc    = "System Service" ascii wide

    condition:
        // Restrict to PE files; "skacat" and "System Service" are too generic
        // to fire on their own, so they are only accepted together.
        uint16(0) == 0x5A4D and
        (
            $marker or any of ($url*) or ($rc4key and $svc)
        )
}
```

The strings this rule keys on are decoded at runtime, so it will not match the packed stub on disk. Run it against the dropped `svchost.exe` and against process memory; on a dump of a process whose PE header the stub has already wiped, drop the `uint16(0)` check.