{
	"id": "5cdf30fb-4f2a-42a8-b769-fe3fe56bfd27",
	"created_at": "2026-04-06T00:09:17.166822Z",
	"updated_at": "2026-04-10T13:12:13.326768Z",
	"deleted_at": null,
	"sha1_hash": "21d5fbcabfeab73f614e020d1432f18ae9c25078",
	"title": "njRAT Malware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 463768,
	"plain_text": "njRAT Malware Analysis\r\nPublished: 2020-06-20 · Archived: 2026-04-05 18:24:57 UTC\r\nHASH MD5: 88e085572a182ca102676676ec0ef802\r\nFile Type: Win32 executable\r\nSignature: Microsoft Visual C# v7.0 / Basic .NET\r\nLink to Download Sample: Any.Run\r\nType: Remote Access Trojan\r\nnjRAT is a remote access Trojan. It is one of the most widely accessible\r\nRATs. I came across this while going through\r\nAny.Run trends and thought to download sample for analysis.\r\nPE file information\r\nI have disassembled executable file using dnSpy.\r\nIt makes easy to analyse the code. Stub shows entry point where I can\r\nput breakpoint to start the debugging to analyse the behavior\r\n.net version v2.0.50727\r\nhttps://malwr-analysis.com/2020/06/21/njrat-malware-analysis/\r\nPage 1 of 7\n\nI start debugging and put break point at entry point.\r\nEntry Point\r\nKo() function first check the list predefined process running on victim’s\r\nmachine if they are, the malware executable\r\nwill stop execution. In this case, wireshark was running in background.\r\nIt stops calling assembly and execution process.\r\nTo avoid call to CsAntiProcess which look for the running process, I change the value of anti_CH bool variable\r\nvalue to\r\nfalse manually. 
(The value of a variable can be changed from the Locals window.)\r\nThe CsAntiProcess handler looks for each listed process and, if it is present, stops execution.\r\nClass CsAntiProcess\r\nThe processes it checks for (SN, hard-coded process name, tool):\r\n1 procexp – Process Explorer (Sysinternals tool)\r\n2 SbieCtrl – SbieCtrl.exe (Sandboxie control)\r\n3 SpyTheSpy – spyware monitoring tool\r\n4 wireshark – Wireshark\r\n5 apateDNS – ApateDNS\r\n6 IPBlocker – IPBlocker\r\n7 Tiger-Firewall – (no description)\r\n8 smsniff – (no description)\r\n9 exeinfoPE – Exeinfo PE\r\n10 NetSnifferCS – (no description)\r\n11 SandBoxie Control – (no description)\r\n12 processhacker – Process Hacker\r\n13 dnSpy – .NET disassembler (the one I am using for debugging here)\r\n14 CodeReflector – (no description)\r\n15 ILSpy – .NET disassembler\r\n16 VGAuthService – VMware Guest Authentication Service\r\n17 VBoxService – VirtualBox guest service\r\nThis table lists the processes the malware checks for on execution.\r\nNOTE: To bypass the process check when running the malware outside dnSpy, I also renamed the processes, e.g. Wireshark.exe to wk.exe and procexp.exe to prex.exe. This works because the process names are hard-coded.\r\nContinuing the debugging, it drops an executable file, svchost.exe, at C:\\Users\\\u003cuser profile\u003e\\AppData\\Roaming\\svchost.exe.\r\nCode that drops the executable file:\r\nEXE is a string variable initialized to svchost.exe. 
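The borrowed system-binary name, the three drop locations, the HKCU Run value and the SYN-only connection attempt described in this analysis are all easy to turn into a host triage check. The script below is an added example, not code from the original post or from the njRAT sample: it flags files carrying a well-known system binary name outside System32, Run values that either point at such a file or use a bare 32-hex-digit value name, groups of files with identical content under different names, and system-named processes in SYN_SENT to a non-web port in netstat -a -b output. All inputs (file contents, Run values, netstat lines) are constructed sample data; the C2 address 85.26.235.163:7777 is taken from the post, while the SYSTEM_NAMES watch-list and the 80/443 allowance are assumptions chosen for illustration. Paths use forward slashes, which PureWindowsPath accepts.

```python
import hashlib
import re
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath('C:/Windows/System32')
# Assumed watch-list of system binary names that malware likes to borrow.
SYSTEM_NAMES = {'svchost.exe', 'csrss.exe', 'lsass.exe', 'explorer.exe'}
# The Run value name in the sample is a bare 32-hex-digit string.
HEX32 = re.compile('^[0-9a-f]{32}$', re.IGNORECASE)
# Assumed: the ports a genuine svchost.exe normally talks to.
WEB_PORTS = {80, 443}
QUOTE = chr(34)  # the double-quote character regedit wraps paths in

# Constructed sample data standing in for a host triage; not real captures.
SAMPLE_FILES = {
    'C:/Windows/System32/svchost.exe': b'legitimate service host',
    'C:/Users/IEUser/AppData/Roaming/svchost.exe': b'njrat payload',
    'C:/Tools.exe': b'njrat payload',
    'C:/Users/IEUser/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/e84128b2e0547d1dd1f8090d86c80c48.exe': b'njrat payload',
}
SAMPLE_RUN_VALUES = {  # HKCU Run value name -> value data
    'OneDrive': 'C:/Users/IEUser/AppData/Local/Microsoft/OneDrive/OneDrive.exe /background',
    'e84128b2e0547d1dd1f8090d86c80c48': QUOTE + 'C:/Users/IEUser/AppData/Roaming/svchost.exe' + QUOTE + ' ..',
}
SAMPLE_NETSTAT = '''
  Proto  Local Address          Foreign Address        State
  TCP    10.0.2.15:49712        85.26.235.163:7777     SYN_SENT
 [svchost.exe]
  TCP    10.0.2.15:49713        203.0.113.10:443       ESTABLISHED
 [OneDrive.exe]
'''


def target_executable(command):
    '''Return the executable path from a Run value, honouring a quoted path.'''
    command = command.strip()
    if command.startswith(QUOTE):
        return command[1:].split(QUOTE, 1)[0]
    return command.split(' ', 1)[0]


def outside_system32(path):
    '''True when the file has a watch-listed system binary name but does not live in System32.'''
    wp = PureWindowsPath(path)
    return wp.name.lower() in SYSTEM_NAMES and wp.parent != SYSTEM32


def masquerading_files(paths):
    '''Sorted list of paths that borrow a system binary name outside System32.'''
    return sorted(p for p in paths if outside_system32(p))


def suspicious_run_values(run_values):
    '''Map Run value name -> reasons, for entries showing the traits seen in the sample.'''
    findings = {}
    for name, data in run_values.items():
        reasons = []
        if outside_system32(target_executable(data)):
            reasons.append('system binary name outside System32')
        if HEX32.match(name):
            reasons.append('value name is a bare 32-hex-digit string')
        if reasons:
            findings[name] = reasons
    return findings


def identical_copies(files):
    '''Group paths by SHA-256 of content; keep groups of two or more (same payload, different names).'''
    by_hash = {}
    for path, data in files.items():
        by_hash.setdefault(hashlib.sha256(data).hexdigest(), []).append(path)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def outbound_by_process(netstat_text):
    '''Parse netstat -a -b style output into (process, remote_host, remote_port, state) tuples.
    The owning process appears in square brackets on the line after each TCP row.'''
    rows = []
    pending = None
    for line in netstat_text.splitlines():
        line = line.strip()
        if line.startswith('TCP'):
            _, _, remote, state = line.split()[:4]
            host, port = remote.rsplit(':', 1)
            pending = (host, int(port), state)
        elif line.startswith('[') and line.endswith(']') and pending:
            rows.append((line[1:-1],) + pending)
            pending = None
    return rows


def system_binaries_talking_out(netstat_text):
    '''Flag system-named processes with an active or attempted connection to a non-web port.'''
    return [row for row in outbound_by_process(netstat_text)
            if row[0].lower() in SYSTEM_NAMES
            and row[2] not in WEB_PORTS
            and row[3] in ('SYN_SENT', 'ESTABLISHED')]


if __name__ == '__main__':
    print('masquerading files:', masquerading_files(SAMPLE_FILES))
    print('suspicious Run values:', suspicious_run_values(SAMPLE_RUN_VALUES))
    print('identical copies:', identical_copies(SAMPLE_FILES))
    print('system-named processes talking out:', system_binaries_talking_out(SAMPLE_NETSTAT))
```

Each check is a triage signal rather than a verdict: a genuine svchost.exe does make outbound connections and per-user Run values are common, so the value of the script is in combining the location, the naming, the identical-content copies and the connection attempt into one picture, which is exactly how the sample above gives itself away.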
It is presumably named svchost.exe (the Windows Service Host) to create confusion: without looking at its location and properties it is hard to tell it apart from the legitimate binary.\r\nCaptured in Process Monitor: the file is written at that location.\r\nIt also drops Tools.exe at C:\\.\r\nFile dropped at C:\\\r\nA third copy is written to C:\\Users\\\u003cuser profile\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\e84128b2e0547d1dd1f8090d86c80c48, and a value is added to the registry under HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nName: e84128b2e0547d1dd1f8090d86c80c48\r\nValue data: “C:\\Users\\IEUser\\AppData\\Roaming\\svchost.exe” ..\r\nWith this registry value the executable runs every time the user logs on to the system.\r\nDropping files here means copying itself to three different locations: all three files have different names but the same hash and code.\r\nIn the code, the C2 IP address, the port 7777 and the executable names are initialized.\r\nC2 server IP address details:\r\nVT score: 1/79\r\nStatus: Malicious\r\nVirusTotal score for the C2 server IP address – Link\r\nsvchost.exe sent a TCP segment with the SYN control bit set to the C2 server, but there was no response from the server, although the IP address exists and is located in Russia.\r\nI used netstat to check the TCP connection.\r\nNetstat command \u003e\u003e netstat -a\r\n1) Command \u003e\u003e netstat -a -b\r\n2) Process svchost.exe sent a TCP segment\r\nSummary:\r\nOn execution, the malicious executable checks the processes running on the system. If any of the processes listed in the table above is running, the malware stops execution.\r\nIt copies itself to three different locations:\r\nC:\\Tools.exe\r\nC:\\Users\\\u003cuser profile\u003e\\AppData\\Roaming\\svchost.exe\r\nC:\\Users\\\u003cuser profile\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\e84128b2e0547d1dd1f8090d86c80c48.exe\r\nIt creates a Run registry value named e84128b2e0547d1dd1f8090d86c80c48 pointing at the Roaming svchost.exe copy, and the copy in the Startup folder also runs at logon, so the malware executes every time the user logs on to the system.\r\nThe command and control server is 85.26.235.163, port 7777.\r\nsvchost.exe tried to connect to the C2 server; the server did not respond.\r\nAccessing the C2 server IP address on port 7777 in a browser returns a 200 OK response with an empty response header.\r\nThank you.\r\nComments and suggestions are welcome.\r\nSource: https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/"
	],
	"report_names": [
		"njrat-malware-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434157,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21d5fbcabfeab73f614e020d1432f18ae9c25078.pdf",
		"text": "https://archive.orkl.eu/21d5fbcabfeab73f614e020d1432f18ae9c25078.txt",
		"img": "https://archive.orkl.eu/21d5fbcabfeab73f614e020d1432f18ae9c25078.jpg"
	}
}