{
	"id": "072abb26-4d00-4be2-8174-6019b9ccd0f6",
	"created_at": "2026-04-10T03:21:46.189486Z",
	"updated_at": "2026-04-10T03:22:18.940059Z",
	"deleted_at": null,
	"sha1_hash": "4aae586f805eadc005befccff33c83b025c72eaa",
	"title": "https://breachnova.com/blog.php?id=27",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3971452,
	"plain_text": "https://breachnova.com/blog.php?id=27\r\nBy Osama Ellahi\r\nArchived: 2026-04-10 03:17:42 UTC\r\nExecutive Summary\r\nThis version {0.7NC} of NJRat was first seen on 17 August 2023 with the name utah-Robert-magazine- speaker.\r\nIt was delivered by email using phishing. Red Packet Security defines NJRat as a type of remote access trojan\r\n(RAT). This malicious software can do a range of things, like recording keystrokes, accessing the victim’s camera,\r\nstealing saved login information from web browsers, creating a way for attackers to control the victim’s computer\r\nfrom a remote location, transferring files to and from the victim’s computer, seeing what’s on the victim’s screen,\r\nmaking changes to files, processes, and the Windows registry, and even allowing the attacker to update, remove,\r\nrestart, close, disconnect, or change the name of their attack campaign.\r\nThis analysis comprises two samples labeled as NJ RAT 0.7NC and 0.6.4. The 0.7NC variant introduces a novel\r\nmethod for evading analysis, while 0.6.4 is responsible for managing all other malicious activities.\r\nHigh-Level Technical Summary\r\nNJRAT is a sophisticated malware that operates in two primary stages. The initial stage involves phishing and\r\nobfuscation tactics. In August 2023, security experts first encountered malware, which was distributed via email in\r\nthe form of a malicious and highly obfuscated VBS (Visual Basic Script) file embedded in documents.\r\nUpon execution, this VBS file performs deobfuscation and reveals a PowerShell script. Within this script lies a\r\nbase64-encoded DLL (Dynamic Link Library). Once the script successfully decodes the DLL, it proceeds to\r\ninvoke the “VAI” method within the DLL. 
This marks the beginning of the malware’s further exploitation and malicious activities.\r\nhttps://breachnova.com/blog.php?id=27\r\nPage 1 of 24\n\nInitial Stage\r\nThis stage consists of de-obfuscating and decoding the real DLL and invoking the binary [2].\r\n    SHA256\r\n    vbs = 5f66c7336f8469a6ab349a3f0f3f7aca1b483f2f2a8b4ad71af79ff51a8aad6b\r\n    dll = 153c9ffe148909981900c59c2ccba8ef66f94688ce7ab5e01e3a541937a31294\r\n.VBS\r\nThe initial executable is a VBS file containing obfuscated PowerShell code. After modifying the VBS file and revealing the de-obfuscated PowerShell code, we can observe its initial command in the terminal. This command pings localhost to create a dynamic delay, then copies the executable to the Startup folder. This technique is used to achieve persistence, ensuring that the executable runs every time the device starts up.\r\n    This is the command which copies the malicious file into the Startup folder for future use:\r\ncmd.exe /c ping 127.0.0.1 -n 10 \u0026 powershell -command [System.IO.File]::Copy('','C:\\Users\\' + [Environment]::UserName + '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.vbs')\r\nAfter establishing persistence, the VBS goes on to de-obfuscate the malicious DLL. As you can see in the figure below, there is an obfuscated string, and the script uses the yWaUTuYIQuUWknat method to perform a straightforward task: locating a substring and replacing it with the specified third parameter.\r\nAfter printing the shell code, I get the real DLL in the terminal. So far, we don’t know what this code is or how to invoke or use it.\r\nBy looking at the string, it was clear that it was base64 encoded.
So, I decided to decode it with PowerShell, and the real binary came out of it.\r\nBut let’s see how the exploit is using it.\r\nThe VBS has a third obfuscated command which was then de-obfuscated to execute this DLL.\r\nAfter patching and de-obfuscation, I rephrased the final command, which looks like the following script.\r\nIt was invoking its VAI method after decoding the base64-encoded string.\r\nExploitation\r\nThis final exploit has so many malicious functionalities that we will divide them into persistence, keylogging and C2 communication.\r\nInitial behavior\r\nThis DLL has all the malicious functions. Its VAI method starts by adding a mutation in the system; if the mutation is already there, it will not execute. This technique ensures that only one instance of the exploit runs at a time. It then copies itself to AppData and runs that exe in a new process. It does not execute the malicious functions directly, because this makes it harder for reverse engineers to follow it with dynamic debugging.\r\nPersistence\r\nIt starts an infinite loop with multiple cases. Let’s start from case 0.\r\nCase 0: Reads the first obfuscated variable, reverses it and de-obfuscates it. It gets a command from the server and processes it.\r\nCase 1\r\nReverses the string only.\r\nCase 2\r\nIt creates a new GUID and gives this name to the VBS. After that it searches AppData for any VBS present; if there is no VBS in AppData, it runs a command in hidden window style and copies the VBS files from the current directory to AppData.\r\nCase 3\r\nAfter copying the file to AppData it sets the persistence registry key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.
By adding this, it executes this file at every startup.\r\nCase 11\r\nCase 11 is also focused on persistence, but this time it is achieved by creating a LNK file at run time in the Startup folder.\r\nThis LNK file performs a specific action in a minimized window using PowerShell:\r\n1. Sleep for 5 seconds.\r\n2. Start the VBS which is inside AppData\\Roaming.\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle Hidden Start-Sleep 5; Start-Process C:\\Users\\burgo\\AppData\\Roaming\\4df328c8-4a5e-4b9b-8385-1495d13b45dd.vbs\r\nThe INS() function is entirely persistence based; it controls the foothold of the exploit inside the system for future use.\r\nIt sets the environment variable SEE_MASK_NOZONECHECKS to 1, which allows it to download and execute files without the zone identifier check.\r\nThis code includes a step to add itself to the list of allowed programs in the Windows Firewall. Executing this command instructs the Windows Firewall to allow network traffic for a specific program or application, ensuring that the program can communicate freely over the network without being hindered by the firewall’s restrictions.\r\nIt also checks whether the Isu flag is true (it is true by default), and if so it sets some registry values.\r\nIt copies a file from one location to another (possibly into the Startup folder), and then initializes a FileStream object to open and read the copied file in the Startup folder. If the server commands removal, it sends a command with “un” and “~” to remove all footprints.
First it removes the registry entries, removes itself from the firewall’s allowed programs, deletes the file from the Startup folder and, at the end, pings 127.0.0.1 and deletes itself.\r\nKeylogging\r\nThe keylogger in NJRat performs the following steps.\r\n1. It initializes various properties and objects, including a keyboard listener (this.keyboard), a log file path (this.LogsPath), and other variables.\r\n2. The keylogger continuously monitors keyboard input using a for loop. Inside the loop, it checks the state of each key using the GetAsyncKeyState function, allowing it to capture key presses and releases asynchronously.\r\n3. When a key is pressed, the Fix method is called to convert the key code into a standardized representation. It considers the Shift and Caps Lock keys, maps function keys and special keys to specific strings (e.g., “[F1]”, “[ENTER]”), handles whitespace and Enter key presses, and converts other keys to their corresponding Unicode characters.\r\n4. The keylogger appends the converted key representation to a log (this.Logs), which accumulates the logged keystrokes over time. It also includes special entries for Enter and Tab key presses to format the log properly. {AppData\\services64.exe.tmp}\r\n5. To prevent the log from growing indefinitely, the keylogger periodically truncates the log to a certain length and updates the log file on disk (File.WriteAllText).\r\n6. The keylogger continues to monitor and log keyboard input indefinitely within the for loop, sleeping briefly between iterations to control the rate of input capture.\r\nThe constructor of kl() initializes some general variables and prepares all settings for keylogging, such as the clock and the log path.
This keylogger monitors all the keystrokes and process information.\r\nThe constructor is named kl, and it initializes various properties and objects when an instance of the class is created.\r\nThe WRK method continuously monitors keyboard input, logs the pressed keys along with additional information, and updates the log file.\r\nGetAsyncKeyState is used to monitor and capture keyboard input events asynchronously, allowing the code to track and log key presses as they occur in real time within the for loop. This is typically used for purposes such as keylogging or tracking user input in certain types of applications.\r\nThe Fix method in this code handles keyboard input by mapping different keys to specific representations for logging purposes. It considers the state of the Shift and Caps Lock keys, encloses function keys and special keys in square brackets, maps certain keys to empty strings, and converts others using a custom method while maintaining uppercase or lowercase based on the Shift key state. It ultimately returns the resulting string representing the converted keyboard key.\r\nThe VKCodeToUnicode() method attempts to convert a virtual key code to its corresponding Unicode character. It uses the GetKeyboardState, MapVirtualKey, and ToUnicodeEx functions from user32.dll to perform the conversion.\r\nThis is where all logs are stored; you can see it in the following figure.\r\nThe kl() class is only responsible for monitoring and storing all the logs in the file. It does not send the logs back to the server.\r\nTo conclude, these are the steps performed by this keylogger.\r\n1. The GetAsyncKeyState function is called in a loop to check the state of keyboard keys with virtual key codes ranging from 0 to 255. It checks each key one by one.
If GetAsyncKeyState returns -32767 for a specific key code, it indicates that the key with that virtual key code is currently pressed down. In other words, it’s in the “pressed” state at the time of the function call.\r\n2. When a pressed key is detected, it is converted to a Keys enum value (k) to represent the specific key.\r\n3. The Fix(k) method is called to process the key and convert it into a suitable string representation, considering factors like special keys, Shift, Caps Lock, etc.\r\n4. The processed key information is then logged into the Logs field, which stores the captured keyboard input.\r\n5. Finally, the Laskey field is updated to keep track of the last key that was pressed.\r\nC2 communication\r\nIn the main method, it creates a thread which executes the RC method of the OK class. This RAT uses its own communication language; we will show every detail of which flag means what.\r\nExecution according to Flags\r\nThere is an infinite loop which gets commands from the server and calls Ind(byte[]), which then handles all the commands and controls.\r\nProc\r\nIn Ind(), it first checks whether “proc” exists in the array, which is converted to a string (fields are separated by Ok.Y = \"|'|'|\";).\r\n~\r\nIf the flag is “~” then it gets the current process ID using GetCurrentProcess() and sends it to the server.\r\nAfter this it gets the number of processes using GetProcesses().\r\nThen, it gets the file descriptions of all files and processes which are running.
It collects the file name, file description and process ID using GetProcesses().\r\nk\r\nAfter completing “~” it checks for the “k” flag in the string; this flag is implemented to kill the process with the given process ID. If it cannot kill the process, it sends the exception to the server.\r\nkd\r\nThen it goes for the kd flag, which not only kills the process but also deletes the file. After killing the process and before deleting the file it sends “proc |'|'| RM |'|'| process-id”. After deleting the file from the system, it sends “proc |'|'| ER |'|'| Deleted process-id”. If any error occurs it sends “proc |'|'| ER |'|'| error-exception”.\r\nre\r\nThen it checks for the “re” flag; if it is set, it sends “proc |'|'| RM |'|'| process-id”, kills the running process, and sends “proc |'|'| ER |'|'| process-file-path” to the server. In case of error, it sends “proc |'|'| ER |'|'| error-exception”.\r\nrss\r\nThe “rss” command handles all the commands which come from the server. It sends “rss” to the server. This code sets up a Process object to run the Windows Command Prompt (cmd.exe) with various configurations, allows interaction with its standard input, output, and error streams, and attaches event handlers to process the output and errors produced by the command prompt. It then sends an “rss” command to the command prompt and starts the process, enabling asynchronous reading of its output and error streams.\r\nrs and rsc\r\nThe “rs” flag indicates whether the command needs to be executed hidden, and “rsc” kills these processes.\r\nkl\r\nThe “kl” flag reads the keylogging logs from AppData and sends them to the server.
We intercepted the traffic; it looks like this.\r\nact|'|'|IA==[endof]act|'|'|UHJvY2VzcyBNb25pdG9yIC0gU3lzaW50ZXJuYWxzOiB3d3cuc3lzaW50ZXJuYWxzLmNvbQ==[endof]act|'|'|RmlsZSBFeHBsb3Jlcg==[endof]\r\n    act|'|'|[endof]\r\n    act|'|'|UHJvY2VzcyBNb25pdG9yIC0gU3lzaW50ZXJuYWxzOiB3d3cuc3lzaW50ZXJuYWxzLmNvbQ==[endof]\r\n    act|'|'|[endof]\r\n    act|'|'|ZG5TcHkgdjYuMS44ICgzMi1iaXQsIC5ORVQp[endof]\r\nDecoding the base64 shows the name of every newly running process:\r\n    Process Monitor - Sysinternals: www.sysinternals.com\r\n    File Explorer\r\n    dnSpy v6.1.8 (32-bit, .NET)\r\ninf\r\nThe inf flag gets the system drive number and returns “encoded base64, 44gang44.duckdns.org, 2222, |'|'|”. The server 44gang44.duckdns.org is used for C2 and port 2222 is used, with the content being the base64-encoded system drive number. The value in the result variable will be a hexadecimal representation of the volume serial number of the system drive. Depending on the specific system and drive, this value will vary and typically be a combination of letters and numbers.\r\ncap\r\nThe CAP flag does the following main tasks: capturing the screen, handling the cursor, checking for changes in the captured image, preparing the data for sending using encoding, and then sending the data. It sends the data with the CAP flag to the server, which indicates that this is a screenshot of the victim’s screen.\r\np\r\nThe P flag is just to acknowledge that the response is coming.\r\nun\r\nThe un flag is coded to uninstall the malware, but if there is an @ it starts itself again.\r\nIf there is a ~ with un, it starts removing the footprints from the system.\r\n1. It deletes the persistence registry entries from the current user and from the local machine.\r\n2. It deletes this malware from the firewall’s allowed programs.\r\n3. It deletes itself from the Startup folder.\r\n4.
It removes the software mutation registry entry.\r\n5. It deletes itself from the system after pinging localhost. Pinging localhost creates a short delay, after which it deletes itself.\r\nRG\r\nIf the RG flag is present, it also performs registry operations: getting registry values, checking their permissions, adding new registry entries, and removing registry entries.\r\nrn\r\nThe “rn” flag handles new zip file downloads. It downloads the zip file from the specified URL and places it on the device for further execution; it uses an HTTP web client to download this file.\r\nNetwork Indicators\r\nCallback URLs\r\n    njnjnjs.duckdns.org:35888\r\n    44gang44.duckdns.org:2222\r\nReferences\r\n1. dnSpy: https://github.com/dnSpy/dnSpy\r\n2. VirusTotal: https://www.virustotal.com/gui/file/5f66c7336f8469a6ab349a3f0f3f7aca1b483f2f2a8b4ad71af79ff51a8aad6b\r\n3. Joe Sandbox: https://www.joesandbox.com/analysis/1292688/0/html\r\n4. CyberGeeks: https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/\r\nSource: https://breachnova.com/blog.php?id=27",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://breachnova.com/blog.php?id=27"
	],
	"report_names": [
		"blog.php?id=27"
	],
	"threat_actors": [],
	"ts_created_at": 1775791306,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4aae586f805eadc005befccff33c83b025c72eaa.pdf",
		"text": "https://archive.orkl.eu/4aae586f805eadc005befccff33c83b025c72eaa.txt",
		"img": "https://archive.orkl.eu/4aae586f805eadc005befccff33c83b025c72eaa.jpg"
	}
}