{
	"id": "a7daecb6-b12e-496a-bbb9-ba19d3b237e0",
	"created_at": "2026-04-06T00:13:53.560316Z",
	"updated_at": "2026-04-10T13:12:25.14531Z",
	"deleted_at": null,
	"sha1_hash": "9bf3403619f510dda21eaa7772597599bbf683d1",
	"title": "Unfolding NJ RAT 0.7NC \u0026 0.6.4",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 566838,
	"plain_text": "Unfolding NJ RAT 0.7NC \u0026 0.6.4\r\nBy Osama Ellahi\r\nPublished: 2024-08-09 · Archived: 2026-04-05 18:02:34 UTC\r\n| NJRAT Malware analysis\r\nhttps://infosecwriteups.com/unfolding-nj-rat-07nc-and-064d14b875c7cd8-d14b875c7cd8\n\nExecutive Summary\r\nThis version {0.7NC} of NJRat was first seen on 17 August 2023 with the name utah-Robert-magazine- speaker.\r\nIt was delivered via phishing email. Red Packet Security defines NJRat as a type of remote access trojan\r\n(RAT). This malicious software can do a range of things, like recording keystrokes, accessing the victim’s\r\ncamera, stealing saved login information from web browsers, creating a way for attackers to control the\r\nvictim’s computer from a remote location, transferring files to and from the victim’s computer, seeing what’s on\r\nthe victim’s screen, making changes to files, processes, and the Windows registry, and even allowing the\r\nattacker to update, remove, restart, close, disconnect, or change the name of their attack campaign.\r\nThis analysis comprises two samples labeled as NJ RAT 0.7NC and 0.6.4. The 0.7NC variant introduces a novel\r\nmethod for evading analysis, while 0.6.4 is responsible for managing all other malicious activities.\r\nHigh-Level Technical Summary\r\nNJRAT is a sophisticated malware that operates in two primary stages. The initial stage involves phishing and\r\nobfuscation tactics. In August 2023, security experts first encountered the malware, which was distributed via email\r\nin the form of a malicious and highly obfuscated VBS (Visual Basic Script) file embedded in documents.\r\nUpon execution, this VBS file performs deobfuscation and reveals a PowerShell script. 
Within this script lies a\r\nbase64-encoded DLL (Dynamic Link Library). Once the script successfully decodes the DLL, it proceeds to\r\ninvoke the “VAI” method within the DLL. This marks the beginning of the malware’s further exploitation and\r\nmalicious activities.\r\nInitial Stage\r\nThis stage consists of deobfuscating and decoding the real DLL and invoking the binary.\r\nSHA256\r\nvbs = 5f66c7336f8469a6ab349a3f0f3f7aca1b483f2f2a8b4ad71af79ff51a8aad6b\r\ndll = 153c9ffe148909981900c59c2ccba8ef66f94688ce7ab5e01e3a541937a31294\r\n.VBS\r\nThe initial executable comprises a VBS file containing obfuscated PowerShell code. After modifying the VBS file\r\nand revealing the de-obfuscated PowerShell code, we can observe its initial command in the terminal. This\r\ncommand involves pinging localhost for a dynamic delay, followed by the self-copying of the executable to the\r\nstartup folder. This technique is employed to achieve persistence, ensuring that the executable runs every time\r\nthe device starts up.\r\nFigure 1 First Command of PowerShell which is responsible for persistence.\r\nThis is the command that copies the malicious file into the startup folder for future purposes.\r\ncmd.exe /c ping 127.0.0.1 -n 10 \u0026 powershell -command [System.IO.File]::Copy(‘’,’C:\\Users\\’ +\r\n[Environment]::UserName + ‘\\AppData\\Roaming\\Microsoft\\Windows\\Start\r\nMenu\\Programs\\Startup\\.vbs’)\r\nTo see how it gains persistence and how it uses its own language when it communicates with the C2, visit the\r\nfollowing link. 
I have moved this blog to my personal website.\r\nhttps://breachnova.com/blog.php?id=27\n\nSource: https://infosecwriteups.com/unfolding-nj-rat-07nc-and-064d14b875c7cd8-d14b875c7cd8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://infosecwriteups.com/unfolding-nj-rat-07nc-and-064d14b875c7cd8-d14b875c7cd8"
	],
	"report_names": [
		"unfolding-nj-rat-07nc-and-064d14b875c7cd8-d14b875c7cd8"
	],
	"threat_actors": [],
	"ts_created_at": 1775434433,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9bf3403619f510dda21eaa7772597599bbf683d1.pdf",
		"text": "https://archive.orkl.eu/9bf3403619f510dda21eaa7772597599bbf683d1.txt",
		"img": "https://archive.orkl.eu/9bf3403619f510dda21eaa7772597599bbf683d1.jpg"
	}
}