{
	"id": "9ce97972-fbd6-45b6-a4b0-998cf15a5b19",
	"created_at": "2026-04-06T00:18:27.134341Z",
	"updated_at": "2026-04-10T03:20:01.054327Z",
	"deleted_at": null,
	"sha1_hash": "b117ca28f926374fc3348056f7c5f57285c595f9",
	"title": "Unmasking NJRat: A Deep Dive into a Notorious Remote Access Trojan Part1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2555630,
	"plain_text": "Unmasking NJRat: A Deep Dive into a Notorious Remote Access Trojan Part1\r\nBy JustAnother-Engineer\r\nPublished: 2023-12-04 · Archived: 2026-04-05 15:33:15 UTC\r\nNjRAT is a type of malware that allows a remote actor to gain control of an infected computer system. It is one of the most widely used types of malware on the Internet due to its easy accessibility, free tutorials available on the clear web, and wide range of functionalities to evade detection tools.\r\nhttps://infosecwriteups.com/part1-static-code-analysis-of-the-rat-njrat-2f273408df43\r\nPage 1 of 10\n\nNote: the sample analyzed in this blog was first seen in October 2023. As of now the file is flagged as malicious by multiple AV/EDR tools.\r\nVirusTotal result + PE headers of the file being analyzed.\r\nBy analyzing the headers we see that this version of the malware was compiled on Sep 2 2023. As it is based on .NET we can statically reverse engineer and review the code of the binary/executable.\r\nAn initial review of the string output of the binary shows a few interesting items such as a registry path, a domain, a few commands, executable names and network rules.\r\nFloss output of the binary\r\nInitialization:\r\nThe malware first creates a registry key value pair “{di:!}” under the current user, and we see it implement a mutual exclusion object (mutex) to hinder concurrent infections on a single device.\r\nRegistry key, mutex initialization\r\nUpon reviewing the statically defined variables we see a few interesting things, as highlighted below: a port (18801) where the connection is initiated, the registry name (RG variable), the registry path (sf variable), the VR version number, and the string in variable VN, which contains the base64 encoded value of “HacKed”. The variable “Y” stores a random character which is used as a separator while sending data back to the C\u0026C server.\r\nInteresting static variables\r\nReviewing the OK.RC function, which is passed to the mutex, we see that it in turn calls a function OK.INS() which initializes the persistence mechanisms.\r\nPersistence initialization function\r\nPersistence:\r\nReviewing the INS function, first we see the malware trying to find the file “C:\\\\Windows\\\\Microsoft system.exe”, copying the malware to this path, deleting the current instance of the malware and starting a new process of the malware as “Microsoft system.exe”.\r\nFurther we see an exclusion being added via netsh for the traffic from this malware file. Then we see the file being added to both the current user and local machine registries. We also see the malware being copied to the startup folder with the name “118f5683ac8ec11fa5ebd063bb65cc3b.exe” for persistence. Any app/exe placed inside the startup folder is launched upon booting the OS.\r\nRegistry and startup persistence\r\nFurther we see the malware killing a process “Exsample.exe” if it is running. Based on the research, this indicates that this file is an old version of the same malware. We also see that the file copied to windir is being hidden.\r\nKilling Exsample.exe and hiding the malware\r\nFurther we see persistence via autorun. As highlighted below, the malware is again copied into the ProgramFiles directory of each logical drive as “svchost.exe” and then creates an autorun.inf file to run them automatically. The malware then hides the created autorun file.\r\nPersistence via autorun\r\nC\u0026C communication\r\nConnecting to the C\u0026C server: reviewing the connect function we see that the malware connects to the “0.tcp.eu.ngrck.io” host; on successful connection it sends the information below.\r\n- Environment variables\r\n- machine name\r\n- user name\r\n- machine date\r\n- Detailed OS information\r\n- processor type\r\n- camera status\r\n- string “HacKed”\r\nConnect function.\r\nThe malware then receives data from the threat actor, and that data is handled by creating a new thread.\r\nThreat actor data handling.\r\nThere are multiple commands available in this RAT within OK.im; however, we will discuss in detail only a few which are interesting.\r\nBelow is a list of a few capabilities observed in this RAT:\r\n1. Can spawn a new process.\r\n2. Can modify the startup page setting for Internet Explorer using the Registry to start a page/link upon opening. This can be used for downloading other malware, redirecting to phishing links, exploiting vulnerabilities, installing other backdoors or launching DDoS attacks.\r\n3. Has the capability to shutdown / restart / logoff the session.\r\n4. Can spawn custom error messages.\r\n5. Can invoke the “speak” method on the speech synthesizer object to synthesize the specified text.\r\n6. Uses the Kernel32 Beep method to create beeps of a specified frequency. Further we see a command named “Piano” which leverages this function to create music.\r\n7. Open CD / close CD drive (this is the command someone uses to troll their victims).\r\n8. Disabling / enabling keyboard and mouse inputs.\r\n9. Turning the monitor on / off.\r\n10. Taking over mouse control.\r\n11. Enabling / disabling CMD.\r\n12. Disabling / enabling built-in registry tools, system restore functions and Task Manager.\r\n13. Taking over the cursor.\r\n14. Controlling music playback.\r\nA few of the commands observed that the attacker can use.\r\nAs this blog is already getting big, we will discuss other functionalities, dynamic analysis and detection mechanisms for this malware strain in our next blog.\r\nThank you for your time!\r\nPart 2: https://infosecwriteups.com/unmasking-njrat-a-deep-dive-into-a-notorious-remote-access-trojan-part2-7b41a3669d9a\r\nSource: https://infosecwriteups.com/part1-static-code-analysis-of-the-rat-njrat-2f273408df43",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://infosecwriteups.com/part1-static-code-analysis-of-the-rat-njrat-2f273408df43"
	],
	"report_names": [
		"part1-static-code-analysis-of-the-rat-njrat-2f273408df43"
	],
	"threat_actors": [],
	"ts_created_at": 1775434707,
	"ts_updated_at": 1775791201,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b117ca28f926374fc3348056f7c5f57285c595f9.pdf",
		"text": "https://archive.orkl.eu/b117ca28f926374fc3348056f7c5f57285c595f9.txt",
		"img": "https://archive.orkl.eu/b117ca28f926374fc3348056f7c5f57285c595f9.jpg"
	}
}