{
	"id": "bce3ff10-32e8-4990-a49f-9826d25480bf",
	"created_at": "2026-04-06T00:08:48.894275Z",
	"updated_at": "2026-04-10T03:35:38.077546Z",
	"deleted_at": null,
	"sha1_hash": "d4e5bfaf0f8dc77d358ecf35d7eb8f383aae434b",
	"title": "Just another analysis of the njRAT malware – A step-by-step approach – CYBER GEEKS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4333598,
	"plain_text": "Just another analysis of the njRAT malware – A step-by-step approach – CYBER GEEKS\r\nPublished: 2021-11-30 · Archived: 2026-04-05 15:38:06 UTC\r\nSummary\r\nnjRAT (Bladabindi) is a .NET RAT (Remote Access Trojan) that allows attackers to take control of an infected machine. This malware has been used by APT actors in targeted attacks in Colombia (https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/), by SideCopy (https://blog.talosintelligence.com/2021/07/sidecopy.html) and has been distributed via phishing emails (https://labs.k7computing.com/index.php/malspam-campaigns-download-njrat-from-paste-sites/). The version number in our analysis is 0.6.4 and the campaign ID is “splitgateukrayna”. The following commands have been implemented: “proc”, “rss”, “rs”, “rsc”, “kl”, “inf”, “prof”, “rn”, “inv”, “ret”, “CAP”, “P”, “un”, “up”, “RG”. njRAT can also act as a keylogger because it records the pressed keys in a file which can be exfiltrated using the “kl” command. The rest of the commands will be explained in great detail in the Technical analysis section.\r\nAnalyst: @GeeksCyber\r\nTechnical analysis\r\nDisclaimer: We’re aware that there are some njRAT builders available that can be used to generate executables; however, we’re not interested in these tools, and we’ve performed the analysis with zero knowledge of them.\r\nSHA256: 833f86074592648c0a758098e34ab605a2b922d94dbab7141e2ce87acec03c35\r\nThe analysis has been performed using dnSpy.\r\nThe malware tries to open a mutex called “49e91d08e684b1770e0cefa60401157a” using the OpenExisting method. If the mutex already exists, the process exits:\r\nFigure 1\r\nA new mutex named “49e91d08e684b1770e0cefa60401157a” is created by calling the Mutex constructor:\r\nhttps://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/\r\nPage 1 of 28\n\nFigure 2\r\nThe path for the executable file that started the application is compared with “%AppData%\\services64.exe”. The malware authors implemented a function called “CompDir”, which compares the name of the files and the name of the directories:\r\nFigure 3\r\nFigure 4\r\nIf the above file exists (“services64.exe”), it’s deleted using the Delete function:\r\nFigure 5\r\nThe initial executable file is copied to “%AppData%\\services64.exe”. The new file is executed using the Start method, and the current process exits:\r\nFigure 6\r\nThe binary sets the environment variable “SEE_MASK_NOZONECHECKS” to 1, which removes the open file security warnings:\r\nFigure 7\r\nA new program-based exception is added to Windows Firewall using netsh (the program being the newly created executable):\r\nFigure 8\r\nA new entry called “49e91d08e684b1770e0cefa60401157a” is added to the Run registry key. This represents a persistence mechanism, and the malware will run whenever the current user logs on:\r\nFigure 9\r\nFigure 10\r\nThere is a second persistence mechanism that is not enabled in the malware. It would copy the executable to the Startup folder, as shown below:\r\nFigure 11\r\nThe RAT initializes a new instance of the Thread class by specifying the ThreadStart method:\r\nFigure 12\r\nA new TcpClient object is created by the executable. The malware establishes a connection to the C2 server 44gang44.duckdns[.]org (dynamic DNS service) on port 2222:\r\nFigure 13\r\nThe volume serial number for the C drive is extracted using the GetVolumeInformation API:\r\nFigure 14\r\nThe file retrieves the computer name and user name using the GetComputerName and GetUserName functions:\r\nFigure 15\r\nFigure 16\r\nThe last write time of the executable is obtained from the LastWriteTime property, as highlighted in figure 17:\r\nFigure 17\r\nThe full operating system name is retrieved from the OSFullName property:\r\nFigure 18\r\nnjRAT determines the architecture of the system by checking the existence of the “Program Files (x86)” directory (it only exists on 64-bit systems):\r\nFigure 19\r\nThe capGetDriverDescriptionA API is utilized to check for the existence of a Webcam:\r\nFigure 20\r\nGetForegroundWindow is used to get a handle to the foreground window (the window with which the user is currently working). The GetWindowText function copies the text of the foreground window’s title bar into a buffer. GetWindowThreadProcessId is used to retrieve the identifier of the thread that created the foreground window, along with the identifier of the process that created the window. The result of the function is represented by the MainWindowTitle property of the process extracted before, which is Base64 encoded:\r\nFigure 21\r\nThe malware creates the “HKEY_CURRENT_USER\\Software\\49e91d08e684b1770e0cefa60401157a” registry key:\r\nFigure 22\r\nThe buffer that contains the following information is sent to the C2 server:\r\nBase64 of Campaign ID + volume serial number\r\nComputer name\r\nUser name\r\nLast write time of the malicious file\r\nOperating system name + system’s architecture\r\nWhether a Webcam is detected\r\nnjRAT Version\r\nBase64 of the main window title of the process\r\nFigure 23\r\nThe C2 response is copied into a buffer using the Receive method:\r\nFigure 24\r\nThe C2 server was emulated using FakeNet. The binary expects a response that contains instructions separated by the “|’|’|” separator. Multiple commands are implemented by njRAT, as we’ll describe later on:\r\nFigure 25\r\nKeylogger functionalities\r\nEvery pressed key is compared with multiple function/special keys:\r\nFigure 26\r\nIf the keys aren’t function/special keys, they’re mapped from virtual-key code into a scan code or character value by calling the MapVirtualKey function. GetKeyboardLayout is utilized to retrieve the active input locale identifier. The ToUnicodeEx API is utilized to translate the virtual-key code and keyboard state to the corresponding Unicode character:\r\nFigure 27\r\nThe GetAsyncKeyState API is utilized to determine whether a key is up or down:\r\nFigure 28\r\nThe window title of the process where the input is detected is also included in the logs file:\r\nFigure 29\r\nThe binary creates a file called “services64.exe.tmp” in the same directory, where the keylogger data is stored. The WriteAllText method is utilized to populate the file:\r\nFigure 30\r\nAn example of a log file is displayed in figure 31:\r\nFigure 31\r\nNow we describe the commands implemented by njRAT.\r\n“proc” command\r\nCase 1 – “proc|’|’|~” (OK.Y == |’|’|) – retrieve information about the current process and the other running processes\r\nThe current process ID is retrieved and sent to the C2 server by calling the GetCurrentProcess function. The number of processes running on the host is also transmitted to the C2 server:\r\nFigure 32\r\nThe malware extracts the description of the files using the FileVersionInfo.FileDescription property, and then encodes it using the Base64 algorithm. For each process, a string that contains the process ID, the full path to the process, and the encoded file description (if available), is constructed:\r\nFigure 33\r\nIn the case of Windows processes, the execution flow is different; however, the purpose is the same:\r\nFigure 34\r\nThe buffer that contains the concatenation of the strings computed above is exfiltrated to the C2 server:\r\nFigure 35\r\nCase 2 – “proc|’|’|k|’|’|\u003cProcess ID\u003e” – kill a process\r\nThe process that corresponds to the process ID transmitted by the C2 server is stopped by calling the Kill method. If successful, the malware sends a custom message to the server, otherwise it sends an exception message:\r\nFigure 36\r\nCase 3 – “proc|’|’|kd|’|’|\u003cProcess ID\u003e” – kill a list of processes and delete the module files\r\nFirstly, the binary repeats the same procedure from above. It also extracts the full path to the process:\r\nFigure 37\r\nThe RAT tries to delete the file that corresponds to the above process. If successful, it sends a confirmation message to the C2 server:\r\nFigure 38\r\nCase 4 – “proc|’|’|re|’|’|\u003cProcess ID\u003e” – restart a process\r\nThe binary repeats the same procedure from above. It also extracts the full path to the process:\r\nFigure 39\r\nnjRAT executes the file extracted above. If successful, it sends a confirmation message to the C2 server:\r\nFigure 40\r\n“rss” command – start a hidden command prompt and redirect the StandardOutput and StandardError to the C2 server\r\nThe malware creates a “cmd.exe” process object and sets several properties to true, indicating that the error output should be written to StandardError, the input should be read from StandardInput, and the output should be written to StandardOutput. The method that will handle the OutputDataReceived and ErrorDataReceived events of the newly created process is set to a function called “RS”. The method that will handle the Process.Exited events is set to a function called “ex”. The new process is started, and it begins read operations on the redirected StandardOutput and StandardError streams of the application:\r\nFigure 41\r\nThe RAT retrieves a late-bound value called “Data”, which represents the StandardError/StandardOutput of the cmd.exe process; it is Base64 encoded and sent to the C2 server:\r\nFigure 42\r\nThe output of the cmd.exe process can be seen in the network traffic:\r\nFigure 43\r\nFigure 44 displays the cmd.exe process as the child of the initial process (Process Hacker tool):\r\nFigure 44\r\nIn the case of a Process.Exited event, the “ex” function just sends the string “rsc” to the C2:\r\nFigure 45\r\n“rs|’|’|\u003cBase64 command\u003e” command – send a command to be executed by the hidden command prompt\r\nThe C2 server can specify a command that is decoded using the Base64 algorithm, which is given as input to the cmd.exe process created earlier:\r\nFigure 46\r\nIt’s important to mention that the malware performs sanity checks and sends an exception message to the C2 if any error occurs in any case:\r\nFigure 47\r\n“rsc” command – kill the hidden command prompt created earlier\r\nThe command prompt process created earlier is killed by the RAT:\r\nFigure 48\r\n“kl” command – exfiltrate the keylogger’s log file\r\nThe content of the Logs variable, which is the output of the keylogger described above, is Base64 encoded and exfiltrated to the C2 server:\r\nFigure 49\r\n“inf” command – retrieve information about the volume serial number and malware configuration (C2 server, process name, etc.)\r\nThe file checks the “HKCU\\Software\\49e91d08e684b1770e0cefa60401157a\\vn” registry value, which doesn’t exist at this time. The binary extracts again the volume serial number for the C drive and combines it with the following information: C2 server, C2 port number, the AppData folder, the name of the executable, and the process name. The resulting string is transmitted to the C2:\r\nFigure 50\r\n“prof” command\r\nCase 1 – “prof|’|’|~|’|’|\u003cRegistryValue\u003e|’|’|\u003cData\u003e” – create a registry value in a specific registry key\r\nThe malware creates a value under “HKEY_CURRENT_USER\\Software\\49e91d08e684b1770e0cefa60401157a” and writes some data to it:\r\nFigure 51\r\nCase 2 – “prof|’|’|!|’|’|\u003cRegistryValue\u003e|’|’|\u003cData\u003e” – create a registry value in a specific registry key and retrieve the “!” registry value\r\nThe binary repeats the same operation from above:\r\nFigure 52\r\nThe RAT then extracts a value called “!” from the same registry key. The value’s content is sent to the C2 server:\r\nFigure 53\r\nFigure 54\r\nCase 3 – “prof|’|’|@|’|’|\u003cRegistryValue\u003e” – delete a registry value from a specific registry key\r\nnjRAT deletes the specified value from the same registry key, as highlighted in figure 55:\r\nFigure 55\r\n“rn” command\r\nCase 1 – “rn|’|’|\u003cExtension\u003e|’|’|\u003cURL\u003e” – download and run a file from the URL\r\nThe executable downloads the resource specified by the URL and stores the result as a Byte array by calling the DownloadData method:\r\nFigure 56\r\nThe array computed above will be stored in a file that is created in the TEMP directory. The file name is randomly generated and consists of 10 lowercase letters:\r\nFigure 57\r\nFigure 58\r\nThe new file is executed by calling the Start function, and a confirmation message is transmitted to the C2:\r\nFigure 59\r\nCase 2 – “rn|’|’|\u003cExtension\u003e|’|’|\u003cBase64 (Gzip compressed executable)\u003e” – decode, decompress, and execute the executable\r\nThe file decodes the Base64 encoded content and then decompresses it using the ZIP function (depending on the flag, this function could also be used to Gzip compress content):\r\nFigure 60\r\nFigure 61\r\nAs in the first case, the content will be written to a file in the TEMP directory, and a confirmation message is sent to the C2 server.\r\n“inv|’|’|\u003cRegistryValue\u003e|’|’|\u003cString1\u003e|’|’|\u003cString2\u003e” command – njRAT has plugins that can be downloaded, saved in registry keys, and then executed\r\nThe RAT checks the existence of the RegistryValue value under “HKCU\\Software\\49e91d08e684b1770e0cefa60401157a”:\r\nFigure 62\r\nIf the above value doesn’t exist and array[3] has a length of 1, the malware sends a message to the C2 and finishes the command:\r\nFigure 63\r\nIf the above value exists, its content is decoded using Base64, and a different message is forwarded to the C2 server:\r\nFigure 64\r\nFrom our analysis, this file is supposed to be a plugin of njRAT. The assembly is loaded via a function call to Assembly.Load and all the modules that are part of it are extracted using the GetModules method. The binary extracts the types defined in each module and expects some of them to have a name that ends with “.A” (a class called “A” should be defined). For each of these types found, the process creates an instance of it using the system activator:\r\nFigure 65\r\nFigure 66\r\nThe binary calls the LateSet method multiple times in order to execute multiple late-bound field write calls. Basically, variables such as “h”, “p”, “osk”, “off” are set to OK.H (C2 domain), OK.P (C2 port number), array[2] (this is provided by the C2) and “true”. The malware calls the plugin’s function called “start”:\r\nFigure 67\r\nIf the registry value mentioned above doesn’t exist and array[3] has a length greater than 1, array[3] is Base64 decoded, and then Gzip decompressed:\r\nFigure 68\r\nThe RegistryValue value is created under “HKEY_CURRENT_USER\\Software\\49e91d08e684b1770e0cefa60401157a”. The content from above that was decompressed is encoded using Base64 and stored in this value:\r\nFigure 69\r\nThe same steps starting with loading the assembly (above figure 65) are executed one more time.\r\n“ret|’|’|\u003cRegistryValue\u003e|’|’|\u003cString\u003e” command – similar to the “inv” command, this command can be used to execute a malicious assembly found in a registry key or transmitted by the C2 server\r\nThe process checks the existence of the RegistryValue value under “HKCU\\Software\\49e91d08e684b1770e0cefa60401157a”:\r\nFigure 70\r\nIf the above value doesn’t exist and array[2] has a length of 1, the malware sends a message to the C2 and finishes the command:\r\nFigure 71\r\nIf the above value exists, its content is decoded using Base64, and a different message is forwarded to the C2 server:\r\nFigure 72\r\nThe same execution flow as above figure 65 is followed (starting with Assembly.Load etc.). A variable called “GT” is retrieved by calling the LateGet method; it is encoded using the Base64 algorithm and exfiltrated to the C2 server:\r\nFigure 73\r\nIf the registry value mentioned above doesn’t exist and array[2] has a length greater than 1, array[2] is Base64 decoded, and then Gzip decompressed:\r\nFigure 74\r\nThe RegistryValue value is created under “HKEY_CURRENT_USER\\Software\\49e91d08e684b1770e0cefa60401157a”. The content from above that was decompressed is encoded using Base64 and stored in this value:\r\nFigure 75\r\nThe same steps starting with loading the assembly (above figure 65) are executed again.\r\n“CAP|’|’|\u003cWidth\u003e|’|’|\u003cHeight\u003e” command – take screenshots\r\nThe RAT creates a new Bitmap object used to create a new Graphics object by calling the Graphics.FromImage function. The CopyFromScreen method is utilized to perform a bit-block transfer of color data from the screen to the Graphics object:\r\nFigure 76\r\nThe binary initializes a new instance of the Rectangle class with a specific position and size and then draws the cursor on the Graphics object within the bounds:\r\nFigure 77\r\nThis command is used to take screenshots. GetThumbnailImage is utilized to obtain a thumbnail for the bitmap image, which is saved in the jpeg format using the Image.Save function. The malware computes the MD5 hash of the image:\r\nFigure 78\r\nFigure 79\r\nThe JFIF file is exfiltrated to the C2 server byte-by-byte:\r\nFigure 80\r\n“P” command – “Ping”\r\nThe process just sends the “P” letter to the C2:\r\nFigure 81\r\n“un” command\r\nCase 1 – “un|’|’|~” – completely uninstall the RAT\r\nThe NtSetInformationProcess API is called with information class 0x1d (29, BreakOnTermination) to mark the process as “normal”, so that it can be killed without crashing the OS and causing a BSOD. The binary deletes the value created for persistence at “HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\49e91d08e684b1770e0cefa60401157a”:\r\nFigure 82\r\nFigure 83\r\nnjRAT deletes the configured program exception from Windows Firewall. The “HKCU\\Software\\49e91d08e684b1770e0cefa60401157a” registry key is deleted, and the initial executable file is deleted as well:\r\nFigure 84\r\nCase 2 – “un|’|’|!” – kill the current process\r\nThe malicious process repeats the NtSetInformationProcess API call from above and exits:\r\nFigure 85\r\nCase 3 – “un|’|’|@” – restart the current process\r\nThe binary repeats the NtSetInformationProcess API call from above and spawns the initial executable:\r\nFigure 86\r\n“up” command\r\nCase 1 – “up|’|’|\u003cURL\u003e” – similar to the “rn” command, it’s used to update the RAT\r\nDownloadData is utilized to download an executable from a URL specified by the C2 server:\r\nFigure 87\r\nThe malicious process creates a registry value at “HKCU\\di” and saves the downloaded content in a randomly generated file name located in the TEMP directory:\r\nFigure 88\r\nThe malware sends a message to the C2 server regarding the update confirmation. The newly created executable is run with the “UP:” parameter that contains the current process ID. When the “HKCU\\di” value is equal to “!”, then the malware executes the uninstall operation:\r\nFigure 89\r\nCase 2 – “up|’|’|\u003cBase64 (Gzip compressed executable)\u003e” – similar to the “rn” command, it’s used to update the RAT\r\nThe RAT decodes the Base64 encoded content and then decompresses it using the ZIP function:\r\nFigure 90\r\nThe execution flow that starts with creating the “HKCU\\di” value is followed one more time.\r\n“RG” command\r\nCase 1 – “RG|’|’|~|’|’|\u003cRegistryKey\u003e” – enumerate the registry key\r\nThe process opens the specified registry key using the GetKey function:\r\nFigure 91\r\nFigure 92\r\nThe executable constructs a string based on the registry key from above, which will be exfiltrated later on:\r\nFigure 93\r\nThe GetSubKeyNames and GetValueNames methods are used to retrieve an array of strings that contains the subkey names and the value names associated with the key. The concatenation of the arrays is transmitted to the C2:\r\nFigure 94\r\nCase 2 – “RG|’|’|!|’|’|\u003cRegistryKey\u003e|’|’|\u003cRegistryValue\u003e|’|’|\u003cData\u003e|’|’|\u003cType\u003e” – create and set a registry value\r\nThe SetValue function is utilized to create a value under the specified registry key, which contains data provided above:\r\nFigure 95\r\nCase 3 – “RG|’|’|@|’|’|\u003cRegistryKey\u003e|’|’|\u003cRegistryValue\u003e” – delete a registry value\r\nThe DeleteValue method is used to delete the specified value from the registry key:\r\nFigure 96\r\nCase 4 – “RG|’|’|#|’|’|\u003cRegistryKey\u003e|’|’|\u003cSubKey\u003e” – create a subkey\r\nCreateSubKey is used to create a new subkey, as shown in figure 97:\r\nFigure 97\r\nCase 5 – “RG|’|’|$|’|’|\u003cRegistryKey\u003e|’|’|\u003cSubKey\u003e” – delete a subkey and any child subkeys recursively\r\nDeleteSubKeyTree is utilized to delete the subkey and any child subkeys recursively:\r\nFigure 98\r\nReferences\r\nMSDN: https://docs.microsoft.com/en-us/dotnet/api/, https://docs.microsoft.com/en-us/windows/win32/api/\r\ndnSpy: https://github.com/dnSpy/dnSpy\r\nFakeNet: https://github.com/fireeye/flare-fakenet-ng\r\nVirusTotal: https://www.virustotal.com/gui/file/833f86074592648c0a758098e34ab605a2b922d94dbab7141e2ce87acec03c35\r\nAny.run: https://app.any.run/tasks/78913e0b-1419-4571-8611-ac3372ffd578/\r\nESET: https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/\r\nTalos: https://blog.talosintelligence.com/2021/07/sidecopy.html\r\nK7Computing: https://labs.k7computing.com/index.php/malspam-campaigns-download-njrat-from-paste-sites/\r\nINDICATORS OF COMPROMISE\r\nC2 domain: 44gang44.duckdns[.]org:2222\r\nSHA256: 833f86074592648c0a758098e34ab605a2b922d94dbab7141e2ce87acec03c35\r\nRegistry keys and values:\r\nHKCU\\Software\\49e91d08e684b1770e0cefa60401157a\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\49e91d08e684b1770e0cefa60401157a\r\nHKCU\\di\r\nFiles:\r\nC:\\Users\\\u003cUser\u003e\\AppData\\Roaming\\services64.exe\r\nC:\\Users\\\u003cUser\u003e\\AppData\\Roaming\\services64.exe.tmp\r\nMutex: 49e91d08e684b1770e0cefa60401157a\r\nSource: https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/"
	],
	"report_names": [
		"just-another-analysis-of-the-njrat-malware-a-step-by-step-approach"
	],
	"threat_actors": [
		{
			"id": "64d750e4-67db-4461-bae2-6e75bfced852",
			"created_at": "2022-10-25T16:07:24.01415Z",
			"updated_at": "2026-04-10T02:00:04.839502Z",
			"deleted_at": null,
			"main_name": "Operation Spalax",
			"aliases": [],
			"source_name": "ETDA:Operation Spalax",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"Jorik",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434128,
	"ts_updated_at": 1775792138,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4e5bfaf0f8dc77d358ecf35d7eb8f383aae434b.pdf",
		"text": "https://archive.orkl.eu/d4e5bfaf0f8dc77d358ecf35d7eb8f383aae434b.txt",
		"img": "https://archive.orkl.eu/d4e5bfaf0f8dc77d358ecf35d7eb8f383aae434b.jpg"
	}
}