Static Analysis of njRAT v0.6.4
A static analysis of njRAT v0.6.4, a well-known Remote Access Trojan first observed in 2012 and linked to a developer known as njq8. The sample, obtained from the theZoo malware repository, was analyzed using DIE, strings, and dnSpy. Analysis reveals the main executable is a dropper that silently delivers two obfuscated payloads. The writeup covers dropper behavior, privilege escalation indicators, registry-based persistence, firewall modification, capability analysis including keylogging, credential theft, remote shell, and camera surveillance, as well as encryption indicators and attribution artifacts extracted from the binary. Several findings remain unconfirmed pending dynamic analysis.
# Introduction
The njRAT is a RAT which was seen for the first time in 2012 and has since been linked to a developer referred to as njq8. njRAT has been popularly used in targeted campaigns in the Middle East and North Africa region and stands out due to the wide variety of capabilities that it possesses, such as keylogging, credential theft, remote shells, and camera spying. In this paper, I perform a static analysis of njRAT version 0.6.4 which is hosted in the theZoo malware repository. The analysis involves the examination of sample ID, execution, persistence, capabilities, encryption techniques, and attribution.
# Sample Identification
The sample was obtained from the theZoo malware repository. https://github.com/ytisf/theZoo/blob/master/malware/Binaries/njRAT-v0.6.4/njRAT-v0.6.4.zip.
The following metadata was extracted from the main exe file through strings on it.
| Project | njRat |
| Version | 0.6.4 |
| Coded By | njq8 |
| FireFox Stealer | DarkSel |
| Paltalk Stealer | pr0t0fag |
| Chrome Stealer | RockingWithTheBest |
| Opera Stealer | Black-Blood, KingCobra |
| Icon Changer | Miharbi |
| Thnx To | MaSad ,CoBrAxXx |
| https://twitter.com/njq8 |
The extracted zip file contains a few files and a folder. GeoIP.dat Mono.Cecil.dll NAudio.dll njRAT.exe Plugin\ stub.il

# Initial Triage
I started by collecting general information about the exe using DIE. It revealed the following;
- Eazfuscator is protector
- Obfuscation indicators
- VB.NET Language
- Library: .NET Framework

Looking at the exe in dnspy I gather that this file is just a dropper file. There are 2 files that are called, "njRat.exe" and "njq8.exe".
A dropper is a type of malware that is designed to deliver and install additional malicious payloads in to the target system.
Having said that, these 2 files seem to be heavily obfuscated and I would first need to deobfuscate them before looking at them in dnspy further. de4dot seems to have worked perfectly and now class and method names have actual names and not some unprintable unicode characters.
# Privilege and Execution Behavior
Looking at the manifest file, I could see that this exe should run asInvoker, meaning that it would run with the privileges that of the user account that ran it, additionally, uiAccess is set to false, which means that the program does not need to interact with or drive input to higher-privilege user interface elements.
Further analysis of the exe through strings reveals something interesting. There is another manifest, this manifest has higher permissions, requireAdminstrator. My theory is that the first manifest could be a decoy and the second one is used to escalate privileges.
| Decoy | Escalator |
|---|---|
![]() | ![]() |
The contradiction between the two manifests is actually interesting - A possible theory could be that this is a privilege escalation technique to run the malware with higher privileges.
# Persistence Mechanism
A malicious registry key hash was found "ecc7c8c51c0850c1ec247c7fd3602f20" so this almost confirms that this sample has a persistence capability and that is done through the windows registry. To further confirm this, the following strings are present in the exe. createSubKey, openSubKey, getRegistry and RegistryProxy. Finally, DeleteSubKeyTree which must be used for clean up.

So this RAT does not only have persistence capabilities but also clean up capabilities. Googling this shows that the targeted registry key hive is HKEY_CURRENT_USER, dynamic analysis could yield more information about this.
The RAT also makes changes to the firewall through commands like netsh firewall.
# Capability Analysis
So far, the list of capabilities I came up with are the following;
- Keylogger
- Password Stealer
- Remote Desktop
- Camera Spy
- Registry tool strip
- Remote shell
- Process manager
- C2 Connection
- Geographical capabilities
Presence of NAudio.dll and camera-related DLLs suggests audio and visual capture capability, unconfirmed without dynamic analysis.
Furthermore, there is a geoIP.dat file. A data file that the following string: " GEO-106FREE 20130402" which is an identifier for the MaxMind free GeoIP Country Edition database. This is most likely used for victim geolocation, either for filtering or targetting specific nations.
The numbers in the end of the identifier is the build date 02/April/2013.
Additionally, the string "tcpClient" is present, which tells me that this is how the malware is contacting the C2 server. There is this domain that is down, "zaaptoo.zapto.org". External reporting links this domain to njRAT infrastructure, and the domain is currently inactive.
# Encryption, Hashing and Obfuscation
There are strings that indicate that there are also encryption capabilities. "MD5CryptoServiceProvider", "TripleDES", "toBase64" and "fromBase64".
This means that network traffic capture alone is insufficient to expose C2 communications without knowledge of the encryption key.
TripleDES and base64 is probably used to encrypt C2 config and/or C2 traffic.

# Attribution Artifacts
| Artifact | Explanation |
|---|---|
| "C:\Users\algha_000\AppData\Local\Temporary Projects\EnKSaR.HaCKeR\obj\x86\Release\EnKSaR.HaCKeR.pdb" | PDB Path which says that the developer's user account is called algha_000, the project name and the build configuration |
| Strings like "EnKSaR HaCKeR" | The group associated with this malware, googling this confirms it |
| Author metadata | mentioned in Sample Identification |
| Many GUIDs | $45037699-51f9-4e37-b9b4-00d81aee540e $bc5d7fc9-797d-4a78-84f4-fb571511b49a |
I dont have a theory or a guess as to what these GUIDs are for or why they are there. But could be an IOC.
# Indicators of Compromise (IOC Table)
| Type | Value |
|---|---|
| MD5 hash associated with a known malicious registry key | ecc7c8c51c0850c1ec247c7fd3602f20 |
| PDB Path | C:\Users\algha_000\AppData... |
| Firewall string | netsh firewall add allowedprogram |
| Builder identity | EnKSaR.HaCKeR v0.6.4 |
| GUIDs | $45037699... / $bc5d7fc9... |
| Dropped files | njRAT.exe, njq8.exe |
| C2 Domain | zaaptoo.zapto.org |
# Conclusion
Static analysis of the sample shows that it is a dropper that silently drops two obfuscated payloads: njRAT.exe and njq8.exe. The dropper is crafted in such a way that it does not make its presence known to the user; this can be seen in the code through the Opacity=0.0 and ShowInTaskbar=false settings. The full list of capabilities determined via static analysis corresponds to a well-developed remote access trojan and infostealer: keylogging, credential stealing, remote shell, webcam functionality, registry persistence, firewalls alteration, and encrypted C2 communication via TCP with TripleDES. Several features are left unconfirmed by static analysis but require dynamic analysis confirmation – capturing audio and video through NAudio, the particular keys used for persistence in the registry, and the usage of two GUIDs within the code.

