Home
//
projects
//
static-analysis-of-njrat-v0-6-4
ProjectJune 29, 2026

Static Analysis of njRAT v0.6.4

A static analysis of njRAT v0.6.4, a well-known Remote Access Trojan first observed in 2012 and linked to a developer known as njq8. The sample, obtained from the theZoo malware repository, was analyzed using DIE, strings, and dnSpy. Analysis reveals the main executable is a dropper that silently delivers two obfuscated payloads. The writeup covers dropper behavior, privilege escalation indicators, registry-based persistence, firewall modification, capability analysis including keylogging, credential theft, remote shell, and camera surveillance, as well as encryption indicators and attribution artifacts extracted from the binary. Several findings remain unconfirmed pending dynamic analysis.

malware-analysisstatic-analysisnjRAT RAT reverse-engineeringdotnet windows infosec

# Introduction

The njRAT is a RAT which was seen for the first time in 2012 and has since been linked to a developer referred to as njq8. njRAT has been popularly used in targeted campaigns in the Middle East and North Africa region and stands out due to the wide variety of capabilities that it possesses, such as keylogging, credential theft, remote shells, and camera spying. In this paper, I perform a static analysis of njRAT version 0.6.4 which is hosted in the theZoo malware repository. The analysis involves the examination of sample ID, execution, persistence, capabilities, encryption techniques, and attribution.

# Sample Identification

The sample was obtained from the theZoo malware repository. https://github.com/ytisf/theZoo/blob/master/malware/Binaries/njRAT-v0.6.4/njRAT-v0.6.4.zip.

The following metadata was extracted from the main exe file through strings on it.

ProjectnjRat
Version0.6.4
Coded Bynjq8
FireFox StealerDarkSel
Paltalk Stealerpr0t0fag
Chrome StealerRockingWithTheBest
Opera StealerBlack-Blood, KingCobra
Icon ChangerMiharbi
Thnx ToMaSad ,CoBrAxXx
twitterhttps://twitter.com/njq8

The extracted zip file contains a few files and a folder. GeoIP.dat Mono.Cecil.dll NAudio.dll njRAT.exe Plugin\ stub.il

Pasted image 20260629133316

# Initial Triage

I started by collecting general information about the exe using DIE. It revealed the following;

  1. Eazfuscator is protector
  2. Obfuscation indicators
  3. VB.NET Language
  4. Library: .NET Framework

Pasted image 20260627135347

Looking at the exe in dnspy I gather that this file is just a dropper file. There are 2 files that are called, "njRat.exe" and "njq8.exe".

A dropper is a type of malware that is designed to deliver and install additional malicious payloads in to the target system.

Having said that, these 2 files seem to be heavily obfuscated and I would first need to deobfuscate them before looking at them in dnspy further. de4dot seems to have worked perfectly and now class and method names have actual names and not some unprintable unicode characters.

# Privilege and Execution Behavior

Looking at the manifest file, I could see that this exe should run asInvoker, meaning that it would run with the privileges that of the user account that ran it, additionally, uiAccess is set to false, which means that the program does not need to interact with or drive input to higher-privilege user interface elements.

Further analysis of the exe through strings reveals something interesting. There is another manifest, this manifest has higher permissions, requireAdminstrator. My theory is that the first manifest could be a decoy and the second one is used to escalate privileges.

DecoyEscalator
Pasted image 20260629122411Pasted image 20260629122533

The contradiction between the two manifests is actually interesting - A possible theory could be that this is a privilege escalation technique to run the malware with higher privileges.

# Persistence Mechanism

A malicious registry key hash was found "ecc7c8c51c0850c1ec247c7fd3602f20" so this almost confirms that this sample has a persistence capability and that is done through the windows registry. To further confirm this, the following strings are present in the exe. createSubKey, openSubKey, getRegistry and RegistryProxy. Finally, DeleteSubKeyTree which must be used for clean up.

Pasted image 20260629133455

So this RAT does not only have persistence capabilities but also clean up capabilities. Googling this shows that the targeted registry key hive is HKEY_CURRENT_USER, dynamic analysis could yield more information about this.

The RAT also makes changes to the firewall through commands like netsh firewall.

# Capability Analysis

So far, the list of capabilities I came up with are the following;

  1. Keylogger
  2. Password Stealer
  3. Remote Desktop
  4. Camera Spy
  5. Registry tool strip
  6. Remote shell
  7. Process manager
  8. C2 Connection
  9. Geographical capabilities

Presence of NAudio.dll and camera-related DLLs suggests audio and visual capture capability, unconfirmed without dynamic analysis.

Furthermore, there is a geoIP.dat file. A data file that the following string: " GEO-106FREE 20130402" which is an identifier for the MaxMind free GeoIP Country Edition database. This is most likely used for victim geolocation, either for filtering or targetting specific nations.

The numbers in the end of the identifier is the build date 02/April/2013.

Additionally, the string "tcpClient" is present, which tells me that this is how the malware is contacting the C2 server. There is this domain that is down, "zaaptoo.zapto.org". External reporting links this domain to njRAT infrastructure, and the domain is currently inactive.

# Encryption, Hashing and Obfuscation

There are strings that indicate that there are also encryption capabilities. "MD5CryptoServiceProvider", "TripleDES", "toBase64" and "fromBase64".

This means that network traffic capture alone is insufficient to expose C2 communications without knowledge of the encryption key.

TripleDES and base64 is probably used to encrypt C2 config and/or C2 traffic.

Pasted image 20260629133640

# Attribution Artifacts

ArtifactExplanation
"C:\Users\algha_000\AppData\Local\Temporary Projects\EnKSaR.HaCKeR\obj\x86\Release\EnKSaR.HaCKeR.pdb"PDB Path which says that the developer's user account is called algha_000, the project name and the build configuration
Strings like "EnKSaR HaCKeR"The group associated with this malware, googling this confirms it
Author metadatamentioned in Sample Identification
Many GUIDs$45037699-51f9-4e37-b9b4-00d81aee540e $bc5d7fc9-797d-4a78-84f4-fb571511b49a

I dont have a theory or a guess as to what these GUIDs are for or why they are there. But could be an IOC.

# Indicators of Compromise (IOC Table)

TypeValue
MD5 hash associated with a known malicious registry keyecc7c8c51c0850c1ec247c7fd3602f20
PDB PathC:\Users\algha_000\AppData...
Firewall stringnetsh firewall add allowedprogram
Builder identityEnKSaR.HaCKeR v0.6.4
GUIDs$45037699... / $bc5d7fc9...
Dropped filesnjRAT.exe, njq8.exe
C2 Domainzaaptoo.zapto.org

# Conclusion

Static analysis of the sample shows that it is a dropper that silently drops two obfuscated payloads: njRAT.exe and njq8.exe. The dropper is crafted in such a way that it does not make its presence known to the user; this can be seen in the code through the Opacity=0.0 and ShowInTaskbar=false settings. The full list of capabilities determined via static analysis corresponds to a well-developed remote access trojan and infostealer: keylogging, credential stealing, remote shell, webcam functionality, registry persistence, firewalls alteration, and encrypted C2 communication via TCP with TripleDES. Several features are left unconfirmed by static analysis but require dynamic analysis confirmation – capturing audio and video through NAudio, the particular keys used for persistence in the registry, and the usage of two GUIDs within the code.