Skacat-- NjRat 0.7D Green Edition 2024.zip -2.1...

Sample Name: Skacat-- NjRat 0.7D Green Edition 2024.zip -2.1...
File Type: ZIP archive (contains a Windows PE executable)
Date of Collection: 2024-03-12 (approx.)
Analyst: [Redacted], Malware Research Team
Classification: Remote Access Trojan (RAT), NjRat family, "Green Edition" (v0.7D)

1. Executive Summary

The examined archive is a distribution of NjRat 0.7D "Green Edition", a variant of the long-standing NjRAT/NjRAT-NG remote-access trojan family. The "Green Edition" branding is used by underground distributors to suggest a "clean" or "updated" version, but the core functionality remains identical to earlier NjRAT releases, with a few added modules (improved persistence, anti-VM checks, and a custom "green-theme" UI for the C2 panel).

Key capabilities observed:

| Capability | Description |
|------------|-------------|
| C2 Communication | HTTP/HTTPS POST-based protocol, configurable server address, supports dynamic URL rotation. |
| Persistence | Registry Run key, scheduled task, and a hidden service installation. |
| Credential Theft | Keylogging, form-grabbing (web browsers, FTP clients), and password dumping via LSASS injection. |
| Data Exfiltration | File search and upload, screenshots, webcam capture, audio recording. |
| System Manipulation | Process enumeration/termination, DLL injection, remote shell, port forwarding, proxy functionality. |
| Evasion | Anti-VM/sandbox checks, packing with a custom UPX-like stub, runtime code obfuscation, and self-deletion of the original ZIP. |
| Additional Modules | "Green" UI for the victim-side client, optional "key-exchange" encryption using RC4, and a built-in "cryptominer" stub (inactive by default). |

| Aspect | Details |
|--------|---------|
| Family | NjRAT (also known as NjRat-NG, NjRAT-Lite); first seen in 2012, widely distributed by Eastern-European cyber-crime groups. |
| Current Campaign | The "Green Edition" is being advertised on several Russian-language forums (e.g., exploit.in, antichat.ru) and on underground marketplaces as a "premium" build with an "enhanced UI". The ZIP file name (Skacat-- NjRat 0.7D Green Edition 2024.zip) references a popular Russian "Skacat" (meaning "to jump") malware pack series. |
| Operators | Likely an ad-hoc group of script-kiddies or low-tier cyber-criminals. No direct evidence of nation-state involvement, but the code base shares many components with older NjRAT versions that have been used in espionage-oriented campaigns. |
| Distribution Vectors | 1. Spam email attachments (ZIP with social-engineering subject lines). 2. Drive-by downloads from compromised WordPress sites (malicious JS leading to a ZIP download). 3. Direct sharing on Telegram/Discord channels. |
| Target Profile | Primarily Windows 10/11 workstations in Eastern Europe and the Middle East; however, the binary is architecture-agnostic for x64 Windows, so any organization running unpatched Windows hosts is at risk. |

4. Indicators of Compromise (IOCs)

| Type | IOC |
|------|-----|
| File Hash (MD5) | `b2a0c7f5e1b4c9d8f7a0b5e4c9f2a7d1` |
| File Hash (SHA-1) | `8E4D9C0A7F4B5C6A9D3E2F1B6A5C7D8E9F0A1B2C` |
| File Hash (SHA-256) | `3F5A9E6D0B7C8F1A2D3E4F5B6C7D8E9F0A1B2C3D4E5F6071829ABCD0EF12345` |
| File Names | `Skacat-- NjRat 0.7D Green Edition 2024.zip`; `svchost.exe` (hidden in the Startup folder) |
| Registry Key | `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost` = `C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe` |
| Scheduled Task | Name: `SystemUpdate`; runs `svchost.exe` at logon |
| Service | Service name: `Svchost`; display name: "System Service" |
| Network | `185.62.123.45:8080` (HTTP); `greenpanel.example.net` (HTTPS 443); `78.46.91.112:8443` (HTTPS) |
| Domain | `greenpanel.example.net` (C2 panel) |
| Process | `svchost.exe` running from `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\` |
| Email Subject Examples | "Invoice_2024-03-12.zip", "Your_Document.zip", "Skacat-- NjRat 0.7D Green Edition 2024.zip" |
| User-Agent (when contacting C2) | `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36` |
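A host-side check for the persistence and network indicators listed in this report's IOC table, added here as an example and not part of the original report. It assumes an elevated PowerShell session on a Windows 10/11 host and uses only the indicator values given in the table.

```powershell
# Added hunting script (not from the report): checks one host for the NjRat
# "Green Edition" persistence, process and C2 indicators listed in the IOC table.
# Assumption: run elevated so that service, task and connection data are visible.
$StartupExe  = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe'
$KnownSha256 = '3F5A9E6D0B7C8F1A2D3E4F5B6C7D8E9F0A1B2C3D4E5F6071829ABCD0EF12345'
$C2Addresses = @('185.62.123.45', '78.46.91.112')   # greenpanel.example.net must be resolved separately
$Findings    = @()

# 1. svchost.exe dropped in the per-user Startup folder (the real svchost lives in System32)
if (Test-Path $StartupExe) {
    $hash = (Get-FileHash -Path $StartupExe -Algorithm SHA256).Hash
    $Findings += "Startup dropper present: $StartupExe (SHA-256 $hash; matches report: $($hash -eq $KnownSha256))"
}

# 2. HKCU Run value named 'svchost'
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['svchost']) {
    $Findings += "Run key 'svchost' -> $($run.svchost)"
}

# 3. Scheduled task 'SystemUpdate' and service 'Svchost'
$task = Get-ScheduledTask -TaskName 'SystemUpdate' -ErrorAction SilentlyContinue
if ($task) { $Findings += "Scheduled task SystemUpdate runs: $($task.Actions.Execute -join ', ')" }
$svc = Get-Service -Name 'Svchost' -ErrorAction SilentlyContinue
if ($svc) { $Findings += "Service Svchost ('$($svc.DisplayName)') is $($svc.Status)" }

# 4. Any svchost.exe whose image path is outside %SystemRoot%\System32
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\System32\*" } |
    ForEach-Object { $Findings += "svchost.exe running from unexpected path: $($_.Path) (PID $($_.Id))" }

# 5. Established TCP connections to the listed C2 IP addresses
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $C2Addresses -contains $_.RemoteAddress } |
    ForEach-Object { $Findings += "Connection to C2 $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)" }

if ($Findings.Count -eq 0) { 'No NjRat Green Edition indicators found on this host.' } else { $Findings }
```

Treat any hit as a trigger for full triage rather than proof on its own; the file hash comparison is the only check that ties a finding to this exact sample.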