Detailed Features
NjRAT Red Version Error 404 is a derivative of the NjRAT family. The features below are consistent across most NjRAT variants and are therefore expected in this version as well, possibly with customizations or enhancements specific to this build.
1. Remote Access and Control
- Functionality: Gives the attacker full remote control of an infected Windows host through a graphical control panel (the NjRAT controller GUI).
- Details: On execution, the implant connects back to the attacker's command-and-control (C&C) server and registers itself, reporting system details such as the victim's IP address, OS version, username, and computer name; the controller lists each victim with this information. From there the attacker can browse and manipulate files and run commands without any visible indication to the victim.
- Persistence: The implant registers itself to start automatically (NjRAT variants typically use a Run registry key and/or a copy in the Startup folder) and reconnects to the C&C server after every reboot. Access therefore persists until the implant and its autostart entry are removed from the host, not merely when the attacker disconnects.
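The check-in described above is what a network analyst sees first. The parser below is an added example, not code from the page or from the malware: it assumes the framing documented in public NjRAT analyses (each message is a decimal length, a NUL byte, then the payload; fields inside the payload are separated by the literal delimiter |'|'|, with the first field naming the command) and runs it over a constructed capture. The field contents in the sample are illustrative, not real victim data.

```python
"""Parse NjRAT-style C&C traffic from a captured TCP payload (added example).

Assumed framing (from public NjRAT analyses): "<decimal length>" NUL "<payload>",
fields separated by |'|'|, first field = command. Sample stream is constructed.
"""

DELIM = b"|'|'|"


def split_frames(stream: bytes) -> list[bytes]:
    """Return the payload of each complete length-prefixed frame in `stream`.

    Stops quietly at the first malformed or truncated frame so that a partial
    capture yields the frames that were complete instead of raising.
    """
    frames = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0:
            break
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            break
        length = int(length_field)
        start = nul + 1
        if start + length > len(stream):
            break  # truncated frame: wait for more data
        frames.append(stream[start:start + length])
        pos = start + length
    return frames


def parse_frame(payload: bytes) -> tuple[str, list[str]]:
    """Split a payload into (command, fields) on the NjRAT delimiter."""
    parts = payload.split(DELIM)
    command = parts[0].decode("utf-8", "replace")
    fields = [p.decode("utf-8", "replace") for p in parts[1:]]
    return command, fields


def triage_stream(stream: bytes) -> list[dict]:
    """Flag frames that carry the NjRAT delimiter and summarise them."""
    hits = []
    for payload in split_frames(stream):
        if DELIM not in payload:
            continue
        command, fields = parse_frame(payload)
        hits.append({"command": command, "field_count": len(fields), "fields": fields})
    return hits


def build_sample_stream() -> bytes:
    """Constructed capture: a registration-style frame followed by a short frame."""
    registration = DELIM.join([
        b"ll",                 # command: host check-in (constructed example)
        b"SFQ_1A2B3C4D",       # victim identifier (constructed)
        b"DESKTOP-01",         # computer name (constructed)
        b"alice",              # username (constructed)
        b"Win 10 Pro x64",     # OS version string (constructed)
    ])
    keepalive = b"P"           # constructed single-byte frame with no delimiter
    return b"".join(str(len(p)).encode() + b"\x00" + p
                    for p in (registration, keepalive))
```

This only matches cleartext NjRAT traffic; forks and crypters that wrap or encode the stream will not trigger it, so treat a hit as one signal alongside the reconnect-on-boot behaviour rather than as the sole detection.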
2. Keylogging
- Functionality: Records every keystroke on the infected system, exposing passwords, email contents, and messages.
- Details: The keylogger polls the keyboard state with the Win32 GetAsyncKeyState function rather than installing a hook, detecting key presses and releases asynchronously. Virtual-key codes are converted into their printable characters, taking the Shift and Caps Lock state into account, and non-printable keys are mapped to fixed tokens (e.g., [ENTER], [F1]). The resulting text is appended to a local log for later exfiltration. Because polling reads key state globally, the log captures input to every application, including password fields.
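The normalization described above, as an added example that is not the malware's code: it models a GetAsyncKeyState-style polling loop over a constructed stream of keyboard snapshots instead of calling the Win32 API, so it runs anywhere. Virtual-key codes are the standard Windows values; the token names other than [ENTER] and [F1] are this example's own choices.

```python
"""Keystroke normalisation of a polling keylogger (added example, not NjRAT code).

Each snapshot is (set of virtual-key codes currently down, caps-lock on).
"""

VK_BACK, VK_TAB, VK_RETURN, VK_SHIFT, VK_SPACE = 0x08, 0x09, 0x0D, 0x10, 0x20
VK_F1, VK_F12 = 0x70, 0x7B

SPECIAL_KEYS = {VK_BACK: "[BACK]", VK_TAB: "[TAB]", VK_RETURN: "[ENTER]"}
SHIFTED_DIGITS = dict(zip("0123456789", ")!@#$%^&*("))  # US layout assumed


def vk_to_text(vk: int, shift: bool, caps: bool) -> str:
    """Translate one virtual-key code into the string a keylogger would record."""
    if 0x41 <= vk <= 0x5A:               # A..Z: case follows Shift XOR Caps Lock
        letter = chr(vk)
        return letter if shift != caps else letter.lower()
    if 0x30 <= vk <= 0x39:               # 0..9: Shift selects the symbol row
        digit = chr(vk)
        return SHIFTED_DIGITS[digit] if shift else digit
    if VK_F1 <= vk <= VK_F12:
        return f"[F{vk - VK_F1 + 1}]"
    if vk == VK_SPACE:
        return " "
    if vk in SPECIAL_KEYS:
        return SPECIAL_KEYS[vk]
    return f"[0x{vk:02X}]"                # anything else is logged by its code


def log_from_snapshots(snapshots) -> str:
    """Emit text only on up->down transitions, as GetAsyncKeyState polling does.

    A key held across several polls is logged once; Shift itself is never
    logged, only applied to the keys pressed while it is down.
    """
    log = []
    previously_down = set()
    for down, caps in snapshots:
        shift = VK_SHIFT in down
        for vk in sorted(down - previously_down):
            if vk == VK_SHIFT:
                continue
            log.append(vk_to_text(vk, shift, caps))
        previously_down = set(down)
    return "".join(log)


def build_sample_log() -> str:
    """Constructed typing: Shift+h, i (held two polls), Shift+1, Enter, F1,
    then 'a' with Caps Lock on and Shift+b with Caps Lock on."""
    H, I, ONE, A, B = 0x48, 0x49, 0x31, 0x41, 0x42
    snapshots = [
        ({VK_SHIFT}, False),
        ({VK_SHIFT, H}, False),
        ({H}, False),            # Shift released first, H still held
        (set(), False),
        ({I}, False),
        ({I}, False),            # still held: must not be logged again
        ({VK_SHIFT, ONE}, False),
        (set(), False),
        ({VK_RETURN}, False),
        (set(), False),
        ({VK_F1}, False),
        (set(), True),           # Caps Lock toggled on
        ({A}, True),
        ({VK_SHIFT, B}, True),   # Shift and Caps Lock cancel out
    ]
    return log_from_snapshots(snapshots)
```

The edge-detection step is why a key held down appears once in NjRAT logs even though the state is polled many times a second; on the defensive side, that same high-frequency polling of GetAsyncKeyState from a user-mode process is what API-monitoring and EDR heuristics key on.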
3. File Management
- Functionality: Lets the attacker upload, download, delete, or otherwise manipulate files on the victim's system.
- Details: Through the NjRAT controller, the attacker can browse directories, download, upload, rename or delete files, and execute files on the host. This serves both data theft (exfiltrating documents to the C&C server) and the staging of additional malicious payloads.
4. System Surveillance
- Functionality: Captures screenshots, records audio and video, and accesses the victim's webcam for real-time monitoring.
- Details: The malware can take screenshots on demand or at intervals, record from the microphone (some variants ship or download NAudio.dll for this), and stream the webcam, giving the attacker a live view of the victim's environment. These capabilities make NjRAT a capable espionage tool despite its simplicity.
5. Remote Shell and Command Execution
- Functionality: Provides a remote shell for executing commands on the infected system.
- Details: The attacker can open an interactive command shell on the host, terminate processes, reboot or shut down the system, and change system settings. The same channel is used to download and run further payloads, including ones hosted on paste sites such as Pastebin.
6. Registry and Process Manipulation
- Functionality: Modifies registry keys and manages running processes.
- Details: NjRAT can read, write, or delete registry entries, which it uses both for its own persistence and to disable security features. Its process manager lets the attacker list, kill, or restart processes and delete their executables, which is commonly used to terminate antivirus processes. It can also mask or protect its own process (such as by adopting a system process name or marking itself as a critical process), which hampers termination and cleanup.
7. Evasion Techniques
- Functionality: Uses several methods to avoid detection by antivirus products and security analysts.
- Details: The .NET binary is run through obfuscators to hinder decompilation, the process is disguised or protected as described under registry and process manipulation, and antivirus-related processes are killed. Some builds detect virtual machines or sandboxes and change their behavior when one is found, frustrating automated analysis. Second-stage components are fetched from legitimate services such as Pastebin, so the downloads blend into ordinary web traffic and the hosted content can be swapped without modifying the implant.