File Identity
| Field | Value |
|---|---|
| SHA256 | 39cbd2d2299ebbc1eba6bb1ffab7d87f0016715fb237d0a1a253262b4b9cea13 |
| Size | 95,232 bytes |
| Platform | .NET 2.0 (v2.0.50727) |
| String count | 998 |
Family Detection Signatures
- avicap32.dll -- Webcam API library (signature of NjRAT's camera feature)
- capGetDriverDescriptionA -- Webcam driver enumeration (specific to NjRAT)
- CsAntiProcess -- NjRAT's anti-AV / process-killing module
- TcpClient -- TCP connection object
- GZipStream -- Data compression (prior to exfiltration)
- Socket / Connect -- Network communication
- Screen / get_PrimaryScreen / CopyFromScreen -- Screen capture
- ClipboardProxy / Clipboard -- Clipboard access
- GetActiveTcpConnections -- Enumeration of active TCP connections
- timx_run / timy_run -- Timer-based callbacks
NjRAT Capabilities
| Feature | Detail |
|---|---|
| Webcam | Live viewing via avicap32.dll |
| Keylogger | Keystroke logging based on GetAsyncKeyState |
| Screenshot | Screen capture via CopyFromScreen |
| Clipboard | Read/modify clipboard contents |
| File management | Upload/download, delete, create |
| Command line | Remote cmd/PowerShell |
| Anti-AV | Terminates AV processes via CsAntiProcess |
| Compression | GZip data compression (to save bandwidth) |
About NjRAT
NjRAT (also known as Bladabindi) was written in 2013 by a developer known by the alias nj/njq8, targeting users in the Middle East. It is VB.NET based, and dozens of variants derived from its open-source code exist. It is widespread in the Middle East, North Africa and Asia, and is also used by APT groups that target government and military institutions.
IOC
| Field | Value |
|---|---|
| SHA256 | 39cbd2d2299ebbc1eba6bb1ffab7d87f0016715fb237d0a1a253262b4b9cea13 |
| Signatures | avicap32.dll, capGetDriverDescriptionA, CsAntiProcess |
| Platform | .NET v2.0.50727 |
| C2 | Runtime (TcpClient, hardcoded config) |
NjRAT — Malware Profile
njRAT Bladabindi. Spanish cotizacion lure. get_Panel1 C2 panel. MENA + Latin America targeting.
Technical Details
TCP port 1177 (default), XOR-based communication encryption, .NET Framework 2.0+, Mutex: {GUID}, Registry Run key persistence, keylogger (GetAsyncKeyState), clipboard monitor, screenshot, remote shell, remote camera
Attribution / Threat Actor
Arabic-speaking cybercrime communities, mostly groups in the MENA (Middle East and North Africa) region. It has also been used by Syrian groups during the conflict period.
Capabilities & Behavior
IOC List (1 indicator)
| Type | Value | Note |
|---|---|---|
| sha256 | 39cbd2d2299ebbc1eba6bb1ffab7d87f0016715fb237d0a1a253262b4b9cea13 | — |
C2 Servers (8 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| system.io | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.