Static Analysis — NjRAT | HIGH | CVSS: 7.5
File
| SHA256 | b54ee709bc4da31ddaf192d2441806014cb528a9239e7864ba965999b2b50987 |
|---|---|
| MD5 | a20db9a62dee9cec05208b5acaa8cbb4 |
| File | b54ee709bc4da31ddaf192d2441806014cb528a9239e7864ba965999b2b50987.exe |
| Size | 34,826,752 bytes |
| Type | PE32+ executable for MS Windows 6.01 (GUI), x86-64, 9 sections |
| Strings | 195,750 |
PDB: D:\a\_work\1\s\binaries\Win32\Release\pdmui.pdb
Sections
| Name | Entropy |
|---|---|
| .text | 6.24 |
| .rdata | 6.3 |
| .data | 4.36 |
| .pdata | 5.06 |
| .xdata | 1.6 |
| .idata | 4.08 |
| .reloc | 5.4 |
| .symtab | 5.09 |
| .rsrc | 5.75 |
Import Table
kernel32.dll
IOC
| SHA256 | b54ee709bc4da31ddaf192d2441806014cb528a9239e7864ba965999b2b50987 |
|---|---|
| MD5 | a20db9a62dee9cec05208b5acaa8cbb4 |
| IP | 2.5.29.17, 4.0.0.0, 1.0.0.0, 4.69.1.0, 2.2.0.0, 6.3.0.0, 1.3.6.1, 6.0.0.0 |
| Domain | stem.net, toupperioft.com, comodoca.com, resultpanel.ru, entrust.net, regsql.ru, openxmlformats.org, resourcestrings.ru |
| BTC | 1ActiveDirectoryTransportType |
| Mutex | LpAcquireInstallationMutex, runtime.mutex, get_FileMutex, QAE_NPAVQMutex, QEAA_NPEAVQMutex |
| PDB | D:\a\_work\1\s\binaries\Win32\Release\pdmui.pdb |
| C2 | stem.net, toupperioft.com, comodoca.com, resultpanel.ru, entrust.net |
NjRAT — Malware Profile
njRAT Bladabindi. Spanish cotizacion lure. get_Panel1 C2 panel. MENA + Latin America targeting.
Malware Type
RAT
Programming Language
VB.NET
C2 Protocol
TCP (default port 1177)
Target Systems
Windows
Also Known As (AKA)
Bladabindi, H-Worm, houdini
Technical Details
TCP port 1177 (default), XOR-based communication encryption, .NET Framework 2.0+, Mutex: {GUID}, Registry Run key persistence, Keylogger (GetAsyncKeyState), clipboard monitor, screenshot, remote shell, remote camera
Attribution / Threat Actor
Arabic-speaking cybercrime communities, mostly groups in the MENA (Middle East and North Africa) region. It has also been used by Syrian groups during the war period.
Capabilities & Behavior
Remote Access & Control
Keylogger
Screenshot
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism
IOC List (31 indicators)
IOC — NjRAT
# BTC
1ActiveDirectoryTransportType
# IP
2.5.29.17
# IP
4.0.0.0
# IP
1.0.0.0
# IP
4.69.1.0
# IP
2.2.0.0
# IP
6.3.0.0
# IP
1.3.6.1
# IP
6.0.0.0
# IP
2.5.29.7
# IP
2.5.4.3
# DOMAIN
stem.net
# DOMAIN
toupperioft.com
# DOMAIN
comodoca.com
# DOMAIN
resultpanel.ru
# DOMAIN
entrust.net
# DOMAIN
regsql.ru
# DOMAIN
openxmlformats.org
# DOMAIN
resourcestrings.ru
# DOMAIN
thawte.com
# DOMAIN
data.ru
# MUTEX
LpAcquireInstallationMutex
# MUTEX
runtime.mutex
# MUTEX
get_FileMutex
# MUTEX
QAE_NPAVQMutex
# MUTEX
QEAA_NPEAVQMutex
# FILEPATH
D:\a\_work\1\s\binaries\Win32\Release\pdmui.pdb
# FILEPATH
D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release\php_com_dotnet.pdb
# FILEPATH
C:\buildslave\unity\build\build\libcache\Library\Bee\artifacts\1900b0aE.dag\Unity.Searcher.Editor.pdb
# FILEPATH
C:\php-snap-build\php74\vc15\x64\obj\Release\php_phpdbg_webhelper.pdb
# FILEPATH
F:\ext\WKR\src\buildtrees\pthreads\x86-windows-webkit-rel\pthreadVC2.pdb
| Type | Value | Note |
|---|---|---|
| btc | 1ActiveDirectoryTransportType | |
| ip | 2.5.29.17 | C2 candidate |
| ip | 4.0.0.0 | C2 candidate |
| ip | 1.0.0.0 | C2 candidate |
| ip | 4.69.1.0 | C2 candidate |
| ip | 2.2.0.0 | C2 candidate |
| ip | 6.3.0.0 | C2 candidate |
| ip | 1.3.6.1 | C2 candidate |
| ip | 6.0.0.0 | C2 candidate |
| ip | 2.5.29.7 | C2 candidate |
| ip | 2.5.4.3 | C2 candidate |
| domain | stem.net | C2 domain |
| domain | toupperioft.com | C2 domain |
| domain | comodoca.com | C2 domain |
| domain | resultpanel.ru | C2 domain |
| domain | entrust.net | C2 domain |
| domain | regsql.ru | C2 domain |
| domain | openxmlformats.org | C2 domain |
| domain | resourcestrings.ru | C2 domain |
| domain | thawte.com | C2 domain |
| domain | data.ru | C2 domain |
| mutex | LpAcquireInstallationMutex | Mutex |
| mutex | runtime.mutex | Mutex |
| mutex | get_FileMutex | Mutex |
| mutex | QAE_NPAVQMutex | Mutex |
| mutex | QEAA_NPEAVQMutex | Mutex |
| filepath | D:\a\_work\1\s\binaries\Win32\Release\pdmui.pdb | PDB |
| filepath | D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release\php_com_dotnet.pdb | PDB |
| filepath | C:\buildslave\unity\build\build\libcache\Library\Bee\artifacts\1900b0aE.dag\Unity.Searcher.Editor.pdb | PDB |
| filepath | C:\php-snap-build\php74\vc15\x64\obj\Release\php_phpdbg_webhelper.pdb | PDB |
| filepath | F:\ext\WKR\src\buildtrees\pthreads\x86-windows-webkit-rel\pthreadVC2.pdb | PDB |
C2 Servers (8 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| system.io | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.