2017-07-04 - MALSPAM WITH JAVA-BASED RAT

ASSOCIATED FILES:

  • 2017-07-04-malspam-0433-UTC.eml   (946,555 bytes)
  • INVOICE LIST.jar   (578,829 bytes)
  • _0.325390945828089142947081810060995233.class   (247,088 bytes)

 

EMAIL

SCREENSHOT:


Shown above:  Screenshot of the email.

 

EMAIL HEADER INFO:

  • Return-Path: <sales@foodtech.ae>
  • X-Originating-Ip: [162.144.89.147]
  • Authentication-Results: [removed]; iprev=pass policy.iprev="162.144.89.147"; spf=softfail smtp.mailfrom="sales@foodtech.ae" smtp.helo="server.joshmachines.com"; dkim=none (message not signed) header.d=none; dmarc=none (p=nil; dis=none) header.from=foodtech.ae
  • Received: from [162.144.89.147] ([162.144.89.147:36560] helo=server.joshmachines.com)
            by [removed] (envelope-from <sales@foodtech.ae>)
            [removed]; Tue, 04 Jul 2017 01:42:30 -0400
  • Received: from [127.0.0.1] (port=45926 helo=harshangzaveri.com)
            by server.joshmachines.com with esmtpa (Exim 4.89)
            (envelope-from <sales@foodtech.ae>)
  •         id 1dSFWO-0008CV-Tu; Tue, 04 Jul 2017 04:33:09 +0000
  • MIME-Version: 1.0
  • Date: Tue, 04 Jul 2017 04:33:08 +0000
  • From: Sales <sales@foodtech.ae>
  • To: undisclosed-recipients:;
  • Subject: Unpaid Invoice List
  • Reply-To: sales@foodtech.ae
  • Mail-Reply-To: sales@foodtech.ae
  • Message-ID: <a01dfe55b97e7efd3c75d28a9286ec40@foodtech.ae>
  • X-Sender: sales@foodtech.ae
  • User-Agent: Roundcube Webmail/1.2.4
  • Attachment: INVOICE LIST.jar

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

POST-INFECTION TRAFFIC:

 

FILE HASHES

EMAIL ATTACHMENT:

ARTIFACT FOUND IN USER'S APPDATA\LOCAL\TEMP DIRECTORY:

 

IMAGES


Shown above:  Contents of the email attachment.

 


Shown above:  Windows registry change to make the malware persistent after a reboot.

 


Shown above:  Two .class files with the same file hash found in the user's AppData\Local\Temp directory after this infection.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.