2018-01-09 - MALSPAM PUSHING JAVA-BASED RAT

ASSOCIATED FILES:

  • 2018-01-09-Java-based-RAT-malspam-traffic.pcap   (534,031 bytes)
  • 2018-01-08-Java-based-RAT-malspam-UTC.txt   (7,736 bytes)
  • ImportantSign_PDF.jar   (712,446 bytes)
  • ImportantSign_PDF.zip   (696,956 bytes)
  • _0.247387460198232888134367552441532945.class   (247,088 bytes)

NOTES:

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domain:

EMAIL


Shown above:  Screenshot of the email.

EMAIL INFORMATION:


Shown above:  Downloading the malicious zip archive and extracting its contents.

TRAFFIC


Shown above:  Infection traffic in Wireshark.

INFECTION TRAFFIC:

MALWARE

ZIP ARCHIVE FROM LINK IN THE EMAIL:

JAVA ARCHIVE (.JAR) FILE EXTRACTED FROM THE ZIP ARCHIVE:

ARTIFACT FROM THE INFECTED WINDOWS HOST:

WINDOWS REGISTRY ENTRY FOR PERSISTENCE:

IMAGES


Shown above:  Registry key and associated files on the infected Windows host.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.