You can download the code samples at the bottom of this post.There are a few cool techniques that this campaign uses that were going to look at.I happened to come across the initial first stage phishing attachment while browsing for samples on VirusTotal and found it interesting as you do not commonly see JNLP attachments used for phishing.JNLP files can be used to allow for applications hosted on a remote server to be launched locally.
Cobalt Strike Beacon Code Samples AtIt is worth noting that to be susceptible to phishing via a JNLP the user will have to have java installed on their machine. You can easily view the content of a JNLP file by changing the extension to XML and loading the file in a text editor like notepad. As shown in the XML code below, we can see that this JNLP file will be used to load and execute the JAR file FedExDeliveryinvoice.jar from the domain hxxp:fedex-tracking.fun. The domain hxxp:fedex-tracking.fun is still up, so we can download the FedExDeliveryinvoice.jar file from here. Once we have the file, we will analyse it with JD-GUI. JD-GUI is a simple tool that allows you to decompile and view the code of JAR files. I copied the code into Atom after opening with JD-GUI as I like the syntax highlighting there.). The JAR file will also load the legitimate FedEx tracking website which is most likely to try and reassure the user that the file they have downloaded is a legitimate one. However, there is a sample on Virus Total that we can download. I ran the executable in my analysis environment with process monitor and regshot and there were a few things of note. Firstly, the file fedex912.exe drops a new file called gennt.exe, which is basically just a copy of itself, into the directory C:ProgramData9ea94915b24a4616f72c. The reason for placing the file here is that it is a hidden directory and not normally visible to the user. Adding the gennt.exe executable to the registry key here ensures that the malware is started every time Windows is restarted. However, that did not occur on my test machine when running the executable. There could be a few reasons for this, one could be that the malware has anti-analysis capabilities and knows when it is being run in a standard VM. As my lab is not currently set up to counter VM aware malware, we are going to cheat slightly and use data from a sample that was run on AnyRun. ![]() So we essentially have three parts to the PowerShell script, theres the first chunk with a couple of functions. The middle section with a Base64 Encoded block and a for statement. And then theres the final section with some defined variables and an if statement. Well tackle the Base64 Encoded block first and look at the rest of the PowerShell script a little later. Id much rather just post the raw code, rather than screenshots, but that would result in my site being flagged for hosting malware.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |