Malspam activity was noted on September 23rd 2017 delivering a Jacksbot variant to infected machines. Jacksbot is a backdoor family that can run on any platform that supports Java Runtime Environment [1]. In this blog post we will discuss the delivery mechanism and the behavior on the infected machine.
Submitting the delivery document to RSA's pre-release What's This File service shows the maximum threat score.
The VBA code writes data to a local VBS file (J4n.vbs). Here is the activity in NetWitness Endpoint:
Next, wscript.exe is called to execute the newly created J4n.vbs. A JAR file is downloaded and saved to a temp directory as HELP202.JAR. After a timeout, javaw.exe is called to execute the JAR:
Here is the download session in NetWitness Packets:
The following meta values were registered for the download session: watchlist file extension, tld not com net org, http not good mozilla, http no referer, http long user-agent and http get no post. For more information about these meta values, please check the hunting guide [2]:
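To show what those session meta values are keying on, here is an added example (not code from the post and not NetWitness parser logic) that approximates each flag for a single HTTP session. The request fields, the user-agent string, the URL path, the 150-character length threshold and the list of "good browser" tokens are all assumptions constructed for the example; only the delivery domain comes from the post.

```python
"""Approximate the session-level flags listed in the post for one HTTP session.
The session layout, thresholds and token lists are assumptions for this example;
they are not how NetWitness computes its meta values."""
from urllib.parse import urlsplit

WATCHLIST_EXT = {".jar", ".exe", ".vbs", ".scr", ".hta"}   # assumed watchlist
COMMON_TLDS = {"com", "net", "org"}
LONG_UA = 150                                               # assumed threshold
# Tokens a genuine "Mozilla/..." browser user-agent is assumed to carry.
GOOD_BROWSER_TOKENS = ("Firefox/", "Chrome/", "Safari/", "Edge/", "Trident/", "OPR/")


def session_flags(session: dict) -> set:
    """Return the set of flag names that fire for a session dict with keys
    'url', 'headers' (request headers) and 'methods' (all methods seen)."""
    flags = set()
    url = urlsplit(session["url"])
    host = (url.hostname or "").lower()
    path = url.path.lower()

    # Requested file name ends with an extension on the watchlist.
    if any(path.endswith(ext) for ext in WATCHLIST_EXT):
        flags.add("watchlist file extension")

    # Top-level domain outside the three most common ones.
    tld = host.rsplit(".", 1)[-1]
    if tld and tld not in COMMON_TLDS:
        flags.add("tld not com net org")

    headers = {k.lower(): v for k, v in session["headers"].items()}
    ua = headers.get("user-agent", "")
    if "referer" not in headers:
        flags.add("http no referer")
    if len(ua) > LONG_UA:
        flags.add("http long user-agent")
    # Claims to be Mozilla but carries none of the usual browser tokens.
    if ua.startswith("Mozilla/") and not any(t in ua for t in GOOD_BROWSER_TOKENS):
        flags.add("http not good mozilla")
    if set(session["methods"]) == {"GET"}:
        flags.add("http get no post")
    return flags


# Constructed session modelled on the download described in the post.
# The domain is from the post; the path and headers are made up.
SUSPECT_SESSION = {
    "url": "http://a.pomf.cat/PLACEHOLDER_PATH/HELP202.JAR",
    "headers": {
        "Host": "a.pomf.cat",
        # Padded, browser-like string with no real browser token (constructed).
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; " + "SV1; " * 30 + ")",
    },
    "methods": ["GET"],
}

# Constructed benign session for contrast.
BENIGN_SESSION = {
    "url": "https://www.example.com/index.html",
    "headers": {
        "Host": "www.example.com",
        "Referer": "https://www.example.com/",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0 Safari/537.36",
    },
    "methods": ["GET", "POST"],
}

if __name__ == "__main__":
    for name, s in (("suspect", SUSPECT_SESSION), ("benign", BENIGN_SESSION)):
        print(name, sorted(session_flags(s)))
```

None of these flags is malicious on its own; the value of the hunting approach is that the download session stacks several of them at once, which is what makes it stand out during review.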
According to VirusTotal scan results, the payload is a Jacksbot variant. However, it looks like it failed to run on a victim machine:
The delivery domain a[.]pomf[.]cat has been active delivering all kinds of payloads to infected machines not only over HTTP but also over SSL:
Here is another look at the process tree:
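The execution chain described earlier (Office macro writing J4n.vbs, wscript.exe running it, javaw.exe launching HELP202.JAR from a temp directory) and the process tree shown here are simple to hunt for in endpoint process-creation telemetry. The following is an added example, not code from the post or from NetWitness Endpoint: it assumes wscript.exe is the parent of javaw.exe, and the event records, field names and process ids are constructed for the example.

```python
"""Flag the Office -> wscript.exe (.vbs) -> javaw.exe (-jar in a temp dir) chain
in process-creation events. Event layout and sample data are constructed for
this example; they are not NetWitness Endpoint output."""
import re
from dataclasses import dataclass
from typing import List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_IMAGES = {"javaw.exe", "java.exe"}
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the process image
    cmdline: str


def image_name(path: str) -> str:
    """Base name of an image path, lower-cased, for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(event: ProcEvent, index: dict, max_depth: int = 10):
    """Yield parent, grandparent, ... as long as they exist in the index."""
    cur = event
    for _ in range(max_depth):
        cur = index.get(cur.ppid)
        if cur is None:
            return
        yield cur


def find_script_to_jar_chains(events: List[ProcEvent]) -> List[dict]:
    """Return one hit per Java process that runs a JAR from a temp directory,
    has a script host running a .vbs among its ancestors, and has an Office
    application further up the tree."""
    index = {e.pid: e for e in events}
    hits = []
    for e in events:
        if image_name(e.image) not in JAVA_IMAGES:
            continue
        cmd = e.cmdline.lower()
        if "-jar" not in cmd or not TEMP_DIR_RE.search(cmd):
            continue
        chain = list(ancestors(e, index))
        names = [image_name(a.image) for a in chain]
        script_host = next(
            (a for a in chain
             if image_name(a.image) in SCRIPT_HOSTS and ".vbs" in a.cmdline.lower()),
            None,
        )
        if script_host is not None and any(n in OFFICE_APPS for n in names):
            hits.append({
                "java_pid": e.pid,
                "script_pid": script_host.pid,
                "chain": [image_name(e.image)] + names,
            })
    return hits


# Constructed sample: one chain matching the post, plus two Java launches
# that should not be flagged (one from Program Files, one with no script host).
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE /n invoice.doc"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\AppData\Local\Temp\J4n.vbs"'),
    ProcEvent(300, 200, r"C:\Program Files\Java\jre1.8.0_144\bin\javaw.exe",
              r'javaw.exe -jar "C:\Users\user\AppData\Local\Temp\HELP202.JAR"'),
    ProcEvent(400, 1, r"C:\Program Files\Java\jre1.8.0_144\bin\javaw.exe",
              r'javaw.exe -jar "C:\Program Files\SomeApp\app.jar"'),
    ProcEvent(50, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(500, 50, r"C:\Program Files\Java\jre1.8.0_144\bin\javaw.exe",
              r'javaw.exe -jar "C:\Users\user\AppData\Local\Temp\build.jar"'),
]

if __name__ == "__main__":
    for hit in find_script_to_jar_chains(SAMPLE_EVENTS):
        print(hit)
```

Requiring both the script host and the Office ancestor keeps the rule narrow; a looser variant that alerts on any javaw.exe launching a JAR from a temp directory would have caught this sample too but fires on developer and installer activity.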
Delivery document (SHA256):
- 1459ec6788f4ecd1dd8d2b55dd931c245304c3fd0cae410d2c0df93170c13ee8
Jacksbot variant (SHA256):
- 090c02c428cc42b55772055e8c26232e2fd8f51c9c28e6041d503abcd82cb695
References: