Ahmed Sonbol

Malspam delivers Jacksbot 9-23-2017

Blog post created by Ahmed Sonbol on Sep 26, 2017

Malspam activity was noted on September 23rd, 2017 delivering a Jacksbot variant to infected machines. Jacksbot is a backdoor family that can run on any platform that supports the Java Runtime Environment [1]. In this blog post we will discuss the delivery mechanism and the behavior on the infected machine.

Submitting the delivery document to RSA's pre-release What's This File service shows the maximum threat score.

The VBA code in the delivery document writes data to a local VBS file (J4n.vbs). Here is the activity in NetWitness Endpoint:

Next, wscript.exe is called to execute the newly created J4n.vbs. A JAR file is downloaded and saved to a temp directory as HELP202.JAR. After a timeout, javaw.exe is called to execute the JAR:
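The chain above (Office document, then wscript.exe running J4n.vbs, then javaw.exe running HELP202.JAR from a temp directory) is the kind of parent/child relationship an endpoint analyst would want to flag automatically. The following is an added example, not code from the original post or from RSA NetWitness: it walks a small set of constructed process-creation events (PIDs, user name and paths are made up) and reports a script host spawned by an Office process and a Java process running a JAR from a temp directory underneath a script host. The image-name sets and the temp-directory pattern are this example's own heuristics.

```python
import re
from collections import namedtuple

# One process-creation event: pid, parent pid, image name and full command line.
Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed sample events modelled on the chain in the post: Word -> wscript.exe
# running J4n.vbs -> javaw.exe running HELP202.JAR from a temp directory.
# PIDs, the user name and directory paths are made up; the last event is a benign
# Java application included to show that it is not flagged.
SAMPLE_EVENTS = [
    Proc(1000, 800, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(2000, 1000, "winword.exe",
         r'"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n "C:\Users\user\Downloads\document.doc"'),
    Proc(2100, 2000, "wscript.exe",
         r'"C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\J4n.vbs"'),
    Proc(2200, 2100, "javaw.exe",
         r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\HELP202.JAR"'),
    Proc(3000, 1000, "javaw.exe",
         r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar "C:\Program Files\SomeApp\app.jar"'),
]

# Heuristic name sets (an assumption of this example, not a NetWitness rule set).
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA = {"java.exe", "javaw.exe"}
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def ancestors(proc, by_pid):
    """Yield the ancestors of proc, nearest parent first, stopping at the root or a cycle."""
    seen = {proc.pid}
    cur = proc
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        yield cur


def find_chains(events):
    """Return (pid, reason) findings for the Office -> script host -> Java chain."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        lineage = [a.image.lower() for a in ancestors(p, by_pid)]
        img = p.image.lower()
        # A script host whose direct parent is an Office application.
        if img in SCRIPT_HOSTS and lineage and lineage[0] in OFFICE:
            findings.append((p.pid, "script host spawned by an Office process"))
        # Java launched with -jar on an archive living in a temp directory.
        if img in JAVA and "-jar" in p.cmdline.lower():
            in_temp = bool(TEMP_DIR.search(p.cmdline))
            if in_temp and any(a in SCRIPT_HOSTS for a in lineage):
                findings.append((p.pid, "Java running a JAR from a temp directory, descended from a script host"))
            elif in_temp:
                findings.append((p.pid, "Java running a JAR from a temp directory"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_chains(SAMPLE_EVENTS):
        print(pid, reason)
```

Run as-is it prints two findings, for PIDs 2100 and 2200; the benign javaw.exe under explorer.exe (PID 3000) produces none because its JAR is not in a temp directory. Feeding real endpoint telemetry in the same pid/ppid/image/cmdline shape is the only change needed to use it on a live data set.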

Here is the download session in NetWitness Packets:

The following meta values were registered for the download session:

  • watchlist file extension
  • tld not com net org
  • http not good mozilla
  • http no referer
  • http long user-agent
  • http get no post

For more information about those meta values, please check the hunting guide [2]:
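To show how these meta values single out a session like the HELP202.JAR download, here is an added example that is not part of the original post and not NetWitness code. It tags two constructed HTTP session records with the six values named above; the first record reuses the a.pomf.cat domain from the post, but its URL path and user-agent string are made up, and nothing is contacted. The extension watchlist, the user-agent length cut-off and the "good Mozilla" pattern are this example's own assumptions rather than the hunting guide's exact definitions.

```python
import re
from urllib.parse import urlsplit

# Constructed HTTP session records (not NetWitness output). The first mirrors the
# HELP202.JAR download from a.pomf.cat described in the post; the URL path and the
# user-agent are made up. The second is an ordinary browser page load for contrast.
SAMPLE_SESSIONS = [
    {
        "url": "http://a.pomf.cat/help202.jar",   # real path is not given in the post
        "methods": ["GET"],
        "referer": "",
        "user_agent": ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; "
                       "Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; "
                       ".NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; "
                       "InfoPath.3)"),
    },
    {
        "url": "https://www.example.com/docs/index.html",
        "methods": ["GET", "POST"],
        "referer": "https://www.example.com/",
        "user_agent": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"),
    },
]

# Thresholds and lists below are this example's assumptions, not the hunting guide's definitions.
WATCHLIST_EXT = {"jar", "vbs", "js", "exe", "scr", "hta", "ps1"}
COMMON_TLDS = {"com", "net", "org"}
LONG_UA_CHARS = 150
GOOD_MOZILLA = re.compile(r"^Mozilla/5\.0 \(")   # shape of a typical modern browser UA


def tag_session(session):
    """Return the set of meta tags (named as in the post) that apply to one session."""
    parts = urlsplit(session["url"])
    tags = set()
    # watchlist file extension: last path component's extension is on the watchlist
    name = parts.path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in WATCHLIST_EXT:
        tags.add("watchlist file extension")
    # tld not com net org: host's last label is an uncommon TLD
    host = parts.hostname or ""
    if host.rsplit(".", 1)[-1].lower() not in COMMON_TLDS:
        tags.add("tld not com net org")
    # http no referer: request arrived without a Referer header
    if not session.get("referer"):
        tags.add("http no referer")
    ua = session.get("user_agent", "")
    # http long user-agent: unusually long UA string
    if len(ua) > LONG_UA_CHARS:
        tags.add("http long user-agent")
    # http not good mozilla: claims to be Mozilla but does not look like a real browser UA
    if "mozilla" in ua.lower() and not GOOD_MOZILLA.match(ua):
        tags.add("http not good mozilla")
    # http get no post: session only ever issued GET requests
    methods = {m.upper() for m in session["methods"]}
    if "GET" in methods and "POST" not in methods:
        tags.add("http get no post")
    return tags


def rank_sessions(sessions):
    """Order session URLs by how many tags fire, most suspicious first."""
    scored = [(len(tag_session(s)), s["url"]) for s in sessions]
    return [url for _, url in sorted(scored, key=lambda x: -x[0])]


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s["url"], sorted(tag_session(s)))
```

The download session collects all six tags while the ordinary page load collects none, which is the stacking effect the hunting guide relies on: any one of these values fires on plenty of benign traffic, but a session that carries several of them at once deserves an analyst's attention.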

According to VirusTotal scan results, the payload is a Jacksbot variant. However, it looks like it failed to run on the victim machine:

The delivery domain a[.]pomf[.]cat has been actively delivering all kinds of payloads to infected machines, not only over HTTP but also over SSL:

Here is another look at the process tree:

Delivery document (SHA256):

  • 1459ec6788f4ecd1dd8d2b55dd931c245304c3fd0cae410d2c0df93170c13ee8

Jacksbot variant (SHA256):

  • 090c02c428cc42b55772055e8c26232e2fd8f51c9c28e6041d503abcd82cb695

References:

  1. TrendLabs Security Intelligence Blog: JACKSBOT Has Some Dirty Tricks up Its Sleeves
  2. RSA NetWitness Hunting Guide