2017-05-15 Adwind/JRAT RAT from MalSpam

Trolling through the email filters today I came across this nugget. From what I can tell this looks to be related to the Adwind/JRat family of malware. This particular RAT was found in an email that is in Turkish. Kaspersky has a quick write-up about this RAT which you can find here. As usual, you can find the artifacts from this investigation over in the Github repo here.

The Google translation of the email states the following:

Could you take a look at all your orders?

Body of email:
Could you take a look at all your orders? Hello, our orders are enclosed, please check.

Indicators of Compromise:
guvencingiller[.]com / 188[.]165.206[.]163 (DNS)
188[.]165.206[.]163 (TCP – 54264)

Filename: siparis.pub
File size: 169KB
MD5: 22f89a3c797d070bff3c5d89553d3e5e
Detection ratio: 19 / 56
First submission: 2017-05-14 01:03:08 UTC
Hybrid Analysis: https://www.hybrid-analysis.com/sample/1d205d034a5132b367e4fca0b3e67506c5c3952c7c3034c2a882e2b6be7b9d56?environmentId=100

Filename: 1.jar
File size: 63KB
File path: C:\Users\%username%\AppData\Local\Temp
MD5: fd0fdf29739daca8b186c9300507c035
Virustoal: NA
Malwr: NA
Hybrid Analysis: NA

Filename: Viw.jar
File size: 63KB
File path: C:\Users\Bill\AppData\Roaming\One
MD5: fd0fdf29739daca8b186c9300507c035
Virustoal: NA
Malwr: NA
Hybrid Analysis: NA

Analysis of Malware:
This is a pretty simple infection chain. Once the user downloads and runs the Microsoft Publisher file called “siparis.pub,” they are greeted with the following screen:

which translated means “File can not be opened.” In the back ground we can see that the Publisher file runs the macro which has the JAR file embedded in it, and proceeds, with the help of a CMD.exe process, to create the file called “1.jar” located in the “C:\Users\Bill\AppData\Local\Temp” directory. We then see CMD.exe calling the Java executable (javaw.exe) so it can launch the malicious JAR file that was just written above (the 1.jar file). From there we can see that a couple of other events occur from this javaw.exe/1.jar process (PID 2756):

– An attempt to add a new registry key pointing to a new file called “Viw.jar” which ends up being denied: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Gbd /t REG_SZ /d “\”C:\Program Files\Java\jre6\bin\javaw.exe\” -jar \”C:\Users\Bill\AppData\Roaming\One\Viw.jar\”” /f
– Attrib.exe is used to modify attributes of some newly created files/directories:
— attrib +s +h +r “C:\Users\Bill\AppData\Roaming\One\*.*”
— attrib +s +h +r “C:\Users\Bill\AppData\Roaming\One”

***One thing to note here – since the java/1.jar process has modified the file attributes of the directory “C:\Users\Bill\AppData\Roaming\One\*.*” and made this a system folder, the icon that shows up is of the Recycle Bin which also does not show any other files outside of what is in the Recycle Bin.

Once the attributes are undone, the files in the “One” folder are visible and no longer the Recycle Bin.

We also see a new instance of javaw.exe/Viw.jar spin up as a child (PID 2804) to the above javaw.exe /1.jar process (PID 2756) and proceed to run the same kind of activity as mentioned above:

– Another attempt to add a registry key via reg.exe that gets denied: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Gbd /t REG_SZ /d “\”C:\Program Files\Java\jre6\bin\javaw.exe\” -jar \”C:\Users\Bill\AppData\Roaming\One\Viw.jar\”” /f
– Last attempt to create persistence on the machine, this time using a different registry location which is successful: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Gbd /t REG_SZ /d “\”C:\Program Files\Java\jre6\bin\javaw.exe\” -jar \”C:\Users\Bill\AppData\Roaming\One\Viw.jar\”” /f
– Attrib.exe used to modify a folder that is also a hidden, system folder:
— attrib +H C:\Users\Bill\.Kvq

From the network perspective, once the system is infected, and the javaw.exe/Viw.jar process is up and running, the only malicious traffic that I was able to find is a DNS request to the domain guvencingiller[.]com, and then nothing but SYN/SYN-RST packets from various ports incrementing by 1 from the infected system to the (what guvencingiller[.]com resolves to) on port 54264 as seen below.

Considering that the connection to that IP/port pair was reset every time, I am thinking that this C2 has been killed off and this RAT is not fully functional at this time.

Leave a Reply

Your email address will not be published. Required fields are marked *