The SonicWall Capture Labs Threat Research team has observed a JavaScript file inside an archive being delivered to the victim's machine as an email attachment, which then downloads a Java based Remote Access Trojan (RAT) known as "STRRAT" to the victim's machine.

Java based malware has the advantage of a lower detection rate than the usual file types, such as Portable Executable (PE) files. Java based malware is not seen often, as it needs the Java Runtime Environment (JRE) to execute on a victim's machine.

The first layer JavaScript contains pretty simple code: it replaces some characters in a string and then base64-decodes the result to obtain the second layer JavaScript.

The second layer JavaScript is responsible for preparing the environment and executing STRRAT on the victim's machine.

The malware contains a base64 encoded string which is decoded and dropped into the %APPDATA% folder. The dropped script is executed, and it contains only a comment: "// Coded by v_B01 | Sliemerez -> Twitter : Sliemerez".

The malware now decodes and drops STRRAT into the %APPDATA% directory with.

The malware retrieves the Java installation directory from a registry entry in order to prepare the path to the Java application executor (javaw.exe).

The malware contains code to create a persistence entry, but that code is commented out in this variant.

The malware executes STRRAT using the Java application executor. If the Java Runtime Environment (JRE) is not pre-installed on the victim's machine, the malware downloads and installs the JRE from the web.
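To unpack this kind of two-layer dropper statically, without executing either layer, here is an added Python example (not SonicWall's code or the sample's own logic). The substitution table, the constructed second-layer script and the placeholder JAR bytes are assumptions, since the page does not give the real values; the unpacking functions themselves work on any input of this shape.

```python
import base64
import re

# Hypothetical substitution table (an assumption, not the real sample's): the
# first layer replaces a few base64 alphabet characters with other symbols and
# swaps them back at run time before decoding.
SUBST = {"@": "A", "!": "=", "%": "/", "^": "+"}

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64 literal inside layer 2


def decode_layer1(obfuscated: str) -> str:
    """Undo the character substitution, then base64-decode to recover layer 2."""
    for symbol, original in SUBST.items():
        obfuscated = obfuscated.replace(symbol, original)
    return base64.b64decode(obfuscated, validate=True).decode("utf-8")


def extract_payloads(layer2_js: str) -> list[bytes]:
    """Decode every long base64 literal in layer 2 without running the script.
    These are the blobs the script would write under %APPDATA% at run time."""
    payloads = []
    for match in B64_BLOB.finditer(layer2_js):
        try:
            payloads.append(base64.b64decode(match.group(0), validate=True))
        except ValueError:  # a run of text that only looked like base64
            continue
    return payloads


def classify(blob: bytes) -> str:
    """JAR files are ZIP archives, so a dropped STRRAT JAR starts with PK\\x03\\x04."""
    return "jar" if blob.startswith(b"PK\x03\x04") else "unknown"


def unpack(layer1_obfuscated: str) -> list[tuple[str, bytes]]:
    """Full static chain: layer 1 -> layer 2 -> (type, bytes) of each embedded payload."""
    return [(classify(p), p) for p in extract_payloads(decode_layer1(layer1_obfuscated))]


# ---- constructed sample, built here so the example runs offline (not the real dropper) ----
FAKE_JAR = b"PK\x03\x04 constructed placeholder jar payload bytes"
LAYER2 = (
    "// constructed second-layer script, not the real sample\n"
    'var payload = "' + base64.b64encode(FAKE_JAR).decode() + '";\n'
    "// at run time this would be decoded and written under %APPDATA%\n"
)
LAYER1_OBFUSCATED = base64.b64encode(LAYER2.encode()).decode()
for symbol, original in SUBST.items():  # apply the obfuscation the first layer would undo
    LAYER1_OBFUSCATED = LAYER1_OBFUSCATED.replace(original, symbol)

if __name__ == "__main__":
    for kind, blob in unpack(LAYER1_OBFUSCATED):
        print(kind, len(blob), "bytes")
```

Running the chain on a real sample only requires pasting the first-layer string literal and the substitution pairs observed in its replace calls; nothing is written to disk or executed.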