![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Picture1.png\")
Here is an initial infection vector which is a spam email. As it looks legitimate, the user is tempted to download and open the attachment.<\/p>\n Below is a list of attachment names observed in these spam emails:<\/p>\n After extracting the parent JAR file, it shows some java packages containing some long random filenames which contain raw data and class files. We have observed that malware actors are evolving malicious JARs with numerous obfuscations patterns. Some of the patterns are as follows:<\/p>\n Well-known decompilers failed to decompile the parent JAR file. Due to variation in obfuscation and encryption, (RSA, AES) makes static analysis more complex. Let\u2019s see how malware behaves when it gets executed.<\/p>\n Execution of the parent JAR file drops two \u201c.vbs\u201d, two \u201c.Class\u201d, one \u201c.Reg\u201d and one \u201c.dll\u201d file at \u201c%TEMP%\u201d location. Every dropped file has a unique role in the infection cycle. Also, the parent JAR checks for a virtual machine using GlobalMemoryStatusEx<\/a>() api which checks for the total physical and virtual memory available.<\/p>\n The parent JAR drops VBS files at %Temp% location with some random names. Also, it drops a JAR file with extension \u2018.class\u2019 at %Temp%. The parent JAR executes dropped the JAR file. The dropped JAR file is a jRAT malware.<\/p>\n Below images shows dropped vbs files:<\/p>\n <\/p>\n Then jRAT malware executes VBS files using cscript.exe. <\/strong><\/p>\n One of the VBS files enumerates a list of different firewall installed using WMI <\/a>(Windows Management Instrumentation) functionality and the other one enumerates a list of third-party antivirus products using the same functionality upon execution.<\/p>\n The parent JAR also drops the \u201c.Reg File\u201d at %Temp% location and executes it using \u2018reg.exe\u2019. It creates registry entries of frequently used analysis tools such as \u2018Procexp.exe\u2019 ,\u2019wireshark.exe\u2019, \u2018dumppcap.exe\u2019 and some security products processes under \u201cImage File Execution\u201d<\/strong>. So, if any process gets started and if it has an entry under that key then the process gets killed.<\/p>\n Some registry entries are shown below:<\/p>\n The parent JAR executes actual jRat JAR file using java.exe. This jRat file is capable of communicating with a C&C server and can download executable payload.<\/p>\n To achieve persistence, it makes an entry into an auto-run registry so that it can launch itself when the system reboots.<\/p>\n jRat connects with CnC IP \u201c213.183.58[.]42<\/a> \u201d. The below image shows the TLS-encrypted SSL traffic after infection. After decoding the TCP stream on port 3012, we found the blacklisted certificate which is associated with jRAT JAR.<\/p>\n![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Picture2.png\")
\n
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Fig_3.png\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Picture4.png\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Picture5.png\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Picture6.1.png\")
<\/p>\n![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Picture6-1.png\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Picture7.1.png\")
<\/p>\n![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Picture7.png\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Picture8.png\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Picture9.png\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Picture10.png\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Picture11-650x384.png\")