New Pyrogenic JAR-Based Malware Campaign - Indicators of Compromise

A new JAR-based phishing campaign has been seen delivered to Australian companies with the intent of credential stealing Office 365 account passwords as well as passwords stored in the browser. This campaign appears to have first occurred late September 2019 - November 2019.

Initial Infection
This campaign is delivered via a phishing email to corporate account users with an image of a PDF file which contains an embedded hyperlink

If a user clicks on the image of the PDF they are taken to the first C2 domain - in this instance it was to which resulted in a download of the malicious JAR file 'BankPaymAdviceVend_LLCRep.jar' to the downloads folder:

User interaction is then required in order to execute the malware. Once execution occurs, the following process chain occurs where javaw.exe is spawned.

The javaw.exe process is stopped in memory and two DLLs are dropped into the AppData/Local/TEMP folder, loaded and then deleted.

  • sqlite-
  • jna--1104490048\jna8218245902737124972.dll
The first network call out is to to find the public facing IP address of the infected host. The subsequent network connections are direct communications to the C2 relaying the credentials found in registry keys and browser:

Network Indicators:

  • Communications to C2 domains appear to be done through javaw.exe process via port 80 
  • The first network callout aside from the C2 domain which 'drops' the JAR file, is to

Persistence Techniques:
  • 2 files dropped to AppData\Local\Temp:
    • sqlite-
    • jna--1104490048\jna8218245902737124972.dllThese DLL files are used in a dll side-loading attack for java.exe and are then deleted from /TEMP folder.
  • Browser Extension modifications to Chrome and Firefox

File Deletion:
  • 2 main files are dropped & deleted upon being loaded into the java process. 
    • sqlite-
    • jna--1104490048\jna8218245902737124972.dll
Data Exfiltrated:
  • Mailbox Login Credentials from:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    • This is sent immediately within seconds of infection
  • Browser Passwords
    • C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xwt1js18.default\key4.db
    • C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xwt1js18.default\signons.sqlite
    • C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    • C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Initial Infection Process Chain
  • javaw.exe > cmd.exe /c chcp 1252 > NUL & powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command
Lateral Movement Across Network
  • This does not occur 


SHA-256 .


Popular posts from this blog

Forensic Analysis of AnyDesk Logs

Successful 4624 Anonymous Logons to Windows Server from External IPs?

How to Reverse Engineer and Patch an iOS Application for Beginners: Part I