The reason for placing the file here is that it is a hidden directory and not normally visible to the user.
Firstly, the file fedex912.exe drops a new file called gennt.exe, which is basically just a copy of itself, into the directory C:\ProgramData\9ea94915b24a4616f72c\.
I ran the executable in my analysis environment with process monitor and regshot and there were a few things of note. However, there is a sample on Virus Total that we can download.
COBALT STRIKE BEACON PORT FORWARD DOWNLOAD
Unfortunately, at the time of writing, the domain hosting the fedex912.exe is no longer active meaning we cannot download the file from here. The JAR file will also load the legitimate FedEx tracking website which is most likely to try and reassure the user that the file they have downloaded is a legitimate one. The executable will be placed into the Windows temp directory, where it will then be executed.
COBALT STRIKE BEACON PORT FORWARD CODE
(I copied the code into Atom after opening with JD-GUI as I like the syntax highlighting there.) FedEx_Delivery_invoice.jarĪs the code snippet above shows, the FedEx_Delivery_invoice.jarfile is going to attempt to download the file fedex912.exe from the domain hxxp://fedex-trackingpress. JD-GUI is a simple tool that allows you to decompile and view the code of JAR files. Once we have the file, we will analyse it with JD-GUI. The domain hxxp://fedex-tracking.fun is still up, so we can download the FedEx_Delivery_invoice.jar file from here. As shown in the XML code below, we can see that this JNLP file will be used to load and execute the JAR file FedEx_Delivery_invoice.jar from the domain hxxp://fedex-tracking.funĪs we know the name and location of the 2nd stage payload, we can try and download it. You can easily view the content of a JNLP file by changing the extension to XML and loading the file in a text editor like notepad++. They are generally quite simple and are not difficult to analyse.
It is worth noting that to be susceptible to phishing via a JNLP the user will have to have java installed on their machine. JNLP files can be used to allow for applications hosted on a remote server to be launched locally. Javaws.exe is an application that is part of the Java Runtime Environment and is used to give internet functionality to java applications. A JNLP file is a java web file, which when clicked, the application javaws.exe will attempt to load and execute the file.
0 kommentar(er)
