Malware Alert: Schneiken Double Dropper

** UPDATE **
I have now published a full analysis of this malware. As of now (17 APR 2018), there is still no AV detecting it successfully and there is no name for it, so I'm going with 'Schneiken'.

There is a new malware actively being served through phishing campaigns at the time of this post.

This is the Schneiken dropper, an interesting piece of malware written in VBS that comes with multiple layers of code obfuscation. It drops TWO RATs on the victim's disk: the Duhini RAT and the RATTY JRAT. Both RATs are embedded in the VBS dropper.

I'll be posting a detailed analysis of this malware soon and will update this post with the link to that.

Here are the details in the meantime:

Flow:
Phish > HREF > PDF > HREF > ZIP > VBS > JRAT + Duhini RAT

MD5: 47f21544a7479cae3e20488731ba6aa6
SHA256: d5f56058608f8dabb9d19c432c751f99f994edd056b2846ac51915258494598a
Filename: TT COPY.vbs

The JRAT dropped by this malware:

RATTY.jar
MD5: 9b93c76d2dacf7adaacfc1e99dae8089

Deobfuscated/Decoded files: https://github.com/vithakur/schneiken
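A small triage script for the ZIP > VBS stage of the flow above, added here as an example and not code from the original post or the linked repository: it hashes each member of a candidate ZIP attachment against the IoCs listed above and flags scripts that carry an embedded ZIP/JAR header, either raw or inside a long base64 run. The base64 heuristic and the sample input (`build_sample`) are assumptions; the post says the RATs are embedded in the VBS but not how they are encoded.

```python
import base64, hashlib, io, re, zipfile

# IoCs quoted from the post above (dropper TT COPY.vbs and RATTY.jar)
KNOWN_HASHES = {
    "47f21544a7479cae3e20488731ba6aa6": "Schneiken dropper TT COPY.vbs (MD5)",
    "d5f56058608f8dabb9d19c432c751f99f994edd056b2846ac51915258494598a":
        "Schneiken dropper TT COPY.vbs (SHA256)",
    "9b93c76d2dacf7adaacfc1e99dae8089": "RATTY JRAT RATTY.jar (MD5)",
}
PK_MAGIC = b"PK\x03\x04"                             # ZIP/JAR local file header
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")   # long base64-looking runs

def match_iocs(data):  # "known IoC: ..." if a hash from the post matches, else None
    digests = (hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest())
    hit = next((KNOWN_HASHES[d] for d in digests if d in KNOWN_HASHES), None)
    return "known IoC: " + hit if hit else None

def embedded_archive(data):
    # Reports a ZIP/JAR header carried raw or inside a long base64 run of a script body.
    # Assumption: the post says the RATs are embedded in the VBS but not how they are encoded.
    if PK_MAGIC in data:
        return "embedded archive (raw)"
    for run in B64_RUN.findall(data):
        try:
            if PK_MAGIC in base64.b64decode(run, validate=True):
                return "embedded archive (base64)"
        except ValueError:  # looked like base64 but is not
            continue
    return None

def triage_zip(zip_bytes):  # walk a ZIP attachment (the ZIP > VBS stage) and report members
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            script = info.filename.lower().endswith((".vbs", ".jar"))
            reasons = [r for r in (match_iocs(data), embedded_archive(data),
                                   "script/JAR attachment" if script else None) if r]
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings

def build_sample():  # constructed input: ZIP holding a VBS with a base64 JAR-like blob
    fake_jar = PK_MAGIC + b"\x14\x00" + b"\x00" * 60   # header bytes only, not a real JAR
    vbs = 'Dim p\np = "%s"\n' % base64.b64encode(fake_jar).decode()
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("TT COPY.vbs", vbs)
        z.writestr("readme.txt", "plain text, nothing embedded\n")
    return out.getvalue()
```

Real samples will only hit the `known IoC` branch when their bytes match the hashes above exactly; the embedded-archive check is the part that generalises to re-packed variants.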
 
