1. Sample Overview
This is a typical compressed package phishing Trojan. It uses a shortcut file to deceive the victim, luring them into clicking it. Once executed, the malicious code runs and eventually loads a Cobalt Strike beacon through reflective loading.
2. Sample Analysis
2.1 Basic Information
After extracting the archive, only one file is visible: a .docx file of just 2KB. The archive itself, however, is 29MB, which clearly indicates hidden content. After changing the folder view settings, we can confirm that the archive actually contains two files, and that the ".docx" file is in fact a Windows shortcut (.lnk) file.
3. Shortcut File Analysis
3.1 Execution Flow
The .docx shortcut points to the program ftp.exe, which in turn runs the commands contained in the file init\lib\libcurl.dat.
The file libcurl.dat is a text file containing commands that ftp.exe needs to execute. Notably, one command triggers a Java process to run the startup function from a JAR package located in the init\lib directory.
Further analysis shows that the startup function resides in the eaio.jar package. Inside this function, we find a call to string.Sign(), which decrypts a byte array named SignData. This data is then passed to the user.login function for loading.
In the Sign function, the system.WriteStart function is called. This function sets up persistence (auto-start). It first generates a random 5-character string, %random5%, appends it to the string java, and creates the folder C:\ProgramData\java%random5%. The malicious program is then copied into this directory, a shortcut to it is created, and the shortcut is placed in the Windows Startup directory. The Java code is as follows:
Continuing the analysis of the login function, we can see that this function uses reflection to load the bytecode from sign, and ultimately calls the startup function within sign.
We wrote code to save (dump) the sign bytecode and then decompiled it; the resulting source code is as follows:
From the code shown above, we can see that the reflectively loaded startup function first reads the key from C:\Users\root\IdeaProjects\untitled_init\lib\base.ejs, then reads the encrypted shellcode from C:\Users\root\IdeaProjects\untitled\init_\lib\packman.ejs. It XORs the two to recover the final shellcode, and finally executes the decrypted shellcode through the native enqueue method of sun.tools.attach.WindowsVirtualMachine.
By saving the final shellcode, we can determine that it is a Trojan generated by Cobalt Strike. Using Cobalt Strike tools, the final configuration information can be extracted (the details include too many IP addresses, so they are not shown here).
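To reproduce the last two steps on disk copies of the two .ejs files, here is an added Python helper; it is not code from the sample or from the original analysis. It assumes a repeating-key XOR (the write-up says only "XOR"), uses the file paths named above, and the demo bytes inside it are constructed; the stager prologue check is a heuristic for the common Metasploit/Cobalt Strike stub, not a full beacon parser.

```python
from itertools import cycle
from pathlib import Path
from typing import Optional

# File paths as named in the write-up (assumption: unchanged on the analysis box);
# pass other paths to decrypt_files() when working from copied artifacts.
KEY_FILE = r"C:\Users\root\IdeaProjects\untitled_init\lib\base.ejs"
SHELLCODE_FILE = r"C:\Users\root\IdeaProjects\untitled\init_\lib\packman.ejs"

# Metasploit/Cobalt Strike stager prologues:
#   x64: cld; and rsp,-16; call ...   x86: cld; call ...
STAGER_PROLOGUES = {
    "x64": bytes.fromhex("fc4883e4f0e8"),
    "x86": bytes.fromhex("fce8"),
}


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Assumption: the key from base.ejs is applied
    cyclically; a single-byte key is simply the length-1 case."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def classify_stager(blob: bytes) -> Optional[str]:
    """Return 'x64'/'x86' if blob starts with a known stager prologue, else None."""
    for arch, prologue in STAGER_PROLOGUES.items():
        if blob.startswith(prologue):
            return arch
    return None


def decrypt_files(key_path: str = KEY_FILE, sc_path: str = SHELLCODE_FILE,
                  out_path: str = "shellcode.bin") -> Optional[str]:
    """Decrypt packman.ejs with the key in base.ejs, save it, and classify it."""
    key = Path(key_path).read_bytes()
    blob = xor_decrypt(Path(sc_path).read_bytes(), key)
    Path(out_path).write_bytes(blob)
    return classify_stager(blob)


# Constructed demo input: an x64 stager prologue padded with NOPs, XORed with a made-up key.
DEMO_KEY = b"constructed-demo-key"
DEMO_SHELLCODE = bytes.fromhex("fc4883e4f0e8c8000000") + b"\x90" * 16
DEMO_CIPHER = xor_decrypt(DEMO_SHELLCODE, DEMO_KEY)

if __name__ == "__main__":
    recovered = xor_decrypt(DEMO_CIPHER, DEMO_KEY)
    print("round-trip ok:", recovered == DEMO_SHELLCODE, "arch:", classify_stager(recovered))
```

The recovered shellcode.bin is what a Cobalt Strike configuration parser is then run on, as described above.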
Conclusion
This analysis provides an in-depth look at a phishing Trojan, illustrating how a malicious shortcut file can eventually lead to the execution of a Cobalt Strike beacon. Through this breakdown, we gain a clearer understanding of the techniques used for evasion and persistence.