General

  • Target

    https://cdn.discordapp.com/attachments/1000572518157009029/1254443119580282930/Polar-client-source-code-main.jar.rar?ex=66801a32&is=667ec8b2&hm=241959959026e68d2c28a449f864a234e0eb8e6ea739fd2a6d2661908f8a75c1&

  • Sample

    240628-tjsb1awdmh

Malware Config

Targets

    • Target

      https://cdn.discordapp.com/attachments/1000572518157009029/1254443119580282930/Polar-client-source-code-main.jar.rar?ex=66801a32&is=667ec8b2&hm=241959959026e68d2c28a449f864a234e0eb8e6ea739fd2a6d2661908f8a75c1&

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks