Malware Analysis Report (AR22-270B)

MAR-10400779-2.v1 – Zimbra 2


Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Description

CISA received a Java Server Pages (JSP) webshell file for analysis. The JSP file allows an attacker to execute shell commands and read the output of the commands.

Download the STIX version of this report: MAR-10400779.r2.v1.WHITE_stix, 1.3 MB

Submitted Files (1)

ffb0f637776bc4cfcf5a24406ebf48fc21b9dcec68587a010f21b88250bda195 (formatter_8252022_909am.jsp)

Findings

ffb0f637776bc4cfcf5a24406ebf48fc21b9dcec68587a010f21b88250bda195

Tags

trojan, webshell

Details
Name formatter_8252022_909am.jsp
Size 817 bytes
Type exported SGML document, ASCII text
MD5 7153cfe57d2df499175aced7e92bcf65
SHA1 515451cea6e3550df74f54eb4d6f1706de100a3f
SHA256 ffb0f637776bc4cfcf5a24406ebf48fc21b9dcec68587a010f21b88250bda195
SHA512 34b7c071255327a1147c6843048bdac16745482afcef04194230d4b8e11b04d020cd59c1b2516c7aa67ea86f8507cfe72a5867774c1138160007d5cf4fc1f493
ssdeep 12:e8dGyP2gx/zv3Cy2WARWTNEhRTCKp9n/UXRTq7NeqTq/v2aW+YDQ3q0:1GyPHx/LFKWTmHTPfcTqnTqH1YDf0
Entropy 5.057882
Antivirus
AhnLab WebShell/JSP.Small.S1403
ESET Java/Webshell.K trojan
Sophos Troj/WebShel-BB
YARA Rules
  • rule CISA_10400779_08 : trojan webshell
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10400779"
           Date = "2022-08-29"
           Last_Modified = "20220908_1400"
           Actor = "n/a"
           Category = "Trojan Webshell"
           Family = "n/a"
           Description = "Detects JSP Webshell command execution samples"
           MD5 = "7153cfe57d2df499175aced7e92bcf65"
           SHA256 = "ffb0f637776bc4cfcf5a24406ebf48fc21b9dcec68587a010f21b88250bda195"
       strings:
           $s0 = { 67 65 74 50 61 72 61 6D 65 74 65 72 28 22 63 6D 64 22 29 }
           $s1 = { 6F 75 74 2E 70 72 69 6E 74 6C 6E 28 22 43 6F 6D 6D 61 6E 64 }
           $s2 = { 22 3C 42 52 3E 22 }
           $s3 = { 67 65 74 50 72 6F 70 65 72 74 79 }
           $s4 = { 22 6F 73 2E 6E 61 6D 65 22 }
           $s5 = { 22 77 69 6E 64 6F 77 73 22 }
           $s6 = { 63 6D 64 2E 65 78 65 20 2F 43 }
           $s7 = { 4F 75 74 70 75 74 53 74 72 65 61 6D }
           $s8 = { 6F 75 74 2E 70 72 69 6E 74 6C 6E 28 64 69 73 72 29 }
       condition:
           all of them
    }
ssdeep Matches

No matches found.

Description

This file is a JSP webshell that allows an attacker to execute shell commands and read the output of the commands. When executed, it prompts the attacker to enter the shell command to be executed. It checks whether the command supplied by the attacker through the "cmd" parameter contains a null value (blank). If it does, the command input stream is displayed in the JSP page in the following format:

--Begin format--
""Command: " + request.getParameter("cmd") + "<BR>""
--End format--

If the system platform is Windows, it executes the user-provided commands via "cmd.exe /c <commands>". Otherwise, it will execute the user-provided commands in the shell. The command output will be displayed in a JSP page.
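The following Python is an added example and is not part of the CISA report. It decodes the hex strings of rule CISA_10400779_08 above into their ASCII form and applies the rule's `all of them` condition to raw file contents, so a defender can see exactly which source-level artifacts the signature keys on (the `"cmd"` parameter read, the `"Command: "` echo with `"<BR>"`, the `os.name` property check, the `cmd.exe /C` branch and the stream handling described in this section) and triage a candidate file without a YARA install. The strings section is copied verbatim from the report; the two sample inputs are constructed for the demonstration and are not the analyzed file.

```python
from __future__ import annotations

import re
import sys

# Strings section copied from rule CISA_10400779_08 in this report.
RULE_STRINGS = r"""
$s0 = { 67 65 74 50 61 72 61 6D 65 74 65 72 28 22 63 6D 64 22 29 }
$s1 = { 6F 75 74 2E 70 72 69 6E 74 6C 6E 28 22 43 6F 6D 6D 61 6E 64 }
$s2 = { 22 3C 42 52 3E 22 }
$s3 = { 67 65 74 50 72 6F 70 65 72 74 79 }
$s4 = { 22 6F 73 2E 6E 61 6D 65 22 }
$s5 = { 22 77 69 6E 64 6F 77 73 22 }
$s6 = { 63 6D 64 2E 65 78 65 20 2F 43 }
$s7 = { 4F 75 74 70 75 74 53 74 72 65 61 6D }
$s8 = { 6F 75 74 2E 70 72 69 6E 74 6C 6E 28 64 69 73 72 29 }
"""

# One `$name = { hex bytes }` definition per line.
_HEX_STRING = re.compile(r"(\$\w+)\s*=\s*\{([0-9A-Fa-f\s]+)\}")


def parse_hex_strings(rule_text: str) -> dict[str, bytes]:
    """Return {name: raw bytes} for every hex string in a YARA strings section."""
    # bytes.fromhex() skips ASCII whitespace (Python 3.7+), so the spaced
    # hex from the rule can be passed through unchanged.
    return {name: bytes.fromhex(body) for name, body in _HEX_STRING.findall(rule_text)}


def decode_strings(rule_text: str = RULE_STRINGS) -> dict[str, str]:
    """Plain-text view of each pattern; all nine in this rule are printable ASCII."""
    return {name: raw.decode("ascii") for name, raw in parse_hex_strings(rule_text).items()}


def missing_strings(data: bytes, rule_text: str = RULE_STRINGS) -> list[str]:
    """Names of rule strings that do not occur anywhere in `data`."""
    return [name for name, raw in parse_hex_strings(rule_text).items() if raw not in data]


def rule_matches(data: bytes, rule_text: str = RULE_STRINGS) -> bool:
    """Evaluate the rule's condition `all of them`: every string must be present."""
    return not missing_strings(data, rule_text)


def scan_file(path: str) -> bool:
    """Apply the condition to a file on disk (binary read, no decoding assumptions)."""
    with open(path, "rb") as fh:
        return rule_matches(fh.read())


# Constructed input: the nine decoded tokens joined by newlines. This is not a
# JSP page, only the minimum byte content the rule's condition requires.
SAMPLE_TRIGGERS = "\n".join(decode_strings().values()).encode("ascii")

# Constructed benign JSP fragment: it reads a "cmd" parameter and echoes it
# with "<BR>", but none of the execution-related strings appear, so the
# `all of them` condition fails and a simple echo page is not flagged.
SAMPLE_BENIGN = b'<%= "Echo: " + request.getParameter("cmd") + "<BR>" %>'


if __name__ == "__main__":
    for name, text in decode_strings().items():
        print(f"{name} = {text!r}")
    print("constructed trigger input matches:", rule_matches(SAMPLE_TRIGGERS))
    print("benign fragment matches:", rule_matches(SAMPLE_BENIGN),
          "missing", missing_strings(SAMPLE_BENIGN))
    for path in sys.argv[1:]:
        print(path, "MATCH" if scan_file(path) else "no match")
```

Because the condition requires all nine strings, a legitimate page that merely reads a `cmd` parameter is not flagged; `missing_strings()` reports which artifacts a near-miss lacks, which is useful when a defanged or modified copy of the shell drifts away from the exact bytes the rule expects.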

Screenshots
Figure 1 - The contents of the JSP file. It contains a form with input fields that prompt the attacker to enter the command to execute in the input box.

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

Revisions

Initial Version: September 27, 2022

This product is provided subject to this Notification and this Privacy & Use policy.
