Java/CVE202144228.B!tr.dldr

Analysis

Java/CVE202144228.B!tr.dldr is a generic detection for a trojan.
Since this is a generic detection, malware that are detected as Java/CVE202144228.B!tr.dldr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

• This malware is related to the log4j outbreak. The malware will attempt to download files to the victim machine. Based on our current observations, the most common utilized method was 'wget' and 'curl'.


• This malware has been associated with the following third party article/advisory.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

The correlation has been established due to a database near/exact match on one of the sample/IOC/file hash indicated in the mentioned resource.


• Below is an illustration of the payload implementation within a java class:
  

  Figure 1: utilizing curl.

  
  

  Figure 2: utilizing wget.

  
  
• Below are some sites to which some of the observed samples tried to connect to:
  
  • http://62.18[removed]56
  • http://por[removed]49d1f5d9c4
  • http://167.7[removed].106
  • http://18.2[removed]09


• Following are some of the exact IOCs/file hashes associated with this detection:
  
  • Md5: 08401964c81c6d923d3d2c852a88b4ba
    Sha256: 1573157dde718e12db347d919e3d289f18607b03fe21b49ea910230fc7478b4c
  • Md5: 39fc2cee0a2bea3ee9a065f6955ffd43
    Sha256: 82444084da0460b71a625154ca0bc815d7920137bbdb3463ee174b8efb234637
  • Md5: 416e951adf3ac5d24c7967afe134cf98
    Sha256: c319e30e4158f138d2f787720b88354a2f9a7faff686f1f6e9a8fd73b2371a66

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.