Java/CVE202144228.A!exploit

Analysis

Java/CVE202144228.A!exploit is a generic detection for a trojan.
Since this is a generic detection, malware that are detected as Java/CVE202144228.A!exploit may have varying behaviour.
Below are some of its observed characteristics/behaviours:

• This malware is related to the log4j outbreak. The exploit involves a compromised java class, either sent as a suspicious spam or through a compromised website. In order for the attack to be successful, a vulnerable version of the log4j library would need to be present on the current host.


• This malware has been associated with the following third party article/advisory.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

The correlation has been established due to a database near/exact match on one of the sample/IOC/file hash indicated in the mentioned resource.


• Below is an illustration of the exploit implementation within a java class:
  

  Figure 1: jndi implementation.

  
  

  Figure 2: jndi implementation.

  
  


• Below are some of the sites associated with the log4j exploit:
  
  • somesiteh[removed].com
  • 45.14[removed]160


• Following are some of exact IOCs/file hashes associated with this detection:
  
  • Md5: f8ed43117dfb995f4b9d88f566394ba4
    Sha256: 81f288645cf2afaf018a7ac6363fee28888a9bfbfbfa842b904ed5b6c74cb47f
  • Md5: 895defe3a4aaa3bcd4cb0cd6d56a6aa4
    Sha256: 8954ce69c14970e4354d321bce9abb13d829c1d34d8ae6d19144f371ebe350a9
  • Md5: c9f82cf44a5ff3b1d79ca4a44b1bcad5
    Sha256: 0c269d438b712d0d75ffcfc41d30df8d9a7b30659aadba7641f59b3b0db986cb

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.