Analysis by: Rika Joi Gregorio
 Modified by: Jennifer Gumban
ALIASES:

Hacktool.Jsprat(Symantec)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Hacking Tool

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This malware allows remote Web-based file access and manipulation. It may perform certain actions on the affected system.

This hacking tool may be manually installed by a user.

  TECHNICAL DETAILS

File Size: 89,345 bytes
File Type: Java
Initial Samples Received Date: 16 Aug 2013

Arrival Details

This hacking tool may be manually installed by a user.

Download Routine

This hacking tool downloads a possibly malicious file from a certain URL. The URL where this malware downloads the said file depends on the parameter passed on to it by its components.

Information Theft

This hacking tool accepts the following parameters:

  • ip
  • port
  • timeout
  • banner
  • driver
  • url
  • uid
  • pwd
  • sql
  • selectDb
  • type
  • switch
  • catalog
  • table
  • pw
  • folder
  • outentry
  • src
  • to
  • filepath
  • charset
  • filecontent
  • file
  • year
  • month
  • date
  • hour
  • minute
  • second
  • command
  • program
  • path
  • savepath
  • name
  • files
  • savefilename
  • packedfile
  • config
  • extfilter
  • fileext
  • sizefilter
  • filesize
  • zipfile
  • targetIP
  • targetPort
  • yourIP
  • yourPort
  • localIP
  • remoteIP
  • remotePort
  • Class
  • outentry
  • exe
  • cmd
  • encode
  • jspc
  • value
  • o
  • login

Other Details

Based on analysis of the codes, it has the following capabilities:

  • File Manager
  • Database Manager
  • Execute Processes
  • Invoke Shell
  • Start Back Connect
  • Perform Port Scan
  • Download user-input files
  • Manipulate Clipboard
  • Remote Control
  • View JSP Environment Information
  • Port Map
  • Java Reflect
  • Create / Delete Directory
  • Execute SQL Script

NOTES:

This tool allows Web user interfaced server management and manipulation. It runs on any JavaServer Pages (JSP) compatible Web server. It may perform the certain actions on the affected system.

  SOLUTION

Minimum Scan Engine: 9.800
VSAPI OPR PATTERN File: 10.207.00
VSAPI OPR PATTERN Date: 09 Aug 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product to delete files detected as JS_SPRATS.SM1. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.