
TrojanDownloader:Java/OpenConnection.KR


First posted on 07 November 2019.
Source: Microsoft

Aliases :

TrojanDownloader:Java/OpenConnection.KR is also known as Trojan-Downloader.Java.Agent.ja, Java.Trojan.Downloader.OpenConnection.AL, Java.Downloader.161, Troj/JavaDl-BE.

Explanation :

TrojanDownloader:Java/OpenConnection.KR is a trojan Java applet that could allow the downloading and execution of arbitrary malicious files.

Installation

TrojanDownloader:Java/OpenConnection.KR may be served from a malicious website as a Java archive, as in the following:

JavaSignedApplet.jar

As found in the wild, the archive contains one Java class named "RequiredJavaComponent.class".

Payload

Downloads and executes arbitrary files

This applet takes parameters for the URL and file name from the HTML page it was loaded from, such as the following:

hxxp://expa83.co.cc/bl2/drop.php?e=JavaSignedApplet
hxxp://mildworld.co.cc/news/exe.php?x=xoxo
hxxp://servicechip.co.cc/news/exe.php?x=xoxo
hxxp://shieldsystem.co.cc/news/exe.php?x=xoxo
hxxp://splextor197.tk/bl2/payload.php?e=JavaSignedApplet
hxxp://www.war-arron.com/bl/drop.php?e=JavaSignedApplet

Once downloaded and saved, the trojan executes these files.

Additional information

The name of the Java applet could be anything and does not affect the applet's functionality.

It is not uncommon for antivirus software to detect malicious Java applets in a web browser's cache. It doesn't necessarily mean that the system is compromised. Most of the time it reflects the fact that at some stage a webpage with a malicious applet had been visited and cached internally. To thwart such a notification, it is often enough to purge the cache using a web browser's configurable security options.

Analysis by Chris Stubbs
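A cache triage sketch for the behaviour described above, added here as an example and not part of the original Microsoft write-up: it walks a directory, recognises archives by content rather than file name (since the archive name can be anything), and flags those containing the class name given above. The function names and the sample files are constructed for illustration; the cache directory to scan is an assumption left to the caller.

```python
import os
import tempfile
import zipfile

SUSPECT_CLASS = "RequiredJavaComponent.class"  # class name from the write-up

def class_entries(path):
    """Return .class entry names if path is a ZIP/JAR, else None."""
    try:
        with zipfile.ZipFile(path) as jar:
            return [n for n in jar.namelist() if n.endswith(".class")]
    except (zipfile.BadZipFile, OSError):
        return None

def triage_cache(cache_dir):
    """Flag archives under cache_dir that contain the suspect class.

    Archives are recognised by content, not by file name, because the
    archive name can be anything.
    """
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in sorted(files):
            classes = class_entries(os.path.join(root, name))
            if not classes:
                continue
            if any(c.rsplit("/", 1)[-1] == SUSPECT_CLASS for c in classes):
                # A single-class archive matches the sample described above.
                hits.append((name, len(classes) == 1))
    return hits

def build_constructed_cache():
    """Create a temp directory of constructed sample files (no real malware)."""
    cache = tempfile.mkdtemp(prefix="javacache_")
    samples = {
        "renamed-applet": ["META-INF/MANIFEST.MF", SUSPECT_CLASS],
        "benign.jar": ["META-INF/MANIFEST.MF", "com/example/Main.class"],
        "bundle.jar": ["a/" + SUSPECT_CLASS, "a/Helper.class"],
    }
    for fname, entries in samples.items():
        with zipfile.ZipFile(os.path.join(cache, fname), "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"constructed placeholder")
    with open(os.path.join(cache, "index.idx"), "wb") as fh:
        fh.write(b"not an archive")
    return cache

if __name__ == "__main__":
    for name, single in triage_cache(build_constructed_cache()):
        print(name, "single-class archive" if single else "class present among others")
```

A hit in a browser or Java cache indicates that the archive was downloaded and cached, which, as noted above, does not by itself mean the system is compromised.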

Last update 07 November 2019
