Mjag is a newly observed downloader trojan built using the .NET framework and packaged using the SmartAssembly obfuscator.

It is delivered via malicious links distributed in small-scale spam and phishing campaigns. When opened, these links direct users to file-hosting sites, where Mjag is then downloaded to the affected device. Mjag will then copy itself to several directories before creating a registry key to maintain persistence.

Once installed, Mjag will attempt to deploy a hard-coded payload before connecting to a command and control (C2) server, however, older versions of Mjag have been observed failing to deploy their payloads correctly. This is thought to be the result of an error in the code used to contact the C2 server and is fixed in newer versions.

The Mjag dropper is used to drop the Punisher RAT.

Indicators of Compromise

URLs

• tenau.pw/owa/neftioban1830369427520181030abbidialtddt30102018_pdf.exe

Domains

• tenau.pw
• chris101.ddns.net

MD5

• 0a459c18e3b8bdef87a6fb7ea860acdb