Mjag Downloader Trojan

Mjag is a newly observed downloader trojan built using the .NET framework and packaged using the SmartAssembly obfuscator.

It is delivered via malicious links distributed in small-scale spam and phishing campaigns. When opened, these links direct users to file-hosting sites, where Mjag is then downloaded to the affected device. Mjag will then copy itself to several directories before creating a registry key to maintain persistence.

Once installed, Mjag will attempt to deploy a hard-coded payload before connecting to a command and control (C2) server, however, older versions of Mjag have been observed failing to deploy their payloads correctly. This is thought to be the result of an error in the code used to contact the C2 server and is fixed in newer versions.

The Mjag dropper is used to drop the Punisher RAT.

Indicators of Compromise


  • tenau.pw/owa/neftioban1830369427520181030abbidialtddt30102018_pdf.exe


  • tenau.pw
  • chris101.ddns.net


  • 0a459c18e3b8bdef87a6fb7ea860acdb

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: