Simple Analysis of an Obfuscated JAR File
Yesterday, I found in my spam trap a file named '0.19238000 1509447305.zip' (SHA256: 7bddf3bf47293b4ad8ae64b8b770e0805402b487a4d025e31ef586e9a52add91). The ZIP archive contained a Java archive named '0.19238000 1509447305.jar' (SHA256: b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4). The file had a score of 0/61 on VirusTotal (VT)[1] and looked like a nice candidate for a quick analysis.
.jar files are ZIP archives that contain compiled Java classes and a manifest file (META-INF/MANIFEST.MF) that points to the initial class to load. Let's decompile the classes. To do this, I'm using a small Docker container running jd-cmd:
$ docker run --rm -ti -v /tmp:/data -w /data jgiannuzzi/jd-cmd "0.19238000 1509447305.jar"
10:50:31.807 INFO jd.cli.Main - Decompiling foo.jar
10:50:31.829 INFO jd.core.output.ZipOutput - ZIP file output will be initialized - 0.19238000 1509447305.src.jar
10:50:34.095 INFO jd.core.output.ZipOutput - Finished with 81 class file(s) and 8 resource file(s) written.
It generates a new ZIP file '/tmp/0.19238000 1509447305.src.jar'. Let's unzip it:
$ unzip "/tmp/0.19238000 1509447305.src.jar"
Archive:  /tmp/0.19238000 1509447305.src.jar
  inflating: q945/q94827/q48/q7164/q90729/q37/q72547/Q3829054919394.java
  …
$ cd q945
$ cat META-INF/MANIFEST.MF
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.0
X-COMMENT: OeNJGNmMkernBqWEKrjYCTEHkSjbSTCXTXsnVuXDEksGlumaeSA
Class-Path:
Created-By: ZDXsPvlJoPPtiYqDvNmsTQsYFVhbEhXtWdfIEqiMhWB
Main-Class: q945.q94827.q48.q81736.q36.q63837.q09.Q6361728063815
You can see that the main class sits at the bottom of a deep hierarchy of sub-directories with random names (running `tree -d` on the unpacked archive lists dozens of them, all of the form 'q' followed by a few digits).
The application is split into many small files: the decompiler reported 81 class files, and `find . -name '*.java'` shows them scattered one per leaf directory, each with a random name of the same 'Q' plus digits form.
While reading the decompiled code, we can see that it is obfuscated: objects are stored in, and fetched from, static Object arrays spread across the classes, so every reference goes through an array index rather than a named field. Here is one of the classes:
public class Q0519450845491 {
  public static void q6481539083819() throws Exception {
    // Slot 24 of one class's Object array receives the result of getMethods()
    // called on whatever is stored in slot 36 of another class's Object array.
    q945.q94827.q48.q7164.q35173.q6271.q748.Q1939262939093.Q8281525151616[24] =
      q945.q94827.q48.q7164.q35173.q6271.q35.Q5481726151615.Q3846063949292[36].getMethods();
  }
}
The code also uses cryptographic functions (here, a javax.crypto.Cipher instance for AES):
q945.q94827.q48.q7164.q35173.q74.q38181.Q6280839171619.Q3538251949294[37] = Cipher.getInstance("AES");
The archive also contains encrypted files, which the `file` command cannot identify:
$ file ./q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917
./q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917: data
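To triage a JAR like this one without running it, here is an added Python example (not part of the original diary) that reads META-INF/MANIFEST.MF, measures how deep and random-looking the Main-Class package path is, counts classes, and flags non-class resources whose byte entropy is close to the maximum, the kind of blob that `file` only reports as 'data'. The JAR it inspects is constructed in memory to mimic the layout above; the package-name pattern and the entropy threshold are assumptions, not values from the diary.

```python
import io, math, re, zipfile
from collections import Counter

RANDOM_PKG = re.compile(r"^[a-z]\d+$")  # package names in this sample: one letter + digits (assumption)
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or compressed blobs sit near 8.0 (assumption)

def build_sample_jar() -> bytes:
    """Constructed in-memory JAR mimicking the analysed sample's layout; not the real file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n"
                   "Main-Class: q945.q94827.q48.q81736.q36.q63837.q09.Q6361728063815\r\n\r\n")
        stub = b"\xca\xfe\xba\xbe" + b"\0" * 32  # class-file magic plus padding
        z.writestr("q945/q94827/q48/q81736/q36/q63837/q09/Q6361728063815.class", stub)
        z.writestr("q945/q94827/q48/q7164/q90729/q37/q72547/Q3829054919394.class", stub)
        # Opaque resource standing in for an encrypted payload: every byte value equally frequent.
        z.writestr("q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917", bytes(range(256)) * 4)
    return buf.getvalue()

def parse_manifest(text: str) -> dict:
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the main section of the manifest
        if line.startswith(" ") and last:
            attrs[last] += line[1:]  # continuation line of the previous attribute
        elif ":" in line:
            key, _, val = line.partition(":")
            last, attrs[key.strip()] = key.strip(), val.strip()
    return attrs

def shannon_entropy(data: bytes) -> float:  # bits per byte; 8.0 = all byte values equally likely
    n = len(data)
    return float(-sum(c / n * math.log2(c / n) for c in Counter(data).values()))

def triage_jar(blob: bytes) -> dict:
    """Static indicators: entry point, package path shape, class count, opaque resources."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        main_class = manifest.get("Main-Class", "")
        pkgs = main_class.split(".")[:-1]
        resources = [n for n in names if not n.endswith(".class") and not n.startswith("META-INF/")]
        opaque = [n for n in resources if shannon_entropy(z.read(n)) > ENTROPY_THRESHOLD]
    return {"main_class": main_class, "package_depth": len(pkgs),
            "random_looking_packages": bool(pkgs) and all(RANDOM_PKG.match(p) for p in pkgs),
            "class_count": sum(n.endswith(".class") for n in names),
            "high_entropy_resources": opaque}
```

Run `triage_jar(open("sample.jar", "rb").read())` on a real archive; a deep, all-random package path combined with high-entropy resources is a strong hint that the JAR is a packed dropper rather than an ordinary application.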
When executed in a sandbox, the following files are created:
_0.57007632454940891986287463537679385.class (SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9)[2]
Windows4710937619573808871.dll (SHA256: 7da7e2e66b5b79123f9d731d60be76787b6374681e614099f18571a4c4463798)[3]
This is the Adwind RAT[4]. In my case, the sandbox established a connection to the following C2 server, located in Poland: 192.166.218.230, port 8070. While looking at the SSL certificate, I found a reference to an old blog post written by Brad in 2015[5]:
commonName = assylias
organizationName = assylias.Inc
As you can see, even though the files belonging to the RAT have been known for a while and are detected by many antivirus vendors, the dropper remains undetected!
[1] https://www.virustotal.com/en/file/b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4/analysis/1509448583/
[2] https://www.virustotal.com/en/file/97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9/analysis/
[3] https://www.virustotal.com/en/file/7da7e2e66b5b79123f9d731d60be76787b6374681e614099f18571a4c4463798/analysis/
[4] https://www.cyphort.com/threat-insights/adwind-rat/
[5] http://www.malware-traffic-analysis.net/2015/08/06/index.html
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant