SANS ISC: Simple Analysis of an Obfuscated JAR File

Yesterday, I found in my spam trap a file named '0.19238000 1509447305.zip' (SHA256: 7bddf3bf47293b4ad8ae64b8b770e0805402b487a4d025e31ef586e9a52add91). The ZIP archive contained a Java archive named '0.19238000 1509447305.jar' (SHA256: b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4). The file had a score of 0/61 on VirusTotal[1], which made it a nice candidate for a quick analysis.

A .jar file is a ZIP archive that contains compiled Java classes (.class files), optional resources and a manifest (META-INF/MANIFEST.MF) whose Main-Class attribute names the class the JVM loads first. Let's decompile the classes. To achieve this, I'm using a small Docker container that wraps jd-cmd, the command-line front-end of the JD decompiler:

$ docker run --rm -ti -v /tmp:/data -w /data jgiannuzzi/jd-cmd "0.19238000 1509447305.jar"
10:50:31.807 INFO  jd.cli.Main - Decompiling foo.jar
10:50:31.829 INFO  jd.core.output.ZipOutput - ZIP file output will be initialized - 0.19238000 1509447305.src.jar
10:50:34.095 INFO  jd.core.output.ZipOutput - Finished with 81 class file(s) and 8 resource file(s) written.

It generates a new ZIP file "/tmp/0.19238000 1509447305.src.jar". Let's unzip it:

$ unzip "/tmp/0.19238000 1509447305.src.jar"
Archive:  /tmp/0.19238000 1509447305.src.jar
  inflating: q945/q94827/q48/q7164/q90729/q37/q72547/Q3829054919394.java
…
$ cd q945
$ cat META-INF/MANIFEST.MF
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.0
X-COMMENT: OeNJGNmMkernBqWEKrjYCTEHkSjbSTCXTXsnVuXDEksGlumaeSA
Class-Path:
Created-By: ZDXsPvlJoPPtiYqDvNmsTQsYFVhbEhXtWdfIEqiMhWB
Main-Class: q945.q94827.q48.q81736.q36.q63837.q09.Q6361728063815

The Main-Class entry is buried at the bottom of a deep package hierarchy with random-looking names (a letter followed by digits), which the directory tree mirrors:

$ tree -d -n -A .
.
+-- q94827
    +-- q48
    |   +-- q71616
    |   |   +-- q15390
    |   |   |   +-- q637
    |   |   |   |   +-- q27
    |   |   |   |   +-- q39
    |   |   |   |   +-- q70738
    |   |   |   +-- q82737
    |   |   |   |   +-- q35152
    |   |   |   |   +-- q38374
    |   |   |   |   +-- q74736
    |   |   |   +-- q84
    |   |   |       +-- q06364
    |   |   |       +-- q08
    |   |   |       +-- q61725
    |   |   +-- q46390
    |   |   |   +-- q61
    |   |   |   |   +-- q17053
    |   |   |   |   +-- q26
    |   |   |   |   +-- q73
    |   |   |   +-- q73516
    |   |   |   |   +-- q17490
    |   |   |   |   +-- q39
    |   |   |   |   +-- q60
    |   |   |   +-- q92626
    |   |   |       +-- q45064
    |   |   |       +-- q48254
    |   |   |       +-- q74926
    |   |   +-- q80948
    |   |       +-- q192
    |   |       |   +-- q45
    |   |       |   +-- q52949
    |   |       |   +-- q94648
    |   |       +-- q37082
    |   |       |   +-- q09
    |   |       |   +-- q52815
    |   |       |   +-- q90916
    |   |       +-- q38084
    |   |           +-- q06
    |   |           +-- q51
    |   |           +-- q63908
    |   +-- q7164
    |   |   +-- q35173
    |   |   |   +-- q6271
    |   |   |   |   +-- q08
    |   |   |   |   +-- q35
    |   |   |   |   +-- q748
    |   |   |   +-- q74
    |   |   |   |   +-- q36
    |   |   |   |   +-- q38181
    |   |   |   |   +-- q81
    |   |   |   +-- q93
    |   |   |       +-- q0919
    |   |   |       +-- q37
    |   |   |       +-- q70916
    |   |   +-- q462
    |   |   |   +-- q62505
    |   |   |   |   +-- q05
    |   |   |   |   +-- q38
    |   |   |   |   +-- q64
    |   |   |   +-- q83548
    |   |   |   |   +-- q17073
    |   |   |   |   +-- q49
    |   |   |   |   +-- q70
    |   |   |   +-- q91
    |   |   |       +-- q0719
    |   |   |       +-- q16
    |   |   |       +-- q63816
    |   |   +-- q90729
    |   |       +-- q09162
    |   |       |   +-- q45160
    |   |       |   +-- q82
    |   |       |   +-- q84729
    |   |       +-- q180
    |   |       |   +-- q36053
    |   |       |   +-- q81
    |   |       |   +-- q83738
    |   |       +-- q37
    |   |           +-- q29473
    |   |           +-- q72547
    |   |           +-- q80
    |   +-- q81736
    |       +-- q05
    |       |   +-- q539
    |       |   |   +-- q0717
    |       |   |   +-- q49484
    |       |   |   +-- q80608
    |       |   +-- q62
    |       |   |   +-- q0548
    |       |   |   +-- q2849
    |       |   |   +-- q94605
    |       |   +-- q64836
    |       |       +-- q08371
    |       |       +-- q36
    |       |       +-- q71846
    |       +-- q36
    |       |   +-- q63837
    |       |   |   +-- q07151
    |       |   |   +-- q09
    |       |   |   +-- q90849
    |       |   +-- q91806
    |       |   |   +-- q17184
    |       |   |   +-- q46380
    |       |   |   +-- q639
    |       |   +-- q92747
    |       |       +-- q18381
    |       |       +-- q45371
    |       |       +-- q54645
    |       +-- q808
    |           +-- q08
    |           |   +-- q16064
    |           |   +-- q51727
    |           |   +-- q93626
    |           +-- q39293
    |           |   +-- q35
    |           |   +-- q52519
    |           |   +-- q84
    |           +-- q47463
    |               +-- q39453
    |               +-- q62835
    |               +-- q90838
    +-- q51728
        +-- q16362
            +-- q93525
                +-- q07462
                |   +-- q3945
                |   +-- q50
                |   +-- q82
                +-- q25
                    +-- q08474
                    +-- q61
                    +-- q747

The application is also split into many tiny classes, typically one per package:

$ find . -name '*.java' -print
./q945/q94827/q48/q7164/q90729/q37/q72547/Q3829054919394.java
./q945/q94827/q48/q7164/q90729/q37/q29473/Q7381739181819.java
./q945/q94827/q48/q7164/q90729/q37/q80/Q4916253949194.java
./q945/q94827/q48/q7164/q90729/q09162/q45160/Q4638051825290.java
./q945/q94827/q48/q7164/q90729/q09162/q84729/Q8484629093915.java
./q945/q94827/q48/q7164/q90729/q09162/q82/Q7091637083518.java
./q945/q94827/q48/q7164/q90729/q180/q83738/Q4749061825094.java
./q945/q94827/q48/q7164/q90729/q180/q36053/Q8282728053816.java
./q945/q94827/q48/q7164/q90729/q180/q81/Q2825260845492.java
./q945/q94827/q48/q7164/q35173/q6271/q08/Q7360625191718.java
./q945/q94827/q48/q7164/q35173/q6271/q35/Q5481726151615.java
./q945/q94827/q48/q7164/q35173/q6271/q748/Q1939262939093.java
./q945/q94827/q48/q7164/q35173/q93/q37/Q4535163929294.java
./q945/q94827/q48/q7164/q35173/q93/q0919/Q2606462949491.java
./q945/q94827/q48/q7164/q35173/q93/q70916/Q5073729171919.java
./q945/q94827/q48/q7164/q35173/q74/q36/Q7194527181515.java
./q945/q94827/q48/q7164/q35173/q74/q81/Q1737262939391.java
./q945/q94827/q48/q7164/q35173/q74/q38181/Q6280839171619.java
./q945/q94827/q48/q7164/q462/q91/q0719/Q0519450845491.java
./q945/q94827/q48/q7164/q462/q91/q16/Q0726153815391.java
./q945/q94827/q48/q7164/q462/q91/q63816/Q8152837053717.java
./q945/q94827/q48/q7164/q462/q83548/q17073/Q2619472825393.java
./q945/q94827/q48/q7164/q462/q83548/q49/Q1938370835090.java
./q945/q94827/q48/q7164/q462/q83548/q70/Q8460545073817.java
./q945/q94827/q48/q7164/q462/q62505/q64/Q2817151835190.java
./q945/q94827/q48/q7164/q462/q62505/q38/Q9283936093918.java
./q945/q94827/q48/q7164/q462/q62505/q05/Q6364936053715.java
./q945/q94827/q48/q71616/q15390/q82737/q74736/Q3526374835390.java
./q945/q94827/q48/q71616/q15390/q82737/q38374/Q9092845093618.java
./q945/q94827/q48/q71616/q15390/q82737/q35152/Q7173647083518.java
./q945/q94827/q48/q71616/q15390/q637/q39/Q2745170845291.java
./q945/q94827/q48/q71616/q15390/q637/q70738/Q6274848053616.java
./q945/q94827/q48/q71616/q15390/q637/q27/Q0808381905093.java
./q945/q94827/q48/q71616/q15390/q84/q08/Q6451707183518.java
./q945/q94827/q48/q71616/q15390/q84/q61725/Q3909482945193.java
./q945/q94827/q48/q71616/q15390/q84/q06364/Q9380606193517.java
./q945/q94827/q48/q71616/q80948/q192/q94648/Q4839390925290.java
./q945/q94827/q48/q71616/q80948/q192/q52949/Q1916194915390.java
./q945/q94827/q48/q71616/q80948/q192/q45/Q7351616153618.java
./q945/q94827/q48/q71616/q80948/q38084/q06/Q3747484945092.java
./q945/q94827/q48/q71616/q80948/q38084/q51/Q6270719163817.java
./q945/q94827/q48/q71616/q80948/q38084/q63908/Q6154606183617.java
./q945/q94827/q48/q71616/q80948/q37082/q09/Q9093907163716.java
./q945/q94827/q48/q71616/q80948/q37082/q90916/Q2505484945294.java
./q945/q94827/q48/q71616/q80948/q37082/q52815/Q2606181905393.java
./q945/q94827/q48/q71616/q46390/q92626/q45064/Q4738460905291.java
./q945/q94827/q48/q71616/q46390/q92626/q48254/Q1547390925192.java
./q945/q94827/q48/q71616/q46390/q92626/q74926/Q9190825183619.java
./q945/q94827/q48/q71616/q46390/q61/q17053/Q6472818173917.java
./q945/q94827/q48/q71616/q46390/q61/q26/Q6064518153618.java
./q945/q94827/q48/q71616/q46390/q61/q73/Q1635190905194.java
./q945/q94827/q48/q71616/q46390/q73516/q39/Q5291528193519.java
./q945/q94827/q48/q71616/q46390/q73516/q60/Q2836162905292.java
./q945/q94827/q48/q71616/q46390/q73516/q17490/Q7382728193716.java
./q945/q94827/q48/q81736/q36/q63837/q09/Q6361728063815.java
./q945/q94827/q48/q81736/q36/q91806/q17184/Q3837070905294.java
./q945/q94827/q48/q81736/q36/q91806/q46380/Q4938183625490.java
./q945/q94827/q48/q81736/q36/q91806/q639/Q6354848153717.java
./q945/q94827/q48/q81736/q36/q92747/q54645/Q9064929073918.java
./q945/q94827/q48/q81736/q36/q92747/q45371/Q7264625063916.java
./q945/q94827/q48/q81736/q36/q92747/q18381/Q7383826063615.java
./q945/q94827/q48/q81736/q808/q08/q93626/Q4638374925193.java
./q945/q94827/q48/q81736/q808/q08/q16064/Q8071849153915.java
./q945/q94827/q48/q81736/q808/q08/q51727/Q4549271915294.java
./q945/q94827/q48/q81736/q808/q47463/q90838/Q5484836173617.java
./q945/q94827/q48/q81736/q808/q47463/q62835/Q9363936193516.java
./q945/q94827/q48/q81736/q808/q47463/q39453/Q1937151915394.java
./q945/q94827/q48/q81736/q808/q39293/q84/Q6192749163919.java
./q945/q94827/q48/q81736/q808/q39293/q52519/Q7263947193515.java
./q945/q94827/q48/q81736/q808/q39293/q35/Q3736372905290.java
./q945/q94827/q48/q81736/q05/q62/q2849/Q1915164925292.java
./q945/q94827/q48/q81736/q05/q62/q94605/Q8483728183717.java
./q945/q94827/q48/q81736/q05/q62/q0548/Q0607061935192.java
./q945/q94827/q48/q81736/q05/q539/q80608/Q2548154945491.java
./q945/q94827/q48/q81736/q05/q539/q0717/Q6161737173916.java
./q945/q94827/q48/q81736/q05/q539/q49484/Q9090935163715.java
./q945/q94827/q48/q81736/q05/q64836/q36/Q3729452905190.java
./q945/q94827/q48/q81736/q05/q64836/q71846/Q7272636163517.java
./q945/q94827/q48/q81736/q05/q64836/q08371/Q4825251935292.java
./q945/q94827/q51728/q16362/q93525/q07462/q50/Q3818360939190.java
./Q6361728063815.java

While reading the decompiled code, we can see that it is obfuscated: every object lives in a static Object[] array on some class and is referenced by index, so there are no meaningful names to follow, only slot numbers:

public class Q0519450845491
{
  public static void q6481539083819()
    throws Exception
  {
    q945.q94827.q48.q7164.q35173.q6271.q748.Q1939262939093.Q8281525151616[24] = q945.q94827.q48.q7164.q35173.q6271.q35.Q5481726151615.Q3846063949292[36].getMethods();
  }
}

The code also calls the Java Cryptography API and instantiates an AES cipher. Note that Cipher.getInstance("AES") with no mode or padding specified defaults to AES/ECB/PKCS5Padding on Oracle and OpenJDK, which is what you need to know if you intend to decrypt the embedded resources yourself:

q945.q94827.q48.q7164.q35173.q74.q38181.Q6280839171619.Q3538251949294[37] = Cipher.getInstance("AES");
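One way to make such code readable is to index every slot assignment and inline the references, turning an assignment like Q8281525151616[24] = ...Q3846063949292[36].getMethods() into the expression it actually evaluates. The script below is an added example written for this diary; it is not the author's tooling or the malware's code. Its SAMPLE reuses the two statements quoted above and adds three constructed ones (made-up class lookups and a fake key string) so that the references have something to resolve to:

```python
"""Inline the Object[] slot indirection seen in the decompiled dropper.
Added example for this diary, not the author's tooling or the malware's code.
The first two statements in SAMPLE are the diary's own fragments; the other
three are constructed so that the references have something to resolve to
(the key string is made up)."""
import re

# A slot reference: lower-case package path, holder class, Object[] field, index.
SLOT_RE = re.compile(r'(?:[a-z]\w*\.)+[A-Z]\w*\.[A-Z]\w*\[\d+\]')
# A statement storing an expression into a slot.
ASSIGN_RE = re.compile(r'^\s*(' + SLOT_RE.pattern + r')\s*=\s*(.+?);\s*$')

SAMPLE = """
q945.q94827.q48.q7164.q35173.q6271.q748.Q1939262939093.Q8281525151616[24] = q945.q94827.q48.q7164.q35173.q6271.q35.Q5481726151615.Q3846063949292[36].getMethods();
q945.q94827.q48.q7164.q35173.q74.q38181.Q6280839171619.Q3538251949294[37] = Cipher.getInstance("AES");
q945.q94827.q48.q7164.q35173.q6271.q35.Q5481726151615.Q3846063949292[36] = Class.forName("javax.crypto.Cipher");
q945.q94827.q48.q7164.q35173.q74.q38181.Q6280839171619.Q3538251949294[39] = "ZmFrZWtleQ==".getBytes();
q945.q94827.q48.q7164.q35173.q74.q38181.Q6280839171619.Q3538251949294[38] = new SecretKeySpec(q945.q94827.q48.q7164.q35173.q74.q38181.Q6280839171619.Q3538251949294[39], "AES");
"""


def index_slots(source: str) -> dict:
    """Map each slot to the expression assigned to it.

    Slots assigned more than once are dropped: their content depends on
    control flow and cannot be inlined by a textual pass like this one."""
    slots, reassigned = {}, set()
    for line in source.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        lhs, rhs = m.group(1), m.group(2)
        if lhs in slots:
            reassigned.add(lhs)
        slots[lhs] = rhs
    for lhs in reassigned:
        del slots[lhs]
    return slots


def resolve(expr: str, slots: dict, depth: int = 0, max_depth: int = 32) -> str:
    """Replace every known slot reference in expr by its (resolved) expression.

    No parentheses are added, so this is only exact when a slot holds a call,
    a literal or a 'new' expression, as every slot in this sample does."""
    if depth > max_depth:            # cyclic assignments: stop inlining
        return expr

    def sub(m):
        ref = m.group(0)
        if ref not in slots:
            return ref               # unknown or multiply-assigned slot
        return resolve(slots[ref], slots, depth + 1, max_depth)

    return SLOT_RE.sub(sub, expr)


def deobfuscate(source: str) -> dict:
    """{slot: fully inlined expression} for every single-assignment slot."""
    slots = index_slots(source)
    return {lhs: resolve(rhs, slots) for lhs, rhs in slots.items()}


def short(slot: str) -> str:
    """Strip the package path: 'Q3538251949294[37]' instead of the full name."""
    return slot.rsplit('.', 1)[-1]


if __name__ == '__main__':
    for slot, expr in deobfuscate(SAMPLE).items():
        print(f'{short(slot)} = {expr}')
```

Running it prints one resolved assignment per slot, for instance Q8281525151616[24] = Class.forName("javax.crypto.Cipher").getMethods(). Slots that are assigned more than once are left unresolved, because which value they hold depends on control flow, and no parentheses are inserted on inlining, which is exact only while every slot holds a call, a literal or a new expression, as in the sample. Once the slot table is built, the same SLOT_RE.sub pass can be applied to non-assignment statements (reflective invoke calls, for instance).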

The archive also contains resource files with no recognisable format (the decompiler counted 8 of them), which are the encrypted payloads:

$ file ./q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917
./q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917: data
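The manifest, the random package hierarchy, the many tiny classes and the unidentifiable resources are all visible without decompiling anything, so they can be scored straight from the ZIP. The script below is an added example written for this diary (not the author's tooling): it parses META-INF/MANIFEST.MF, including the spec's 72-byte continuation lines, measures how much of the Main-Class path is random-looking, and flags resources whose byte entropy is close to 8 bits per byte, which is what `file` reports as plain "data". The JAR it analyses is constructed in memory: the paths copy the diary's listing, the contents are fake (a deterministic random blob stands in for the encrypted resource), and the 7.5-bit threshold and the letter-plus-digits name pattern are assumptions tuned to this sample:

```python
"""Static triage of a JAR, written as an added example for this diary (not the
author's tooling).  It parses META-INF/MANIFEST.MF for Main-Class, scores the
package hierarchy for random-looking names, and flags resources that `file`
would only call "data" by their byte entropy.  The sample JAR is constructed
in memory: the paths copy the diary's listing, the contents are fake."""
import io
import math
import random
import re
import zipfile
from collections import Counter

# Obfuscated components such as q945, q94827 or Q6361728063815: one letter
# followed only by digits.  Heuristic, tuned to this sample's naming scheme.
RANDOM_NAME_RE = re.compile(r'^[A-Za-z]\d+$')


def parse_manifest(raw: bytes) -> dict:
    """Parse the main section of a JAR manifest into {attribute: value}.

    The JAR spec wraps long values at 72 bytes; a continuation line starts
    with one space and is appended to the previous attribute's value."""
    attrs, last_key = {}, None
    for line in raw.decode('utf-8', errors='replace').splitlines():
        if not line.strip():
            break                      # blank line ends the main section
        if line.startswith(' ') and last_key is not None:
            attrs[last_key] += line[1:]
            continue
        key, sep, value = line.partition(':')
        if sep:
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, low for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_jar(jar_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Summarise a JAR's entry point, naming scheme and opaque resources."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith('/')]
        manifest = parse_manifest(zf.read('META-INF/MANIFEST.MF'))
        main_class = manifest.get('Main-Class', '')
        classes = [n for n in names if n.endswith('.class')]
        resources = [n for n in names
                     if not n.endswith('.class') and not n.startswith('META-INF/')]
        parts = main_class.split('.')
        random_parts = sum(1 for p in parts if RANDOM_NAME_RE.match(p))
        opaque = [(r, round(shannon_entropy(zf.read(r)), 2)) for r in resources]
        opaque = [(r, e) for r, e in opaque if e >= entropy_threshold]
    return {
        'main_class': main_class,
        'package_depth': len(parts) - 1,          # packages above the class
        'random_name_ratio': random_parts / len(parts),
        'class_count': len(classes),
        'resource_count': len(resources),
        'high_entropy_resources': opaque,
    }


def build_sample_jar() -> bytes:
    """Constructed sample: the diary's paths with fake contents."""
    rng = random.Random(1)                        # deterministic "ciphertext"
    manifest = (b"Manifest-Version: 1.0\r\n"
                b"Class-Path: \r\n"
                b"Main-Class: q945.q94827.q48.q81736.q36.q63837.q09.Q636172806381\r\n"
                b" 5\r\n"                         # spec-style continuation line
                b"\r\n")
    fake_class = b'\xca\xfe\xba\xbe' + b'\x00' * 60   # class-file magic only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('META-INF/MANIFEST.MF', manifest)
        zf.writestr('q945/q94827/q48/q81736/q36/q63837/q09/Q6361728063815.class', fake_class)
        zf.writestr('q945/q94827/q48/q7164/q90729/q37/q72547/Q3829054919394.class', fake_class)
        zf.writestr('q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917',
                    bytes(rng.getrandbits(8) for _ in range(4096)))
        zf.writestr('q945/README.txt', b'hello ' * 100)   # low-entropy control
    return buf.getvalue()


if __name__ == '__main__':
    for key, value in triage_jar(build_sample_jar()).items():
        print(f'{key}: {value}')
```

The entropy check is a heuristic: compressed images or nested archives also score close to 8 bits per byte, so treat a hit as a pointer to what to pull apart next rather than as proof of encryption. Against the original JAR, class_count and resource_count should reproduce the 81 class files and 8 resource files the decompiler reported above, and the Main-Class path scores 1.0 on the random-name ratio because every one of its eight components is a letter followed by digits.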

When executed in a sandbox, the following files are created:

_0.57007632454940891986287463537679385.class (SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9)[2]
Windows4710937619573808871.dll (SHA256: 7da7e2e66b5b79123f9d731d60be76787b6374681e614099f18571a4c4463798)[3]

This is the Adwind RAT[4]. In my case, the sandbox established a connection to a C2 server located in Poland, 192.166.218.230 on TCP port 8070. The SSL certificate presented by the C2 server led me to an old blog post written by Brad in 2015[5], which shows the same subject:

commonName = assylias
organizationName = assylias.Inc

As you can see, even though the files dropped by the RAT have been known for a while and are detected by many antivirus vendors, the dropper itself was still undetected at the time of analysis (0/61 on VirusTotal). A freshly re-obfuscated loader like this one defeats signature matching, which is why the static indicators shown above (random package names, dozens of tiny classes, opaque high-entropy resources) are worth checking on .jar attachments before they reach a user.

[1] https://www.virustotal.com/en/file/b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4/analysis/1509448583/
[2] https://www.virustotal.com/en/file/97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9/analysis/
[3] https://www.virustotal.com/en/file/7da7e2e66b5b79123f9d731d60be76787b6374681e614099f18571a4c4463798/analysis/
[4] https://www.cyphort.com/threat-insights/adwind-rat/
[5] http://www.malware-traffic-analysis.net/2015/08/06/index.html

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant