Simple Analysis of an Obfuscated JAR File
Yesterday, I found in my spam trap a file named '0.19238000 1509447305.zip’ (SHA256: 7bddf3bf47293b4ad8ae64b8b770e0805402b487a4d025e31ef586e9a52add91). The ZIP archive contained a Java archive named '0.19238000 1509447305.jar’ (SHA256: b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4). The file had a score of 0/61 in VT[1] and looks to be a nice candidate for a quick analysis.
.jar files are ZIP archives that contain compiled Java classes and a Manifest file that points to the initial class to load. Let’s decompile the classes. To achieve this, I'm using a small Docker container:
$ docker run --rm -ti -v /tmp:/data -w /data jgiannuzzi/jd-cmd "0.19238000 1509447305.jar" 10:50:31.807 INFO jd.cli.Main - Decompiling foo.jar 10:50:31.829 INFO jd.core.output.ZipOutput - ZIP file output will be initialized - 0.19238000 1509447305.src.jar 10:50:34.095 INFO jd.core.output.ZipOutput - Finished with 81 class file(s) and 8 resource file(s) written.
It generates a new ZIP file "/tmp/0.19238000 1509447305.src.jar”. Let’s unzip it:
$ unzip "/tmp/0.19238000 1509447305.src.jar” Archive: /tmp/0.19238000 1509447305.src.jar inflating: q945/q94827/q48/q7164/q90729/q37/q72547/Q3829054919394.java … $ cd q945 $ cat META-INF/MANIFEST.MF Manifest-Version: 1.0 Ant-Version: Apache Ant 1.8.0 X-COMMENT: OeNJGNmMkernBqWEKrjYCTEHkSjbSTCXTXsnVuXDEksGlumaeSA Class-Path: Created-By: ZDXsPvlJoPPtiYqDvNmsTQsYFVhbEhXtWdfIEqiMhWB Main-Class: q945.q94827.q48.q81736.q36.q63837.q09.Q6361728063815
You can see that the main class is located in a bunch of sub-directories with random names:
$ tree -d -n -A .
.
+-- q94827
+-- q48
| +-- q71616
| | +-- q15390
| | | +-- q637
| | | | +-- q27
| | | | +-- q39
| | | | +-- q70738
| | | +-- q82737
| | | | +-- q35152
| | | | +-- q38374
| | | | +-- q74736
| | | +-- q84
| | | +-- q06364
| | | +-- q08
| | | +-- q61725
| | +-- q46390
| | | +-- q61
| | | | +-- q17053
| | | | +-- q26
| | | | +-- q73
| | | +-- q73516
| | | | +-- q17490
| | | | +-- q39
| | | | +-- q60
| | | +-- q92626
| | | +-- q45064
| | | +-- q48254
| | | +-- q74926
| | +-- q80948
| | +-- q192
| | | +-- q45
| | | +-- q52949
| | | +-- q94648
| | +-- q37082
| | | +-- q09
| | | +-- q52815
| | | +-- q90916
| | +-- q38084
| | +-- q06
| | +-- q51
| | +-- q63908
| +-- q7164
| | +-- q35173
| | | +-- q6271
| | | | +-- q08
| | | | +-- q35
| | | | +-- q748
| | | +-- q74
| | | | +-- q36
| | | | +-- q38181
| | | | +-- q81
| | | +-- q93
| | | +-- q0919
| | | +-- q37
| | | +-- q70916
| | +-- q462
| | | +-- q62505
| | | | +-- q05
| | | | +-- q38
| | | | +-- q64
| | | +-- q83548
| | | | +-- q17073
| | | | +-- q49
| | | | +-- q70
| | | +-- q91
| | | +-- q0719
| | | +-- q16
| | | +-- q63816
| | +-- q90729
| | +-- q09162
| | | +-- q45160
| | | +-- q82
| | | +-- q84729
| | +-- q180
| | | +-- q36053
| | | +-- q81
| | | +-- q83738
| | +-- q37
| | +-- q29473
| | +-- q72547
| | +-- q80
| +-- q81736
| +-- q05
| | +-- q539
| | | +-- q0717
| | | +-- q49484
| | | +-- q80608
| | +-- q62
| | | +-- q0548
| | | +-- q2849
| | | +-- q94605
| | +-- q64836
| | +-- q08371
| | +-- q36
| | +-- q71846
| +-- q36
| | +-- q63837
| | | +-- q07151
| | | +-- q09
| | | +-- q90849
| | +-- q91806
| | | +-- q17184
| | | +-- q46380
| | | +-- q639
| | +-- q92747
| | +-- q18381
| | +-- q45371
| | +-- q54645
| +-- q808
| +-- q08
| | +-- q16064
| | +-- q51727
| | +-- q93626
| +-- q39293
| | +-- q35
| | +-- q52519
| | +-- q84
| +-- q47463
| +-- q39453
| +-- q62835
| +-- q90838
+-- q51728
+-- q16362
+-- q93525
+-- q07462
| +-- q3945
| +-- q50
| +-- q82
+-- q25
+-- q08474
+-- q61
+-- q747
The application is split into many small files:
$ find . -name '*.java' -print ./q945/q94827/q48/q7164/q90729/q37/q72547/Q3829054919394.java ./q945/q94827/q48/q7164/q90729/q37/q29473/Q7381739181819.java ./q945/q94827/q48/q7164/q90729/q37/q80/Q4916253949194.java ./q945/q94827/q48/q7164/q90729/q09162/q45160/Q4638051825290.java ./q945/q94827/q48/q7164/q90729/q09162/q84729/Q8484629093915.java ./q945/q94827/q48/q7164/q90729/q09162/q82/Q7091637083518.java ./q945/q94827/q48/q7164/q90729/q180/q83738/Q4749061825094.java ./q945/q94827/q48/q7164/q90729/q180/q36053/Q8282728053816.java ./q945/q94827/q48/q7164/q90729/q180/q81/Q2825260845492.java ./q945/q94827/q48/q7164/q35173/q6271/q08/Q7360625191718.java ./q945/q94827/q48/q7164/q35173/q6271/q35/Q5481726151615.java ./q945/q94827/q48/q7164/q35173/q6271/q748/Q1939262939093.java ./q945/q94827/q48/q7164/q35173/q93/q37/Q4535163929294.java ./q945/q94827/q48/q7164/q35173/q93/q0919/Q2606462949491.java ./q945/q94827/q48/q7164/q35173/q93/q70916/Q5073729171919.java ./q945/q94827/q48/q7164/q35173/q74/q36/Q7194527181515.java ./q945/q94827/q48/q7164/q35173/q74/q81/Q1737262939391.java ./q945/q94827/q48/q7164/q35173/q74/q38181/Q6280839171619.java ./q945/q94827/q48/q7164/q462/q91/q0719/Q0519450845491.java ./q945/q94827/q48/q7164/q462/q91/q16/Q0726153815391.java ./q945/q94827/q48/q7164/q462/q91/q63816/Q8152837053717.java ./q945/q94827/q48/q7164/q462/q83548/q17073/Q2619472825393.java ./q945/q94827/q48/q7164/q462/q83548/q49/Q1938370835090.java ./q945/q94827/q48/q7164/q462/q83548/q70/Q8460545073817.java ./q945/q94827/q48/q7164/q462/q62505/q64/Q2817151835190.java ./q945/q94827/q48/q7164/q462/q62505/q38/Q9283936093918.java ./q945/q94827/q48/q7164/q462/q62505/q05/Q6364936053715.java ./q945/q94827/q48/q71616/q15390/q82737/q74736/Q3526374835390.java ./q945/q94827/q48/q71616/q15390/q82737/q38374/Q9092845093618.java ./q945/q94827/q48/q71616/q15390/q82737/q35152/Q7173647083518.java ./q945/q94827/q48/q71616/q15390/q637/q39/Q2745170845291.java ./q945/q94827/q48/q71616/q15390/q637/q70738/Q6274848053616.java ./q945/q94827/q48/q71616/q15390/q637/q27/Q0808381905093.java ./q945/q94827/q48/q71616/q15390/q84/q08/Q6451707183518.java ./q945/q94827/q48/q71616/q15390/q84/q61725/Q3909482945193.java ./q945/q94827/q48/q71616/q15390/q84/q06364/Q9380606193517.java ./q945/q94827/q48/q71616/q80948/q192/q94648/Q4839390925290.java ./q945/q94827/q48/q71616/q80948/q192/q52949/Q1916194915390.java ./q945/q94827/q48/q71616/q80948/q192/q45/Q7351616153618.java ./q945/q94827/q48/q71616/q80948/q38084/q06/Q3747484945092.java ./q945/q94827/q48/q71616/q80948/q38084/q51/Q6270719163817.java ./q945/q94827/q48/q71616/q80948/q38084/q63908/Q6154606183617.java ./q945/q94827/q48/q71616/q80948/q37082/q09/Q9093907163716.java ./q945/q94827/q48/q71616/q80948/q37082/q90916/Q2505484945294.java ./q945/q94827/q48/q71616/q80948/q37082/q52815/Q2606181905393.java ./q945/q94827/q48/q71616/q46390/q92626/q45064/Q4738460905291.java ./q945/q94827/q48/q71616/q46390/q92626/q48254/Q1547390925192.java ./q945/q94827/q48/q71616/q46390/q92626/q74926/Q9190825183619.java ./q945/q94827/q48/q71616/q46390/q61/q17053/Q6472818173917.java ./q945/q94827/q48/q71616/q46390/q61/q26/Q6064518153618.java ./q945/q94827/q48/q71616/q46390/q61/q73/Q1635190905194.java ./q945/q94827/q48/q71616/q46390/q73516/q39/Q5291528193519.java ./q945/q94827/q48/q71616/q46390/q73516/q60/Q2836162905292.java ./q945/q94827/q48/q71616/q46390/q73516/q17490/Q7382728193716.java ./q945/q94827/q48/q81736/q36/q63837/q09/Q6361728063815.java ./q945/q94827/q48/q81736/q36/q91806/q17184/Q3837070905294.java ./q945/q94827/q48/q81736/q36/q91806/q46380/Q4938183625490.java ./q945/q94827/q48/q81736/q36/q91806/q639/Q6354848153717.java ./q945/q94827/q48/q81736/q36/q92747/q54645/Q9064929073918.java ./q945/q94827/q48/q81736/q36/q92747/q45371/Q7264625063916.java ./q945/q94827/q48/q81736/q36/q92747/q18381/Q7383826063615.java ./q945/q94827/q48/q81736/q808/q08/q93626/Q4638374925193.java ./q945/q94827/q48/q81736/q808/q08/q16064/Q8071849153915.java ./q945/q94827/q48/q81736/q808/q08/q51727/Q4549271915294.java ./q945/q94827/q48/q81736/q808/q47463/q90838/Q5484836173617.java ./q945/q94827/q48/q81736/q808/q47463/q62835/Q9363936193516.java ./q945/q94827/q48/q81736/q808/q47463/q39453/Q1937151915394.java ./q945/q94827/q48/q81736/q808/q39293/q84/Q6192749163919.java ./q945/q94827/q48/q81736/q808/q39293/q52519/Q7263947193515.java ./q945/q94827/q48/q81736/q808/q39293/q35/Q3736372905290.java ./q945/q94827/q48/q81736/q05/q62/q2849/Q1915164925292.java ./q945/q94827/q48/q81736/q05/q62/q94605/Q8483728183717.java ./q945/q94827/q48/q81736/q05/q62/q0548/Q0607061935192.java ./q945/q94827/q48/q81736/q05/q539/q80608/Q2548154945491.java ./q945/q94827/q48/q81736/q05/q539/q0717/Q6161737173916.java ./q945/q94827/q48/q81736/q05/q539/q49484/Q9090935163715.java ./q945/q94827/q48/q81736/q05/q64836/q36/Q3729452905190.java ./q945/q94827/q48/q81736/q05/q64836/q71846/Q7272636163517.java ./q945/q94827/q48/q81736/q05/q64836/q08371/Q4825251935292.java ./q945/q94827/q51728/q16362/q93525/q07462/q50/Q3818360939190.java ./Q6361728063815.java
While checking the decompiled code, we can see that the code is obfuscated. Object arrays are used to handle all objects:
public class Q0519450845491
{
public static void q6481539083819()
throws Exception
{
q945.q94827.q48.q7164.q35173.q6271.q748.Q1939262939093.Q8281525151616[24] = q945.q94827.q48.q7164.q35173.q6271.q35.Q5481726151615.Q3846063949292[36].getMethods();
}
}
The code includes cryptographic functions:
q945.q94827.q48.q7164.q35173.q74.q38181.Q6280839171619.Q3538251949294[37] = Cipher.getInstance("AES");
The archive contains encrypted files
$ file ./q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917 ./q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917: data
When executed in a sandbox, the following files are created:
_0.57007632454940891986287463537679385.class (SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9)[2]
Windows4710937619573808871.dll (SHA256: 7da7e2e66b5b79123f9d731d60be76787b6374681e614099f18571a4c4463798)[3]
This is the Adwind RAT[4]. In my case, the sandbox established a connection to the following C2 server located in Poland: 192.166.218.230:port 8070. While looking at the SSL certificate, I found a reference to an old blog post written by Brad in 2015[5]:
commonName = assylias organizationName = assylias.Inc
As you can see, even if the files belonging to the RAT are known for a while and detected by many antivirus vendors, the dropper remains undetected!
[1] https://www.virustotal.com/en/file/b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4/analysis/1509448583/
[2] https://www.virustotal.com/en/file/97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9/analysis/
[3] https://www.virustotal.com/en/file/7da7e2e66b5b79123f9d731d60be76787b6374681e614099f18571a4c4463798/analysis/
[4] https://www.cyphort.com/threat-insights/adwind-rat/
[5] http://www.malware-traffic-analysis.net/2015/08/06/index.html
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
| Reverse-Engineering Malware: Advanced Code Analysis | Singapore | Nov 18th - Nov 22nd 2024 |
Comments