Simple Analysis of an Obfuscated JAR File
Yesterday, I found in my spam trap a file named '0.19238000 1509447305.zip’ (SHA256: 7bddf3bf47293b4ad8ae64b8b770e0805402b487a4d025e31ef586e9a52add91). The ZIP archive contained a Java archive named '0.19238000 1509447305.jar’ (SHA256: b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4). The file had a score of 0/61 in VT[1] and looks to be a nice candidate for a quick analysis.
.jar files are ZIP archives that contain compiled Java classes and a Manifest file that points to the initial class to load. Let’s decompile the classes. To achieve this, I'm using a small Docker container:
$ docker run --rm -ti -v /tmp:/data -w /data jgiannuzzi/jd-cmd "0.19238000 1509447305.jar" 10:50:31.807 INFO jd.cli.Main - Decompiling foo.jar 10:50:31.829 INFO jd.core.output.ZipOutput - ZIP file output will be initialized - 0.19238000 1509447305.src.jar 10:50:34.095 INFO jd.core.output.ZipOutput - Finished with 81 class file(s) and 8 resource file(s) written.
It generates a new ZIP file "/tmp/0.19238000 1509447305.src.jar”. Let’s unzip it:
$ unzip "/tmp/0.19238000 1509447305.src.jar” Archive: /tmp/0.19238000 1509447305.src.jar inflating: q945/q94827/q48/q7164/q90729/q37/q72547/Q3829054919394.java … $ cd q945 $ cat META-INF/MANIFEST.MF Manifest-Version: 1.0 Ant-Version: Apache Ant 1.8.0 X-COMMENT: OeNJGNmMkernBqWEKrjYCTEHkSjbSTCXTXsnVuXDEksGlumaeSA Class-Path: Created-By: ZDXsPvlJoPPtiYqDvNmsTQsYFVhbEhXtWdfIEqiMhWB Main-Class: q945.q94827.q48.q81736.q36.q63837.q09.Q6361728063815
You can see that the main class is located in a bunch of sub-directories with random names:
$ tree -d -n -A . . +-- q94827 +-- q48 | +-- q71616 | | +-- q15390 | | | +-- q637 | | | | +-- q27 | | | | +-- q39 | | | | +-- q70738 | | | +-- q82737 | | | | +-- q35152 | | | | +-- q38374 | | | | +-- q74736 | | | +-- q84 | | | +-- q06364 | | | +-- q08 | | | +-- q61725 | | +-- q46390 | | | +-- q61 | | | | +-- q17053 | | | | +-- q26 | | | | +-- q73 | | | +-- q73516 | | | | +-- q17490 | | | | +-- q39 | | | | +-- q60 | | | +-- q92626 | | | +-- q45064 | | | +-- q48254 | | | +-- q74926 | | +-- q80948 | | +-- q192 | | | +-- q45 | | | +-- q52949 | | | +-- q94648 | | +-- q37082 | | | +-- q09 | | | +-- q52815 | | | +-- q90916 | | +-- q38084 | | +-- q06 | | +-- q51 | | +-- q63908 | +-- q7164 | | +-- q35173 | | | +-- q6271 | | | | +-- q08 | | | | +-- q35 | | | | +-- q748 | | | +-- q74 | | | | +-- q36 | | | | +-- q38181 | | | | +-- q81 | | | +-- q93 | | | +-- q0919 | | | +-- q37 | | | +-- q70916 | | +-- q462 | | | +-- q62505 | | | | +-- q05 | | | | +-- q38 | | | | +-- q64 | | | +-- q83548 | | | | +-- q17073 | | | | +-- q49 | | | | +-- q70 | | | +-- q91 | | | +-- q0719 | | | +-- q16 | | | +-- q63816 | | +-- q90729 | | +-- q09162 | | | +-- q45160 | | | +-- q82 | | | +-- q84729 | | +-- q180 | | | +-- q36053 | | | +-- q81 | | | +-- q83738 | | +-- q37 | | +-- q29473 | | +-- q72547 | | +-- q80 | +-- q81736 | +-- q05 | | +-- q539 | | | +-- q0717 | | | +-- q49484 | | | +-- q80608 | | +-- q62 | | | +-- q0548 | | | +-- q2849 | | | +-- q94605 | | +-- q64836 | | +-- q08371 | | +-- q36 | | +-- q71846 | +-- q36 | | +-- q63837 | | | +-- q07151 | | | +-- q09 | | | +-- q90849 | | +-- q91806 | | | +-- q17184 | | | +-- q46380 | | | +-- q639 | | +-- q92747 | | +-- q18381 | | +-- q45371 | | +-- q54645 | +-- q808 | +-- q08 | | +-- q16064 | | +-- q51727 | | +-- q93626 | +-- q39293 | | +-- q35 | | +-- q52519 | | +-- q84 | +-- q47463 | +-- q39453 | +-- q62835 | +-- q90838 +-- q51728 +-- q16362 +-- q93525 +-- q07462 | +-- q3945 | +-- q50 | +-- q82 +-- q25 +-- q08474 +-- q61 +-- q747
The application is split into many small files:
$ find . -name '*.java' -print ./q945/q94827/q48/q7164/q90729/q37/q72547/Q3829054919394.java ./q945/q94827/q48/q7164/q90729/q37/q29473/Q7381739181819.java ./q945/q94827/q48/q7164/q90729/q37/q80/Q4916253949194.java ./q945/q94827/q48/q7164/q90729/q09162/q45160/Q4638051825290.java ./q945/q94827/q48/q7164/q90729/q09162/q84729/Q8484629093915.java ./q945/q94827/q48/q7164/q90729/q09162/q82/Q7091637083518.java ./q945/q94827/q48/q7164/q90729/q180/q83738/Q4749061825094.java ./q945/q94827/q48/q7164/q90729/q180/q36053/Q8282728053816.java ./q945/q94827/q48/q7164/q90729/q180/q81/Q2825260845492.java ./q945/q94827/q48/q7164/q35173/q6271/q08/Q7360625191718.java ./q945/q94827/q48/q7164/q35173/q6271/q35/Q5481726151615.java ./q945/q94827/q48/q7164/q35173/q6271/q748/Q1939262939093.java ./q945/q94827/q48/q7164/q35173/q93/q37/Q4535163929294.java ./q945/q94827/q48/q7164/q35173/q93/q0919/Q2606462949491.java ./q945/q94827/q48/q7164/q35173/q93/q70916/Q5073729171919.java ./q945/q94827/q48/q7164/q35173/q74/q36/Q7194527181515.java ./q945/q94827/q48/q7164/q35173/q74/q81/Q1737262939391.java ./q945/q94827/q48/q7164/q35173/q74/q38181/Q6280839171619.java ./q945/q94827/q48/q7164/q462/q91/q0719/Q0519450845491.java ./q945/q94827/q48/q7164/q462/q91/q16/Q0726153815391.java ./q945/q94827/q48/q7164/q462/q91/q63816/Q8152837053717.java ./q945/q94827/q48/q7164/q462/q83548/q17073/Q2619472825393.java ./q945/q94827/q48/q7164/q462/q83548/q49/Q1938370835090.java ./q945/q94827/q48/q7164/q462/q83548/q70/Q8460545073817.java ./q945/q94827/q48/q7164/q462/q62505/q64/Q2817151835190.java ./q945/q94827/q48/q7164/q462/q62505/q38/Q9283936093918.java ./q945/q94827/q48/q7164/q462/q62505/q05/Q6364936053715.java ./q945/q94827/q48/q71616/q15390/q82737/q74736/Q3526374835390.java ./q945/q94827/q48/q71616/q15390/q82737/q38374/Q9092845093618.java ./q945/q94827/q48/q71616/q15390/q82737/q35152/Q7173647083518.java ./q945/q94827/q48/q71616/q15390/q637/q39/Q2745170845291.java ./q945/q94827/q48/q71616/q15390/q637/q70738/Q6274848053616.java ./q945/q94827/q48/q71616/q15390/q637/q27/Q0808381905093.java ./q945/q94827/q48/q71616/q15390/q84/q08/Q6451707183518.java ./q945/q94827/q48/q71616/q15390/q84/q61725/Q3909482945193.java ./q945/q94827/q48/q71616/q15390/q84/q06364/Q9380606193517.java ./q945/q94827/q48/q71616/q80948/q192/q94648/Q4839390925290.java ./q945/q94827/q48/q71616/q80948/q192/q52949/Q1916194915390.java ./q945/q94827/q48/q71616/q80948/q192/q45/Q7351616153618.java ./q945/q94827/q48/q71616/q80948/q38084/q06/Q3747484945092.java ./q945/q94827/q48/q71616/q80948/q38084/q51/Q6270719163817.java ./q945/q94827/q48/q71616/q80948/q38084/q63908/Q6154606183617.java ./q945/q94827/q48/q71616/q80948/q37082/q09/Q9093907163716.java ./q945/q94827/q48/q71616/q80948/q37082/q90916/Q2505484945294.java ./q945/q94827/q48/q71616/q80948/q37082/q52815/Q2606181905393.java ./q945/q94827/q48/q71616/q46390/q92626/q45064/Q4738460905291.java ./q945/q94827/q48/q71616/q46390/q92626/q48254/Q1547390925192.java ./q945/q94827/q48/q71616/q46390/q92626/q74926/Q9190825183619.java ./q945/q94827/q48/q71616/q46390/q61/q17053/Q6472818173917.java ./q945/q94827/q48/q71616/q46390/q61/q26/Q6064518153618.java ./q945/q94827/q48/q71616/q46390/q61/q73/Q1635190905194.java ./q945/q94827/q48/q71616/q46390/q73516/q39/Q5291528193519.java ./q945/q94827/q48/q71616/q46390/q73516/q60/Q2836162905292.java ./q945/q94827/q48/q71616/q46390/q73516/q17490/Q7382728193716.java ./q945/q94827/q48/q81736/q36/q63837/q09/Q6361728063815.java ./q945/q94827/q48/q81736/q36/q91806/q17184/Q3837070905294.java ./q945/q94827/q48/q81736/q36/q91806/q46380/Q4938183625490.java ./q945/q94827/q48/q81736/q36/q91806/q639/Q6354848153717.java ./q945/q94827/q48/q81736/q36/q92747/q54645/Q9064929073918.java ./q945/q94827/q48/q81736/q36/q92747/q45371/Q7264625063916.java ./q945/q94827/q48/q81736/q36/q92747/q18381/Q7383826063615.java ./q945/q94827/q48/q81736/q808/q08/q93626/Q4638374925193.java ./q945/q94827/q48/q81736/q808/q08/q16064/Q8071849153915.java ./q945/q94827/q48/q81736/q808/q08/q51727/Q4549271915294.java ./q945/q94827/q48/q81736/q808/q47463/q90838/Q5484836173617.java ./q945/q94827/q48/q81736/q808/q47463/q62835/Q9363936193516.java ./q945/q94827/q48/q81736/q808/q47463/q39453/Q1937151915394.java ./q945/q94827/q48/q81736/q808/q39293/q84/Q6192749163919.java ./q945/q94827/q48/q81736/q808/q39293/q52519/Q7263947193515.java ./q945/q94827/q48/q81736/q808/q39293/q35/Q3736372905290.java ./q945/q94827/q48/q81736/q05/q62/q2849/Q1915164925292.java ./q945/q94827/q48/q81736/q05/q62/q94605/Q8483728183717.java ./q945/q94827/q48/q81736/q05/q62/q0548/Q0607061935192.java ./q945/q94827/q48/q81736/q05/q539/q80608/Q2548154945491.java ./q945/q94827/q48/q81736/q05/q539/q0717/Q6161737173916.java ./q945/q94827/q48/q81736/q05/q539/q49484/Q9090935163715.java ./q945/q94827/q48/q81736/q05/q64836/q36/Q3729452905190.java ./q945/q94827/q48/q81736/q05/q64836/q71846/Q7272636163517.java ./q945/q94827/q48/q81736/q05/q64836/q08371/Q4825251935292.java ./q945/q94827/q51728/q16362/q93525/q07462/q50/Q3818360939190.java ./Q6361728063815.java
While checking the decompiled code, we can see that the code is obfuscated. Object arrays are used to handle all objects:
public class Q0519450845491 { public static void q6481539083819() throws Exception { q945.q94827.q48.q7164.q35173.q6271.q748.Q1939262939093.Q8281525151616[24] = q945.q94827.q48.q7164.q35173.q6271.q35.Q5481726151615.Q3846063949292[36].getMethods(); } }
The code includes cryptographic functions:
q945.q94827.q48.q7164.q35173.q74.q38181.Q6280839171619.Q3538251949294[37] = Cipher.getInstance("AES");
The archive contains encrypted files
$ file ./q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917 ./q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917: data
When executed in a sandbox, the following files are created:
_0.57007632454940891986287463537679385.class (SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9)[2]
Windows4710937619573808871.dll (SHA256: 7da7e2e66b5b79123f9d731d60be76787b6374681e614099f18571a4c4463798)[3]
This is the Adwind RAT[4]. In my case, the sandbox established a connection to the following C2 server located in Poland: 192.166.218.230:port 8070. While looking at the SSL certificate, I found a reference to an old blog post written by Brad in 2015[5]:
commonName = assylias organizationName = assylias.Inc
As you can see, even if the files belonging to the RAT are known for a while and detected by many antivirus vendors, the dropper remains undetected!
[1] https://www.virustotal.com/en/file/b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4/analysis/1509448583/
[2] https://www.virustotal.com/en/file/97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9/analysis/
[3] https://www.virustotal.com/en/file/7da7e2e66b5b79123f9d731d60be76787b6374681e614099f18571a4c4463798/analysis/
[4] https://www.cyphort.com/threat-insights/adwind-rat/
[5] http://www.malware-traffic-analysis.net/2015/08/06/index.html
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
Reverse-Engineering Malware: Advanced Code Analysis | Singapore | Nov 18th - Nov 22nd 2024 |
Comments