SANS ISC: InfoSec Handlers Diary Blog

Simple Analysis of an Obfuscated JAR File

Published: 2017-11-03
Last Updated: 2017-11-03 08:46:31 UTC
by Xavier Mertens (Version: 1)

Yesterday, I found in my spam trap a file named '0.19238000 1509447305.zip' (SHA256: 7bddf3bf47293b4ad8ae64b8b770e0805402b487a4d025e31ef586e9a52add91). The ZIP archive contained a Java archive named '0.19238000 1509447305.jar' (SHA256: b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4). The file had a score of 0/61 on VirusTotal[1] and looked like a good candidate for a quick analysis.

.jar files are ZIP archives that contain compiled Java classes and a manifest file (META-INF/MANIFEST.MF) whose Main-Class entry points to the initial class to load. Let's decompile the classes. To achieve this, I'm using a small Docker container:

$ docker run --rm -ti -v /tmp:/data -w /data jgiannuzzi/jd-cmd "0.19238000 1509447305.jar"
10:50:31.807 INFO  jd.cli.Main - Decompiling foo.jar
10:50:31.829 INFO  jd.core.output.ZipOutput - ZIP file output will be initialized - 0.19238000 1509447305.src.jar
10:50:34.095 INFO  jd.core.output.ZipOutput - Finished with 81 class file(s) and 8 resource file(s) written.

It generates a new ZIP file "/tmp/0.19238000 1509447305.src.jar". Let's unzip it:

$ unzip "/tmp/0.19238000 1509447305.src.jar"
Archive:  /tmp/0.19238000 1509447305.src.jar
  inflating: q945/q94827/q48/q7164/q90729/q37/q72547/Q3829054919394.java
…
$ cd q945
$ cat META-INF/MANIFEST.MF
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.0
X-COMMENT: OeNJGNmMkernBqWEKrjYCTEHkSjbSTCXTXsnVuXDEksGlumaeSA
Class-Path:
Created-By: ZDXsPvlJoPPtiYqDvNmsTQsYFVhbEhXtWdfIEqiMhWB
Main-Class: q945.q94827.q48.q81736.q36.q63837.q09.Q6361728063815

You can see that the main class is located in a bunch of sub-directories with random names:

$ tree -d -n -A .
.
+-- q94827
    +-- q48
    |   +-- q71616
    |   |   +-- q15390
    |   |   |   +-- q637
    |   |   |   |   +-- q27
    |   |   |   |   +-- q39
    |   |   |   |   +-- q70738
    |   |   |   +-- q82737
    |   |   |   |   +-- q35152
    |   |   |   |   +-- q38374
    |   |   |   |   +-- q74736
    |   |   |   +-- q84
    |   |   |       +-- q06364
    |   |   |       +-- q08
    |   |   |       +-- q61725
    |   |   +-- q46390
    |   |   |   +-- q61
    |   |   |   |   +-- q17053
    |   |   |   |   +-- q26
    |   |   |   |   +-- q73
    |   |   |   +-- q73516
    |   |   |   |   +-- q17490
    |   |   |   |   +-- q39
    |   |   |   |   +-- q60
    |   |   |   +-- q92626
    |   |   |       +-- q45064
    |   |   |       +-- q48254
    |   |   |       +-- q74926
    |   |   +-- q80948
    |   |       +-- q192
    |   |       |   +-- q45
    |   |       |   +-- q52949
    |   |       |   +-- q94648
    |   |       +-- q37082
    |   |       |   +-- q09
    |   |       |   +-- q52815
    |   |       |   +-- q90916
    |   |       +-- q38084
    |   |           +-- q06
    |   |           +-- q51
    |   |           +-- q63908
    |   +-- q7164
    |   |   +-- q35173
    |   |   |   +-- q6271
    |   |   |   |   +-- q08
    |   |   |   |   +-- q35
    |   |   |   |   +-- q748
    |   |   |   +-- q74
    |   |   |   |   +-- q36
    |   |   |   |   +-- q38181
    |   |   |   |   +-- q81
    |   |   |   +-- q93
    |   |   |       +-- q0919
    |   |   |       +-- q37
    |   |   |       +-- q70916
    |   |   +-- q462
    |   |   |   +-- q62505
    |   |   |   |   +-- q05
    |   |   |   |   +-- q38
    |   |   |   |   +-- q64
    |   |   |   +-- q83548
    |   |   |   |   +-- q17073
    |   |   |   |   +-- q49
    |   |   |   |   +-- q70
    |   |   |   +-- q91
    |   |   |       +-- q0719
    |   |   |       +-- q16
    |   |   |       +-- q63816
    |   |   +-- q90729
    |   |       +-- q09162
    |   |       |   +-- q45160
    |   |       |   +-- q82
    |   |       |   +-- q84729
    |   |       +-- q180
    |   |       |   +-- q36053
    |   |       |   +-- q81
    |   |       |   +-- q83738
    |   |       +-- q37
    |   |           +-- q29473
    |   |           +-- q72547
    |   |           +-- q80
    |   +-- q81736
    |       +-- q05
    |       |   +-- q539
    |       |   |   +-- q0717
    |       |   |   +-- q49484
    |       |   |   +-- q80608
    |       |   +-- q62
    |       |   |   +-- q0548
    |       |   |   +-- q2849
    |       |   |   +-- q94605
    |       |   +-- q64836
    |       |       +-- q08371
    |       |       +-- q36
    |       |       +-- q71846
    |       +-- q36
    |       |   +-- q63837
    |       |   |   +-- q07151
    |       |   |   +-- q09
    |       |   |   +-- q90849
    |       |   +-- q91806
    |       |   |   +-- q17184
    |       |   |   +-- q46380
    |       |   |   +-- q639
    |       |   +-- q92747
    |       |       +-- q18381
    |       |       +-- q45371
    |       |       +-- q54645
    |       +-- q808
    |           +-- q08
    |           |   +-- q16064
    |           |   +-- q51727
    |           |   +-- q93626
    |           +-- q39293
    |           |   +-- q35
    |           |   +-- q52519
    |           |   +-- q84
    |           +-- q47463
    |               +-- q39453
    |               +-- q62835
    |               +-- q90838
    +-- q51728
        +-- q16362
            +-- q93525
                +-- q07462
                |   +-- q3945
                |   +-- q50
                |   +-- q82
                +-- q25
                    +-- q08474
                    +-- q61
                    +-- q747

The application is split into many small files:

$ find . -name '*.java' -print
./q945/q94827/q48/q7164/q90729/q37/q72547/Q3829054919394.java
./q945/q94827/q48/q7164/q90729/q37/q29473/Q7381739181819.java
./q945/q94827/q48/q7164/q90729/q37/q80/Q4916253949194.java
./q945/q94827/q48/q7164/q90729/q09162/q45160/Q4638051825290.java
./q945/q94827/q48/q7164/q90729/q09162/q84729/Q8484629093915.java
./q945/q94827/q48/q7164/q90729/q09162/q82/Q7091637083518.java
./q945/q94827/q48/q7164/q90729/q180/q83738/Q4749061825094.java
./q945/q94827/q48/q7164/q90729/q180/q36053/Q8282728053816.java
./q945/q94827/q48/q7164/q90729/q180/q81/Q2825260845492.java
./q945/q94827/q48/q7164/q35173/q6271/q08/Q7360625191718.java
./q945/q94827/q48/q7164/q35173/q6271/q35/Q5481726151615.java
./q945/q94827/q48/q7164/q35173/q6271/q748/Q1939262939093.java
./q945/q94827/q48/q7164/q35173/q93/q37/Q4535163929294.java
./q945/q94827/q48/q7164/q35173/q93/q0919/Q2606462949491.java
./q945/q94827/q48/q7164/q35173/q93/q70916/Q5073729171919.java
./q945/q94827/q48/q7164/q35173/q74/q36/Q7194527181515.java
./q945/q94827/q48/q7164/q35173/q74/q81/Q1737262939391.java
./q945/q94827/q48/q7164/q35173/q74/q38181/Q6280839171619.java
./q945/q94827/q48/q7164/q462/q91/q0719/Q0519450845491.java
./q945/q94827/q48/q7164/q462/q91/q16/Q0726153815391.java
./q945/q94827/q48/q7164/q462/q91/q63816/Q8152837053717.java
./q945/q94827/q48/q7164/q462/q83548/q17073/Q2619472825393.java
./q945/q94827/q48/q7164/q462/q83548/q49/Q1938370835090.java
./q945/q94827/q48/q7164/q462/q83548/q70/Q8460545073817.java
./q945/q94827/q48/q7164/q462/q62505/q64/Q2817151835190.java
./q945/q94827/q48/q7164/q462/q62505/q38/Q9283936093918.java
./q945/q94827/q48/q7164/q462/q62505/q05/Q6364936053715.java
./q945/q94827/q48/q71616/q15390/q82737/q74736/Q3526374835390.java
./q945/q94827/q48/q71616/q15390/q82737/q38374/Q9092845093618.java
./q945/q94827/q48/q71616/q15390/q82737/q35152/Q7173647083518.java
./q945/q94827/q48/q71616/q15390/q637/q39/Q2745170845291.java
./q945/q94827/q48/q71616/q15390/q637/q70738/Q6274848053616.java
./q945/q94827/q48/q71616/q15390/q637/q27/Q0808381905093.java
./q945/q94827/q48/q71616/q15390/q84/q08/Q6451707183518.java
./q945/q94827/q48/q71616/q15390/q84/q61725/Q3909482945193.java
./q945/q94827/q48/q71616/q15390/q84/q06364/Q9380606193517.java
./q945/q94827/q48/q71616/q80948/q192/q94648/Q4839390925290.java
./q945/q94827/q48/q71616/q80948/q192/q52949/Q1916194915390.java
./q945/q94827/q48/q71616/q80948/q192/q45/Q7351616153618.java
./q945/q94827/q48/q71616/q80948/q38084/q06/Q3747484945092.java
./q945/q94827/q48/q71616/q80948/q38084/q51/Q6270719163817.java
./q945/q94827/q48/q71616/q80948/q38084/q63908/Q6154606183617.java
./q945/q94827/q48/q71616/q80948/q37082/q09/Q9093907163716.java
./q945/q94827/q48/q71616/q80948/q37082/q90916/Q2505484945294.java
./q945/q94827/q48/q71616/q80948/q37082/q52815/Q2606181905393.java
./q945/q94827/q48/q71616/q46390/q92626/q45064/Q4738460905291.java
./q945/q94827/q48/q71616/q46390/q92626/q48254/Q1547390925192.java
./q945/q94827/q48/q71616/q46390/q92626/q74926/Q9190825183619.java
./q945/q94827/q48/q71616/q46390/q61/q17053/Q6472818173917.java
./q945/q94827/q48/q71616/q46390/q61/q26/Q6064518153618.java
./q945/q94827/q48/q71616/q46390/q61/q73/Q1635190905194.java
./q945/q94827/q48/q71616/q46390/q73516/q39/Q5291528193519.java
./q945/q94827/q48/q71616/q46390/q73516/q60/Q2836162905292.java
./q945/q94827/q48/q71616/q46390/q73516/q17490/Q7382728193716.java
./q945/q94827/q48/q81736/q36/q63837/q09/Q6361728063815.java
./q945/q94827/q48/q81736/q36/q91806/q17184/Q3837070905294.java
./q945/q94827/q48/q81736/q36/q91806/q46380/Q4938183625490.java
./q945/q94827/q48/q81736/q36/q91806/q639/Q6354848153717.java
./q945/q94827/q48/q81736/q36/q92747/q54645/Q9064929073918.java
./q945/q94827/q48/q81736/q36/q92747/q45371/Q7264625063916.java
./q945/q94827/q48/q81736/q36/q92747/q18381/Q7383826063615.java
./q945/q94827/q48/q81736/q808/q08/q93626/Q4638374925193.java
./q945/q94827/q48/q81736/q808/q08/q16064/Q8071849153915.java
./q945/q94827/q48/q81736/q808/q08/q51727/Q4549271915294.java
./q945/q94827/q48/q81736/q808/q47463/q90838/Q5484836173617.java
./q945/q94827/q48/q81736/q808/q47463/q62835/Q9363936193516.java
./q945/q94827/q48/q81736/q808/q47463/q39453/Q1937151915394.java
./q945/q94827/q48/q81736/q808/q39293/q84/Q6192749163919.java
./q945/q94827/q48/q81736/q808/q39293/q52519/Q7263947193515.java
./q945/q94827/q48/q81736/q808/q39293/q35/Q3736372905290.java
./q945/q94827/q48/q81736/q05/q62/q2849/Q1915164925292.java
./q945/q94827/q48/q81736/q05/q62/q94605/Q8483728183717.java
./q945/q94827/q48/q81736/q05/q62/q0548/Q0607061935192.java
./q945/q94827/q48/q81736/q05/q539/q80608/Q2548154945491.java
./q945/q94827/q48/q81736/q05/q539/q0717/Q6161737173916.java
./q945/q94827/q48/q81736/q05/q539/q49484/Q9090935163715.java
./q945/q94827/q48/q81736/q05/q64836/q36/Q3729452905190.java
./q945/q94827/q48/q81736/q05/q64836/q71846/Q7272636163517.java
./q945/q94827/q48/q81736/q05/q64836/q08371/Q4825251935292.java
./q945/q94827/q51728/q16362/q93525/q07462/q50/Q3818360939190.java
./Q6361728063815.java

While checking the decompiled code, we can see that it is obfuscated. Every object is stored in, and referenced through, static object arrays:

public class Q0519450845491
{
  public static void q6481539083819()
    throws Exception
  {
    q945.q94827.q48.q7164.q35173.q6271.q748.Q1939262939093.Q8281525151616[24] = q945.q94827.q48.q7164.q35173.q6271.q35.Q5481726151615.Q3846063949292[36].getMethods();
  }
}

The code also uses cryptographic functions (here AES, via javax.crypto.Cipher):

q945.q94827.q48.q7164.q35173.q74.q38181.Q6280839171619.Q3538251949294[37] = Cipher.getInstance("AES");

The archive also contains encrypted files, which the file command cannot identify beyond "data":

$ file ./q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917
./q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917: data
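The three indicators above (a Main-Class buried in many layers of random-looking packages, decompiled source that routes everything through static object arrays and calls Cipher.getInstance, and opaque resource files) can be checked automatically before anything is executed. The following Python script is an added example, not part of the diary or of any tool it mentions: it reads a JAR as a ZIP, parses MANIFEST.MF, measures the package depth of the Main-Class, flags package segments that look like "q" plus digits, computes the Shannon entropy of non-class resources, and counts a few indicator patterns in decompiled source. The sample JAR, the sample source lines and all thresholds (depth 5, entropy 7.0 bits/byte, the segment regex) are constructed here and are assumptions, not values from the diary.

```python
"""Static triage of a suspicious JAR (added example; the sample JAR is built in memory)."""
import io
import math
import os
import re
import zipfile
from collections import Counter

# Heuristics modelled on the layout seen in the diary; thresholds are assumptions.
RANDOM_SEGMENT = re.compile(r"^[a-z]\d{2,6}$")   # package names such as q945, q94827
MIN_SUSPICIOUS_DEPTH = 5                        # legitimate apps rarely nest this deep
MIN_ENTROPY = 7.0                               # bits per byte; encrypted data approaches 8.0

SOURCE_INDICATORS = {
    "reflection": re.compile(r"\.getMethods\(\)|Class\.forName\("),
    "crypto": re.compile(r"Cipher\.getInstance\("),
    # assignments into static object arrays, e.g. "...Q8281525151616[24] ="
    "object_array_indirection": re.compile(r"\.Q\d+\[\d+\]\s*="),
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_manifest(text: str) -> dict:
    """Parse the main section of MANIFEST.MF ("Key: value", continuation lines start with a space)."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                      # blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]    # wrapped value continues the previous key
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def scan_decompiled_source(java_src: str) -> dict:
    """Count occurrences of each indicator pattern in decompiled Java source text."""
    return {name: len(rx.findall(java_src)) for name, rx in SOURCE_INDICATORS.items()}


def triage_jar(jar_bytes: bytes) -> dict:
    """Return structural indicators for a JAR supplied as bytes."""
    report = {"main_class": None, "main_class_depth": 0, "random_packages": False,
              "deep_main_class": False, "class_count": 0, "high_entropy_resources": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" in names:
            attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            main = attrs.get("Main-Class")
            if main:
                parts = main.split(".")
                report["main_class"] = main
                report["main_class_depth"] = len(parts) - 1
                report["deep_main_class"] = report["main_class_depth"] >= MIN_SUSPICIOUS_DEPTH
                report["random_packages"] = all(RANDOM_SEGMENT.match(p) for p in parts[:-1])
        for name in names:
            if name.endswith("/") or name.startswith("META-INF/"):
                continue
            if name.endswith(".class"):
                report["class_count"] += 1
                continue
            data = zf.read(name)          # every other entry is a resource: measure entropy
            ent = shannon_entropy(data)
            if len(data) >= 256 and ent >= MIN_ENTROPY:
                report["high_entropy_resources"].append((name, round(ent, 2)))
    return report


def build_sample_jar() -> bytes:
    """Constructed sample mimicking the diary's layout (not the real malicious archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n"
                    "Main-Class: q945.q94827.q48.q81736.q36.q63837.q09.Q6361728063815\r\n\r\n")
        stub = b"\xca\xfe\xba\xbe" + b"\x00" * 60          # class-file magic plus padding
        zf.writestr("q945/q94827/q48/q81736/q36/q63837/q09/Q6361728063815.class", stub)
        zf.writestr("q945/q94827/q48/q7164/q462/q91/q0719/Q0519450845491.class", stub)
        # random bytes stand in for the encrypted payload that `file` reports as "data"
        zf.writestr("q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917", os.urandom(4096))
        zf.writestr("config.properties", b"key=value\n" * 40)  # benign, low-entropy resource
    return buf.getvalue()


# Constructed source lines patterned after the decompiled snippets shown above.
SAMPLE_SOURCE = (
    "q945.q94827.q48.q7164.q35173.q6271.q748.Q1939262939093.Q8281525151616[24] = "
    "q945.q94827.q48.q7164.q35173.q6271.q35.Q5481726151615.Q3846063949292[36].getMethods();\n"
    'q945.q94827.q48.q7164.q35173.q74.q38181.Q6280839171619.Q3538251949294[37] = Cipher.getInstance("AES");\n'
)

if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
    print(scan_decompiled_source(SAMPLE_SOURCE))
```

Run on a real sample by replacing build_sample_jar() with the bytes of the JAR under analysis and feeding the decompiled .java files to scan_decompiled_source. None of these indicators is proof on its own (ProGuard-style shrinking also produces short package names, and any app may ship compressed images), so the script is meant to prioritise which JARs get decompiled and sandboxed, not to replace that work.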

When executed in a sandbox, the following files are created:

_0.57007632454940891986287463537679385.class (SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9)[2]
Windows4710937619573808871.dll (SHA256: 7da7e2e66b5b79123f9d731d60be76787b6374681e614099f18571a4c4463798)[3]

This is the Adwind RAT[4]. In my case, the sandbox established a connection to a C2 server located in Poland, 192.166.218.230 on port 8070. While looking at the SSL certificate, I found a reference to an old blog post written by Brad in 2015[5]:

commonName = assylias
organizationName = assylias.Inc

As you can see, even though the files belonging to the RAT have been known for a while and are detected by many antivirus vendors, the dropper remains undetected!

[1] https://www.virustotal.com/en/file/b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4/analysis/1509448583/
[2] https://www.virustotal.com/en/file/97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9/analysis/
[3] https://www.virustotal.com/en/file/7da7e2e66b5b79123f9d731d60be76787b6374681e614099f18571a4c4463798/analysis/
[4] https://www.cyphort.com/threat-insights/adwind-rat/
[5] http://www.malware-traffic-analysis.net/2015/08/06/index.html

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant