SANS ISC: Simple Analysis of an Obfuscated JAR File

Yesterday, I found in my spam trap a file named '0.19238000 1509447305.zip' (SHA256: 7bddf3bf47293b4ad8ae64b8b770e0805402b487a4d025e31ef586e9a52add91). The ZIP archive contained a Java archive named '0.19238000 1509447305.jar' (SHA256: b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4). The file had a score of 0/61 on VT[1] and looked like a nice candidate for a quick analysis.

.jar files are ZIP archives that contain compiled Java classes and a manifest file that points to the initial class to load. Let's decompile the classes. To achieve this, I'm using a small Docker container:

$ docker run --rm -ti -v /tmp:/data -w /data jgiannuzzi/jd-cmd "0.19238000 1509447305.jar"
10:50:31.807 INFO  jd.cli.Main - Decompiling foo.jar
10:50:31.829 INFO  jd.core.output.ZipOutput - ZIP file output will be initialized - 0.19238000 1509447305.src.jar
10:50:34.095 INFO  jd.core.output.ZipOutput - Finished with 81 class file(s) and 8 resource file(s) written.

It generates a new ZIP file "/tmp/0.19238000 1509447305.src.jar". Let's unzip it:

$ unzip "/tmp/0.19238000 1509447305.src.jar"
Archive:  /tmp/0.19238000 1509447305.src.jar
  inflating: q945/q94827/q48/q7164/q90729/q37/q72547/Q3829054919394.java
…
$ cd q945
$ cat META-INF/MANIFEST.MF
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.0
X-COMMENT: OeNJGNmMkernBqWEKrjYCTEHkSjbSTCXTXsnVuXDEksGlumaeSA
Class-Path:
Created-By: ZDXsPvlJoPPtiYqDvNmsTQsYFVhbEhXtWdfIEqiMhWB
Main-Class: q945.q94827.q48.q81736.q36.q63837.q09.Q6361728063815

You can see that the main class is located in a bunch of sub-directories with random names:

$ tree -d -n -A .
.
+-- q94827
    +-- q48
    |   +-- q71616
    |   |   +-- q15390
    |   |   |   +-- q637
    |   |   |   |   +-- q27
    |   |   |   |   +-- q39
    |   |   |   |   +-- q70738
    |   |   |   +-- q82737
    |   |   |   |   +-- q35152
    |   |   |   |   +-- q38374
    |   |   |   |   +-- q74736
    |   |   |   +-- q84
    |   |   |       +-- q06364
    |   |   |       +-- q08
    |   |   |       +-- q61725
    |   |   +-- q46390
    |   |   |   +-- q61
    |   |   |   |   +-- q17053
    |   |   |   |   +-- q26
    |   |   |   |   +-- q73
    |   |   |   +-- q73516
    |   |   |   |   +-- q17490
    |   |   |   |   +-- q39
    |   |   |   |   +-- q60
    |   |   |   +-- q92626
    |   |   |       +-- q45064
    |   |   |       +-- q48254
    |   |   |       +-- q74926
    |   |   +-- q80948
    |   |       +-- q192
    |   |       |   +-- q45
    |   |       |   +-- q52949
    |   |       |   +-- q94648
    |   |       +-- q37082
    |   |       |   +-- q09
    |   |       |   +-- q52815
    |   |       |   +-- q90916
    |   |       +-- q38084
    |   |           +-- q06
    |   |           +-- q51
    |   |           +-- q63908
    |   +-- q7164
    |   |   +-- q35173
    |   |   |   +-- q6271
    |   |   |   |   +-- q08
    |   |   |   |   +-- q35
    |   |   |   |   +-- q748
    |   |   |   +-- q74
    |   |   |   |   +-- q36
    |   |   |   |   +-- q38181
    |   |   |   |   +-- q81
    |   |   |   +-- q93
    |   |   |       +-- q0919
    |   |   |       +-- q37
    |   |   |       +-- q70916
    |   |   +-- q462
    |   |   |   +-- q62505
    |   |   |   |   +-- q05
    |   |   |   |   +-- q38
    |   |   |   |   +-- q64
    |   |   |   +-- q83548
    |   |   |   |   +-- q17073
    |   |   |   |   +-- q49
    |   |   |   |   +-- q70
    |   |   |   +-- q91
    |   |   |       +-- q0719
    |   |   |       +-- q16
    |   |   |       +-- q63816
    |   |   +-- q90729
    |   |       +-- q09162
    |   |       |   +-- q45160
    |   |       |   +-- q82
    |   |       |   +-- q84729
    |   |       +-- q180
    |   |       |   +-- q36053
    |   |       |   +-- q81
    |   |       |   +-- q83738
    |   |       +-- q37
    |   |           +-- q29473
    |   |           +-- q72547
    |   |           +-- q80
    |   +-- q81736
    |       +-- q05
    |       |   +-- q539
    |       |   |   +-- q0717
    |       |   |   +-- q49484
    |       |   |   +-- q80608
    |       |   +-- q62
    |       |   |   +-- q0548
    |       |   |   +-- q2849
    |       |   |   +-- q94605
    |       |   +-- q64836
    |       |       +-- q08371
    |       |       +-- q36
    |       |       +-- q71846
    |       +-- q36
    |       |   +-- q63837
    |       |   |   +-- q07151
    |       |   |   +-- q09
    |       |   |   +-- q90849
    |       |   +-- q91806
    |       |   |   +-- q17184
    |       |   |   +-- q46380
    |       |   |   +-- q639
    |       |   +-- q92747
    |       |       +-- q18381
    |       |       +-- q45371
    |       |       +-- q54645
    |       +-- q808
    |           +-- q08
    |           |   +-- q16064
    |           |   +-- q51727
    |           |   +-- q93626
    |           +-- q39293
    |           |   +-- q35
    |           |   +-- q52519
    |           |   +-- q84
    |           +-- q47463
    |               +-- q39453
    |               +-- q62835
    |               +-- q90838
    +-- q51728
        +-- q16362
            +-- q93525
                +-- q07462
                |   +-- q3945
                |   +-- q50
                |   +-- q82
                +-- q25
                    +-- q08474
                    +-- q61
                    +-- q747

The application is split into many small files:

$ find . -name '*.java' -print
./q945/q94827/q48/q7164/q90729/q37/q72547/Q3829054919394.java
./q945/q94827/q48/q7164/q90729/q37/q29473/Q7381739181819.java
./q945/q94827/q48/q7164/q90729/q37/q80/Q4916253949194.java
./q945/q94827/q48/q7164/q90729/q09162/q45160/Q4638051825290.java
./q945/q94827/q48/q7164/q90729/q09162/q84729/Q8484629093915.java
./q945/q94827/q48/q7164/q90729/q09162/q82/Q7091637083518.java
./q945/q94827/q48/q7164/q90729/q180/q83738/Q4749061825094.java
./q945/q94827/q48/q7164/q90729/q180/q36053/Q8282728053816.java
./q945/q94827/q48/q7164/q90729/q180/q81/Q2825260845492.java
./q945/q94827/q48/q7164/q35173/q6271/q08/Q7360625191718.java
./q945/q94827/q48/q7164/q35173/q6271/q35/Q5481726151615.java
./q945/q94827/q48/q7164/q35173/q6271/q748/Q1939262939093.java
./q945/q94827/q48/q7164/q35173/q93/q37/Q4535163929294.java
./q945/q94827/q48/q7164/q35173/q93/q0919/Q2606462949491.java
./q945/q94827/q48/q7164/q35173/q93/q70916/Q5073729171919.java
./q945/q94827/q48/q7164/q35173/q74/q36/Q7194527181515.java
./q945/q94827/q48/q7164/q35173/q74/q81/Q1737262939391.java
./q945/q94827/q48/q7164/q35173/q74/q38181/Q6280839171619.java
./q945/q94827/q48/q7164/q462/q91/q0719/Q0519450845491.java
./q945/q94827/q48/q7164/q462/q91/q16/Q0726153815391.java
./q945/q94827/q48/q7164/q462/q91/q63816/Q8152837053717.java
./q945/q94827/q48/q7164/q462/q83548/q17073/Q2619472825393.java
./q945/q94827/q48/q7164/q462/q83548/q49/Q1938370835090.java
./q945/q94827/q48/q7164/q462/q83548/q70/Q8460545073817.java
./q945/q94827/q48/q7164/q462/q62505/q64/Q2817151835190.java
./q945/q94827/q48/q7164/q462/q62505/q38/Q9283936093918.java
./q945/q94827/q48/q7164/q462/q62505/q05/Q6364936053715.java
./q945/q94827/q48/q71616/q15390/q82737/q74736/Q3526374835390.java
./q945/q94827/q48/q71616/q15390/q82737/q38374/Q9092845093618.java
./q945/q94827/q48/q71616/q15390/q82737/q35152/Q7173647083518.java
./q945/q94827/q48/q71616/q15390/q637/q39/Q2745170845291.java
./q945/q94827/q48/q71616/q15390/q637/q70738/Q6274848053616.java
./q945/q94827/q48/q71616/q15390/q637/q27/Q0808381905093.java
./q945/q94827/q48/q71616/q15390/q84/q08/Q6451707183518.java
./q945/q94827/q48/q71616/q15390/q84/q61725/Q3909482945193.java
./q945/q94827/q48/q71616/q15390/q84/q06364/Q9380606193517.java
./q945/q94827/q48/q71616/q80948/q192/q94648/Q4839390925290.java
./q945/q94827/q48/q71616/q80948/q192/q52949/Q1916194915390.java
./q945/q94827/q48/q71616/q80948/q192/q45/Q7351616153618.java
./q945/q94827/q48/q71616/q80948/q38084/q06/Q3747484945092.java
./q945/q94827/q48/q71616/q80948/q38084/q51/Q6270719163817.java
./q945/q94827/q48/q71616/q80948/q38084/q63908/Q6154606183617.java
./q945/q94827/q48/q71616/q80948/q37082/q09/Q9093907163716.java
./q945/q94827/q48/q71616/q80948/q37082/q90916/Q2505484945294.java
./q945/q94827/q48/q71616/q80948/q37082/q52815/Q2606181905393.java
./q945/q94827/q48/q71616/q46390/q92626/q45064/Q4738460905291.java
./q945/q94827/q48/q71616/q46390/q92626/q48254/Q1547390925192.java
./q945/q94827/q48/q71616/q46390/q92626/q74926/Q9190825183619.java
./q945/q94827/q48/q71616/q46390/q61/q17053/Q6472818173917.java
./q945/q94827/q48/q71616/q46390/q61/q26/Q6064518153618.java
./q945/q94827/q48/q71616/q46390/q61/q73/Q1635190905194.java
./q945/q94827/q48/q71616/q46390/q73516/q39/Q5291528193519.java
./q945/q94827/q48/q71616/q46390/q73516/q60/Q2836162905292.java
./q945/q94827/q48/q71616/q46390/q73516/q17490/Q7382728193716.java
./q945/q94827/q48/q81736/q36/q63837/q09/Q6361728063815.java
./q945/q94827/q48/q81736/q36/q91806/q17184/Q3837070905294.java
./q945/q94827/q48/q81736/q36/q91806/q46380/Q4938183625490.java
./q945/q94827/q48/q81736/q36/q91806/q639/Q6354848153717.java
./q945/q94827/q48/q81736/q36/q92747/q54645/Q9064929073918.java
./q945/q94827/q48/q81736/q36/q92747/q45371/Q7264625063916.java
./q945/q94827/q48/q81736/q36/q92747/q18381/Q7383826063615.java
./q945/q94827/q48/q81736/q808/q08/q93626/Q4638374925193.java
./q945/q94827/q48/q81736/q808/q08/q16064/Q8071849153915.java
./q945/q94827/q48/q81736/q808/q08/q51727/Q4549271915294.java
./q945/q94827/q48/q81736/q808/q47463/q90838/Q5484836173617.java
./q945/q94827/q48/q81736/q808/q47463/q62835/Q9363936193516.java
./q945/q94827/q48/q81736/q808/q47463/q39453/Q1937151915394.java
./q945/q94827/q48/q81736/q808/q39293/q84/Q6192749163919.java
./q945/q94827/q48/q81736/q808/q39293/q52519/Q7263947193515.java
./q945/q94827/q48/q81736/q808/q39293/q35/Q3736372905290.java
./q945/q94827/q48/q81736/q05/q62/q2849/Q1915164925292.java
./q945/q94827/q48/q81736/q05/q62/q94605/Q8483728183717.java
./q945/q94827/q48/q81736/q05/q62/q0548/Q0607061935192.java
./q945/q94827/q48/q81736/q05/q539/q80608/Q2548154945491.java
./q945/q94827/q48/q81736/q05/q539/q0717/Q6161737173916.java
./q945/q94827/q48/q81736/q05/q539/q49484/Q9090935163715.java
./q945/q94827/q48/q81736/q05/q64836/q36/Q3729452905190.java
./q945/q94827/q48/q81736/q05/q64836/q71846/Q7272636163517.java
./q945/q94827/q48/q81736/q05/q64836/q08371/Q4825251935292.java
./q945/q94827/q51728/q16362/q93525/q07462/q50/Q3818360939190.java
./Q6361728063815.java

While checking the decompiled code, we can see that it is obfuscated: every object is stored in and accessed through indexed Object arrays, so field names and types never appear in the code:

public class Q0519450845491
{
  public static void q6481539083819()
    throws Exception
  {
    q945.q94827.q48.q7164.q35173.q6271.q748.Q1939262939093.Q8281525151616[24] = q945.q94827.q48.q7164.q35173.q6271.q35.Q5481726151615.Q3846063949292[36].getMethods();
  }
}

The code includes cryptographic functions:

q945.q94827.q48.q7164.q35173.q74.q38181.Q6280839171619.Q3538251949294[37] = Cipher.getInstance("AES");

The archive also contains encrypted files:

$ file ./q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917
./q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917: data
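The layout traits noted above (deep nesting of packages named q<digits>, one Q<digits> class per directory, and extensionless resources that file(1) reports as "data") can be scored straight from the archive, without decompiling. The following triage script is an added example, not code from the diary; it runs on a constructed sample JAR that mimics the described layout rather than on the real sample:

```python
import io
import re
import zipfile

# Heuristics modelled on the pattern seen in this diary: packages named q<digits>,
# classes named Q<digits>, and resources with no extension (likely encrypted blobs).
RANDOM_PKG = re.compile(r"^q\d+$")
RANDOM_CLS = re.compile(r"^Q\d+\.class$")

def parse_manifest(data: bytes) -> dict:
    """Parse META-INF/MANIFEST.MF into a dict; lines starting with a space continue the previous attribute."""
    attrs, last = {}, None
    for line in data.decode("utf-8", "replace").splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs

def triage_jar(jar_bytes: bytes) -> dict:
    """Return obfuscation indicators for a JAR given as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF")) if "META-INF/MANIFEST.MF" in names else {}
        classes = [n for n in names if n.endswith(".class")]
        pkg_parts = [p for n in classes for p in n.split("/")[:-1]]
        random_pkgs = sum(1 for p in pkg_parts if RANDOM_PKG.match(p))
        random_classes = sum(1 for n in classes if RANDOM_CLS.match(n.rsplit("/", 1)[-1]))
        # Resources outside META-INF with no file extension: candidates for encrypted payloads.
        blobs = [n for n in names if not n.startswith("META-INF/") and "." not in n.rsplit("/", 1)[-1]]
    return {
        "main_class": manifest.get("Main-Class"),
        "class_count": len(classes),
        "max_package_depth": max((n.count("/") for n in classes), default=0),
        "random_package_ratio": random_pkgs / len(pkg_parts) if pkg_parts else 0.0,
        "random_class_ratio": random_classes / len(classes) if classes else 0.0,
        "extensionless_resources": blobs,
    }

def build_sample_jar() -> bytes:
    """Constructed sample reproducing the diary's layout; the class bodies are just the magic number."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: q945.q94827.q48.q81736.q36.q63837.q09.Q6361728063815\r\n")
        zf.writestr("q945/q94827/q48/q81736/q36/q63837/q09/Q6361728063815.class", b"\xca\xfe\xba\xbe")
        zf.writestr("q945/q94827/q48/q7164/q90729/q37/q72547/Q3829054919394.class", b"\xca\xfe\xba\xbe")
        zf.writestr("q945/q94827/q48/q81736/q36/q63837/q07151/Q7191626053917", b"\x8f\x13\x22")  # constructed blob
    return buf.getvalue()
```

A ratio near 1.0 on both counters together with a package depth of seven or more and extensionless resources is the signature to look for; a legitimately built JAR keeps readable package and class names.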

When executed in a sandbox, the following files are created:

_0.57007632454940891986287463537679385.class (SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9)[2]
Windows4710937619573808871.dll (SHA256: 7da7e2e66b5b79123f9d731d60be76787b6374681e614099f18571a4c4463798)[3]

This is the Adwind RAT[4]. In my case, the sandbox established a connection to the following C2 server located in Poland: 192.166.218.230, port 8070. While looking at the SSL certificate, I found a reference to an old blog post written by Brad in 2015[5]:

commonName = assylias
organizationName = assylias.Inc

As you can see, even though the files belonging to the RAT have been known for a while and are detected by many antivirus vendors, the dropper remains undetected!

[1] https://www.virustotal.com/en/file/b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4/analysis/1509448583/
[2] https://www.virustotal.com/en/file/97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9/analysis/
[3] https://www.virustotal.com/en/file/7da7e2e66b5b79123f9d731d60be76787b6374681e614099f18571a4c4463798/analysis/
[4] https://www.cyphort.com/threat-insights/adwind-rat/
[5] http://www.malware-traffic-analysis.net/2015/08/06/index.html

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant