Search This Blog

Ring Ø Labs DOES NOT advocate using any of the malware, techniques, or information presented here for harm and doing so may violate the law. These topics are for mitigation and educational purposes only. Read more about us here

Saturday, September 9, 2017

Triaging Java JAR Files

Today we show how to quickly triage Java JAR files with a simple, free, and straightforward Java decompiler.






WARNING: USE OF INFORMATION IN THIS REPORT FOR ANY ACTION AGAINST A MACHINE WITHOUT THE OWNERS CONSENT MAY VIOLATE THE LAW.



DETAILS

Filename
09-2017_B0LET0.jar
Protection
None
MD5
9EE15215CF9695FF0560837900BFC93C
Sample
Type
Malicious Java Downloader
Video


To begin today's analysis, we first define what a Java JAR is:

A JAR (Java ARchive) is a package file format typically used to aggregate many Java class files and associated metadata and resources (text, images, etc.) into one file for distribution.

Simply put, this is the final "executable" you get when you compile your Java code for distribution. As long as Java is installed on your machine, you will be able to run a JAR file by double clicking it.

To analyze a JAR file we can use JD-GUI (Java Decompiler) and essentially reverse the compiled code back to legible source code. In the case of our file today we see many 'blank' classes. This was most likely coded by the author to be annoying or it is future functionality that has not been implemented yet.




Scrolling down the class tree on the left, we soon come to the "Viante" class and this is where the main functionality of this malware resides.




We can see that this particular code is fairly straightforward and is very lightly obfuscated with randomly named variables. However, we can easily follow the execution path and tell that the malware will reach out to "http://191.252.2.91/0509/" to download "kk.zip". If we manually visit this IP and subdirectory we can see that the malware author has staged many other zips for download:



We downloaded all of the Zips above to check their contents and they were all the same. The only variance is the initial Zip name as seen above. This is indicative of the author distributing different variants which are coded to download each of the different named zips. Since all files contain the same malware it does not look like this JAR is set to distribute different malware campaigns e.g.(one for ransomware, another for banking trojans, another for adware, etc.)

If we traverse back to the IP itself we discover that it is running Apache 2 and is set to defaults. This is...shall we say...amateurish? If we were so inclined to poke around this server a bit, I'm sure we could find quite a few things which were still set to default. But, that is outside the scope of this analysis and I DO NOT recommend doing this as it may violate the law.



Malware hosting server aside, we continue our analysis by extracting the contents of the downloaded zip and discover 5 separate files which are named with incorrect PNG picture extensions.



As we follow the JAR code to the end we see that it will rename all of the PNG files to EXE, DRV, and DB (All three renamed files contain MZ headers which denotes an executable, driver, or dll).



After the renaming we end up with the following files which will then be executed through "VM.exe".





CONCLUSION

This analysis was focused on quickly triaging Java JAR files through the use of JD-GUI (Java Decompiler). This simple, free tool allows you to revert JARs back to their Class code and easily follow their logic.


INDICATORS



DROPPED FILES
gbs.png
i.dk
prs.png
vm.png
vmwarebase.dll