Today we show how to quickly triage Java JAR files and how to escalate your analysis when facing professional-grade obfuscators like ProGuard or Allatori.
Filename: 09-2017_B0LET0.jar
MD5: 9EE15215CF9695FF0560837900BFC93C
Sample: Download via Reverse.it
Video Walkthrough
Technical Details: The JAR Format
A JAR (Java ARchive) is a ZIP archive that bundles compiled .class files, resources and metadata (most importantly META-INF/MANIFEST.MF) into one file for distribution. javac produces the individual .class files; the jar tool packages them. If the manifest carries a Main-Class entry and a Java Runtime Environment (JRE) is installed, the file runs with a double-click on Windows, macOS and Linux alike, which is exactly why JAR droppers are a cross-platform favorite of malware authors: one file, no native compiler, no per-OS build.
For the initial triage we load the sample in JD-GUI, which decompiles the bytecode into readable, if approximate, Java source. This sample is padded with many "blank" classes (no fields, no logic) meant to waste a researcher's time; the real code lives in the class named Viante.
The Infection Chain
Decompiling Viante shows the malware fetching http://191.252.2.91/0509/kk.zip. The archive holds five files whose extensions were changed to .png so they look like images. Viante renames them back to their real extensions (EXE and DRV) and then launches them through a second process, VM.exe. The URL, the IP and those file names are the indicators to record from this stage; everything past the download should be observed in an isolated VM, never on the analysis host.
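As an added example (not code from the original write-up), here is a small static triage tool in Java that does by script what the JD-GUI pass in the JAR-format section does by hand, and that would surface the infection-chain indicators above without decompiling anything: it reads Main-Class from the manifest, counts fields and methods per class so the padding classes can be set aside, and walks each class's constant pool for strings that look like URLs, dotted-quad IPs, or the .png/.exe/.drv file names a renaming dropper has to carry. The single JAR-path argument and the IOC regex are my choices; the sample's own strings are not embedded in the code, so run it against the file itself.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Static JAR triage: manifest entry point, padding classes, and IOC-looking constant-pool strings. */
public class JarTriage {
    // Strings worth a second look: URLs, dotted-quad IPs, and the extensions a dropper renames between.
    private static final Pattern IOC =
            Pattern.compile("(?i)https?://\\S+|\\b\\d{1,3}(?:\\.\\d{1,3}){3}\\b|\\S*\\.(?:exe|drv|dll|png|zip)\\b");

    /** Per-class facts pulled from the class file header and constant pool. */
    static final class ClassSummary {
        final List<String> utf8 = new ArrayList<>();
        int fields, methods;
        /** No fields and at most the implicit constructor: padding, not logic. */
        boolean isBlank() { return fields == 0 && methods <= 1; }
        List<String> iocs() {
            List<String> hits = new ArrayList<>();
            for (String s : utf8) {
                Matcher m = IOC.matcher(s);
                while (m.find()) hits.add(m.group());
            }
            return hits;
        }
    }

    public static void main(String[] args) throws IOException {
        try (JarFile jar = new JarFile(args[0])) {
            Manifest mf = jar.getManifest();
            String main = mf == null ? null : mf.getMainAttributes().getValue("Main-Class");
            System.out.println("Main-Class: " + (main == null ? "(none: not runnable by double-click)" : main));
            int blank = 0, total = 0;
            for (JarEntry e : Collections.list(jar.entries())) {
                if (!e.getName().endsWith(".class")) continue;
                total++;
                try (InputStream in = jar.getInputStream(e)) {
                    ClassSummary s = summarize(new DataInputStream(in));
                    if (s.isBlank()) { blank++; continue; }
                    System.out.printf("%s: %d fields, %d methods%n", e.getName(), s.fields, s.methods);
                    for (String ioc : s.iocs()) System.out.println("    IOC string: " + ioc);
                } catch (IOException ex) {
                    // Obfuscators emit malformed constant pools on purpose; report rather than abort.
                    System.out.println(e.getName() + ": unparseable (" + ex.getMessage() + ")");
                }
            }
            System.out.printf("%d classes, %d of them empty padding%n", total, blank);
        }
    }

    /** Walks the constant pool (collecting CONSTANT_Utf8) and the member counts that follow it. */
    static ClassSummary summarize(DataInputStream in) throws IOException {
        ClassSummary s = new ClassSummary();
        if (in.readInt() != 0xCAFEBABE) throw new IOException("bad magic");
        skipFully(in, 4);                                  // minor_version, major_version
        int cpCount = in.readUnsignedShort();
        for (int i = 1; i < cpCount; i++) {
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1: s.utf8.add(in.readUTF()); break;                           // Utf8: u2 length + modified UTF-8
                case 3: case 4: skipFully(in, 4); break;                           // Integer, Float
                case 5: case 6: skipFully(in, 8); i++; break;                      // Long, Double occupy two slots
                case 7: case 8: case 16: case 19: case 20: skipFully(in, 2); break; // Class, String, MethodType, Module, Package
                case 9: case 10: case 11: case 12: case 17: case 18: skipFully(in, 4); break; // *ref, NameAndType, (Invoke)Dynamic
                case 15: skipFully(in, 3); break;                                  // MethodHandle
                default: throw new IOException("unknown constant pool tag " + tag);
            }
        }
        skipFully(in, 6);                                  // access_flags, this_class, super_class
        skipFully(in, 2 * in.readUnsignedShort());         // interfaces[]
        s.fields = in.readUnsignedShort();
        skipMembers(in, s.fields);
        s.methods = in.readUnsignedShort();
        return s;
    }

    /** Skips field_info structures, each carrying a variable number of attributes. */
    private static void skipMembers(DataInputStream in, int count) throws IOException {
        for (int i = 0; i < count; i++) {
            skipFully(in, 6);                              // access_flags, name_index, descriptor_index
            int attrs = in.readUnsignedShort();
            for (int a = 0; a < attrs; a++) {
                skipFully(in, 2);                          // attribute_name_index
                skipFully(in, in.readInt());               // attribute_length bytes
            }
        }
    }

    /** DataInputStream.skipBytes may stop short on inflated streams, so loop until done. */
    private static void skipFully(DataInputStream in, int n) throws IOException {
        while (n > 0) {
            int skipped = in.skipBytes(n);
            if (skipped <= 0) throw new IOException("truncated class file");
            n -= skipped;
        }
    }
}
```

Compile with `javac JarTriage.java` and run `java JarTriage 09-2017_B0LET0.jar`. The parser deliberately reads only as far as the method count, so renamed symbols and flattened control flow do not matter to it: strings an obfuscator leaves in the clear still sit in the constant pool, and a class that yields nothing but a handful of descriptors is a candidate for the string-encryption handling covered below.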
Advanced Analysis: Fighting Obfuscators
This sample was only lightly obfuscated, but malware that has been run through ProGuard (shrinking plus name obfuscation) or Allatori (renaming plus string encryption and control flow obfuscation) is a different matter: the decompiler either fails outright or emits unreadable "spaghetti" code. Here is how to escalate:
1. Recognizing Advanced Obfuscation
If class and method names have collapsed to single letters (a(), b.c()), to names that are legal in bytecode but not in Java source, or to unprintable characters, the symbols have been renamed; the logic is intact, only the labels are gone. Control flow flattening is harder to undo: the method's branches and loops are dismantled into one large loop around a switch, and the case order says nothing about the original execution order.
2. Advanced Toolkit: JADX and Deobfuscators
Switch from JD-GUI to JADX. Its deobfuscation option (the --deobf flag on the command line, or the equivalent setting in the GUI) renames members to generic but stable and unique names, so the same method reads the same way at every call site. For encrypted strings and inserted dead code, java-deobfuscator (a command-line tool) ships transformers that undo specific obfuscators' transforms, Allatori's string encryption among them, and write the recovered plaintext back into the class files.
3. Dynamic Instrumentation
If the code is too tangled to read, watch it run. JVisualVM's sampler and profiler (or a method-tracing tool such as Java-Tracer) show which methods execute and how often, which is enough to locate the hot spots, but they do not show argument values. For those, attach a debugger (jdb, or an IDE debugger over the decompiled source) or an instrumentation agent, and break not on the obfuscated code but on the JDK API it must eventually call: a method named a.a() that hands a string to the java.net.URL constructor is a downloader, whatever it is called.
4. Memory Dumps
Advanced loaders download encrypted bytecode, decrypt it in memory and hand it to a custom ClassLoader, so nothing readable ever touches disk. Every class a Java-level loader creates passes through java.lang.ClassLoader.defineClass() (it is overloaded; break on all variants), so a debugger breakpoint there, or an agent registered as a ClassFileTransformer, sees the decrypted bytecode in the byte[] argument before the class is defined, let alone before its static initializer runs. Dump that buffer and you have the payload. Two caveats: classes loaded from the class path pass through the same method, so filter by loader; and the few paths that bypass it (sun.misc.Unsafe.defineClass and defineAnonymousClass on JDKs that still have them, MethodHandles.Lookup.defineHiddenClass on JDK 15 and later) need their own breakpoints.
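The programmatic form of that breakpoint, as an added example that is not part of the original post: a java.lang.instrument agent whose ClassFileTransformer receives the same byte[] that defineClass is about to turn into a class, and writes it to disk. The JVM calls registered transformers from the define path before the class exists, so the dump is taken before any of the payload's code runs. The loader filter (skip the bootstrap loader and the application loader, keep anything the sample instantiated itself) and the dump-directory argument are my assumptions; the same addTransformer hook is where a method-call tracer would rewrite bytecode, but this agent returns the bytes untouched.

```java
import java.io.IOException;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.ProtectionDomain;
import java.util.concurrent.atomic.AtomicInteger;

/** Java agent that saves every class a non-standard loader defines, before any of it executes. */
public final class ClassDumpAgent implements ClassFileTransformer {
    private final Path outDir;
    private final AtomicInteger seq = new AtomicInteger();

    private ClassDumpAgent(Path outDir) { this.outDir = outDir; }

    /** Called by the JVM for -javaagent:classdump.jar=<dump directory>, before the sample's main(). */
    public static void premain(String agentArgs, Instrumentation inst) throws IOException {
        Path dir = Paths.get(agentArgs == null || agentArgs.isEmpty() ? "classdump" : agentArgs);
        Files.createDirectories(dir);
        inst.addTransformer(new ClassDumpAgent(dir), false);
    }

    @Override
    public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined,
                            ProtectionDomain pd, byte[] classfileBuffer) {
        // Bootstrap (null) and the application loader supply the JDK and the JAR already on disk.
        // A loader the sample created itself is the one feeding decrypted bytecode to defineClass.
        // (Drop the second test if the sample calls defineClass reflectively on the app loader.)
        if (loader == null || loader == ClassLoader.getSystemClassLoader()) return null;

        String name = className == null ? "unnamed" : className.replace('/', '.');
        String loaderTag = loader.getClass().getName() + "@" + Integer.toHexString(System.identityHashCode(loader));
        Path out = outDir.resolve(seq.incrementAndGet() + "_" + loaderTag + "_" + name + ".class");
        try {
            Files.write(out, classfileBuffer);
            System.err.printf("[classdump] %s (%d bytes) defined by %s -> %s%n",
                    name, classfileBuffer.length, loaderTag, out);
        } catch (IOException e) {
            System.err.println("[classdump] could not write " + name + ": " + e);
        }
        return null; // null tells the JVM to define the class from the original bytes, unchanged
    }
}
```

Build it with `javac ClassDumpAgent.java`, a manifest containing `Premain-Class: ClassDumpAgent`, and `jar cfm classdump.jar manifest.txt ClassDumpAgent.class`; then run the sample as `java -javaagent:classdump.jar=dumps -jar sample.jar` inside an isolated VM, since this executes the malware. The dumped .class files go straight into JD-GUI or JADX. If the sample launches a second JVM, the agent does not follow it; setting `JAVA_TOOL_OPTIONS=-javaagent:/path/classdump.jar=dumps` in the environment makes every child JVM pick it up as well.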
Conclusion
Java malware analysis ranges from a quick look in JD-GUI to intercepting class definitions inside the running JVM. Because every class, however it was obfuscated or delivered, has to be defined by the runtime before it can execute, there is always a point where the payload can be caught and unmasked, no matter how many layers of ProGuard or Allatori the author has applied.
