2016-02-02 Malicious Jar Attachment

IoCs from this investigation:
============================
myson123456[.]ddns[.]net
178.32.72.136:2550

Here is another example of an email that most users get, claiming that they (the user) have something that they need to take action on. In this case it is a malicious Java file. Thankfully most email gateways block these types of files from ever reaching the user base. Let’s dig in.

Email

The Java file has the following characteristics:

File Name: payment..jar
Size: 118KB
MD5: f4b463e4df4ef274a198bfb07ed3e6cd
SHA256: f4c93ab532e53274bd97c00fccba3b231de0832e743879380f7af7bf81aef60f

Virustotal Link: http://www.virustotal.com/en/file/f4c93ab532e53274bd97c00fccba3b231de0832e743879380f7af7bf81aef60f/analysis/
Detection Ratio: 25 / 54
First Submitted: 2016-02-07 21:28:02 UTC

Malwr link: http://malwr.com/analysis/Y2FmYjEwNGM0MjM5NDBmYWI3YTdjYjJkOTRjY2M5OWY/

Since this is a Java file, I usually like to try and open these up using Java Decompiler (JD-GUI) to see if there is anything that I can gather or understand. Unfortunately in this case nothing useful came back, as you can see:

JD-GUI

So after some Googling around looking for a Java deobfuscation tool I came across this one: http://bytecodeviewer.com/. I did not really play around much with this tool (or any other RE suite for that matter), but this one did give me some more information about the JAR file that JD-GUI did not:

ByteCode Viewer example

Just skimming through the file I am not seeing a lot that I understand, but some that I do. Using one of the plugins from Bytecode Viewer (the Malicious Code Scanner plugin), I did get back these two lines (which I had also seen while looking through all the parts of the JAR file):

	Found Method call to java/net/URLClassLoader.<init>(([Ljava/net/URL;)V) at compos/__?????????????????l.<init>(([Ljava/net/URL;)V)
	Found Method call to java/lang/reflect/Method.invoke((Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;) at compos/__?????????????????y.i((Ljava/lang/reflect/Method;)V)
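The plugin output above is simply a walk of each class file's constant pool looking for references to a few well-known "fetch code and run it" methods. The scanner below, an added example that is not part of the original post or of Bytecode Viewer, reimplements that triage step: it parses the constant pool of every .class in a JAR and reports Methodref entries to java/net/URLClassLoader.<init> and java/lang/reflect/Method.invoke. The sample JAR it builds is constructed here (a stub class named compos/Loader.class with only a constant pool), not the real payment..jar; point scan_jar() at a real file path to use it on a sample.

```python
import io
import struct
import zipfile

# Method references the write-up's Bytecode Viewer plugin flagged: the usual
# "fetch more classes and run them reflectively" primitives in Java droppers.
SUSPICIOUS_METHODS = {("java/net/URLClassLoader", "<init>"),
                      ("java/lang/reflect/Method", "invoke")}
# Constant-pool tag -> body size for fixed-length entries (Utf8, tag 1, is variable).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(data):
    """Return {index: entry} for a .class file's constant pool; nothing past it is read."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])
    pool, pos, idx = {}, 10, 1
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length + bytes
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            pool[idx] = ("utf8", data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in (9, 10, 11):  # Fieldref / Methodref / InterfaceMethodref
            pool[idx] = ("ref", tag) + struct.unpack(">HH", data[pos:pos + 4])
            pos += 4
        elif tag == 7:  # CONSTANT_Class -> Utf8 index
            pool[idx] = ("class",) + struct.unpack(">H", data[pos:pos + 2])
            pos += 2
        elif tag == 12:  # CONSTANT_NameAndType -> name index, descriptor index
            pool[idx] = ("nat",) + struct.unpack(">HH", data[pos:pos + 4])
            pos += 4
        elif tag in _FIXED:  # numbers, String, MethodHandle, ...: skip over
            pool[idx] = ("other", tag)
            pos += _FIXED[tag]
        else:
            raise ValueError("bad constant pool tag %d at #%d" % (tag, idx))
        idx += 2 if tag in (5, 6) else 1  # Long/Double take two slots
    return pool


def _utf8(pool, i):
    e = pool.get(i)
    return e[1] if e and e[0] == "utf8" else None


def method_refs(data):
    """Yield (owner_class, name, descriptor) for each Methodref; malformed refs are skipped."""
    pool = parse_constant_pool(data)
    for e in pool.values():
        if e[0] != "ref" or e[1] not in (10, 11):
            continue
        cls, nat = pool.get(e[2]), pool.get(e[3])
        if cls and cls[0] == "class" and nat and nat[0] == "nat":
            owner, name, desc = _utf8(pool, cls[1]), _utf8(pool, nat[1]), _utf8(pool, nat[2])
            if owner and name and desc:
                yield owner, name, desc


def scan_jar(jar):
    """Report (class_path, owner, method, descriptor) for suspicious refs in a JAR (path or bytes)."""
    if isinstance(jar, (bytes, bytearray)):
        jar = io.BytesIO(jar)
    hits = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                for owner, meth, desc in method_refs(zf.read(name)):
                    if (owner, meth) in SUSPICIOUS_METHODS:
                        hits.append((name, owner, meth, desc))
    return hits


def build_sample_jar():
    """Constructed stand-in for the write-up's JAR: one stub class whose constant pool
    (the only part read above) references URLClassLoader.<init> and Method.invoke."""
    def u(s):
        return b"\x01" + struct.pack(">H", len(s)) + s.encode()
    cp = (u("java/net/URLClassLoader") + b"\x07\x00\x01"          # 1 Utf8, 2 Class
          + u("<init>") + u("([Ljava/net/URL;)V")                  # 3, 4 Utf8
          + b"\x0c\x00\x03\x00\x04" + b"\x0a\x00\x02\x00\x05"      # 5 NameAndType, 6 Methodref
          + u("java/lang/reflect/Method") + b"\x07\x00\x07"        # 7 Utf8, 8 Class
          + u("invoke")                                            # 9 Utf8
          + u("(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;")  # 10 Utf8
          + b"\x0c\x00\x09\x00\x0a" + b"\x0a\x00\x08\x00\x0b")     # 11 NameAndType, 12 Methodref
    klass = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 13) + cp
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("compos/Loader.class", klass)  # hypothetical class name
    return buf.getvalue()


if __name__ == "__main__":
    for cls, owner, meth, desc in scan_jar(build_sample_jar()):
        print("Found Method call to %s.%s(%s) in %s" % (owner, meth, desc, cls))
```

A constant-pool reference only tells you the class can call the method, not that it does on every path, and an obfuscator that resolves classes by name at runtime will leave only string constants behind; so treat this as a quick triage signal, which is exactly how the plugin output was used above.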

Since I did not see any URLs or anything of that sort, it is time to run this in my VM and see what the traffic looks like. Initially there is a DNS lookup for the domain ‘myson123456[.]ddns[.]net’, which resolves to the IP address ‘178.32.72.136’. That IP is registered to the OVH ISP in France:

	http://www.robtex.com/en/advisory/ip/178/32/72/136/
	inetnum:	178.32.72.128 - 178.32.72.159
	netname:	OVH_45490887
	descr:	OVH
	country:	FR
	org:	ORG-JD14-RIPE
	admin-c:	OTC2-RIPE
	tech-c:	OTC2-RIPE
	status:	ASSIGNED PA
	mnt-by:	OVH-MNT
	created:	2013-07-01T15:35:19Z
	last-modified:	2013-07-01T15:35:19Z
	source:	RIPE # Filtered

I looked around to see if there was anything more on the web for this IP address and I did manage to find some hits over at Malwr, although nothing that shared the same hash was found. Moving on, once the DNS query had completed, the sample tried to connect to the malicious site on port 2550. It looks like that server may have already been cleaned up, since the callback is never fully realized, as you can see below:

Wireshark

Now even though my system never made contact with the malicious server above, some interesting artifacts were still left on the system. As you can see from the results of the RegShot run, a number of files, folders and registry keys were created. The ones that stood out to me are:

	HKU\S-1-5-21-3862639240-4259269860-3308957193-500\Software\Microsoft\Windows\CurrentVersion\Run\ASHBmwvDjsJ: ""C:\Users\Administrator\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\Administrator\zHOYGzgpAKk\FkJvAfWLwXQ.STRnwH""

	C:\Users\Administrator\zHOYGzgpAKk\FkJvAfWLwXQ.STRnwH
	
	C:\Users\Administrator\zHOYGzgpAKk\ID.txt

The file “ID.txt” contains only the following: {"UUID":"24f3cf4e-c2d9-4194-9251-4a3dc3cfe709"}. Looking around I was not able to figure out what exactly this ID means. Perhaps it is used once the whole infection chain is up and running.

The other file (FkJvAfWLwXQ.STRnwH) that was created under the “zHOYGzgpAKk” folder looks to be the same Java file as the “payment..jar” file, just named differently; both files have identical sizes and hashes. Once again, why the Java file is copied out like this is beyond me at this time.

Also, when running the Java file, the only process that seemed to kick off was “C:\Users\Administrator\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Administrator\zHOYGzgpAKk\FkJvAfWLwXQ.STRnwH” as you can see below in the video.
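The Run key above packs several things a defender can key on into one value: a Java launcher living under AppData\Roaming\Oracle rather than Program Files, a -jar argument, a JAR whose extension is not .jar, and a JAR stored in the user profile. The script below is an added example, not part of the original post, that turns those observations into a Run-key check. The first sample value is the exact one from the RegShot output above; the VendorUpdater and OneDrive entries are constructed benign comparisons. On Windows it reads the live HKCU and HKLM Run keys via winreg; on any other platform it falls back to the samples.

```python
import re

JAVA_LAUNCHERS = ("javaw.exe", "java.exe")

# Constructed samples. The first is the exact Run value from the write-up's RegShot
# output; the other two are made-up benign entries for comparison.
SAMPLE_RUN_VALUES = {
    "ASHBmwvDjsJ": r'"C:\Users\Administrator\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\Administrator\zHOYGzgpAKk\FkJvAfWLwXQ.STRnwH"',
    "VendorUpdater": r'"C:\Program Files\Java\jre8\bin\javaw.exe" -jar "C:\Program Files\Vendor\updater.jar"',
    "OneDrive": r'"C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}


def split_command(cmd):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def classify_run_value(command):
    """Return the reasons a Run-key command resembles the write-up's persistence, or []."""
    args = split_command(command)
    if not args:
        return []
    launcher = args[0]
    if launcher.lower().rsplit("\\", 1)[-1] not in JAVA_LAUNCHERS:
        return []  # not a Java launcher at all: out of scope for this check
    reasons = []
    if not re.match(r"[a-z]:\\program files", launcher.lower()):
        reasons.append("Java runtime outside Program Files: " + launcher)
    if "-jar" in args:
        i = args.index("-jar")
        jar = args[i + 1] if i + 1 < len(args) else ""
        reasons.append("runs a JAR at logon: " + (jar or "<missing argument>"))
        if jar and not jar.lower().endswith(".jar"):
            reasons.append("JAR hidden behind a non-.jar extension: " + jar.rsplit("\\", 1)[-1])
        if "\\users\\" in jar.lower():
            reasons.append("JAR stored under a user profile directory")
    return reasons


def collect_run_values():
    """Read the HKCU and HKLM Run keys on Windows; return [] elsewhere (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return []
    found = []
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values under this key
                found.append((label + "\\...\\Run\\" + name, str(data)))
                i += 1
    return found


def report(values):
    """Return {value_name: reasons} for every (name, command) pair that triggered a reason."""
    out = {}
    for name, cmd in values:
        reasons = classify_run_value(cmd)
        if reasons:
            out[name] = reasons
    return out


if __name__ == "__main__":
    live = collect_run_values()
    for name, reasons in report(live or SAMPLE_RUN_VALUES.items()).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

The per-user Run key is written under the user's own SID (HKU\S-1-5-21-...-500 in the RegShot output), so on a multi-user box each loaded hive needs to be checked, not just HKCU of whoever runs the script; the classifier itself is a heuristic and a legitimate Java tool that ships its own runtime will trip the Program Files check, which is why every reason is reported rather than a single verdict.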

To check out the Java file to see if you can de-obfuscate it and the PCAP for this example please click here. The password for the zip archive is “herbiegoesbananas.” Enjoy!
