Java bytecode Malware Analysis

Analysis of a Java-based malware sample with string encoding. An additional challenge was that the sample would not fully decompile with free tools.

Transcript

  • 1. Malware Analysis: Java Bytecode
    May 2012
    Brian Baskin, @bbaskin
  • 2. Update: Back Story
    • Intrusion resulting in major monetary loss
    • System with keylogger and unknown trojan
    • Java drive-by identified:
    • 52b989e6-783fc81c.jar
      – MD5: ee18509d07bf591c73bd30091080e034
  • 3. Update: Java IDX results
    IDX file: JAR52b989e6-783fc81c2.idx (IDX File Version 6.03)
    [*] Section 2 (Download History) found:
    URL: http://173.224.71.132:8080/content/Qai.jar
    IP: 173.224.71.132
    <null>: HTTP/1.1 200 OK
    content-length: 14869
    last-modified: Thu, 15 Mar 2012 14:39:44 GMT
    content-type: application/java-archive
    date: Thu, 15 Mar 2012 18:55:12 GMT
    server: nginx
    deploy-request-content-type: application/x-java-archive
    [*] Section 3 (Jar Manifest) found:
    [*] Section 4 (Code Signer) found:
    [*] Found: Data block. Length: 4
    Data: Hex: 00000000
    [*] Found: Data block. Length: 3
    Data: 0 Hex: 300d0a
    This “Section 4” data appears to be a pattern indicative of a BlackHole download.
  • 4. First:
    • Java Sucks
  • 5. File details
    • Java JAR with five included files
  • 6. <Insert intrigue>
    • But, first…
    • WTF?
  • 7. <Shrug and go back to work>
    • Uncompress with internal Windows zip and let ‘er rip…
    • Now, let’s take a look at one in WinHex
  • 8. Yup… That’s Compiled Java
    Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
    00000000 CA FE BA BE 00 00 00 31 00 35 07 00 02 01 00 03   Êþº¾   1 5
    00000010 6D 5F 63 07 00 04 01 00 10 6A 61 76 61 2F 6C 61   m_c      java/la
    00000020 6E 67 2F 4F 62 6A 65 63 74 01 00 03 6D 5F 67 01   ng/Object   m_g
    00000030 00 12 4C 6A 61 76 61 2F 6C 61 6E 67 2F 4F 62 6A     Ljava/lang/Obj
    00000040 65 63 74 3B 01 00 03 6D 5F 65 01 00 13 5B 4C 6A   ect;   m_e   [Lj
    00000050 61 76 61 2F 6C 61 6E 67 2F 4F 62 6A 65 63 74 3B   ava/lang/Object;
    00000060 01 00 03 6D 5F 68 01 00 12 4C 6A 61 76 61 2F 6C      m_h   Ljava/l
    00000070 61 6E 67 2F 53 74 72 69 6E 67 3B 01 00 0D 43 6F   ang/String;   Co
    00000080 6E 73 74 61 6E 74 56 61 6C 75 65 08 00 0D 01 00   nstantValue
    00000090 11 56 47 37 52 45 2D 53 57 54 34 45 2D 52 55 49    VG7RE-SWT4E-RUI
    000000A0 4F 53 01 00 03 6D 5F 62 01 00 11 4C 6A 61 76 61   OS   m_b   Ljava
    000000B0 2F 6C 61 6E 67 2F 43 6C 61 73 73 3B 01 00 03 6D   /lang/Class;   m
    000000C0 5F 64 08 00 12 01 00 1E 47 59 37 38 54 47 44 45   _d      GY78TGDE
    000000D0 53 38 39 46 56 59 53 50 44 46 4A 50 39 55 56 46   S89FVYSPDFJP9UVF
    000000E0 39 53 30 44 4A 47 01 00 03 6D 5F 61 01 00 15 4C   9S0DJG   m_a   L
    000000F0 6A 61 76 61 2F 75 74 69 6C 2F 4D 61 70 24 45 6E   java/util/Map$En
    00000100 74 72 79 3B 01 00 08 5A 4B 4D 35 2E 34 2E 33 01   try;   ZKM5.4.3
    00000110 00 12 5B 4C 6A 61 76 61 2F 6C 61 6E 67 2F 43 6C     [Ljava/lang/Cl
    00000120 61 73 73 3B 01 00 08 3C 63 6C 69 6E 69 74 3E 01   ass;   <clinit>
    00000130 00 03 28 29 56 01 00 04 43 6F 64 65 09 00 01 00     ()V   Code
    00000140 1B 0C 00 05 00 06 0A 00 03 00 1D 0C 00 1E 00 1F
  • 9. What do these mean?
    • CAFEBABE = Magic value
    • 0031 = 0x31 – Major file version (J2SE 5.0)
    • Then a huge pool of string values…
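To make the "magic value, version, then a pool of strings" layout concrete, here is an added Python example (not part of the presentation or its sample) that parses the class-file header and walks the constant pool. The input is the 0x150 bytes transcribed from the slide 8 hex dump; because the real file continues beyond what the slide shows, the pool is cut off part-way, and the parser stops cleanly instead of crashing. The tag sizes come from the JVM class-file specification; `resolve()` follows Class, String, NameAndType and Fieldref/Methodref indices back to their UTF-8 names so the obfuscated field names and the `ZKM5.4.3` marker string can be read directly.

```python
import struct

# First 0x150 bytes of the sample's class file, transcribed from the hex dump on the
# "Yup... That's Compiled Java" slide. The file continues past this point, so the
# constant pool is cut off mid-way and the parser has to stop cleanly when it is.
CLASS_HEX = (
    "CAFEBABE000000310035070002010003" "6D5F630700040100106A6176612F6C61"
    "6E672F4F626A6563740100036D5F6701" "00124C6A6176612F6C616E672F4F626A"
    "6563743B0100036D5F650100135B4C6A" "6176612F6C616E672F4F626A6563743B"
    "0100036D5F680100124C6A6176612F6C" "616E672F537472696E673B01000D436F"
    "6E7374616E7456616C756508000D0100" "1156473752452D53575434452D525549"
    "4F530100036D5F620100114C6A617661" "2F6C616E672F436C6173733B0100036D"
    "5F6408001201001E4759373854474445" "533839465659535044464A5039555646"
    "395330444A470100036D5F610100154C" "6A6176612F7574696C2F4D617024456E"
    "7472793B0100085A4B4D352E342E3301" "00125B4C6A6176612F6C616E672F436C"
    "6173733B0100083C636C696E69743E01" "0003282956010004436F646509000100"
    "1B0C000500060A0003001D0C001E001F"
)
CLASS_BYTES = bytes.fromhex(CLASS_HEX)

# Constant pool tags (JVM spec, section 4.4) -> (kind, fixed payload size in bytes).
# CONSTANT_Utf8 (tag 1) is variable-length and handled on its own.
CP_TAGS = {
    3: ("Integer", 4), 4: ("Float", 4), 5: ("Long", 8), 6: ("Double", 8),
    7: ("Class", 2), 8: ("String", 2), 9: ("Fieldref", 4), 10: ("Methodref", 4),
    11: ("InterfaceMethodref", 4), 12: ("NameAndType", 4), 15: ("MethodHandle", 3),
    16: ("MethodType", 2), 17: ("Dynamic", 4), 18: ("InvokeDynamic", 4),
    19: ("Module", 2), 20: ("Package", 2),
}


def parse_class_header(data):
    """Parse magic, version and as much of the constant pool as the buffer holds.

    Returns (major, minor, cp_count, entries, truncated); entries maps pool
    index -> (kind, payload). Reference kinds keep their raw indices.
    """
    magic, minor, major, cp_count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file (magic %08X)" % magic)
    entries, pos, index = {}, 10, 1
    while index < cp_count:                  # cp_count is one more than the entry count
        if pos + 1 > len(data):
            return major, minor, cp_count, entries, True
        tag = data[pos]
        if tag == 1:                         # CONSTANT_Utf8: u2 length, then the bytes
            if pos + 3 > len(data):
                return major, minor, cp_count, entries, True
            size = 2 + struct.unpack(">H", data[pos + 1:pos + 3])[0]
        elif tag in CP_TAGS:
            size = CP_TAGS[tag][1]
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, pos))
        body = data[pos + 1:pos + 1 + size]
        if len(body) < size:                 # entry runs off the end of the buffer
            return major, minor, cp_count, entries, True
        if tag == 1:
            # Java stores "modified UTF-8"; for the ASCII names seen here it is identical.
            kind, payload = "Utf8", body[2:].decode("utf-8", "replace")
        else:
            kind = CP_TAGS[tag][0]
            if size == 2:
                payload = struct.unpack(">H", body)[0]       # one pool index
            elif tag == 15:
                payload = struct.unpack(">BH", body)         # reference kind, reference index
            elif size == 4 and tag not in (3, 4):
                payload = struct.unpack(">HH", body)         # two pool indices
            else:
                payload = body.hex()                         # numeric constant, kept raw
        entries[index] = (kind, payload)
        pos += 1 + size
        index += 2 if tag in (5, 6) else 1   # Long and Double occupy two slots
    return major, minor, cp_count, entries, False


def resolve(entries, index):
    """Follow pool references down to a readable string; indices that fall
    outside the parsed part of the pool are shown as #n."""
    if index not in entries:
        return "#%d" % index
    kind, payload = entries[index]
    if kind == "Utf8":
        return payload
    if kind in ("Class", "String", "MethodType", "Module", "Package"):
        return resolve(entries, payload)
    if kind == "NameAndType":
        return "%s:%s" % (resolve(entries, payload[0]), resolve(entries, payload[1]))
    if kind in ("Fieldref", "Methodref", "InterfaceMethodref"):
        return "%s.%s" % (resolve(entries, payload[0]), resolve(entries, payload[1]))
    return "%s(%s)" % (kind, payload)


if __name__ == "__main__":
    major, minor, cp_count, entries, truncated = parse_class_header(CLASS_BYTES)
    print("version %d.%d, constant_pool_count %d, parsed %d entries%s"
          % (major, minor, cp_count, len(entries), " (truncated)" if truncated else ""))
    for i in sorted(entries):
        print("#%-3d %-12s %s" % (i, entries[i][0], resolve(entries, i)))
```

Run as-is it reports version 49.0 (the 0x31 from the slide), a constant_pool_count of 53, and the 29 entries that fit in the dump, including the `m_a`/`m_b`/... field names, the `VG7RE-SWT4E-RUIOS` string constant and `ZKM5.4.3`. Methodref #28 resolves to `java/lang/Object.#30:#31` because its NameAndType points past the end of the transcribed bytes; that is the truncation handling at work rather than an error.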
  • 10. Decompile?
    • JD-GUI (Java Decompiler) - http://java.decompiler.free.fr/
    • Because: decompilers > disassemblers
    • Awesome, free tool to turn Java bytecode back into the original Java source
  • 11. JD-GUI results:
    public class m_a extends Expression
    {
      public String m_i = z[2];
      public String m_c = z[3];
      private String m_h = z[4] + z[5].concat(z[1]);
      public String m_d = z[0];
      protected String m_e = z[6];
      private static final String[] z = { z(z("")), z(z("8023")), z(z("")), z(z("")), z(z("030tX")), z(z("+017")), z(z("0230302="005")) };
  • 12. But, then…
    private static char[] z(String paramString)
    {
      // Byte code:
      //   0: aload_0
      //   1: invokevirtual 105	java/lang/String:toCharArray	()[C
      //   4: dup
      //   5: arraylength
      //   6: iconst_2
      //   7: if_icmpge +12 -> 19
      //   10: dup
      //   11: iconst_0
      //   12: dup2
      …
  • 13. WTF?
    • JD-GUI didn’t know how to parse the bytes… so it disassembled them.
    • OK, fine.
    • But, not 100% correctly
  • 14. Some of this is wrong…
    //   14: iconst_5
    //   15: irem
    //   16: tableswitch	default:+52 -> 68, 0:+32->48, 1:+37->53, 2:+42->58, 3:+47->63
    //   49: bipush 167
    //   51: nop
    //   52: ldc2_w 4157
    //   55: goto +15 -> 70
    //   58: bipush 64
    //   60: goto +10 -> 70
    //   63: bipush 76
    //   65: goto +5 -> 70
  • 15. So, let’s go to the hex editor
    Offset    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
    00000000 2A 59 BE 5F 03 3C A7 00 46 59 1B 5C 34 1B 08 70   *Y¾_ <  FY 4 p
    00000016 AA 00 00 00 00 00 00 34 00 00 00 00 00 00 00 03   ª      4
    00000032 00 00 00 20 00 00 00 25 00 00 00 2A 00 00 00 2F      %   *   /
    00000048 10 4F A7 00 14 10 60 A7 00 0F 10 36 A7 00 0A 10   O    `    6
    00000064 5C A7 00 05 10 5C 82 92 55 84 01 01 5F 5A 1B A3   \    \‚’U„  _Z £
    00000080 FF BA BB 00 36 5A 5F B7 00 6C B6 00 6F B0 00 00   ÿº» 6Z_· l¶ o
    00000096 00 00 00 01 00 5B 00 00 00 02 00 5C               [     2 \
  • 16. And consult the Java bible…
    http://docs.oracle.com/javase/specs
  • 17. This is better…
    http://en.wikipedia.org/wiki/Java_bytecode_instruction_listings
    Mnemonic    | Opcode (in hex) | Other bytes | Stack [before]→[after]  | Description
    aaload      | 32              |             | arrayref, index → value | load onto the stack a reference from an array
    aastore     | 53              |             | arrayref, index, value →| store into a reference in an array
    aconst_null | 01              |             | → null                  | push a null reference onto the stack
    aload       | 19              | 1: index    | → objectref             | load a reference onto the stack from a local variable #index
  • 18. And start filling in mnemonics
        0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
       2A 59 BE 5F 03 3C A7 00 46 59 1B 5C 34 1B 08 70
       AA 00 00 00 00 00 00 34 00 00 00 00 00 00 00 03
       00 00 00 20 00 00 00 25 00 00 00 2A 00 00 00 2F
       10 4F A7 00 14 10 60 A7 00 0F 10 36 A7 00 0A 10
       5C A7 00 05 10 5C 82 92 55 84 01 01 5F 5A 1B A3
       FF BA BB 00 36 5A 5F B7 00 6C B6 00 6F B0 00 00
       00 00 00 01 00 5B 00 00 00 02 00 5C
    2A        aload_0
    59        dup
    BE        arraylength
    5F        swap
    03        iconst_0
    3C        istore_1
    A7 00 46  goto +70
    So far, this looks similar to JD-GUI output…
  • 19. Some tricky ones…
        0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
       2A 59 BE 5F 03 3C A7 00 46 59 1B 5C 34 1B 08 70
       AA 00 00 00 00 00 00 34 00 00 00 00 00 00 00 03
       00 00 00 20 00 00 00 25 00 00 00 2A 00 00 00 2F
       10 4F A7 00 14 10 60 A7 00 0F 10 36 A7 00 0A 10
       5C A7 00 05 10 5C 82 92 55 84 01 01 5F 5A 1B A3
       FF BA BB 00 36 5A 5F B7 00 6C B6 00 6F B0 00 00
       00 00 00 01 00 5B 00 00 00 02 00 5C
    tableswitch (case) statement (0xAA):
    00 00 00     = padding
    00 00 00 34  = Default, JMP +52 (0x34)
    00 00 00 00  = padding
    00 00 00 03  = # branches (0-3)
    00 00 00 20  = JMP +32
    00 00 00 25  = JMP +37
    00 00 00 2A  = JMP +42
    00 00 00 2F  = JMP +47
  • 20.
    13: iload_1
    14: iconst_5
    15: irem
    16: tableswitch default: JMP +52 -> 68, 0: JMP +32 -> 48, 1: JMP +37 -> 53, 2: JMP +42 -> 58, 3: JMP +47 -> 63
    49: iastore
    50: goto +20 -> 70
    53: bipush 96
    55: goto +15 -> 70
    58: bipush 54
    60: goto +10 -> 70
    63: bipush 92
    65: goto +5 -> 70
    68: bipush 92
    70: ixor
    71: i2c
    72: castore
    73: iinc 1 1
    76: swap
    77: dup_x1
    78: iload_1
    79: if_icmpgt -70 -> 9
  • 21. Direct translation to Python
    def decode(s):
        key0 = 79    # 0x4F
        key1 = 96    # 0x60
        key2 = 54    # 0x36
        key3 = 92    # 0x5C
        keydef = 92  # 0x5C
        newstr = ""
        for i in range(0, len(s)):
            pos = i % 5          # same "irem 5" as the bytecode
            if pos == 0:
                newstr += chr(ord(s[i]) ^ key0)
            elif pos == 1:
                newstr += chr(ord(s[i]) ^ key1)
            elif pos == 2:
                newstr += chr(ord(s[i]) ^ key2)
            elif pos == 3:
                newstr += chr(ord(s[i]) ^ key3)
            else:
                newstr += chr(ord(s[i]) ^ keydef)
        return newstr

    codes = ["8023", "030tX", "+017", '0230302="005']
    for code in codes:
        print(decode(code))

    ## All THAT just for a simple five-byte XOR key?!
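Slides 15 through 21 do the disassembly by hand; the added Python example below (not from the presentation) does the same walk mechanically over the 94 code bytes transcribed from the slide 15 dump, so the alignment rule that tripped up JD-GUI is visible in code. A `tableswitch` opcode is followed by zero to three pad bytes so that its 32-bit `default`/`low`/`high` words start on a 4-byte boundary measured from the start of the code array; skip that padding and every later offset is wrong, which is exactly the shape of the `bipush 167` / `nop` / `ldc2_w` garbage on slide 14. `extract_xor_keys()` then follows each case target to the `bipush` it lands on, recovering the per-position keys, and `xor_decode()` is the generic form of the slide 21 decoder for any key list. The opcode table is a subset of the JVM instruction set covering only what this method uses; the `"Windows"` round trip at the end is a constructed input, not a string from the sample.

```python
import struct

# Code bytes of the sample's string-decoding method, transcribed from the hex dump
# on the "So, let's go to the hex editor" slide. The instruction stream ends at
# areturn (offset 93); the bytes after it in the dump are the Code attribute's
# exception table and attribute headers, not instructions, so they are sliced off.
CODE = bytes.fromhex(
    "2A59BE5F033CA70046591B5C341B0870" "AA000000000000340000000000000003"
    "00000020000000250000002A0000002F" "104FA700141060A7000F1036A7000A10"
    "5CA70005105C8292558401015F5A1BA3" "FFBABB00365A5FB7006CB6006FB00000"
    "00000001005B00000002005C"
)[:94]

# Opcode -> (mnemonic, operand byte count), from the JVM instruction set; only the
# opcodes this method uses are listed. tableswitch (0xAA) is variable-length and
# is handled separately in disassemble().
OPCODES = {
    0x03: ("iconst_0", 0), 0x08: ("iconst_5", 0), 0x10: ("bipush", 1),
    0x1B: ("iload_1", 0), 0x2A: ("aload_0", 0), 0x34: ("caload", 0),
    0x3C: ("istore_1", 0), 0x55: ("castore", 0), 0x59: ("dup", 0),
    0x5A: ("dup_x1", 0), 0x5C: ("dup2", 0), 0x5F: ("swap", 0),
    0x70: ("irem", 0), 0x82: ("ixor", 0), 0x84: ("iinc", 2),
    0x92: ("i2c", 0), 0xA3: ("if_icmpgt", 2), 0xA7: ("goto", 2),
    0xB0: ("areturn", 0), 0xB6: ("invokevirtual", 2), 0xB7: ("invokespecial", 2),
    0xBB: ("new", 2), 0xBE: ("arraylength", 0),
}
BRANCHES = {"goto", "if_icmpgt"}   # 16-bit signed offset, relative to the opcode's own address


def disassemble(code):
    """Linear-sweep disassembly of a JVM code array.

    Returns a list of (offset, mnemonic, operands). Branch operands are absolute
    targets; a tableswitch's operand is a dict {case value or "default": target}.
    """
    insns, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op == 0xAA:
            # Up to three pad bytes so the 32-bit default/low/high words start on a
            # 4-byte boundary counted from the start of the code array.
            base = pc + 1 + (-(pc + 1)) % 4
            default, low, high = struct.unpack(">iii", code[base:base + 12])
            count = high - low + 1
            offsets = struct.unpack(">%di" % count, code[base + 12:base + 12 + 4 * count])
            targets = {"default": pc + default}
            targets.update((low + i, pc + off) for i, off in enumerate(offsets))
            insns.append((pc, "tableswitch", targets))
            pc = base + 12 + 4 * count
            continue
        if op not in OPCODES:
            raise ValueError("unhandled opcode 0x%02X at offset %d" % (op, pc))
        name, width = OPCODES[op]
        raw = code[pc + 1:pc + 1 + width]
        if name in BRANCHES:
            operands = (pc + struct.unpack(">h", raw)[0],)
        elif name == "bipush":
            operands = (struct.unpack(">b", raw)[0],)               # sign-extended byte
        elif name == "iinc":
            operands = (raw[0], struct.unpack(">b", raw[1:2])[0])   # local index, signed delta
        elif width == 2:
            operands = (struct.unpack(">H", raw)[0],)               # constant pool index
        else:
            operands = ()
        insns.append((pc, name, operands))
        pc += 1 + width
    return insns


def extract_xor_keys(insns):
    """Follow each tableswitch case to the bipush it jumps to; the pushed value is
    the XOR key for that position. Keys come back ordered by case, default last."""
    by_offset = {off: (name, ops) for off, name, ops in insns}
    switch = next(ops for _, name, ops in insns if name == "tableswitch")
    cases = sorted(k for k in switch if k != "default") + ["default"]
    keys = []
    for case in cases:
        name, ops = by_offset[switch[case]]
        if name != "bipush":
            raise ValueError("case %r lands on %s, not bipush" % (case, name))
        keys.append(ops[0])
    return keys


def xor_decode(text, keys):
    """Mirror of the bytecode loop: char XOR keys[i % len(keys)], narrowed to a char (i2c).
    XOR is its own inverse, so the same call encodes and decodes."""
    return "".join(chr((ord(ch) ^ keys[i % len(keys)]) & 0xFFFF) for i, ch in enumerate(text))


if __name__ == "__main__":
    insns = disassemble(CODE)
    for off, name, ops in insns:
        print("%3d: %-14s %s" % (off, name, ops if ops else ""))
    keys = extract_xor_keys(insns)
    print("XOR keys by position:", keys)
    # Constructed round trip (not a string taken from the sample).
    print(repr(xor_decode(xor_decode("Windows", keys), keys)))
```

The listing this produces matches the hand-made one on slide 20 (`tableswitch` at 16 with default 68 and cases 48/53/58/63, `if_icmpgt` at 79 back to 9, `areturn` at 93) and the keys come out as `[79, 96, 54, 92, 92]`, the same five values hard-coded in the slide's Python. Linear sweep is enough here because the method has no data mixed into the code; for a method that does, a recursive-descent walk from the entry point that only decodes reachable bytes is the safer approach.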
  • 22. Results
    Encoded → Decoded
    8023 / 030tX / +017 → ws / Windo (Windows)
    0230302="005 → os.name
    !{/ >!-zse >jv;q → regsvr32 -s "%s"
    9⌂>2f:qf%#z!! → java.io.tmpdir
    ct!| → .dll (.dll)
    cu5u → .exe (.exe)
  • 23. FLASH, a-ah, King of the Impossible
    • Same concept applies to all JIT runtimes
      – e.g. Flash ActionScript
    • CVE-2012-0779
      – Sourced from Contagio
      – Contains custom DoSWF encryption
      – Adobe SWF Investigator to disassemble
      – …
      – Profit!
  • 24. Update: AndroChef
    • AndroChef: Commercial (shareware) Java Decompiler
    • http://www.neshkov.com/ac_decompiler.html
    • Decompiles sample just fine
      – But where’s the fun in that?
  • 25. Update: AndroChef - Code
    private static String z(char[] var0) {
        for(int var1 = 0; var10000 > var1; ++var1) {
            char var10004 = var10001[var1];
            byte var10005;
            switch(var1 % 5) {
            case 0:
                var10005 = 16;
                break;
            case 1:
                var10005 = 61;
                break;
            case 2:
                var10005 = 64;
                break;
            case 3:
                var10005 = 76;
                break;
            default:
                var10005 = 62;
            }
            var10001[var1] = (char)(var10004 ^ var10005);
        }
        return (new String(var10001)).intern();
  • 26. Malware Analysis: Java Bytecode
    Brian Baskin, @bbaskin