Java bytecode Malware Analysis
•
1 like•7,172 views
Analysis of a Java-based malware sample with string encoding. An additional challenge that the sample would not decompile totally with free tools.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (9)
Similar to Java bytecode Malware Analysis
Similar to Java bytecode Malware Analysis (20)
Recently uploaded
Recently uploaded (20)
Java bytecode Malware Analysis
- 1. Malware Analysis: Java Bytecode May 2012 Brian Baskin @bbaskin
- 2. Update: Back Story • Intrusion resulting in major monetary loss • System with keylogger and unknown trojan • Java drive-by identified: • 52b989e6-783fc81c.jar – MD5: ee18509d07bf591c73bd30091080e034
- 3. Update: Java IDX results IDX file: JAR52b989e6-783fc81c2.idx (IDX File Version 6.03) [*] Section 2 (Download History) found: URL: http://173.224.71.132:8080/content/Qai.jar IP: 173.224.71.132 <null>: HTTP/1.1 200 OK content-length: 14869 last-modified: Thu, 15 Mar 2012 14:39:44 GMT content-type: application/java-archive date: Thu, 15 Mar 2012 18:55:12 GMT server: nginx deploy-request-content-type: application/x-java-archive [*] Section 3 (Jar Manifest) found: [*] Section 4 (Code Signer) found: [*] Found: Data block. Length: 4 Data: Hex: 00000000 [*] Found: Data block. Length: 3 Data: 0 Hex: 300d0a This “Section 4” data appears to be a pattern indicative of a BlackHole download.
- 5. File details • Java JAR with five included files
- 6. <Insert intrigue> • But, first… • WTF?
- 7. <Shrug and go back to work> • Uncompress with internal Windows zip and let ‘er rip… • Now, let’s take a look at one in WinHex
- 8. Yup… That’s Compiled Java Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 00000000 CA FE BA BE 00 00 00 31 00 35 07 00 02 01 00 03 Êþº¾ 1 5 00000010 6D 5F 63 07 00 04 01 00 10 6A 61 76 61 2F 6C 61 m_c java/la 00000020 6E 67 2F 4F 62 6A 65 63 74 01 00 03 6D 5F 67 01 ng/Object m_g 00000030 00 12 4C 6A 61 76 61 2F 6C 61 6E 67 2F 4F 62 6A Ljava/lang/Obj 00000040 65 63 74 3B 01 00 03 6D 5F 65 01 00 13 5B 4C 6A ect; m_e [Lj 00000050 61 76 61 2F 6C 61 6E 67 2F 4F 62 6A 65 63 74 3B ava/lang/Object; 00000060 01 00 03 6D 5F 68 01 00 12 4C 6A 61 76 61 2F 6C m_h Ljava/l 00000070 61 6E 67 2F 53 74 72 69 6E 67 3B 01 00 0D 43 6F ang/String; Co 00000080 6E 73 74 61 6E 74 56 61 6C 75 65 08 00 0D 01 00 nstantValue 00000090 11 56 47 37 52 45 2D 53 57 54 34 45 2D 52 55 49 VG7RE-SWT4E-RUI 000000A0 4F 53 01 00 03 6D 5F 62 01 00 11 4C 6A 61 76 61 OS m_b Ljava 000000B0 2F 6C 61 6E 67 2F 43 6C 61 73 73 3B 01 00 03 6D /lang/Class; m 000000C0 5F 64 08 00 12 01 00 1E 47 59 37 38 54 47 44 45 _d GY78TGDE 000000D0 53 38 39 46 56 59 53 50 44 46 4A 50 39 55 56 46 S89FVYSPDFJP9UVF 000000E0 39 53 30 44 4A 47 01 00 03 6D 5F 61 01 00 15 4C 9S0DJG m_a L 000000F0 6A 61 76 61 2F 75 74 69 6C 2F 4D 61 70 24 45 6E java/util/Map$En 00000100 74 72 79 3B 01 00 08 5A 4B 4D 35 2E 34 2E 33 01 try; ZKM5.4.3 00000110 00 12 5B 4C 6A 61 76 61 2F 6C 61 6E 67 2F 43 6C [Ljava/lang/Cl 00000120 61 73 73 3B 01 00 08 3C 63 6C 69 6E 69 74 3E 01 ass; <clinit> 00000130 00 03 28 29 56 01 00 04 43 6F 64 65 09 00 01 00 ()V Code 00000140 1B 0C 00 05 00 06 0A 00 03 00 1D 0C 00 1E 00 1F
- 9. What do these mean? • CAFEBABE = Magic value • 0031 = 0x31 – Major file version (J2SE 5.0) • Then a huge pool of string values…
- 10. Decompile? • JD-GUI (Java Decompiler) - http://java.decompiler.free.fr/ • Because: decompilers > disassemblers • Awesome, free tool to revert Java byte codes into original Java source
- 11. JD-GUI results: public class m_a extends Expression { public String m_i = z[2]; public String m_c = z[3]; private String m_h = z[4] + z[5].concat(z[1]); public String m_d = z[0]; protected String m_e = z[6]; private static final String[] z = { z(z("")), z(z("8023")), z(z("")), z(z("") ), z(z("030tX")), z(z("+017")), z(z(" 0230302="005")) };
- 12. But, then… private static char[] z(String paramString) { // Byte code: // 0: aload_0 // 1: invokevirtual 105 java/lang/String:toCharArray ()[C // 4: dup // 5: arraylength // 6: iconst_2 // 7: if_icmpge +12 -> 19 // 10: dup // 11: iconst_0 // 12: dup2 …
- 13. WTF? • JD-GUI didn’t know how to parse the bytes… so it disassembled them. • OK, fine. • But, not 100% correctly
- 14. Some of this is wrong… // 14: iconst_5 // 15: irem // 16: tableswitch default:+52 -> 68, 0:+32->48, 1:+37->53, 2:+42->58, 3:+47->63 // 49: bipush 167 // 51: nop // 52: ldc2_w 4157 // 55: goto +15 -> 70 // 58: bipush 64 // 60: goto +10 -> 70 // 63: bipush 76 // 65: goto +5 -> 70
- 15. So, let’s go to the hex editor Offset 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 00000000 2A 59 BE 5F 03 3C A7 00 46 59 1B 5C 34 1B 08 70 *Y¾_ < FY 4 p 00000016 AA 00 00 00 00 00 00 34 00 00 00 00 00 00 00 03 ª 4 00000032 00 00 00 20 00 00 00 25 00 00 00 2A 00 00 00 2F % * / 00000048 10 4F A7 00 14 10 60 A7 00 0F 10 36 A7 00 0A 10 O ` 6 00000064 5C A7 00 05 10 5C 82 92 55 84 01 01 5F 5A 1B A3 ‚’U„ _Z £ 00000080 FF BA BB 00 36 5A 5F B7 00 6C B6 00 6F B0 00 00 ÿº» 6Z_· l¶ o 00000096 00 00 00 01 00 5B 00 00 00 02 00 5C [ 2
- 16. And consult the Java bible… http://docs.oracle.com/javase/specs
- 17. This is better… http://en.wikipedia.org/wiki/Java_bytec ode_instruction_listings Mnemonic Opcode (in hex) Other bytes Stack [before]→[after] Description aaload 32 arrayref, index → value load onto the stack a reference from an array aastore 53 arrayref, index, value → store into a reference in an array aconst_null 01 → null push a null reference onto the stack aload 19 1: index → objectref load a reference onto the stack from a local variable #index
- 18. And start filling in mnemonics 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 2A 59 BE 5F 03 3C A7 00 46 59 1B 5C 34 1B 08 70 AA 00 00 00 00 00 00 34 00 00 00 00 00 00 00 03 00 00 00 20 00 00 00 25 00 00 00 2A 00 00 00 2F 10 4F A7 00 14 10 60 A7 00 0F 10 36 A7 00 0A 10 5C A7 00 05 10 5C 82 92 55 84 01 01 5F 5A 1B A3 FF BA BB 00 36 5A 5F B7 00 6C B6 00 6F B0 00 00 00 00 00 01 00 5B 00 00 00 02 00 5C 2A aload_0 59 dup BE arraylength 5F swap 03 iconst_0 3C istore_1 A7 00 46 goto +70 So far, this looks similar to JD-GUI output…
- 19. Some tricky ones… 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 2A 59 BE 5F 03 3C A7 00 46 59 1B 5C 34 1B 08 70 AA 00 00 00 00 00 00 34 00 00 00 00 00 00 00 03 00 00 00 20 00 00 00 25 00 00 00 2A 00 00 00 2F 10 4F A7 00 14 10 60 A7 00 0F 10 36 A7 00 0A 10 5C A7 00 05 10 5C 82 92 55 84 01 01 5F 5A 1B A3 FF BA BB 00 36 5A 5F B7 00 6C B6 00 6F B0 00 00 00 00 00 01 00 5B 00 00 00 02 00 5C tableswitch (case) statement (0xAA): 00 00 00 = padding 00 00 00 34 = Default, JMP +52 (0x34) 00 00 00 00 = padding 00 00 00 03 = # branches (0-3) 00 00 00 20 JMP + 32 00 00 00 25 JMP + 37 00 00 00 2A JMP + 42 00 00 00 2F JMP + 47
- 20. 13: iload_1 14: iconst_5 15: irem 16: tableswitch default: JMP +52 -> 68, 0: JMP +32->48, 1: JMP+37->53, 2:JMP +42->58, 3:JMP +47->63 49: iastore 50: goto +20 -> 70 53: bipush 96 55: goto +15 -> 70 58: bipush 54 60: goto +10 -> 70 63: bipush 92 65: goto +5 -> 70 68: bipush 92 70: ixor 71: i2c 72: castore 73: iinc 1 1 76: swap 77: dup_x1 78: iload_1 79: if_icmpgt -70 -> 9
- 21. Direct translation to Python def decode(str): key0 = 79 # 0x4F key1 = 96 # 0x60 key2 = 54 # 0x36 key3 = 92 # 0x5C keydef = 92 # 0x5C newstr = "" for i in range (0, length(str)): pos = i % 5 if pos == 0: newstr += chr(ord(str[i]) ^ key0) elif pos == 1: newstr += chr(ord(str[i]) ^ key1) elif pos == 2: newstr += chr(ord(str[i]) ^ key2) elif pos == 3: newstr += chr(ord(str[i]) ^ key3) else: newstr += chr(ord(str[i]) ^ keydef) return newstr codes = ["8023", "030tX", "+017", " 0230302="005"] for code in codes: print decode(code) ## All THAT just for a simple five-byte XOR key?!
- 22. Results Encoded Decoded 8023 030tX +017 ws Win do (Windows) 0230302="005 os.name !{/ >!-zse >jv;q regsvr32 -s "%s“ 9⌂>2f:qf'%#z!! java.io.tmpdir ct !| .d ll (.dll) cu 5u .e xe (.exe)
- 23. FLASH, a-ah, King of the Impossible • Same concept applies to all JIT runtimes – e.g. Flash ActionScript • CVE-2012-0779 – Sourced from Contagio – Contains custom DoSWF encryption – Adobe SWF Investigator to disassemble – … – Profit!
- 24. Update: AndroChef • AndroChef: Commercial (shareware) Java Decompiler • http://www.neshkov.com/ac_decompiler.html • Decompiles sample just fine – But where’s the fun in that?
- 25. Update: AndroChef - Code private static String z(char[] var0) { for(int var1 = 0; var10000 > var1; ++var1) { char var10004 = var10001[var1]; byte var10005; switch(var1 % 5) { case 0: var10005 = 16; break; case 1: var10005 = 61; break; case 2: var10005 = 64; break; case 3: var10005 = 76; break; default: var10005 = 62; } var10001[var1] = (char)(var10004 ^ var10005); } return (new String(var10001)).intern();
- 26. Malware Analysis: Java Bytecode Brian Baskin @bbaskin