Analysis of a Malicious JAR (Part 1)

In this malware analysis we take a close look at a malicious JAR file generated with the Metasploit Framework, a tool widely used by penetration testers for exploitation and post-exploitation. We perform static analysis of the file with both online and offline tools, and we use the ANY.RUN sandbox for dynamic analysis so that the file's behavior can be observed in a controlled environment.


Metasploit Framework Overview: The Metasploit Framework is a widely recognized open-source platform for penetration testing and security assessment. It facilitates the identification, exploitation, and validation of vulnerabilities in systems and applications. Security professionals and researchers use it to simulate real-world attacks, conduct post-exploitation activities, and assess the resilience of networks and software. With its extensive library of exploits and payloads, Metasploit has become an indispensable tool for ethical hacking and cybersecurity research.


Analysis Arsenal: In this analysis we combine several tools to understand the malicious JAR file. JD-GUI decompiles the Java bytecode so that we can inspect the file's internal structure and review its classes, methods, and logic, which helps identify harmful components embedded in the code. For textual analysis we rely on Notepad++, whose search and navigation features let us quickly locate suspicious patterns or configurations in scripts, logs, and other data inside the file. To reveal hidden behaviors and capabilities we use Capa, which identifies functionality such as command execution and network communication. FLOSS extracts obfuscated or encoded strings, uncovering information such as hardcoded URLs, IP addresses, or encoded commands that often indicate malicious intent.
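As an added example that is not part of the original post, the script below shows the kind of offline triage the tools above are used for, applied to a JAR before it is ever run: it treats the JAR as the ZIP archive it is, reads the manifest's Main-Class, lists the entries, flags any entry that begins with a PE header (an embedded Windows executable), and pulls printable strings out of every entry, which is the static-strings part of what FLOSS does. The sample JAR is constructed in memory; its class bytes, its "MZ" blob, the Main-Class name and the handler address are stand-ins, not content recovered from the analysed file.

```python
"""
Added example (not from the original post): offline triage of a JAR file.
The sample JAR is built in memory; every value in it is a constructed stand-in.
"""
import io
import re
import zipfile
from typing import Dict

# Runs of 8 or more printable ASCII bytes, the classic "strings" heuristic.
ASCII_STRINGS_RE = re.compile(rb"[\x20-\x7e]{8,}")
# DOS/PE header magic; an entry starting with it is an embedded Windows executable.
PE_MAGIC = b"MZ"


def build_sample_jar() -> bytes:
    """Construct a small JAR: manifest, a placeholder class, an embedded 'MZ' blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Main-Class value is a constructed stand-in, not taken from the analysed file.
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\nMain-Class: metasploit.Payload\r\n\r\n")
        # Placeholder class file: JVM magic, then a constant-pool-like string.
        z.writestr("metasploit/Payload.class",
                   b"\xca\xfe\xba\xbe" + b"\x00" * 4
                   + b"java/lang/Runtime\x00" + b"\x00" * 16)
        # Placeholder embedded PE: DOS magic, padding, the usual DOS-stub message.
        z.writestr("resources/stage.bin",
                   PE_MAGIC + b"\x90" * 60
                   + b"This program cannot be run in DOS mode" + b"\x00" * 8)
        # Constructed config with a documentation-range address (RFC 5737).
        z.writestr("resources/config.txt", "handler=192.0.2.10:4444\n")
    return buf.getvalue()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'Key: Value' lines of a JAR manifest into a dict."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def triage_jar(data: bytes) -> Dict[str, object]:
    """Return main class, entry list, embedded-PE entries and per-entry strings."""
    report: Dict[str, object] = {"main_class": None, "entries": [],
                                 "embedded_pe": [], "strings": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            report["entries"].append(info.filename)
            content = z.read(info.filename)
            if info.filename == "META-INF/MANIFEST.MF":
                manifest = parse_manifest(content.decode("utf-8", "replace"))
                report["main_class"] = manifest.get("Main-Class")
            if content.startswith(PE_MAGIC):
                report["embedded_pe"].append(info.filename)
            found = [s.decode("ascii") for s in ASCII_STRINGS_RE.findall(content)]
            if found:
                report["strings"][info.filename] = found
    return report


if __name__ == "__main__":
    result = triage_jar(build_sample_jar())
    print("Main-Class :", result["main_class"])
    print("Embedded PE:", result["embedded_pe"])
    for name, strings in result["strings"].items():
        print(f"{name}: {strings}")
```

The same `triage_jar` function can be pointed at a real file by passing `open(path, "rb").read()`; the embedded-PE check and the string dump are the first things to look at before decompiling with JD-GUI, because they tell you whether the JAR carries a native payload and where its configuration lives.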


Technical Analysis Through ANY.RUN Sandbox (First Stage): In the process graph below, there is little useful information to determine whether the JAR file is malicious. However, upon clicking on javaw.exe, we uncover some intriguing and potentially significant details that provide further insight into its behavior.



After clicking on javaw.exe, scrolling down, and selecting More Info, we observe two key indicators:

  • Danger: Generic archive extractor

  • Warning: Executable content was dropped or overwritten

These alerts suggest suspicious behavior and may indicate that the JAR file is malicious.


By clicking on Executable content was dropped or overwritten, we can examine which executable file was dropped after executing the malicious JAR file. Upon investigation, we discover that the file phNGgjyA.exe was dropped into the directory C:\Users\admin\AppData\Local\Temp\~spawn6969498444498001177.tmp.dir, which is highly suspicious and warrants further analysis.



Let’s visit the dropped .exe file in the directory mentioned above, C:\Users\admin\AppData\Local\Temp. In this folder we find phNGgjyA.exe inside the subdirectory ~spawn6969498444498001177.tmp.dir. Its presence in a temporary directory is suspicious, as malicious files often use such locations to evade detection. Further investigation of this executable will help us understand its functionality and the threat it poses.




As previously mentioned, the phNGgjyA.exe file was dropped in the directory C:\Users\admin\AppData\Local\Temp\~spawn6969498444498001177.tmp.dir.

After examining the run in more depth, the process graph in ANY.RUN looks significantly different and provides more detailed insight. Initially the graph showed only a short sequence of three executables, from javaw.exe to conhost.exe. On closer inspection we uncovered a series of additional processes, revealing further stealthy techniques used by the malicious file. The updated sequence is:

javaw.exe > rundll32.exe > icacls.exe > java.exe > conhost.exe > conhost.exe > java.exe > conhost.exe > phNGgjyA.exe

This expanded chain of processes shows the file using legitimate system utilities, such as rundll32.exe and icacls.exe, to execute its payloads and maintain persistence, demonstrating its sophistication in evading detection.
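The two observations above (an executable written into a Temp\~spawn&lt;digits&gt;.tmp.dir folder, and a chain of system utilities running under javaw.exe) are easy to turn into a detection. The script below is an added example, not part of the original post or of ANY.RUN: it replays constructed process-creation and file-write events, rebuilds the process tree under javaw.exe, flags executables dropped into a ~spawn*.tmp.dir folder, notes whether a dropped file was subsequently executed, and scores the result. The event shape (op, pid, ppid, image, path), the pids, the scoring weights and the list of flagged utilities are all assumptions; real Sysmon or EDR telemetry has to be mapped onto the Event fields first.

```python
"""
Added example (not from the original post): detection logic for the
"JAR drops an .exe into Temp\~spawn*.tmp.dir" pattern, run over constructed events.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Path pattern seen in the sandbox run:
# ...\AppData\Local\Temp\~spawn<digits>.tmp.dir\<name>.exe
SPAWN_DROP_RE = re.compile(
    r"\\AppData\\Local\\Temp\\~spawn\d+\.tmp\.dir\\[^\\]+\.exe$", re.IGNORECASE)

# System utilities that warrant a closer look when they run under a Java process.
# Assumed list for this example.
LOLBINS = {"rundll32.exe", "icacls.exe"}


@dataclass
class Event:
    op: str          # "proc" (process creation) or "file" (file write)
    pid: int
    image: str       # basename of the acting process image
    ppid: int = 0    # parent pid, for "proc" events
    path: str = ""   # written path, for "file" events


@dataclass
class Finding:
    chain: List[str]        # images of the tree under the root, in creation order
    dropped: List[str]      # executables written into a ~spawn*.tmp.dir folder
    lolbins: List[str]      # flagged utilities seen in the tree
    executed_drop: bool     # a dropped executable was later launched from the tree
    score: int


def descendants(root_pid: int, procs: Dict[int, Event]) -> List[Event]:
    """Return the root process plus everything below it, ordered by pid."""
    seen, frontier, out = set(), [root_pid], []
    while frontier:
        cur = frontier.pop(0)
        if cur in seen or cur not in procs:
            continue
        seen.add(cur)
        out.append(procs[cur])
        frontier.extend(p for p, e in procs.items() if e.ppid == cur)
    return sorted(out, key=lambda e: e.pid)


def analyze(events: List[Event], root_image: str = "javaw.exe") -> Optional[Finding]:
    """Score the process tree rooted at root_image; None when nothing is suspicious."""
    procs = {e.pid: e for e in events if e.op == "proc"}
    roots = [e for e in procs.values() if e.image.lower() == root_image.lower()]
    if not roots:
        return None
    tree = descendants(roots[0].pid, procs)
    tree_pids = {e.pid for e in tree}

    dropped = [e.path for e in events
               if e.op == "file" and e.pid in tree_pids and SPAWN_DROP_RE.search(e.path)]
    dropped_names = {p.rsplit("\\", 1)[-1].lower() for p in dropped}
    executed_drop = any(e.image.lower() in dropped_names for e in tree)
    lolbins = sorted({e.image.lower() for e in tree} & LOLBINS)

    # Assumed weights: drop into ~spawn dir = 2, each flagged utility = 1, launch of drop = 3.
    score = 2 * int(bool(dropped)) + len(lolbins) + 3 * int(executed_drop)
    if score == 0:
        return None
    return Finding([e.image for e in tree], dropped, lolbins, executed_drop, score)


# Constructed telemetry mirroring the chain observed in the sandbox (pids are made up).
DROP_PATH = r"C:\Users\admin\AppData\Local\Temp\~spawn6969498444498001177.tmp.dir\phNGgjyA.exe"
SAMPLE = [
    Event("proc", 100, "javaw.exe", ppid=1),
    Event("proc", 101, "rundll32.exe", ppid=100),
    Event("proc", 102, "icacls.exe", ppid=100),
    Event("proc", 103, "java.exe", ppid=100),
    Event("proc", 104, "conhost.exe", ppid=103),
    Event("file", 103, "java.exe", path=DROP_PATH),
    Event("proc", 105, "phNGgjyA.exe", ppid=103),
    Event("file", 200, "notepad.exe", path=r"C:\Users\admin\Documents\notes.txt"),  # benign noise
]

if __name__ == "__main__":
    finding = analyze(SAMPLE)
    if finding:
        print(" > ".join(finding.chain))
        print("dropped:", finding.dropped, "lolbins:", finding.lolbins,
              "executed:", finding.executed_drop, "score:", finding.score)
```

The value of the check is in the combination: a Java process writing an .exe into a ~spawn directory is a stronger signal than either rundll32.exe or icacls.exe on its own, and the dropped file being launched from the same tree is what turns a warning into an alert.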



Conclusion of First Stage: Through analysis with tools such as ANY.RUN, we have uncovered a series of events that reveal the malicious nature of the JAR file. Initially the execution path appeared simple, with only javaw.exe and conhost.exe. Further investigation exposed a more complex chain involving rundll32.exe, icacls.exe, and multiple instances of java.exe and conhost.exe, ultimately leading to the execution of phNGgjyA.exe. These findings indicate the use of legitimate system utilities to carry out malicious actions, which makes the threat harder for traditional detection methods to identify. The dropped executable in a temporary directory further supports the conclusion that this file is malicious and designed to evade detection. In summary, the malicious JAR file demonstrates a multi-stage attack that uses both static and dynamic evasion tactics, highlighting the importance of thorough, multilayered analysis in identifying advanced threats.
