Analysis Malicious JAR ( Part 2 )


We completed most of the dynamic analysis in the first stage using the ANY.RUN sandbox, which gave us valuable insight into the malware's behaviour. Dynamic analysis, however, mainly shows what the malware does at run time, surfacing stealthy techniques and interesting indicators. To gain a deeper understanding and uncover the details that never execute in the sandbox, we must proceed with static analysis. Our toolkit for this stage includes Notepad++, JD-GUI, FLOSS, and Capa.

Let's begin with JD-GUI. Download JD-GUI from the official site and open jd-gui.exe. Once the application is running, click File, then Open, and import the malicious JAR file. JD-GUI decompiles the class files and lets us browse the JAR's contents, including its code and embedded resources, so we can look for malicious logic or hidden behaviour.


After importing the malicious JAR file into JD-GUI, we identify several key components:

  • metasploit.dat: Likely contains configuration data or payloads related to the Metasploit Framework.

  • phNGgjyA.exe: An executable dropped during dynamic analysis, confirming its link to the JAR file.

  • metasploit: A possible module or component of Metasploit used for exploitation.

  • META-INF: Includes metadata such as the MANIFEST.MF file, which may reveal the file’s structure and entry points.

These elements suggest a sophisticated attack leveraging Metasploit, warranting deeper investigation to fully understand its behavior. After opening metasploit.dat, which likely contains configuration or payload data related to the Metasploit Framework, we uncover some noteworthy details:

  • Spawn=2: Indicates that the malware may spawn multiple instances or processes, potentially to aid persistence or evade detection.

  • Executable=phNGgjyA.exe: Confirms that phNGgjyA.exe is the primary payload dropped by the JAR file, highlighting its central role in the attack.

These findings further reinforce the conclusion that the JAR file is part of a Metasploit-based attack, with phNGgjyA.exe serving as a key component in its execution.



Note: I used https://www.decompiler.com to open the metasploit.dat file, as JD-GUI is unable to read or decompile .dat files.

Continuing our analysis, after inspecting Payload.class, we uncover several code segments that provide deeper insight into the malicious behavior:

  • properties.getProperty("DroppedExecutable"): Indicates the malware retrieves the name or path of a dropped executable—likely referring to phNGgjyA.exe.

  • File file3 = new File(file2, "metasploit.dat"): Shows the creation of a metasploit.dat file, likely for storing configuration or payload data, reinforcing its link to Metasploit.

  • File file1 = File.createTempFile("~spawn", ".tmp"): Suggests the malware generates a temporary file, possibly for stealthy payload execution or storage.

  • InputStream inputStream = clazz.getResourceAsStream("/metasploit.dat"): Reveals that metasploit.dat is accessed as an embedded resource within the JAR, supporting its role in further malicious operations.

These lines collectively illustrate how the malware manages its components and behavior, pointing to a structured, Metasploit-based attack.


Scrolling further through the code, we uncover additional details that shed light on the malware’s configuration and behavior:

  • int j = Integer.parseInt(properties.getProperty("LPORT", "4444")): Retrieves the listening port (LPORT), defaulting to 4444. This port is commonly used by the Metasploit Framework for reverse shell communication.

  • String str4 = properties.getProperty("LHOST", (String)null): Retrieves the LHOST, which defines the attacker's IP address or hostname. The default is null, so if the properties file does not define LHOST the value stays unset, indicating that the attacker's host is not explicitly set here and may be configured elsewhere.

  • String str5 = properties.getProperty("URL", (String)null): Retrieves a URL property, which could point to a command-and-control (C2) server or a location from which the malware fetches additional instructions.

  • InputStream inputStream1 = null: An input stream declared and set to null, to be assigned later, potentially when the code reads resources or configuration.

The presence of LPORT=4444 reinforces the likelihood that this malware is leveraging Metasploit’s default reverse shell setup. However, the absence of a defined LHOST suggests that the attacker’s connection details may be hidden or dynamically configured at runtime. Further analysis is needed to determine how and where the malware establishes communication with the attacker's system.
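The two code passages above together describe how Payload.class locates its configuration (metasploit.dat as a JAR resource, read as java.util.Properties) and which keys it consults. The following triage helper is an added example, not code from the post or from Metasploit: it pulls metasploit.dat out of a JAR, parses the Properties text format, and reports the same keys with the same defaults the decompiled code uses (LPORT falling back to 4444, LHOST and URL to null). The JAR it inspects is a constructed in-memory sample, not the analysed file.

```python
import io
import zipfile

# Constructed sample metasploit.dat, modelled on the keys seen in the post.
SAMPLE_DAT = b"Spawn=2\nExecutable=phNGgjyA.exe\nLPORT=4444\n"


def build_sample_jar() -> bytes:
    """Build a minimal in-memory JAR with the layout seen in JD-GUI (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nMain-Class: metasploit.Payload\n")
        jar.writestr("metasploit.dat", SAMPLE_DAT)
        jar.writestr("metasploit/Payload.class", b"\xca\xfe\xba\xbe")  # stub, not a real class
        jar.writestr("phNGgjyA.exe", b"MZ")  # stub PE header only
    return buf.getvalue()


def parse_java_properties(data: bytes) -> dict:
    """Minimal java.util.Properties reader: key=value or key:value lines,
    '#' / '!' comment lines, surrounding whitespace stripped."""
    props = {}
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=") if "=" in line else line.partition(":")
        props[key.strip()] = value.strip()
    return props


def triage_jar(jar_bytes: bytes) -> dict:
    """Report the dropper settings the way Payload.class reads them."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "metasploit.dat" not in names:
            return {"has_config": False, "entries": names}
        props = parse_java_properties(jar.read("metasploit.dat"))
    return {
        "has_config": True,
        "entries": names,
        # the post shows both spellings: the code reads DroppedExecutable, the .dat uses Executable
        "executable": props.get("DroppedExecutable") or props.get("Executable"),
        "spawn": int(props.get("Spawn", "0")),
        "lport": int(props.get("LPORT", "4444")),   # same default as the decompiled code
        "lhost": props.get("LHOST"),                # None when absent, as in the sample
        "url": props.get("URL"),
        "bundled_pe_files": [n for n in names if n.lower().endswith(".exe")],
    }
```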



As we scroll further through the code, we encounter evidence suggesting that this malware is designed to operate across multiple operating systems, including both Windows and Linux. The relevant code reveals its cross-platform capabilities:

  • IS_AIX: Indicates that the malware checks for files in Java directories specific to AIX, a Unix-based operating system.

  • addExtension: Appends the .exe extension for Windows systems but omits it for Linux, showing awareness of OS-specific file conventions.

This approach demonstrates that the malware is built with adaptability in mind, allowing it to adjust its behavior based on the underlying operating system—enhancing its versatility and effectiveness across different environments.
