Analysis of a Malicious JAR (Part 3)




Although JD-GUI cannot extract phNGgjyA.exe directly, you can retrieve it using the following method:

  1. Visit https://www.decompiler.com.

  2. Upload the malicious JAR file.

  3. Navigate through the decompiled structure to locate phNGgjyA.exe.

  4. Click phNGgjyA.exe to preview it, then click Download to save the executable.

This yields phNGgjyA.exe for further static or dynamic analysis. Keep in mind that the upload hands the sample to a third-party service, which is fine for a publicly known sample but not for material from a live incident; in that case extract locally instead, since a JAR is an ordinary ZIP archive and any archive tool can pull the entry out.
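The same extraction done offline, as an added example that is not part of the original post: because a JAR is a ZIP archive, the script below opens it with Python's standard zipfile module, checks every entry's content for a DOS/PE header instead of trusting names or extensions (a dropper can store its payload under any name), and writes a hit to disk under a neutral .bin suffix. The embedded JAR is a constructed stand-in that only reproduces the entry name seen in the post, not the real sample; the helper names are this example's own.

```python
import hashlib
import io
import struct
import zipfile
from pathlib import Path


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _open(jar):
    # Accept a path or raw archive bytes so the functions also work on in-memory samples.
    return zipfile.ZipFile(io.BytesIO(jar) if isinstance(jar, (bytes, bytearray)) else jar)


def find_embedded_pe(jar) -> list:
    """Walk every entry of the JAR (it is just a ZIP archive) and report the ones that are
    PE files, keyed on content rather than on a trustworthy-looking name or extension."""
    hits = []
    with _open(jar) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if looks_like_pe(data):
                hits.append({
                    "name": info.filename,
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                })
    return hits


def read_entry(jar, entry_name: str) -> bytes:
    """Return the raw bytes of one archive entry."""
    with _open(jar) as zf:
        return zf.read(entry_name)


def extract_entry(jar, entry_name: str, out_dir) -> Path:
    """Write one entry to out_dir. Only the basename of the entry is used (an entry named
    '../../x' must not escape the output directory), and a '.bin' suffix is appended so the
    dropped file is not executed by an accidental double-click."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    dest = out_dir / (Path(entry_name).name + ".bin")
    dest.write_bytes(read_entry(jar, entry_name))
    return dest


def sample_jar_bytes() -> bytes:
    """Constructed stand-in for the malicious JAR (not the real sample): a class file plus a
    minimal MZ/PE stub stored under the entry name seen in the post."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
        zf.writestr("phNGgjyA.exe", bytes(stub))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python extract_pe.py <sample.jar> [out_dir]; without arguments the constructed sample is scanned.
    target = sys.argv[1] if len(sys.argv) > 1 else sample_jar_bytes()
    out_dir = sys.argv[2] if len(sys.argv) > 2 else "extracted"
    for hit in find_embedded_pe(target):
        dest = extract_entry(target, hit["name"], out_dir)
        print(f"{hit['name']}  {hit['size']} bytes  sha256={hit['sha256']}  -> {dest}")
```

Record the SHA-256 it prints before doing anything else with the file; it is the identifier you will use to correlate the dropped executable with the sandbox run and with any public reports.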



I have successfully downloaded phNGgjyA.exe.



After extracting phNGgjyA.exe, I will use FLOSS to recover strings from the executable and, with luck, details such as the LHOST value that we could not extract earlier from Payload.class.


The FLOSS output is ready for investigation. FLOSS writes its results to standard output, so redirect them into a text file and open that file in Notepad++ to read through the strings and pick out the interesting ones.


The strings are ready for investigation in Notepad++


Scroll down a little and you will find user-agent strings and an IP address (46.105.97.203), which may be the LHOST that was unavailable from Payload.class. Treat it as a candidate C2 address until a network capture or sandbox run confirms that the executable actually contacts it, and defang it (46[.]105[.]97[.]203) when sharing the report.
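Scrolling through the FLOSS output by hand does not scale beyond one sample. The script below, an added example rather than anything from the original post, does the same triage programmatically: it pulls printable ASCII and UTF-16LE runs out of a binary (the population FLOSS's static pass also reports, wide strings being the ones a plain ASCII scan misses), pattern-matches the candidate indicators the post looked for (IPv4 addresses, URLs, user-agent strings, plus PDB paths, which Capa later flags), drops non-routable addresses and version-number look-alikes, and defangs the results for reporting. SAMPLE_BYTES is a constructed blob that only reuses the IP address from the post; the URL, the PDB path and the second user-agent are made up for the demonstration.

```python
import ipaddress
import re
from typing import Iterator

# Constructed stand-in for a region of the extracted executable (not bytes from the real
# sample): ASCII and UTF-16LE strings separated by binary junk.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\x00"
    + b"\x8b\xff\x55\x8b\xec"
    + b"46.105.97.203\x00"                      # the address the post found with FLOSS
    + b"127.0.0.1\x00"                          # loopback, must be filtered out
    + b"http://example.com/path\x00\x00"        # constructed URL (reserved example domain)
    + "Mozilla/4.0 (compatible; MSIE 7.0)".encode("utf-16-le") + b"\x00\x00"
    + b"C:\\build\\release\\agent.pdb\x00"      # constructed PDB path
)

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
UA_RE = re.compile(r"Mozilla/\d\.\d[^\r\n]*")
PDB_RE = re.compile(r"[A-Za-z]:\\[^\r\n\"']+?\.pdb", re.IGNORECASE)


def ascii_strings(data: bytes, min_len: int = 6) -> Iterator[str]:
    """Printable-ASCII runs, the same population `strings` or FLOSS's static pass reports."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")


def utf16le_strings(data: bytes, min_len: int = 6) -> Iterator[str]:
    """Wide strings (Windows API arguments are often UTF-16), invisible to an ASCII-only scan.
    A stray printable byte before the string can be swallowed into the match, so the indicator
    patterns below deliberately do not anchor on a word boundary."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")


def is_public_ipv4(text: str) -> bool:
    """Keep only routable addresses: loopback/private ranges and malformed octets are noise."""
    try:
        return ipaddress.IPv4Address(text).is_global
    except ValueError:
        return False


def triage(data: bytes) -> dict:
    """Pull candidate indicators out of all recovered strings, grouped by type and de-duplicated."""
    found = {"ipv4": set(), "url": set(), "user_agent": set(), "pdb_path": set()}
    for s in list(ascii_strings(data)) + list(utf16le_strings(data)):
        found["ipv4"].update(ip for ip in IPV4_RE.findall(s) if is_public_ipv4(ip))
        found["url"].update(URL_RE.findall(s))
        found["user_agent"].update(UA_RE.findall(s))
        found["pdb_path"].update(PDB_RE.findall(s))
    return {k: sorted(v) for k, v in found.items()}


def defang(ioc: str) -> str:
    """Make an indicator safe to paste into a report: hxxp:// and [.] stop accidental clicks and lookups."""
    return ioc.replace("http://", "hxxp://").replace("https://", "hxxps://").replace(".", "[.]")


if __name__ == "__main__":
    import sys
    # Usage: python ioc_triage.py <file>; without an argument the constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BYTES
    for kind, values in triage(data).items():
        for v in values:
            print(f"{kind:10} {defang(v)}")
```

A string-based hit is only a lead: a user-agent constant in the binary tells you the sample speaks HTTP, and an address in the strings table tells you where it might go, but neither proves a connection was attempted, which is why the post pairs this with the Any.run run.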



Now, let's use Capa to analyze the capabilities of the extracted executable. Capa matches the file against a rule set that maps each capability to ATT&CK techniques and MBC behaviors, which gives a quick picture of what the malware can do on an infected system before we spend time in a debugger.



Capa reported the following for the extracted executable:

MITRE ATT&CK Tactic

  • Defense Evasion: Obfuscated Files or Information — [T1027]

MBC (Malware Behavior Catalog) Objectives and Behaviors

  • Data:

    • Check String [C0019]

    • Encode Data → Base64 [C0026.001]

  • Process:

    • Terminate Process [C0018]

Capabilities and Namespace

  • Reference Base64 string: data-manipulation/encoding/base64

  • Contains PDB path: executable/pe/pdb

  • Terminate process: host-interaction/process/terminate


Through the analysis of the malicious .jar file and the extracted phNGgjyA.exe, using both dynamic and static techniques, we have built a clear picture of the malware's capabilities and behavior. Dynamic analysis in Any.run revealed the key activity: the JAR drops the executable and runs it quietly. Static analysis with JD-GUI, FLOSS and Capa added the details: obfuscated code, potential persistence mechanisms, a candidate C2 address, and the use of common techniques such as Base64 encoding and process termination. Capa maps the executable to the ATT&CK Defense Evasion tactic (T1027, Obfuscated Files or Information) and to the MBC Process objective (Terminate Process); note that the Defense Evasion mapping comes from the single "reference Base64 string" rule, which is a weak indicator on its own. The sample also showed cross-platform functionality, targeting both Windows and Linux systems.

In conclusion, the sample is a versatile dropper that combines several evasion techniques to avoid detection and compromise systems. This analysis underscores the importance of combining dynamic and static approaches to fully understand and mitigate such threats.

