Welcome to Malware Analysis for Hedgehogs. So today we are going to unpack a Java RAT using Java agents, and if you hear any noises in the background, that's my son playing, so I hope you don't mind; I couldn't do any video otherwise.

All right now, so our sample for today is this jar malware that also jumps onto the corona bandwagon by using COVID-19 as a name. That's the way it was uploaded to VirusTotal; I assume that is also the name that's being used for, maybe, an email attachment. So what I prefer to analyze the jar files with is Bytecode Viewer, because it provides several ways to decompile it; it combines several decompilers in one tool, and you just drag in the jar file here and then you can inspect the contents of it. Now you need to know a jar is just a zip archive, and a runnable jar, one that you can double-click and then it runs, will also have a manifest which states the main class, because somehow the program needs to know what method needs to be executed first. You can have several classes that have a main method in them, and for one of them you need to say, well, that's the actual entry point at the start of the code. So here we see the main class is something something something with big IVL. If you open these packages you find it in here, and all of them are some variations of the uppercase I, L or J, L or just L, which is pretty annoying obfuscation. Also the strings are encoded or encrypted. That's our main method here, and well, this code is hard to read, right? I have seen this before though; I think this is just one obfuscator, packer, whatever, being used on most of the malware, and you will always find an encrypted file, and somewhere here, it's this file, it's encrypted, and some of these classes will decrypt this file and then you have the payload. So there's no need to try to understand this when you can just try to run the file and then dump it, which is what we will do today. So we use Java agents to run and dump every file that's being loaded, and that way you
get the actual payload of it quite easily. What are Java agents? Well, they are actually part of the instrumentation for Java. They are useful for software developers who want to, for instance, add some logging or performance measurement or do something else that somehow alters the code but not the actual source code; like, they don't want to add, for instance, a printout command to every class or method that's being called, but they still want to log every method, so they can use agents to do that for them without changing the source code, and that's quite convenient. In this example tutorial here they implement a class logger, so it would just print out the class name for every class that's being loaded, and similarly, instead of printing the class name, you can just dump the class itself, and that's quite easy, right? So I found this method via an article which I will also link below, and they had ready-to-use source code for Java agents. I downloaded that here into this Java agent folder, and that is the source code. I would just actually want to change this to an uppercase letter, because this is the way Java should be written; class names are always uppercase, and also I think we need to change this one if we do that, so okay. So the good thing is that this is well documented for non-Java programmers to understand. So they say, it's actually by Extreme Coders, the Java agent has the premain method, which acts as some entry point; it's executed before the actual main method, and then you can add a transformer, and the transformer has a class called transform which receives every information about that class, and then it can change the bytecode, for instance, which is not our goal here, so the bytecode is returned as is. But this part of the code will dump the class file into a file right before it's being executed. They use a replacement, so you don't have folders, but instead of folders you have a name separated with underscores. Also there's a
print for dumping class names, so you actually see which class is being dumped, and there are exceptions, because you don't want to dump all the classes that belong to Java itself; those are not interesting, right? You can just read the documentation. So that's actually all you need to know. I just want to do some alteration to it, because I don't like this being in the same folder where I have my jar. So let's just put this into a folder like dump classes. Oh no, let's make this a bit... we will need a dump folder, and then say file folder. I'm not sure if I need some imports, but let's see if the compiler complains. It needs some dump classes, right, and if this exists... if it not exists, then create it; should not forget that one, right? So yeah, that's it to these two classes.

Now we need to, if you don't have it, you need the JDK, that's the Java development toolkit, and then you can actually compile Java. In my case it's Java JDK, that's the wrong one, bin, and there you have lots and lots of tools, and javac.exe is the compiler, and all you need to do is provide the Java file. It will complain if it's wrong, and it worked, that's nice. So now we have two classes, the Dumper class and the Transformer class here in our folder, and we can use jar.exe to create a runnable jar out of it, which we probably need. So we say manifest, well, let's check this first because I changed some things. That's the manifest, right; that needs to be uppercase, Java is case sensitive, so it's important that you have the right casing. So the manifest will here tell which one's the Premain-Class, and now we can use the manifest. We say we want to call this dumper.jar and we need the Dumper class and the Transformer class, and that's it, right? That's nice. And now using java.exe we can execute the malware with it, right? So there's a switch called -javaagent, and there we say please use the dumper.jar, and then we execute with -jar our actual malware file, which is the COVID-19 circular, right? That's it, and
it worked. It's now dumping the classes that we already know, those are, I don't know, now it's dumping even more, and this looks very much not obfuscated. This seems to be the actual payload, which is good. Something has happened here; a lot of things seem to be happening here, because, oh, you may realize if you open folders now it doesn't work, they just close right away. So it's messing with the system, and usually when I do stuff like that I let it run for a while, like, I usually have other things to do, so a lot of the times I would just leave it on for one or two hours and then check again. But this time I would like to go on, because I think we have already enough to work with here, and I need to kill it somehow. So I cannot open the tools folder, so what I would do instead is open the Commander and go into the tools folder, because I have the Sysinternals suite in there, and Process Explorer, right, that one should still open up. I think it also blocks the Task Manager shortcuts, right? And now check that: lots and lots of processes. That's terrible, that's, that's terrible. Okay, let's just kill the process tree here, and so it's gone, and we can check our class files and so on. Unfortunately it still... well, once it works, the right-click, open a new window, you can still open it, that's fine. And the dumped classes are in here, so here they are. We can create a zip out of it and just rename it to jar, and then we can drag them into our... this, well, that was my son. There's a tool, Bytecode Viewer, open up, right. So now you just drag this into Bytecode Viewer and can check the classes in here. So here, something looks like this could be the start of the payload; a main start class looks quite like it, and you see the code itself is not obfuscated anymore, but the strings are encrypted, which is probably RC4, as you can see here, but also if you inspect those I I methods they always have some kind of RC4 implementation, so there's still some work to do to understand what's going on in
here, but that's already quite something you can work with. Okay, so yeah, and that's it for today. Maybe I will be following up with a string deobfuscator for this one, yeah, but that's it. Thank you for watching, and if you have any questions please put them into the comments below, and see you next time.
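Here is the class-dumping agent the video builds from the Extreme Coders article, as an added example written for this page and not the video's or the article's own code; the class names Dumper and Transformer, the folder name dump_classes, the skipped package prefixes and the sample file name sample.jar are my assumptions.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;

// Agent entry point: the JVM calls premain before the sample's own main method.
public class Dumper {
    public static void premain(String agentArgs, Instrumentation inst) {
        File dumpDir = new File("dump_classes");   // assumed folder name
        if (!dumpDir.exists()) {
            dumpDir.mkdirs();                      // create it if it does not exist yet
        }
        inst.addTransformer(new Transformer(dumpDir));
    }
}

// Receives the raw bytes of every class right before the JVM defines it.
class Transformer implements ClassFileTransformer {
    private final File dumpDir;
    Transformer(File dumpDir) { this.dumpDir = dumpDir; }

    @Override
    public byte[] transform(ClassLoader loader, String className,
                            Class<?> classBeingRedefined,
                            ProtectionDomain protectionDomain,
                            byte[] classfileBuffer) {
        // Skip the JDK's own classes (assumed prefix list); only the sample's classes matter.
        if (className == null || className.startsWith("java/")
                || className.startsWith("javax/") || className.startsWith("sun/")
                || className.startsWith("jdk/") || className.startsWith("com/sun/")) {
            return null;
        }
        System.out.println("Dumping " + className);
        // Internal names use '/' between packages; flatten to one file name with '_'.
        File out = new File(dumpDir, className.replace('/', '_') + ".class");
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(classfileBuffer);
        } catch (IOException e) {
            System.err.println("Could not dump " + className + ": " + e);
        }
        return null;   // null = leave the bytecode unchanged, as in the video
    }
}
// Build and run (manifest.txt holds the line "Premain-Class: Dumper" plus a trailing newline):
//   javac Dumper.java
//   jar cfm dumper.jar manifest.txt Dumper.class Transformer.class
//   java -javaagent:dumper.jar -jar sample.jar
```

The files written to dump_classes can then be zipped, renamed to .jar and opened in Bytecode Viewer, as the video does with its dump folder.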