 When you're dealing with samples on a daily basis, you will at some point inevitably have some kind of samples you've never seen before. And that are so rare that no one has ever put the work in writing an extractor, unpecker, whatever. One certain type of that is launches wrappers, installers, converters that create PE files out of something else that use some kind of options where you need to extract those and you don't know how. Here is one way you could approach this based on something I did for a customer sample. So in this case except for J. So let's check it out. Right so one of the things that's rarely talked about in any malware analysis tutorials is like often you're not analyzing malware, you're actually getting files from customers and they want to know if the file is malicious or something else and something sometimes the files they send in are not complete and cannot run. So how do you obtain information as much as possible information? So you can tell the customer what else you need from them. Like this is the case with this sample here. This is not a customer sample just to be sure. I just searched a similar one on VirusTotal because the files on VirusTotal are public anyway. So yeah but let's assume this is a customer file I got and when I execute this it tells me oh no the Java VM could not be found on your system and here I looked at this environment variable called exit for J Java home. If you search for exit for J it's a well I did that and I installed the program so it's kind of a wizard for creating ex of PE files out of Java applications. So okay of course the first thing I did to potentially solve this problem is I defined a path variable called exit for J Java home environment variable and I put the JRE the Java runtime environment into the path. I put it into the exit for J Java home. I put it into Java home. I installed several versions of the Java runtime and still the file would not run and as it turns out this is actually a misleading error message. This file as it is right now cannot run. So yeah exit for J is actually something you would have to buy but you can get a test version of that and this tremendously helped here in you know getting to know more about this file. If you check this wizard for creating the PE file out of a jar you will see one thing there's like project type and there's a regular mode and there's a jar in EXE mode. So basically what you can do is you can create a launcher that does not have an embedded jar. It just points to a jar file that's like outside of it and if that's missing it cannot run. That would be regular mode. If you use jar in EXE mode it will search in the Java class path that's like an option that's given later. Okay let me just fill this in. What's the short name of your app? All right and let's just do the ssr distribution. So okay executable name. Now these are like options you can already see. Now here is something that's called class path. So you can say okay please scan environment variables or scan a directory or whatever and then you point it to in this case music directory. Okay so it will look in this directory for the actual jar file that it should execute and in that jar file it will search or it will execute the main class that you give here like main class of my app. Okay you tell it a version number just put anything in there and now we can compile an executable and it appears here. So all right so what this sample does. Now I wanted to find out more about this sample and one thing that I noticed is let's create an image of it. So if you check the visualization one thing you would notice is like there's most most of it doesn't seem like there's place for any jar. I mean if there was an archive it would look a bit differently. For example let's take potex analyzer and create an output of potex analyzer because that's a java archive right. So that's potex analyzer and here you can see that's what a java archive looks like. You have this mass or this like with mass with some dots inside and then in the end there are some more more usky strings which is blue in the white byte plot. That's what a java archive looks like and it's actually just a zip archive with java class files inside and a manifest. So compare this to this and there's really no location where you would say okay this is probably a java archive and here of course it could be kind of encrypted but if it was encrypted it would also show as being high in entropy which is not the case. It does not seem like there's anything packed inside this file just based from the entropy and bipolar image. Now we could see like there's this overlay a lot of the times when you have launches, installers, similar things the overlay is the interesting thing to look at because a lot of them will put information into the overlay. The overlay is just appended data so let's check this in the sample. So you say go to and put the overlay here and that's where we arrive at. So and yeah there's some kind of information in here. You see like there's some mumble jumble about like log files, log file names, some jars are mentioned and here are environment variables so but they have also some kind of encoding before them like you see this is like this belongs to XF4j. So what I did because of course I could guess what these mean but I want to be sure. I used the wizard and I created a test file like this one and then I just switched some of the parameters like let's say we change this to we uncheck this one so and then we need to change the name so it's the second one say finished compile the new one so now like we have two test files the first one will have like our default and the second one will have like just one tiny change and then you can compare those with something like vbindiff that's why you will see vbindiff when we say no execute vbindiff 2 so vbindiff will if you press enter you will go to the first bytes that are different when comparing these files and you see well firstly there are these bytes so they may have to do with the option but it's kind of a lot for just changing one flag in the file and then you see this byte so that looks more like a flag right because there's one and there's zero so apparently they encoded it as a string instead of using byte values but the only thing we checked or changed was allow VM path through parameters right so this is where we find those second thing we also see our inputs into these programs like this is the short name of your app so we know this is the short name of our application that we told this program to put into the configuration so that's where we find this of course and here is a the class path right we told it to use music search music for additional draw files and then look in these draw files for main class of my app so again we know like where this is located but now we need to find like kind of patterns inside this and what happens if we change things so this is you will notice that this is not zero terminated these strings like immediately after short name of your app there is like another character so it somehow has to know where the end of this where the end of this is so if we open our tests file here okay we can directly search for short name to get to the area like this has a length of 12 in hex so where do you see it 12 you see it here that is our that's a d-word and that directly in front of the this one that will say how long the value is so also we noted for instance this is the one that says okay we passed through parameters are allowed or are not allowed so that's the one here so what's in front of that it's just one because it's like the the entry is literally just one byte and so that's like the first clue we can get and then things I also notice and that's especially in comparison with our sample here is like this error log then there starts the next entry but this is apparently not not some kind of length because it would be too long here's another entry and what you may notice is like here's another zero so this is like another flag probably and then there are 69 like in front of this flag we have the the size which is one because the flag is just one byte and there's the 68 and after the 68 you know there's this entry with the flag and then there's 69 and then there's another length so we have always the same pattern of like this is some kind of id here 68 69 and so on then 0 a no that's the length um this is some kind of id and yeah 6a is the next after the id follows the length of the option or setting and after that the actual entry value so it's always the same so what I did is created a configuration extractor that just looks for these IDs which I found by you know for each setting that is in the x4j wizard I just created a new variant of the file and then I could compare what setting changed and then I knew okay this vm pass through parameters have like 7d if you compare this here they have 7d allow vm pass through parameters there are some more like certain things that are a little bit more special like the class path you have several options to add and you can say it's an archive it's a directory whatever again like this is the same principle you just change one thing and then you will see okay they have this encoded here because this s means scan directory or d means directory or a means archive and so on so um so this is how I created a configuration extractor based on wow that info and I found out let's just execute it on our file yes I want to quit I don't want to save it thanks uh if I put this uh applies this configurator on my sample um I get the important information firstly we know there's no uh jar file inside this so this is just launcher it's just uh the file that executes files other files and what files that executes that's inside this configuration so here we know that's the class path these files are relevant these files um are the ones they look for um to find this main class ptdgci text client so it's some kind of text text program from 2015 it seems uh written in java and it applies those parameters to start the vm so and then you know okay um if there was a splash screen which doesn't seem to be set here uh you you could also check the splash screen image in the with resource hacker or something but yeah and that's a program name here um yeah I noticed you know the one uh program that one program that there was this uh value at the beginning that um you know that changed with every built so every time I built a new file this one here was completely different so I tried okay what if I built the same configuration again and then it appeared that this was the same so it's not not some kind of timestamp um it's actually some kind of checksum because if the configuration file is the same it will produce the same the same numbers so this seems to be just some checksum so you can compare and say okay this is this has not been tampered with afterwards and you can immediately say okay this is the same configuration um yeah so what I could do with this information is essentially I could tell the customer okay this file is just a launcher and uh whether that is part of something malicious depends on these files and you find them here so you know you can say okay please look for the file plastic 1 2 0 jar and then we will check those if they are malicious um so yeah I think this should be a you know talked about more because a lot of times what you deal with and your daily workers matter analyst is you have corrupt files you have like things that look like garbage you have log files um and this is something I do not see much talked about how to deal with those and like when to say a file is clean um when do you stop looking if there's something malicious in it um I think I might do more videos about that so but yeah I hope this gave you some insight on how to work with you know launcher generators you can also use the same if you have some kind of builder if you have a builder for anything really to uh see how it affects the created files so yeah and that's it for today thanks for watching and leave a like see you next time