Hello and welcome to Malware Analysis for Hedgehogs. Today we will be looking at a Java-based malware, but let's take a look first at how you determine whether it's a Java file or not, because often you just get samples without any extension, so you need to figure out what it is first.

If you put it in a hex editor, the first thing you will see is that it starts with the PK magic number, which stands for Phil Katz; those are the initials of, I think, the developer of this ZIP archive format. That means this is a ZIP archive. One thing we have here is a manifest, which is typical for runnable JAR files. A JAR file is nothing else than an archive that contains .class files and other files; the .class files in a Java archive are what contain the bytecode. So we already see this is a runnable JAR. There are also JAR files that are not runnable, where this manifest doesn't exist. The manifest declares the start of execution in a runnable JAR file, and we can see that there is a class with this random name in it. Maybe there's more, but I don't see more right now; that seems to be it.

Okay, now how do we analyze those? Well, there are lots and lots of decompilers out there, and also bytecode viewers. I personally prefer Bytecode Viewer because this is a tool that combines lots and lots of... what's that? It needs to connect first, I guess; it tries to connect to update Bytecode Viewer. Well, that's a Java exception right here. Okay, whatever. So again, I like this tool because you can use lots of decompilers like JD-GUI or Fernflower or Krakatau, and you can use all of them side by side. If one of them doesn't work or doesn't show everything, you just use another one, so it's like the Swiss Army knife for this purpose.

Now, if you just drag the sample in here, you don't get any decompilation; it just shows the hex view. That's because this tool needs you to set a .jar extension, otherwise it just reacts this way, and I really hate that, because if you set the extension you might accidentally run it by double-clicking or by marking it and pressing Enter. So in this case I changed the association for .jar. You can do this in Default Programs, Associate a file type, and then you can go to the .jar extension and change it so that, for instance, Notepad opens instead. This will prevent it from running the .jar if you double-click it, because now Notepad will just open and show garbage.

Alright, but this tool is happy now. You can see right here it shows the Java icon, and there it is, we have this manifest. Let's take a look at it. It defines the main class, so it will look into this class for the main method; that's where the entry point of execution is for Java. So let's take a look here. You see I set the Fernflower decompiler, and I also set a bytecode decompiler, so here we have the bytecode instructions. Sometimes, if a certain obfuscator was used, the decompilation won't work because the instructions are so weird that they make no sense in any decompiled way, but they are more flexible than what you can do here, so this may happen and then you need that. Or sometimes the decompiler might just have problems with other stuff. Okay, but this looks good; it looks like it could decompile everything right here.

And here we have lots and lots of... that's the main method, that's where it would start execution, and we have lots of strings that get decrypted with this decrypt method. So it's obfuscated, it's not packed. I mean, it does all of the interesting stuff here, like postHTTP, get autostart, create shortcut and so on, but we cannot read the strings, so we need to deobfuscate that. For doing that I would just... well, now that was the wrong one, I don't want to connect to a projector here, okay. I would just use the decompiled code and modify it a bit so we see the strings. We don't need this; it imports this, let's just take a look at it. Okay, it's just some kind of... nothing important, it's a file filter, we can leave that out. Okay, we set it to Java, and we also save it as a .java file with the same name that the class has, otherwise the compiler will complain. So save the... okay, to the desktop please. That's nice.

Okay, and now we can modify it. Here's the decrypt function. Usually, if you have any decompiled language or scripting language that you are not familiar with, I recommend that you first find out where the entry point, the start of execution, is; secondly, how this language is able to execute a file; and third, how you can print out stuff. That's what we will use here: System.out.println is the print for Java. Oh no, we don't want to do this here; it would make sense to print out the return value. Let's just say return string; that's the return string, we will print that out, and return it. Alright, and maybe also state where this is coming from: this is a decrypted string. Okay, and since this function, or method (in object-oriented programming languages it's called a method), is called from basically everywhere where strings are used, we will get all of these strings at once.

Okay, there's another thing. It does some kind of check here if a file exists. I doubt that it does; if it doesn't exist, I don't know what file it is now, it will not execute the whole main method. Also here are some exec functions; that's one way in Java to execute a file, and we should really not do this, so I just replace this. With this, I think it might be a good idea to look for other executions. We have one here too; let's search for it, exec. There's another one, and that's also used, and down there. So if you just remove it, it will make problems, but I do not care for that part, just remove it. Also it writes some temporary files here. This is interesting; we might just want to dump those. I mean, we don't want to monitor and then search for the files, so just write it to a convenient location. What does it say, get... Windows, and that's some kind of VBS script, I guess, so let's call it this way. That means it will write to the same location where the file is and call it this way.

Okay, let's search for more execs. Here's another one. Okay, that's not what we want, and we will also do this here in new File... oops, that's the shortcut, so we name it shortcut dump; it says create shortcut right here. Okay, exec, there's another one down there: autostart. Hmm, this will get interesting, and you don't need that, new File autostart dump. So that way we can just tell the malware to do what we want it to do. That's nice. We don't want it to communicate; no, I don't want it to communicate, this is not what we want, just don't do it. Okay, println, and this is a postHTTP, and we will just print the arguments here, so post params. This looks okay. It even calls it... in fact, the one, probably another language, not sure, and that's probably some, I don't know, Spanish or whatever, so with that you could conclude what language the author is capable of, and maybe it's even the mother tongue.

Okay, did we get everything? Is there also this thing here? This is a check if all of these values are set, like if the name of the PC is a name and there's a serial number and so on. We don't really need that, nor do we need that; I would just say no matter what, just go and execute the rest. Okay, let's take a look. Here's another thing: it will try to download something. I don't want it to download anything; I don't have an internet connection anyway. This is this down function, okay, protocol, protocol... in the record like that is whatever, and destiny, no good. I think this looks okay now.

Now we could try and see what it does. Even though I removed the downloading and the execution, I do not recommend that you execute any of this code on a machine that's not secured or that's not meant for running malware; you might overlook something, so be careful. Okay, we will try it by just compiling it and running it. You need to install the JDK, the Java Development Kit; I will link it below, and you might also have to set the environment variables to make it work. So yeah, let's compile it. What was it again? I always have to look this up. Not... I think, is it not, not so sure, this... that was for running it, I guess. Okay, sorry for that one. You can also use an IDE of course, but that's just the most plain way.

Okay, it complains because we don't have this class one. Let's search for it, one, there it is. Oh, we don't need that anyway, return. Now, okay, do that again. Now the Java compiler compiled our class. Well, this is now the Java code and that's the compiled bytecode that we can now use to run, and I think it was... well, this looks okay. It couldn't find a file and that made an exception in 368, but we already got some decrypted strings right here. So what's that, 368? 368, that's here; it's trying to decompress something, so let's look into this function. Go up, there it is. Okay, we don't need that now, just print out what it does. And so it doesn't... okay, let's say decompress camino, camino file, and new File. Okay, that's better. Now we compile it and run it again. That's better, it worked. Okay, we print it into a log, and then we can open it. Oh, let's just open it with our input. Okay, here we have our dumps. This is cool: all of our dumps, and that's our log file, and all of the decrypted strings in here. We can already see a lot, like locations it connects to and locations it downloads files to, and this is cool. So here are some strings that are probably written to those dumps, and yeah, in the end it will shut down our system. Nice, nice. And these are also worth looking at: that's the autostart dump, okay, and here are the other two. And yeah, see, these are just some, I guess, VBScript files, helper files that it uses: create shortcut, and autostart. Okay, and yeah, well, that's it, I guess. We did it. Thank you for watching. If you have any questions, please post them below, and I hope to see you next time. Bye.
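The identification step from the start of the video (PK magic, manifest present, Main-Class named in it, .class entries carrying the 0xCAFEBABE magic), as an added example that is not from the video or its author. The JAR it inspects is constructed in memory with made-up class names, so it runs offline; manifest continuation lines (a leading space) are handled because a long Main-Class value can be wrapped.

```python
import io
import zipfile

ZIP_MAGIC = b"PK"                      # local-file-header signature, "PK" for Phil Katz
CLASS_MAGIC = b"\xca\xfe\xba\xbe"      # first four bytes of every genuine .class file


def parse_manifest(text):
    """Parse MANIFEST.MF into a dict; a line starting with a space continues the previous value."""
    attrs, last_key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]
        elif ":" in line:
            key, val = line.split(":", 1)
            last_key = key.strip()
            attrs[last_key] = val.strip()
    return attrs


def triage_jar(data):
    """Answer the first questions about an extensionless sample: ZIP? runnable JAR? which class starts?"""
    report = {"is_zip": data[:2] == ZIP_MAGIC, "runnable": False, "main_class": None,
              "classes": [], "bad_class_magic": [], "other_files": []}
    if not report["is_zip"]:
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith("/"):
                continue                                   # directory entry
            if name.upper() == "META-INF/MANIFEST.MF":     # matched case-insensitively to be safe
                attrs = parse_manifest(z.read(name).decode("utf-8", "replace"))
                report["main_class"] = attrs.get("Main-Class")
            elif name.endswith(".class"):
                report["classes"].append(name[:-6].replace("/", "."))
                if z.read(name)[:4] != CLASS_MAGIC:        # not real bytecode: encrypted/packed?
                    report["bad_class_magic"].append(name)
            else:
                report["other_files"].append(name)         # resources, embedded scripts, etc.
    report["runnable"] = report["main_class"] is not None
    return report


def build_sample_jar():
    """Constructed sample JAR (not a real malware sample); class names are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\nMain-Class: qz.Hjkd\r\n Pvxw\r\n\r\n")
        z.writestr("qz/HjkdPvxw.class", CLASS_MAGIC + b"\x00\x00\x00\x34")
        z.writestr("qz/Helper.class", b"NOT-BYTECODE")     # deliberately lacks the magic
        z.writestr("res/a.vbs", b"' constructed placeholder resource")
    return buf.getvalue()
```

Running `triage_jar(build_sample_jar())` reports the wrapped Main-Class `qz.HjkdPvxw`, flags `qz/Helper.class` as not carrying the class-file magic, and lists the embedded script as a resource worth dumping.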