JBifrost: In Cold Blood

11 January 2017 | Java RAT

Following the last blog post, we will do a more technically-oriented analysis of the Adwind/JBifrost RAT.

First, a quick review of what has changed with the RAT since last September.

Latest news concerning JBifrost

The site jbifrost.com no longer hosts the forum and store; it now simply redirects to a developer website called RedPois0n. The only link I could find between this person and JBifrost is that he wrote a Java application to check for and remove Java RAT infections: jRAT Remover.

I don’t know when this change took place, but it was most likely during December 2016. Does this mean Adwind has changed its name again?

Figure: jbifrost.com now redirecting to redpois0n.com

However, this doesn’t mean JBifrost, or the next Adwind incarnation, is dead.

Indeed, the RAT is still active at the time of writing; for example, this sample was received 2 days ago: https://www.hybrid-analysis.com/sample/ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411?environmentId=100

Another change appeared in samples last year: some use a Base64-encoded file to “hide” the main JAR payload.

This was possibly only a test, because newer samples are back to the encrypted main JAR.

All of this indicates that the developer(s) of Adwind/JBifrost are still actively maintaining and distributing the RAT.

Deep-dive analysis of the RAT

When writing the last blog post on JBifrost, I had already examined dozens of JAR samples with different structures and decryption functions. Since last July there has been little change in the way Adwind/JBifrost decrypts its configuration, so the developer seems content with his work for the time being.

Note: in what follows, I will show neither the Java code of the malware nor my methods.

1 – JAR Structure

Let’s look at the structure of the sample linked above:

Archive:  Payment Advice.jar
Obfuscation by Allatori Obfuscator http://www.allatori.com
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2017-01-04 08:33   META-INF/
      208  2017-01-04 08:33   META-INF/MANIFEST.MF
        0  2017-01-04 08:33   Te/
        0  2017-01-04 08:33   Te/YAe/
   218848  2017-01-04 08:33   Te/YAe/x.Fz
        0  2017-01-04 08:33   Kkw/
        0  2017-01-04 08:33   Kkw/se/
      256  2017-01-04 08:33   Kkw/se/n.g
        0  2017-01-04 08:33   v/
        0  2017-01-04 08:33   v/JDQ/
     1476  2017-01-04 08:33   v/JDQ/D.A
      352  2017-01-04 08:33   drop.box
     1476  2017-01-04 08:33   sky.drive
      256  2017-01-04 08:33   mega.download
        0  2017-01-04 08:33   w/
      710  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyka.class
      464  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyfa.class
      560  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskysa.class
      426  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyqa.class
     1179  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyaa.class
     1727  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskypa.class
      477  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyw.class
     1413  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyi.class
      570  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyb.class
     3222  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyl.class
      411  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyr.class
     1278  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyu.class
     1393  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyn.class
     1348  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskya.class
     2187  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyo.class
      924  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyp.class
      735  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyy.class
      827  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyq.class
     1177  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskys.class
      713  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyf.class
      950  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyc.class
     4776  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyz.class
     4225  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskye.class
     1116  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyh.class
     2129  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyt.class
     1598  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskym.class
      896  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyd.class
     1039  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyk.class
     1399  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyv.class
     2575  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyj.class
     2564  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyg.class
     2131  2017-01-04 08:33   w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyx.class
        0  2017-01-04 08:33   operational/
     1208  2017-01-04 08:33   operational/JRat.class
---------                     -------
   271219                     49 files

The second line (the ZIP archive comment, shown in green in the original) makes it clear that the JAR is obfuscated with Allatori, an old habit of the developer since at least 2014. Nowadays it is used both for the crypters and for the final payload.

The non-class data files (marked in orange in the original listing) are the ones of interest for decrypting the configuration and the final JAR.

The MANIFEST.MF file gives the main class of the JAR as operational.JRat (still a pun on his JRat competitor).

This class is only a caller for the class:

manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyz

You can quickly see that analysing such samples can be really painful because of these long class names…

This is made worse by the fact that Allatori uses reserved words as names for several variables (int, case, null, etc.).

2 – Extraction of the final JAR from the crypter

The first class called begins by extracting the JAR file, which is encrypted in one of the data files shown above.

This class uses one specific decryption function that takes three parameters:

  • an RSA private key file
  • an encrypted AES key file
  • an encrypted file

I won’t go into the specifics of the decryption function, but it can be summed up as follows:

RSA private-key decrypts ->  AES key decrypts -> file

We saw in the listing that two of the highlighted files have a Length of 256. Those are the AES-256 keys for the encrypted files.

There are two AES keys because the extraction happens in two stages:

  • extraction of an XML file via the decryption function, using 3 hardcoded paths to the files; this XML contains 3 variables:
    PRIVATE_PASSWORD  # file containing the second RSA private key
    PASSWORD_CRYPTED  # file containing the second encrypted AES key
    SERVER_PATH       # encrypted final JAR
  • extraction of the final JAR via the same decryption function, using the three values above

This JAR is then called by the crypter and takes control from there.
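To turn the layout described in sections 1 and 2 into a triage check, here is an added Python example (not code from this post, nor from the RAT) that reads a JAR and flags the Allatori banner in the ZIP comment, the over-long class names, and the two (RSA key, AES key, payload) data-file triples by their uncompressed sizes. The JAR it builds is a constructed stand-in with the listing's names and sizes but zero-filled contents; the LONG_NAME threshold is my assumption.

```python
import io
import zipfile

# Heuristics taken from the listing: Allatori leaves its banner in the ZIP
# comment, the obfuscated class names are absurdly long, and the six non-class
# data files come in three sizes: 256 (encrypted AES key), 1476 (RSA private
# key) and anything else (an encrypted payload: XML config or final JAR).
ALLATORI_BANNER = b"Allatori"
LONG_NAME = 100   # assumed threshold for a "suspiciously long" class file name
AES_KEY_LEN = 256
RSA_KEY_LEN = 1476


def triage_jar(data: bytes) -> dict:
    """Return the indicators found in a JBifrost-style crypter JAR (as bytes)."""
    result = {"allatori": False, "long_class_names": 0,
              "aes_key_files": [], "rsa_key_files": [], "payload_files": []}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        result["allatori"] = ALLATORI_BANNER in jar.comment
        for info in jar.infolist():
            name = info.filename
            if name.endswith("/") or name.startswith("META-INF/"):
                continue
            if name.endswith(".class"):
                if len(name.rsplit("/", 1)[-1]) > LONG_NAME:
                    result["long_class_names"] += 1
                continue
            # Non-class entries are bucketed by their uncompressed length.
            if info.file_size == AES_KEY_LEN:
                result["aes_key_files"].append(name)
            elif info.file_size == RSA_KEY_LEN:
                result["rsa_key_files"].append(name)
            else:
                result["payload_files"].append(name)
    # Two (RSA key, AES key, payload) triples = the two-stage extraction layout.
    result["two_stage_layout"] = all(
        len(result[k]) == 2 for k in ("aes_key_files", "rsa_key_files", "payload_files"))
    return result


def build_sample_jar() -> bytes:
    """Constructed stand-in for 'Payment Advice.jar': same entry names and sizes
    as the listing, but every entry is zero-filled (no real malware content)."""
    entries = {
        "META-INF/MANIFEST.MF": 208, "Te/YAe/x.Fz": 218848, "Kkw/se/n.g": 256,
        "v/JDQ/D.A": 1476, "drop.box": 352, "sky.drive": 1476,
        "mega.download": 256, "operational/JRat.class": 1208,
        "w/" + "maninthesky" * 11 + "z.class": 4776,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.comment = b"Obfuscation by Allatori Obfuscator http://www.allatori.com"
        for name, size in entries.items():
            jar.writestr(name, b"\0" * size)
    return buf.getvalue()
```

Running triage_jar(build_sample_jar()) reproduces the grouping the text describes: the two 256-byte files, the two 1476-byte files, and the two remaining payloads.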

3 – Final JAR structure

Once the file is decrypted, it’s possible to see its real content:

  Length      Date    Time    Name
---------  ---------- -----   ----
      134  2017-01-04 23:47   META-INF/MANIFEST.MF
     2684  2017-01-04 23:47   com/DataProtector.class
      494  2017-01-04 23:47   com/Protector.class
      793  2017-01-04 23:47   com/ProtectorException.class
     1897  2017-01-04 23:47   com/Title.class
     2725  2017-01-04 23:47   com/TitleManager.class
    53760  2017-01-04 23:47   com/key/amd64.dll
    46592  2017-01-04 23:47   com/key/x86.dll
    44544  2017-01-04 23:47   com/protector/amd64.dll
    39424  2017-01-04 23:47   com/protector/x86.dll
      639  2017-01-04 23:47   module/Server.class
       27  2017-01-04 23:47   module/api.json
     4387  2017-01-04 23:47   org/json/CDL.class
    13779  2017-01-04 23:47   org/json/JSONArray.class
      754  2017-01-04 23:47   org/json/JSONException.class
     6584  2017-01-04 23:47   org/json/JSONML.class
      196  2017-01-04 23:47   org/json/JSONObject$1.class
      881  2017-01-04 23:47   org/json/JSONObject$Null.class
    24459  2017-01-04 23:47   org/json/JSONObject.class
      156  2017-01-04 23:47   org/json/JSONString.class
      604  2017-01-04 23:47   org/json/JSONStringer.class
     5916  2017-01-04 23:47   org/json/JSONTokener.class
     4109  2017-01-04 23:47   org/json/JSONWriter.class
     1757  2017-01-04 23:47   org/json/Property.class
     7558  2017-01-04 23:47   org/json/XML.class
     4715  2017-01-04 23:47   org/json/XMLTokener.class
     1882  2017-01-04 23:47   util/generic/Base64.class
     1575  2017-01-04 23:47   util/generic/Compress.class
     2481  2017-01-04 23:47   util/generic/Copy.class
     1499  2017-01-04 23:47   util/generic/Random.class
      739  2017-01-04 23:47   util/generic/RandomRange.class
     1748  2017-01-04 23:47   util/generic/Reader.class
     3820  2017-01-04 23:47   util/generic/RunFile.class
     1657  2017-01-04 23:47   util/generic/RunJarFile.class
     3452  2017-01-04 23:47   util/generic/Shell.class
      480  2017-01-04 23:47   util/generic/Sleep.class
     1154  2017-01-04 23:47   util/mac/MacPermission.class
     2449  2017-01-04 23:47   util/windows/Regedit.class
     1504  2017-01-04 23:47   util/windows/WscriptProcess.class
     8426  2017-01-04 23:47   server/t/iIiiiiiiii.class
     1971  2017-01-04 23:47   server/t/iiiIiiIIIi.class
     2826  2017-01-04 23:47   server/t/IiIiiIIiii.class
     5800  2017-01-04 23:47   server/t/iiIIiiiIII.class
     2127  2017-01-04 23:47   server/t/iiIiIiiIiI.class
     2448  2017-01-04 23:47   server/t/iiIIiIIiII.class
     1423  2017-01-04 23:47   server/t/iiIiIIIiII.class
     2393  2017-01-04 23:47   server/t/IIiIiiiiiI.class
      935  2017-01-04 23:47   server/t/iiiiiiIiiI.class
     1260  2017-01-04 23:47   server/t/IIIIIIiiiI.class
     1305  2017-01-04 23:47   server/t/IIiiIiIiIi.class
      536  2017-01-04 23:47   server/t/IIiiIIiiii.class
     1253  2017-01-04 23:47   server/t/IiIiIIiiii.class
     2329  2017-01-04 23:47   server/b/iIiiiiiiii.class
     1484  2017-01-04 23:47   server/b/IiIiiIIiii.class
     5480  2017-01-04 23:47   server/b/iiIIiiiIII.class
     2523  2017-01-04 23:47   server/b/iiiIiiIIIi.class
      533  2017-01-04 23:47   server/b/iiIiIiiIiI.class
     1471  2017-01-04 23:47   server/b/iiIIiIIiII.class
     1380  2017-01-04 23:47   server/b/iiIiIIIiII.class
     1078  2017-01-04 23:47   server/b/IIiIiiiiiI.class
     1856  2017-01-04 23:47   server/b/iiiiiiIiiI.class
     3269  2017-01-04 23:47   server/b/IIIIIIiiiI.class
     2472  2017-01-04 23:47   server/b/IIiiIiIiIi.class
     2485  2017-01-04 23:47   server/b/IIiiIIiiii.class
     3166  2017-01-04 23:47   server/b/IiIiIIiiii.class
     1392  2017-01-04 23:47   server/b/IiiiiIIIII.class
     2275  2017-01-04 23:47   server/b/IIiIIiiiii.class
     1022  2017-01-04 23:47   server/m/iIiiiiiiii.class
     1491  2017-01-04 23:47   server/m/iiiIiiIIIi.class
     1361  2017-01-04 23:47   server/m/IiIiiIIiii.class
     4895  2017-01-04 23:47   server/m/iiIIiiiIII.class
     9827  2017-01-04 23:47   server/main/Start.class
     3458  2017-01-04 23:47   server/y/iiiIiiIIIi.class
     2022  2017-01-04 23:47   server/y/iiIIiiiIII.class
      433  2017-01-04 23:47   server/y/iIiiiiiiii.class
     2366  2017-01-04 23:47   server/y/iiIiIiiIiI.class
     3211  2017-01-04 23:47   server/y/iiIIiIIiII.class
     3281  2017-01-04 23:47   server/y/iiIiIIIiII.class
     3751  2017-01-04 23:47   server/y/IIiIiiiiiI.class
     1404  2017-01-04 23:47   server/y/IiIiiIIiii.class
     1162  2017-01-04 23:47   server/y/iiiiiiIiiI.class
      448  2017-01-04 23:47   server/resources/config.json
      256  2017-01-04 23:47   server/resources/Key2.json
     1476  2017-01-04 23:47   server/resources/Key1.json
---------                     -------
   401768                     84 files

We see here a lot of new classes and files that provide the real RAT functionality.

The MANIFEST.MF file gives the main class as: server.main.Start

We also see that a lot of third-party libraries are bundled, especially JSON-related ones.

Indeed, looking at the last three files (in green in the original), all under server/resources/, we see that they carry a .json extension. One file name is particularly interesting: config.json

If we try to open this file directly, we have the following:

<92>±S^Mîøã¢/^Yý5õ<84>_eU$mt©Ñ<80>R^O<8d>MÚQ^?^Z<8a>sÒ\¡¦fJ^Uìn <9e>$ó×<87>îv}aå<8e>^çeÞÓB Z/µ"úO<95>Æ^RÕä^S¶dÑ<91>^H b7ÚÃbÚU9­Fûw^^^X]^@Ø<8b>vÃU^^^@¤^[^Qw^WlAl÷<95>q^CsºªºéÀ<97>ÊkoØõ^M<92>ùõ²ägz^^<92>Ë^M½    ^^zhÚ­*7^]tÂâî$<93>!e¸½9fÀ^BÎ<8a>¥$@Z×^\^MI^?^?^Z<82><9a>µ<81>ñG<8f>\0<9e>«^BPsÚ<94><8d>^FÓ<97>;WfK\+_ss^<9c>^Br<96>!("^Q?)ð¶©á!<92>7\¶^P6ò£^Sòw¸ Ò<8e><9f>Dnyb­<91>Î<94>·^WÓf^Bή¬<9a>k<9a>E"ªÈ"<98>^L¥óººO<9b>·!    <83>Ód@<85>^B
ßðÆ<89>^MxÔxÌ5'ë<85>q^«¾<86>Cɪ<8d>^^¥û<85>áQ^N·º·ÀÒ<8a>^T^H¨^M^Xýy¥eG_Ï<83>¿<8c>õr^\©é&uh;g^M<90>wH%mÉ®¤|U\^B<86>K^F<87>\^WºAòÊ®^X¹b<95>ÙÜ<80>^U<8a>²¼Û´-^Bò7^O<81>2^BÏÜsë¶Åd<98>Ç×»ârb^Vâ<80>Jvø<9a>÷%<96>Þõ6<88><87>©\/¤©
WEô<9b>*^R©o0?]«ï<9e>t^F*ét

So this file is also encrypted. Key2.json also has a size of 256, so Key1.json must be the RSA private key.

4 – Config.json file

We can now use a new decryption function, which gives us the following file:

{
   "NETWORK":[{"PORT":17387,"DNS":"hland002.ddns.net"}],
   "INSTALL":true,
   "MODULE_PATH":"aF/AnZ/cGH.z",
   "PLUGIN_FOLDER":"nqMZnQRfPay",
   "JRE_FOLDER":"Cxavwv",
   "JAR_FOLDER":"AKPFNBkSlJZ",
   "JAR_EXTENSION":"dGFedJ",
   "ENCRYPT_KEY":"HQgdoIXBNSjZaKKKXgKwSqMwM",
   "DELAY_INSTALL":2,
   "NICKNAME":"User",
   "VMWARE":false,
   "PLUGIN_EXTENSION":"jTkzF",
   "WEBSITE_PROJECT":"https://jrat.io",
   "JAR_NAME":"fATpFIXVyqv",
   "JAR_REGISTRY":"VgOSzWhTrCu",
   "DELAY_CONNECT":2,
   "VBOX":false
}

If we go back to the Hybrid Analysis summary, we see that at one point in its execution the RAT adds a registry key.

In this case, this is the following value:

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v VgOSzWhTrCu /t REG_EXPAND_SZ /d "\"%APPDATA%\Oracle\bin\javaw.exe\" -jar \"%USERPROFILE%\AKPFNBkSlJZ\fATpFIXVyqv.dGFedJ\"" /f

We see here the values from the JSON: JAR_REGISTRY, JAR_FOLDER, JAR_NAME, JAR_EXTENSION.

This confirms that the JSON file is indeed linked to the values seen in the installation process, which means that static analysis can retrieve such parameters for use as IOCs.

The NETWORK value is especially important, as it can be used to search for other samples and correlate them with other threats or specific groups.
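As an added example (not the post's code, nor the RAT's), the cross-check just described can be automated: parse the decrypted config, derive the expected Run value name, JAR path and C2 from it, and verify that a sandbox-observed reg add command matches. The config and command below are constructed copies of the ones shown on this page; the config keeps only a subset of the keys.

```python
import json
import re

# Constructed copies of the decrypted config.json (a subset of its keys) and of
# the "reg add" command observed by the sandbox, both quoted in the post above.
CONFIG_JSON = """{
   "NETWORK":[{"PORT":17387,"DNS":"hland002.ddns.net"}],
   "JAR_FOLDER":"AKPFNBkSlJZ",
   "JAR_EXTENSION":"dGFedJ",
   "JAR_NAME":"fATpFIXVyqv",
   "JAR_REGISTRY":"VgOSzWhTrCu",
   "JRE_FOLDER":"Cxavwv",
   "PLUGIN_FOLDER":"nqMZnQRfPay",
   "VMWARE":false,
   "VBOX":false
}"""

REG_CMD = (r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
           r'/v VgOSzWhTrCu /t REG_EXPAND_SZ '
           r'/d "\"%APPDATA%\Oracle\bin\javaw.exe\" -jar '
           r'\"%USERPROFILE%\AKPFNBkSlJZ\fATpFIXVyqv.dGFedJ\"" /f')


def config_to_iocs(config_text: str) -> dict:
    """Derive host and network IOCs from a decrypted JBifrost config.json."""
    cfg = json.loads(config_text)
    jar_path = r"%USERPROFILE%\{}\{}.{}".format(
        cfg["JAR_FOLDER"], cfg["JAR_NAME"], cfg["JAR_EXTENSION"])
    return {
        "c2": ["{}:{}".format(n["DNS"], n["PORT"]) for n in cfg["NETWORK"]],
        "run_value_name": cfg["JAR_REGISTRY"],      # HKCU\...\Run value name
        "jar_path": jar_path,                       # persisted JAR location
        "folders": [cfg["JAR_FOLDER"], cfg["JRE_FOLDER"], cfg["PLUGIN_FOLDER"]],
        "vm_checks": {k: cfg[k] for k in ("VMWARE", "VBOX")},
    }


# Pulls the /v value name and the /d data out of a "reg add ... /f" command.
_REG_RE = re.compile(r'/v\s+(\S+)\s+.*?/d\s+"(.*)"\s+/f\s*$')


def run_command_matches(reg_cmd: str, iocs: dict) -> bool:
    """Confirm that a sandbox-observed Run-key command carries the value name
    and JAR path predicted from the config (the manual cross-check above)."""
    m = _REG_RE.search(reg_cmd)
    if not m:
        return False
    value_name, data = m.group(1), m.group(2).replace('\\"', '"')
    return value_name == iocs["run_value_name"] and iocs["jar_path"] in data
```

The same derived values (value name, path, C2 host:port) can be fed straight into a hunt query or a detection rule for the persistence and beaconing this sample performs.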

Afterword

This article tried to show that Adwind/JBifrost is still a current threat to systems worldwide and can be used on three different platforms (Win, Mac, Linux) thanks to the versatility of Java.

I’ll try to do a follow-up to this post on the communication of this RAT with its C&C.

I would like to thank John Bambenek, who gave me the inspiration for this article (especially in a video that I can’t find anymore, which included a bit about “eating cookies in your bed”…).