JBifrost: In Cold Blood

Following the last blog post, we will do a more technically oriented analysis of the Adwind/JBifrost RAT.
First, a quick review of what has happened with the RAT since last September.
Latest news concerning JBifrost
The site jbifrost.com no longer hosts the forum and store; it now simply redirects to a developer website called RedPois0n. The only link I could find between this person and JBifrost is that he created a Java application to check for and remove Java RAT infections: jRAT Remover.
I don’t know when this change took place, but it was most likely during December 2016. Does this mean Adwind has changed its name again?

However, this doesn’t mean JBifrost or the next Adwind incarnation is dead.
Indeed, this RAT is still active at the time of writing; for example, this sample was received 2 days ago: https://www.hybrid-analysis.com/sample/ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411?environmentId=100
Another change appeared in samples last year: some use a Base64-encoded file to “hide” the main JAR payload.
This may have been a test, because newer samples are back to the main encrypted JAR.
All this indicates that the developer(s) of Adwind/JBifrost are still actively maintaining and distributing the RAT.
Dive-deep analysis of the RAT
When writing the last blog post about JBifrost, I had already examined dozens of JAR samples with different structures and decryption functions. Since last July there has not been much change in the way Adwind/JBifrost decrypts its configuration, so it seems the developer is content with his work for the time being.
Note: in what follows, I won’t show the Java code of the malware, nor explain my methods.
1 – JAR Structure
Let’s look at the structure of the sample mentioned above:
Archive: Payment Advice.jar
Obfuscation by Allatori Obfuscator http://www.allatori.com
Length Date Time Name
--------- ---------- ----- ----
0 2017-01-04 08:33 META-INF/
208 2017-01-04 08:33 META-INF/MANIFEST.MF
0 2017-01-04 08:33 Te/
0 2017-01-04 08:33 Te/YAe/
218848 2017-01-04 08:33 Te/YAe/x.Fz
0 2017-01-04 08:33 Kkw/
0 2017-01-04 08:33 Kkw/se/
256 2017-01-04 08:33 Kkw/se/n.g
0 2017-01-04 08:33 v/
0 2017-01-04 08:33 v/JDQ/
1476 2017-01-04 08:33 v/JDQ/D.A
352 2017-01-04 08:33 drop.box
1476 2017-01-04 08:33 sky.drive
256 2017-01-04 08:33 mega.download
0 2017-01-04 08:33 w/
710 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyka.class
464 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyfa.class
560 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskysa.class
426 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyqa.class
1179 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyaa.class
1727 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskypa.class
477 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyw.class
1413 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyi.class
570 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyb.class
3222 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyl.class
411 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyr.class
1278 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyu.class
1393 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyn.class
1348 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskya.class
2187 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyo.class
924 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyp.class
735 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyy.class
827 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyq.class
1177 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskys.class
713 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyf.class
950 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyc.class
4776 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyz.class
4225 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskye.class
1116 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyh.class
2129 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyt.class
1598 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskym.class
896 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyd.class
1039 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyk.class
1399 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyv.class
2575 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyj.class
2564 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyg.class
2131 2017-01-04 08:33 w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyx.class
0 2017-01-04 08:33 operational/
1208 2017-01-04 08:33 operational/JRat.class
--------- -------
271219 49 files
We see in the second line (the archive comment, shown in green in the original post) that the JAR clearly uses Allatori to obfuscate the Java code, an old habit of the developer since at least 2014. Nowadays it’s used both for the crypters and for the final payload.
The files marked in orange in the original listing are of interest for the decryption of the configuration and of the final JAR file.
The MANIFEST.MF file indicates the main class of the JAR to be operational.JRat (still a pun on its JRat competitor).
This class is only a caller for the class:
manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyz
You can quickly see that analysing such samples can be really painful because of these very long class names…
This is made worse by the fact that Allatori uses reserved words as names for several variables (like int, case, null, etc.).
2 – Extraction of the final JAR from the crypter
The first class called begins by extracting the JAR file, which is encrypted in one of the orange files shown above.
This class uses one specific decryption function that takes three parameters:
- An RSA private key file
- An AES encrypted key file
- An encrypted file
I won’t go into the specifics of the decryption function, but it can be summed up as follows:
RSA private-key decrypts -> AES key decrypts -> file
We saw in the listing that two of the files in orange have a size of 256 bits. Those are the AES-256 keys for the encrypted files.
There are two AES keys because the extraction is done in two stages:
- Extraction of an XML file via the decryption function, from 3 hardcoded paths to the files; it contains 3 variables:
PRIVATE_PASSWORD # File containing the second RSA private key
PASSWORD_CRYPTED # File containing the second AES encrypted key
SERVER_PATH # Encrypted final JAR
- Extraction of the final JAR via the decryption function, using the three values above
This JAR is then invoked by the crypter and takes control from there.
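The structural clues from sections 1 and 2 (Allatori banner in the archive comment, absurdly long class names, a Main-Class in the manifest, and small non-class resources whose size is exactly 256 alongside the larger key files) are enough to write a triage script for a crypter JAR without touching any of the decryption. The following is an added example written for this post, not the RAT’s code and not the author’s tooling; the in-memory sample JAR is constructed from the names and sizes in the listing (with an approximated class-name prefix), and the thresholds and scoring are assumptions.

```python
"""Structural triage of a JBifrost-style crypter JAR.

Added example for this post (not the RAT's code and not the author's tooling).
It checks the indicators discussed above: the Allatori banner stored as the
zip archive comment, very long obfuscated class names, the Main-Class named
in META-INF/MANIFEST.MF, and non-class resources whose size is exactly 256,
which the post identifies as the wrapped AES key files. The sample JAR built
in build_sample_jar() is constructed here from the listing's sizes and names;
the thresholds and scoring are assumptions for illustration.
"""
import io
import re
import zipfile

LONG_CLASS_NAME = 60   # assumed threshold: class names longer than this are suspicious
KEY_FILE_SIZE = 256    # size of the key files seen in the listing (n.g, mega.download)


def build_sample_jar() -> bytes:
    """Build an in-memory JAR that mimics the layout of 'Payment Advice.jar'."""
    # Approximation of the 121-character class-name prefix seen in the listing.
    prefix = "maninthesky" * 11
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nMain-Class: operational.JRat\r\n\r\n")
        jar.writestr("Te/YAe/x.Fz", b"\x00" * 218848)   # stand-in for the encrypted payload
        jar.writestr("Kkw/se/n.g", b"\x00" * 256)        # stand-in for a wrapped AES key
        jar.writestr("v/JDQ/D.A", b"\x00" * 1476)        # stand-in for an RSA private key
        jar.writestr("drop.box", b"\x00" * 352)
        jar.writestr("sky.drive", b"\x00" * 1476)
        jar.writestr("mega.download", b"\x00" * 256)
        jar.writestr("w/" + prefix + "z.class", b"\xca\xfe\xba\xbe")
        jar.writestr("operational/JRat.class", b"\xca\xfe\xba\xbe")
        # 'unzip -l' prints the archive comment right under the "Archive:" line.
        jar.comment = b"Obfuscation by Allatori Obfuscator http://www.allatori.com"
    return buf.getvalue()


def triage_jar(data: bytes) -> dict:
    """Return structural indicators for a JAR given as bytes."""
    findings = {"allatori": False, "main_class": None,
                "long_class_names": 0, "key_sized_resources": [], "score": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        findings["allatori"] = b"allatori" in jar.comment.lower()
        if "META-INF/MANIFEST.MF" in jar.namelist():
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            match = re.search(r"^Main-Class:\s*(\S+)", manifest, re.MULTILINE)
            if match:
                findings["main_class"] = match.group(1)
        for info in jar.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            if base.endswith(".class"):
                if len(base) > LONG_CLASS_NAME:
                    findings["long_class_names"] += 1
            elif not info.filename.startswith("META-INF/") and info.file_size == KEY_FILE_SIZE:
                findings["key_sized_resources"].append(info.filename)
    # One point per indicator family; two key-sized files match the two-stage scheme.
    findings["score"] = (int(findings["allatori"])
                         + int(findings["long_class_names"] > 0)
                         + int(len(findings["key_sized_resources"]) >= 2))
    return findings


if __name__ == "__main__":
    for key, value in triage_jar(build_sample_jar()).items():
        print(f"{key}: {value}")
```

On a real sample, pass the file’s bytes to triage_jar() instead of the constructed JAR; a score of 3 says only that the archive looks like this crypter family, and the Main-Class it reports is where a manual analysis would start.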
3 – Final JAR structure
Once the file is decrypted, its real content becomes visible:
Length Date Time Name
--------- ---------- ----- ----
134 2017-01-04 23:47 META-INF/MANIFEST.MF
2684 2017-01-04 23:47 com/DataProtector.class
494 2017-01-04 23:47 com/Protector.class
793 2017-01-04 23:47 com/ProtectorException.class
1897 2017-01-04 23:47 com/Title.class
2725 2017-01-04 23:47 com/TitleManager.class
53760 2017-01-04 23:47 com/key/amd64.dll
46592 2017-01-04 23:47 com/key/x86.dll
44544 2017-01-04 23:47 com/protector/amd64.dll
39424 2017-01-04 23:47 com/protector/x86.dll
639 2017-01-04 23:47 module/Server.class
27 2017-01-04 23:47 module/api.json
4387 2017-01-04 23:47 org/json/CDL.class
13779 2017-01-04 23:47 org/json/JSONArray.class
754 2017-01-04 23:47 org/json/JSONException.class
6584 2017-01-04 23:47 org/json/JSONML.class
196 2017-01-04 23:47 org/json/JSONObject$1.class
881 2017-01-04 23:47 org/json/JSONObject$Null.class
24459 2017-01-04 23:47 org/json/JSONObject.class
156 2017-01-04 23:47 org/json/JSONString.class
604 2017-01-04 23:47 org/json/JSONStringer.class
5916 2017-01-04 23:47 org/json/JSONTokener.class
4109 2017-01-04 23:47 org/json/JSONWriter.class
1757 2017-01-04 23:47 org/json/Property.class
7558 2017-01-04 23:47 org/json/XML.class
4715 2017-01-04 23:47 org/json/XMLTokener.class
1882 2017-01-04 23:47 util/generic/Base64.class
1575 2017-01-04 23:47 util/generic/Compress.class
2481 2017-01-04 23:47 util/generic/Copy.class
1499 2017-01-04 23:47 util/generic/Random.class
739 2017-01-04 23:47 util/generic/RandomRange.class
1748 2017-01-04 23:47 util/generic/Reader.class
3820 2017-01-04 23:47 util/generic/RunFile.class
1657 2017-01-04 23:47 util/generic/RunJarFile.class
3452 2017-01-04 23:47 util/generic/Shell.class
480 2017-01-04 23:47 util/generic/Sleep.class
1154 2017-01-04 23:47 util/mac/MacPermission.class
2449 2017-01-04 23:47 util/windows/Regedit.class
1504 2017-01-04 23:47 util/windows/WscriptProcess.class
8426 2017-01-04 23:47 server/t/iIiiiiiiii.class
1971 2017-01-04 23:47 server/t/iiiIiiIIIi.class
2826 2017-01-04 23:47 server/t/IiIiiIIiii.class
5800 2017-01-04 23:47 server/t/iiIIiiiIII.class
2127 2017-01-04 23:47 server/t/iiIiIiiIiI.class
2448 2017-01-04 23:47 server/t/iiIIiIIiII.class
1423 2017-01-04 23:47 server/t/iiIiIIIiII.class
2393 2017-01-04 23:47 server/t/IIiIiiiiiI.class
935 2017-01-04 23:47 server/t/iiiiiiIiiI.class
1260 2017-01-04 23:47 server/t/IIIIIIiiiI.class
1305 2017-01-04 23:47 server/t/IIiiIiIiIi.class
536 2017-01-04 23:47 server/t/IIiiIIiiii.class
1253 2017-01-04 23:47 server/t/IiIiIIiiii.class
2329 2017-01-04 23:47 server/b/iIiiiiiiii.class
1484 2017-01-04 23:47 server/b/IiIiiIIiii.class
5480 2017-01-04 23:47 server/b/iiIIiiiIII.class
2523 2017-01-04 23:47 server/b/iiiIiiIIIi.class
533 2017-01-04 23:47 server/b/iiIiIiiIiI.class
1471 2017-01-04 23:47 server/b/iiIIiIIiII.class
1380 2017-01-04 23:47 server/b/iiIiIIIiII.class
1078 2017-01-04 23:47 server/b/IIiIiiiiiI.class
1856 2017-01-04 23:47 server/b/iiiiiiIiiI.class
3269 2017-01-04 23:47 server/b/IIIIIIiiiI.class
2472 2017-01-04 23:47 server/b/IIiiIiIiIi.class
2485 2017-01-04 23:47 server/b/IIiiIIiiii.class
3166 2017-01-04 23:47 server/b/IiIiIIiiii.class
1392 2017-01-04 23:47 server/b/IiiiiIIIII.class
2275 2017-01-04 23:47 server/b/IIiIIiiiii.class
1022 2017-01-04 23:47 server/m/iIiiiiiiii.class
1491 2017-01-04 23:47 server/m/iiiIiiIIIi.class
1361 2017-01-04 23:47 server/m/IiIiiIIiii.class
4895 2017-01-04 23:47 server/m/iiIIiiiIII.class
9827 2017-01-04 23:47 server/main/Start.class
3458 2017-01-04 23:47 server/y/iiiIiiIIIi.class
2022 2017-01-04 23:47 server/y/iiIIiiiIII.class
433 2017-01-04 23:47 server/y/iIiiiiiiii.class
2366 2017-01-04 23:47 server/y/iiIiIiiIiI.class
3211 2017-01-04 23:47 server/y/iiIIiIIiII.class
3281 2017-01-04 23:47 server/y/iiIiIIIiII.class
3751 2017-01-04 23:47 server/y/IIiIiiiiiI.class
1404 2017-01-04 23:47 server/y/IiIiiIIiii.class
1162 2017-01-04 23:47 server/y/iiiiiiIiiI.class
448 2017-01-04 23:47 server/resources/config.json
256 2017-01-04 23:47 server/resources/Key2.json
1476 2017-01-04 23:47 server/resources/Key1.json
--------- -------
401768 84 files
We see here that there are a lot of new classes and files that serve the real RAT content.
The MANIFEST.MF file indicates the main class as: server.main.Start
We see that a lot of third-party libraries are included, especially JSON-related ones.
Indeed, looking at the last three files (in green in the original post), we see that they have a JSON extension. We also see an interesting file name: config.json
If we try to open this file directly, we get the following:
<92>±S^Mîøã¢/^Yý5õ<84>_eU$mt©Ñ<80>R^O<8d>MÚQ^?^Z\î<8a>sÒ\¡¦fJ^Uìn <9e>$ó×<87>îv}aå<8e>^çeÞÓB Z/µ"úO<95>Æ^RÕä^S¶dÑ<91>^H b7ÚÃbÚU9Fûw^^^X]^@Ø<8b>vÃU^^ %»^@¤^[^Qw^WlAl÷<95>:¤q^CsºªºéÀ<97>ÊkoØõ^M<92>ùõ²ägz^^<92>Ë^M½ ^^zhÚ*7^]tÂâî$<93>!e¸½9fÀ^BÎ<8a>¥$@Z×^\^MI^?^?^Z<82><9a>µ<81>ñG<8f>\0<9e>«^BPsÚ<94><8d>^FÓ<97>;WfK\+_ss^<9c>^Br<96>!("^Q?)ð¶©á!<92>7\¶^P6ò£^Sòw¸ Ò<8e><9f>Dnyb<91>Î<94>·^WÓf^Bή¬<9a>k<9a>E"ªÈ"<98>PÙ^L¥óººO<9b>·! <83>Ód@<85>^B ßðÆ<89>^MxÔxÌ5'ë<85>q^«¾<86>Cɪ<8d>Qý^^¥û<85>áQ^N·º·ÀÒ<8a>^T^H¨^M^Xýy¥eG_Ï<83>¿<8c>õr^\©é&uh;g^M<90>wH%mÉ®¤|U\^B<86>K^F<87>\^WºAòÊ®^X¹b<95>ÙÜ<80>^U<8a>²¼Û´-^Bò7^O<81>2^BÏÜsë¶Åd<98>Ç×»ârb^Vâ<80>Jvø<9a>÷%<96>Þõ6<88><87>©\/¤© WEô<9b>*^R©o0?]«ï<9e>t^F*ét
OK, so this means it’s also encrypted. We can see that the Key2.json file also has a size of 256, so the Key1.json file must be the RSA private key.
4 – Config.json file
We can now use a new decryption function, which gives us the following file:
{
"NETWORK":[{"PORT":17387,"DNS":"hland002.ddns.net"}],
"INSTALL":true,
"MODULE_PATH":"aF/AnZ/cGH.z",
"PLUGIN_FOLDER":"nqMZnQRfPay",
"JRE_FOLDER":"Cxavwv",
"JAR_FOLDER":"AKPFNBkSlJZ",
"JAR_EXTENSION":"dGFedJ",
"ENCRYPT_KEY":"HQgdoIXBNSjZaKKKXgKwSqMwM",
"DELAY_INSTALL":2,
"NICKNAME":"User",
"VMWARE":false,
"PLUGIN_EXTENSION":"jTkzF",
"WEBSITE_PROJECT":"https://jrat.io",
"JAR_NAME":"fATpFIXVyqv",
"JAR_REGISTRY":"VgOSzWhTrCu",
"DELAY_CONNECT":2,
"VBOX":false
}
If we refer to the Hybrid Analysis summary, we see that at one point in its execution the RAT adds a registry key.
In this case, it is the following value:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v VgOSzWhTrCu /t REG_EXPAND_SZ /d "\"%APPDATA%\Oracle\bin\javaw.exe\" -jar \"%USERPROFILE%\AKPFNBkSlJZ\fATpFIXVyqv.dGFedJ\"" /f
We see here the values from the JSON: JAR_REGISTRY, JAR_FOLDER, JAR_NAME, JAR_EXTENSION.
This confirms that the JSON file is indeed linked to the values seen in the installation process, which means that static analysis can retrieve such parameters for use as IOCs.
The NETWORK value is especially important, as it can be used to search for other samples and correlate them with other threats or specific groups.
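Turning the decrypted config into IOCs, and checking a sandbox-reported persistence command against them, is the step a defender would script. The example below was added for this post; it is not the RAT’s code nor the author’s tooling. CONFIG_JSON and REG_ADD_CMDLINE are the config and the reg add command line shown above; the benign Run entry, the IOC field names, the reconstruction of the dropped JAR path from JAR_FOLDER, JAR_NAME and JAR_EXTENSION, and the generic “javaw.exe under %APPDATA% launching a JAR” heuristic (which goes beyond this one sample) are assumptions made for the example.

```python
"""Derive IOCs from a decrypted JBifrost config.json and check persistence.

Added example for this post; it is not the RAT's code nor the author's tooling.
CONFIG_JSON and REG_ADD_CMDLINE are the config and the 'reg add' command line
shown in the post. The IOC field names, the reconstruction of the dropped JAR
path from JAR_FOLDER/JAR_NAME/JAR_EXTENSION, the benign Run entry and the
"javaw.exe under %APPDATA% launching a JAR" heuristic are assumptions.
"""
import json
import re

CONFIG_JSON = """{ "NETWORK":[{"PORT":17387,"DNS":"hland002.ddns.net"}], "INSTALL":true,
"MODULE_PATH":"aF/AnZ/cGH.z", "PLUGIN_FOLDER":"nqMZnQRfPay", "JRE_FOLDER":"Cxavwv",
"JAR_FOLDER":"AKPFNBkSlJZ", "JAR_EXTENSION":"dGFedJ",
"ENCRYPT_KEY":"HQgdoIXBNSjZaKKKXgKwSqMwM", "DELAY_INSTALL":2, "NICKNAME":"User",
"VMWARE":false, "PLUGIN_EXTENSION":"jTkzF", "WEBSITE_PROJECT":"https://jrat.io",
"JAR_NAME":"fATpFIXVyqv", "JAR_REGISTRY":"VgOSzWhTrCu", "DELAY_CONNECT":2, "VBOX":false }"""

# The persistence command reported by the sandbox for this sample.
REG_ADD_CMDLINE = (r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v VgOSzWhTrCu '
                   r'/t REG_EXPAND_SZ /d "\"%APPDATA%\Oracle\bin\javaw.exe\" -jar '
                   r'\"%USERPROFILE%\AKPFNBkSlJZ\fATpFIXVyqv.dGFedJ\"" /f')

# Constructed benign Run entry, used as a negative case.
BENIGN_CMDLINE = (r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive '
                  r'/t REG_SZ /d "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background" /f')

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
REG_ADD_RE = re.compile(r'reg\s+add\s+(?P<key>\S+)\s+/v\s+(?P<value>\S+)\s+/t\s+(?P<type>\S+)'
                        r'\s+/d\s+"(?P<data>.*)"\s+/f\b', re.IGNORECASE)
# Heuristic (assumption): a javaw.exe copy living under %APPDATA% that launches a JAR.
APPDATA_JAVAW_RE = re.compile(r'%APPDATA%[^"]*\\javaw?\.exe"?\s+-jar\s', re.IGNORECASE)


def extract_iocs(config_text: str) -> dict:
    """Pull the host artefacts and C2 endpoints out of the decrypted config."""
    cfg = json.loads(config_text)
    return {
        "c2": [f'{n["DNS"]}:{n["PORT"]}' for n in cfg["NETWORK"]],
        "run_key_value": cfg["JAR_REGISTRY"],
        # Path template taken from the reg add command line in the post.
        "dropped_jar": "\\".join(["%USERPROFILE%", cfg["JAR_FOLDER"],
                                 cfg["JAR_NAME"] + "." + cfg["JAR_EXTENSION"]]),
        "plugin_folder": cfg["PLUGIN_FOLDER"],
        "jre_folder": cfg["JRE_FOLDER"],
    }


def parse_reg_add(cmdline: str):
    """Split a 'reg add' command line into key, value name, type and data."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    rec = m.groupdict()
    rec["data"] = rec["data"].replace('\\"', '"')  # undo the cmd.exe quote escaping
    return rec


def check_persistence(cmdline: str, iocs: dict) -> dict:
    """Score a reg add command against the config-derived IOCs and the heuristic."""
    rec = parse_reg_add(cmdline)
    if rec is None:
        return {"matched": False, "reasons": []}
    reasons = []
    if rec["key"].lower() == RUN_KEY.lower():
        reasons.append("writes to the HKCU Run key")
    if rec["value"] == iocs["run_key_value"]:
        reasons.append("value name equals JAR_REGISTRY")
    if iocs["dropped_jar"].lower() in rec["data"].lower():
        reasons.append("command references JAR_FOLDER\\JAR_NAME.JAR_EXTENSION")
    if APPDATA_JAVAW_RE.search(rec["data"]):
        reasons.append("javaw.exe under %APPDATA% launching a JAR")
    return {"matched": len(reasons) >= 2, "reasons": reasons}


if __name__ == "__main__":
    iocs = extract_iocs(CONFIG_JSON)
    print(json.dumps(iocs, indent=2))
    print(check_persistence(REG_ADD_CMDLINE, iocs))
    print(check_persistence(BENIGN_CMDLINE, iocs))
```

The sample’s command line matches on all four criteria, while the benign OneDrive entry only matches the Run key and is left alone; the %APPDATA% javaw heuristic is the one check that still fires on a sample whose config you have not decrypted yet.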
Afterword
This article tried to show that Adwind/JBifrost is still a current threat to systems worldwide and can be used on three different platforms (Windows, Mac, Linux) thanks to Java’s portability.
I’ll try to do a follow-up to this post concerning the communication of this RAT with its C&C.
I would like to thank John Bambenek, who gave me the inspiration for this article (especially in a video that I can’t find anymore, which included talk about “eating cookies in your bed”…).