Thursday, April 28, 2016

Post #19 (Or... "Anyone Want A .JAR Of .DOCX?")

It happened like it happens so many times on a daily basis. “Yes, you see, I took my company issued laptop home. Yes, and I got an e-mail from someone I trust, and it had an attachment, and I clicked on it. When the attachment just wouldn't open, I realized I had done something wrong. Oh, the e-mail? Yeah, no, it wasn't corporate e-mail. I was checking my personal e-mail. I was at home!”

The, attachment, in this case, was very succinctly named “Docx.jar”. Now, as a novice in the arena of malware analysis, I like .JAR files, because all I need to do is dump them into JD-Gui and start rummaging through code. However, before we do that, let's at least get the footwork out of the way.

Filename: Docx.jar

Size: 212Kb

MD5: ab3e11b7a5fd924be74d3d737fddb9f8

Basic file information. That having been said, let's get right to it!

The first thing I did, as previously stated, was open the .JAR file in JD-Gui.

Those are some wonderfully obfuscated class names right there. However, the class names are not really what drew my interest. That was all in the META-INF > MANIFEST.MF section:

So, I have taken the liberty of researching each of these libraries and summarizing them below:

lib/json-20160212.jar

This is json. Not a whole lot more to say other than that, but if you want a description: "JSON is a light-weight, language independent, data interchange format." Also, as of this writing, this is the current version of JSON, so we know the malware sample can't be any older than 2 months, again as of this writing.

Reference: http://mvnrepository.com/artifact/org.json/json/20160212

lib/synthetica.jar

"Synthetica is a Look and Feel for Swing and is based on Synth which is part of the Java Platform version 1.5. Synthetica provides many different looks through Themes for the core components of Swing with rounded borders, shadowed popup menus and nice icons. Moreover it enables you to modify existing Themes and to create your own look and feel only by editing a XML-based configuration file - you don't have to write complex Java-GUI-Code." So, this is used for making the GUI component of the malware (as seen by the attacker) appear as desired.

Reference: http://www.javasoft.de/synthetica/

lib/syntheticaBlackEye.jar

This is a theme for Synthetica. So, this is what the GUI will look like to the attacker. The reference website has screenshots and a demo.

Reference: http://www.javasoft.de/synthetica/themes/

lib/weblaf-complete-1.29.jar

"Java Look and Feel for cross-platform Swing applications." So, more GUI stuff. Enough said.

Reference: http://weblookandfeel.com/

lib/JNativeHook.jar

"Global keyboard and mouse listeners for Java." Okay, now we are getting into the meat of things here. If I had to take a guess, I'd say we are spying on keyboard and mouse actions.

Reference: https://github.com/kwhat/jnativehook

lib/bridj-0.6.2.jar

"BridJ aims to be the ultimate Java / native interoperability library (BSD-licensed). Call C, C++, ObjectiveC libraries without compiling native code." Again, just conjecture here, but this should let us reach a little more deeply into the OS itself, rather than relying solely on outside Java code.

Reference: https://code.google.com/archive/p/bridj/

lib/slf4j-api-1.7.2.jar

"The Simple Logging Facade for Java (SLF4J) serves as a simple facade or abstraction for various logging frameworks (e.g. java.util.logging, logback, log4j) allowing the end user to plug in the desired logging framework at deployment time." Gonna guess that this will be used to feed verbose data back to attacker.

Reference: http://www.slf4j.org/

lib/webcam-capture-0.3.10.jar

"This library allows you to use your build-in or external webcam directly from Java. It's designed to abstract commonly used camera features and support multiple capturing farmeworks." Scary beyond reason, but also fairly obvious.

Reference: http://webcam-capture.sarxos.pl/

So, if it wasn't already painfully obvious, this malware is a spying utility. It can access the webcam, as well as perform mouse/keyboard logging. From the attackers side, they will see a nice web GUI from which they can spy on their targets.

NOTE: When I initially started looking at this in my office's VM, I could've sworn that I saw a library that dealt with microphone/audio hooking, but I haven't been able to confirm that while analyzing at home.

I didn't dig any further into the source code, mostly because it was too obfuscated for my nascent skillset to handle. I did, however, have a basic idea of what the malware would do, so it seemed the time to switch over to dynamic analysis mode.

So, I first did some diffing, then I did some packet captures. But, before we even go that far, let's look at what happened when I opened the command line and just launched the malware:

C:\Users\Malware Inspector\Desktop\Samples\Samples\Downloads>java -jar Docx.jar

Main-Class : qua.quaverse.qarallax.Bismillahirrahmanirrahim

slave

MinusFiftyCroreEightyThreeLakhSixtySixThousandTwoHundredEightyEight.MinusOneCror

eSeventySixLakhEightThousandTwoHundredSixty.OneArabNinetyEightCroreNinetySevenLa

khSixtyThousandSixHundredThirtyFive Error for Resource : embedding

Looking for Resource on Linked : sun.misc.Launcher.AppClassLoader

id=72000000095 to_id=71000000095

C:\Users\Malware Inspector\Desktop\Samples\Samples\Downloads\Docx.jar

C:\Users\Malware Inspector\.3ojHSEnbdL\Q5Dn8.1H8FbR9Is0x\c6x84fwpDqN9EMt3c\XvBa_

_DMv6TPoRppl.jar

Downloading Library: http://lib.qarallax.com/qarallax-lib/bridj/bridj-0.6.2.jar

=> C:\Users\MALWAR~1\AppData\Local\Temp\1664903225628141467460795952903701664903

2279860 => C:\Users\Malware Inspector\.3ojHSEnbdL\Q5Dn8.1H8FbR9Is0x\c6x84fwpDqN9

EMt3c\lib\bridj-0.6.2.jar

Done.

Downloading Library: http://lib.qarallax.com/qarallax-lib/slf4j/slf4j-api-1.7.2.

jar => C:\Users\MALWAR~1\AppData\Local\Temp\166502376151971210550982508354760166

50237642460 => C:\Users\Malware Inspector\.3ojHSEnbdL\Q5Dn8.1H8FbR9Is0x\c6x84fwp

DqN9EMt3c\lib\slf4j-api-1.7.2.jar

Done.

Downloading Library: http://lib.qarallax.com/qarallax-lib/webcam/webcam-capture-

0.3.10.jar => C:\Users\MALWAR~1\AppData\Local\Temp\16650368914530208876014234498

671816650368931477 => C:\Users\Malware Inspector\.3ojHSEnbdL\Q5Dn8.1H8FbR9Is0x\c

6x84fwpDqN9EMt3c\lib\webcam-capture-0.3.10.jar

Done.

Downloading Library: http://lib.qarallax.com/qarallax-lib/json/json-20160212.jar

=> C:\Users\MALWAR~1\AppData\Local\Temp\166506227099993837444470750942358166506

22728788 => C:\Users\Malware Inspector\.3ojHSEnbdL\Q5Dn8.1H8FbR9Is0x\c6x84fwpDqN

9EMt3c\lib\json-20160212.jar

Done.

Downloading Library: http://lib.qarallax.com/qarallax-lib/jnhook/JNativeHook.jar

=> C:\Users\MALWAR~1\AppData\Local\Temp\166507268013941068474720167227991166507

26818341 => C:\Users\Malware Inspector\.3ojHSEnbdL\Q5Dn8.1H8FbR9Is0x\c6x84fwpDqN

9EMt3c\lib\JNativeHook.jar

Done.

So, despite ALL of that obfuscation effort, I now see where the library files are being downloaded from. First, let's get some info on that host!

Grabbed the WHOIS information for the host, and here is what we get:

Domain Name: QARALLAX.COM

Registry Domain ID : 2002157315_DOMAIN_COM-VRSN

Registrar WHOIS Server : http://whois.nicproxy.com

Registrar URL: http://www.nicproxy.com

Updated Date: 2016-04-23T08:02:50Z

Creation Date: 2016-02-12T09:44:30Z

Registrar Registration Expiration Date: 2017-02-12T09:44:30Z

Registrar:NICS TELEKOMUNIKASYON TICARET LTD.STI.

Registrar IANA ID: 1454

Registrar Abuse Contact Email: abuse@nicproxy.com

Registrar Abuse Contact Phone: +90.2122132963

Reseller: NATRO COMMUNICATION LTD.

Domain Status: ok http://www.icann.org/epp#OK

Registry Registrant ID: CID-901373.G3Z7E1G2

Registrant Name: NicProxy Customer

Registrant Organization: Whois Privacy Protection Service.

Registrant Street: Elif Sok. No 4

Registrant City: Istanbul

Registrant State / Province: Sisli

Registrant Postal Code: 34394

Registrant Country: TR

Registrant Phone: +90.2122132963

Registrant Phone Ext:

Registrant Fax: +90.2122132963

Registrant Fax Ext:

Registrant Email: 901373.g3z7e1g2@nicproxy-customer.com

Registry Admin ID: CID-901373.G3Z7E1G2

Admin Name: NicProxy Customer

Admin Organization: Whois Privacy Protection Service.

Admin Street: Elif Sok. No 4

Admin City: Istanbul

Admin State / Province: Sisli

Admin Postal Code: 34394

Admin Country: TR

Admin Phone: +90.2122132963

Admin Phone Ext:

Admin Fax: +90.2122132963

Admin Fax Ext:

Admin Email: 901373.g3z7e1g2@nicproxy-customer.com

Registry Tech ID: CID-901373.G3Z7E1G2

Tech Name: NicProxy Customer

Tech Organization: Whois Privacy Protection Service.

Tech Street: Elif Sok. No 4

Tech City: Istanbul

Tech State / Province: Sisli

Tech Postal Code: 34394

Tech Country: TR

Tech Phone: +90.2122132963

Tech Phone Ext:

Tech Fax: +90.2122132963

Tech Fax Ext:

Tech Email: 901373.g3z7e1g2@nicproxy-customer.com

Name Server: NS1.DIGITALOCEAN.COM

Name Server: NS2.DIGITALOCEAN.COM

DNSSEC: Unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

Also, we can see that the IP address is 104.236.159.161, and the website title is “Jrypter | Jrypt it!”

Did a quick Google on that site name, and it turns out Jrypter is a “Java binary crypter”, according to their website. It also claims to be provided by QUAverse. So, I performed another Google query, and we see that:

"Quaverse RAT or QRAT is a fairly new Remote Access Tool (RAT) introduced in May 2015. This RAT is marketed as an undetectable Java RAT. As you might expect from a RAT, the tool is capable of grabbing passwords, key logging and browsing files on the victim's computer...

...Attached to it was a .zip attachment containing an executable .JAR file." (source: https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/)

Well, that is starting to sound very familiar, I'd say. But, I don't want to call it a day just because I think I found the malware family to which this file belongs. That isn't very fun, nor does it teach me anything.

So, interestingly enough, the path to which the files are dropped are the same in my test environment as they were when I discovered the malware initially on the victim's machine. Files are dropped to “C:\Users\{USERNAME}\.3ojHSEnbdL” and additional subdirectories.

At this point, a startup entry is created as well:

"C:\Program Files\Java\jre1.8.0_77\bin\java" -jar "C:\Users\Malware Inspector\.3ojHSEnbdL\Q5Dn8.1H8FbR9Is0x\c6x84fwpDqN9EMt3c\XvBa__DMv6TPoRppl.jar"

That file “XvBa__DMv6TPoRppl.jar” is just “Docx.jar” again. At this point, I started looking at network traffic to/from my machine, and I noted this in CurrPorts:

java.exe 2956 TCP 50989 10.0.2.15 1714 85.17.30.134 ersey.eurodyley.com Established C:\Program Files\Java\jre1.8.0_77\bin\java.exe

So, there is our established connection to the malware's server over port 1714. Time to perform another host lookup!

Domain Name: eurodyley.com

Registry Domain ID: 1968501325_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.register.com

Registrar URL: http://www.register.com

Updated Date: 2015-10-14T15:33:47Z

Creation Date: 2015-10-14T15:33:46Z

Registrar Registration Expiration Date: 2016-10-14T15:33:46Z

Registrar: Register.com, Inc.

Registrar IANA ID: 9

Registrar Abuse Contact Email: abuse@web.com

Registrar Abuse Contact Phone: +1.8773812449

Reseller:

Domain Status: clientTransferProhibited http://icann.org/epp#clientTransferProhibited

Registry Registrant ID:

Registrant Name: Genenergy Padicious

Registrant Organization:

Registrant Street: 848 N. Rainbow Road #8001

Registrant City: Las Vegas

Registrant State/Province: NV

Registrant Postal Code: 89107

Registrant Country: US

Registrant Phone: +1.7754326453

Registrant Phone Ext.:

Registrant Fax:

Registrant Fax Ext.:

Registrant Email: server247@matilogicully.net

Registry Admin ID:

Admin Name: Genenergy Padicious

Admin Organization:

Admin Street: 848 N. Rainbow Road #8001

Admin City: Las Vegas

Admin State/Province: NV

Admin Postal Code: 89107

Admin Country: US

Admin Phone: +1.7754326453

Admin Phone Ext.:

Admin Fax:

Admin Fax Ext.:

Admin Email: server247@matilogicully.net

Registry Tech ID:

Tech Name: Genenergy Padicious

Tech Organization:

Tech Street: 848 N. Rainbow Road #8001

Tech City: Las Vegas

Tech State/Province: NV

Tech Postal Code: 89107

Tech Country: US

Tech Phone: +1.7754326453

Tech Phone Ext.:

Tech Fax:

Tech Fax Ext.:

Tech Email: server247@matilogicully.net

Name Server: dns2.register.com

Name Server: dns1.register.com

DNSSEC: Unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

The IP address is 83.149.125.235. Now, I will NOT port scan an IP address I do not own nor do not have written permission to scan, but I can see if the IP address has ever been hit by one of Shodan's scanners. Unfortunately, it had not been hit by Shodan, but the original IP address that was listed in my packet captures (so, where the host lived on 04/15/2016) was 85.17.30.134, and that had been hit by Shodan:

22 - SSH

25 - SMTP

53 - DNS

80 - HTTP

110 - POP3

143 - IMAP

465 - SMTPS

587 - SMTP

993 - IMAP-SSL

995 - POP3-SSL

3306 - MySQL

All common ports, but I did not see that 1714 port listed anywhere, which is a shame.

Dug through my packet captures with Wireshark and Network Miner, but the traffic is encrypted, so couldn't get much deeper at this step.

Now, I did go ahead and run wget against the first host we encountered, and I managed to pull down a bit more than just the original library files:

syshook/system-hook-2.2

"Global Keyboard / Mouse Hook for Java applications."

Reference: https://github.com/kristian/system-hook/releases

sql/sqlite-jdbc-3.8.11.2.jar

"SQLite JDBC, developed by Taro L. Saito, is a library for accessing and creating SQLite database files in Java."

Reference: https://bitbucket.org/xerial/sqlite-jdbc

jna/jna.jar, jna-platform.jar

"JNA provides Java programs easy access to native shared libraries without writing anything but Java code - no JNI or native code is required. This functionality is comparable to Windows' Platform/Invoke and Python's ctypes"

Reference: https://github.com/java-native-access/jna

dumper/laz.qrc, outdmp.qrc, wtfdmp.qrc

NOTE: Had to tackle these a bit differently. Despite them all having the same extension, taking a look at the magic numbers for each file (or running them through trid) revealed that they were actually 2 executables and a zip archive file, respectively within the list.

laz.qrc => laz.exe

Once this file was renamed, I just launched it via command line and got the below result; I looked up the LaZagne project, and it is a one-stop application for dumping credentials from various applications:

outdmp.qrc => outdmp.exe

I recognized the icon for this file, and running it via command line confirmed that it was Outlook Password Dump by Security Xploded:

wtfdmp.qrc => wtfdump.zip

Had to unzip this file first, but once I did I saw an executable named "qumper.exe". Ran it in command line. This looks exactly the LaZagne project except with a custom banner:

Truthfully, that is where my analysis ends. Seems we have a multi-faceted spying tool that has a range of capabilities, though I am not sure all of them are being employed by the attackers as of yet, or at least not with the dropper I encountered. I may come back and edit this post if I gain more information afterward.

Thanks for reading, as always, and remember to stay safe out there. You never know what risk you may be exposed to at any given time!

Friday, April 8, 2016

INFO: I Have Not Disappeared!

Hello, everybody!

It has been a few months since I last posted, and that is due to a variety of factors (personal/professional time is completely occupied, no good material to write about, etc.) However, I have a few articles lined up, and I should be back to posting in the next week or two.

That was all I really wanted to say. Hope you all are having a wonderful and secure day!

Cheers!