AdWind Analysis, part 1 of…however many it takes…

Whether you call it AdWind, JRat, JBifrost, or some other name, odds are this irritating thing continues to hit your enterprise/customers/friends in huge malspam waves.  Should the target be allowing JAR files in attachments?  Of course not…but they probably do anyway.  So be it.


Anyway, so we’ve gotten an email, and in that email is an attachment.

[Screenshot]

Well, I don’t know about you, but I’ve never gotten a FedEx delivery notice as a JAR file, so this is highly suspect.  I’m the suspicious type, so I want to take a look at this rather than assuming it’s just a pilot program FedEx is testing out.  Let’s have a look with ByteCodeViewer.

[Screenshot]

Here, we find the name of the main class.  This is already not looking good.  At this point, I’m thinking the RAT was run through a crypter.  Well, let’s find out.  We’ll go check out the main class.

[Screenshot]

As I suspected, that’s a whole lot of “nope.”  Sure, it’s possible to manually follow all of this and decode it, but the crypter has done its job, in that it’s made code analysis difficult enough that I’m unwilling to do it at this time.

Well…what comes next?  Screw it, let’s just run it and see what happens!

[Screenshots]

And…it fails to run.  Why?  Why wouldn’t it run here, when it definitely runs when our “customers” run it?  Oh…anti-virtualization is still a thing?  FINE!!

Well, this is Java, so it’s probably cross-platform.  In many cases, the anti-virtualization stuff is specifically targeted to Windows, so let’s see if maybe this will run in a Linux VM.

[Screenshots]

…and, it seems to be running.  Additionally, it looks like it’s running a .class file from /tmp.  Cool.


[Screenshot]

Also, we have it reaching out to a C2 IP.  For many of us, we can stop the analysis process here and now.  We have enough to determine whether or not the target host was compromised.  That said, let’s keep going.

[Screenshots]

As we can see here, though, it’s not actually a class file, but another JAR.  I suppose the next question is whether it’s created a new jar, or made a copy of itself.

[Screenshot]

Well, that answers that.  It’s a new JAR file.  I wonder if maybe, just maybe, this is the decrypted version of the RAT…
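The two checks made above (reading the Main-Class from the manifest, and deciding whether the file dropped in /tmp as a “.class” is really a JAR and whether it is a copy of the original or a new file) can be scripted for triage. This is an added example, not the author’s tooling; the sample JARs it builds are constructed stand-ins, not the real samples.

```python
"""Triage a dropped file: real type by magic bytes, Main-Class from the
manifest, and SHA-256 comparison against the JAR that arrived by email."""
import hashlib
import io
import zipfile
from typing import Optional

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # JVM .class file header
ZIP_MAGIC = b"PK\x03\x04"          # a JAR is a ZIP container


def identify(data: bytes) -> str:
    """Classify by leading bytes, ignoring whatever extension the dropper used."""
    if data.startswith(CLASS_MAGIC):
        return "class"
    if data.startswith(ZIP_MAGIC):
        return "jar"
    return "unknown"


def main_class(data: bytes) -> Optional[str]:
    """Return Main-Class from META-INF/MANIFEST.MF (the entry the JVM launches)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Main-Class:"):
            return line.split(":", 1)[1].strip()
    return None


def compare(original: bytes, dropped: bytes) -> dict:
    """Answer 'copy of itself or a new JAR?' by hashing both files."""
    h_orig = hashlib.sha256(original).hexdigest()
    h_drop = hashlib.sha256(dropped).hexdigest()
    kind = identify(dropped)
    return {
        "dropped_type": kind,
        "same_file": h_orig == h_drop,
        "original_sha256": h_orig,
        "dropped_sha256": h_drop,
        "dropped_main_class": main_class(dropped) if kind == "jar" else None,
    }


def build_jar(main: str, payload: bytes) -> bytes:
    """Constructed sample JAR with a manifest and one class entry (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nMain-Class: {main}\n")
        zf.writestr(main.replace(".", "/") + ".class", CLASS_MAGIC + payload)
    return buf.getvalue()
```

Run `compare(open("attachment.jar","rb").read(), open("/tmp/x.class","rb").read())` against the real files; a `same_file` of False with `dropped_type == "jar"` is the “new JAR” result seen above.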

[Screenshot]

And yes, it looks as though in this case, when executed, a decrypted copy of the RAT is created.  Fun stuff.

[Screenshot]

Unfortunately, it’s not THAT fun.  As soon as we dig in, we can see that this is still pretty heavily obfuscated.  Luckily, there’s an “app” for that.  MHelwig on GitHub wrote an AdWind decryptor.  It didn’t work properly when I ran it, so I snagged the source code and fixed a couple of things.  My version is available here.


That said, I’m tired of typing right now…so I’m going to wrap this up, and I’ll run through the rest of the process in Part II.
