Dumping COVID-19.jar with Java Instrumentation
#1
Bug 
Quote:
There is a generic and easy way to unpack Java malware that is not well-known yet. For demonstration, I use a recent JAR malware sample that jumps on the COVID-19 bandwagon.

From the point of view of a threat actor, Java based malware has the advantage that it works regardless of the operating system as long as Java is installed. While the numbers of Java malware have declined in the last 5 years, certain strains are still seen frequently in the wild, e.g., the backdoor Adwind. Malware authors are also still creating new Java based strains like the information stealer Qealler which was first seen in February 2019.

Almost all of those threats are packed, using protection tools like Allatori which makes reverse engineering a bit harder.

In the following video I demonstrate a generic way to unpack Java based malware dynamically. This method uses Java instrumentation, more specifically Java Agents. They are a tool for developers to change the behaviour of their programs without having to modify the original source code. The Java Agent is part of a separate JAR file that is applied to the actual software while running it. That way developers can easily add profiling or logging.

In this instance, a Java Agent will dump all Java classes while they are being executed, thus dynamically unpacking the protected payload.

...
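A minimal class-dumping agent of the kind the quoted post describes, added here as an illustration and not the blog's or the author's own code; the output directory, the `agent.jar` and `sample.jar` names, and the package-prefix skip list are assumptions.

```java
// Added example (not from the original post): a Java agent that writes every class
// loaded by the target JVM to disk, so classes that a packer decrypts and defines at
// runtime end up as plain .class files for static analysis.
// Build (assumed names): javac ClassDumpAgent.java
//   jar cfm agent.jar MANIFEST.MF ClassDumpAgent.class
//   where MANIFEST.MF contains the line:  Premain-Class: ClassDumpAgent
// Run inside an isolated analysis VM: java -javaagent:agent.jar=dumped_classes -jar sample.jar
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.ProtectionDomain;

public class ClassDumpAgent {
    // premain runs before the sample's main(); the argument after '=' is the output directory
    public static void premain(String agentArgs, Instrumentation inst) {
        Path outDir = Paths.get(agentArgs == null || agentArgs.isEmpty() ? "dumped_classes" : agentArgs);
        inst.addTransformer(new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined,
                                    ProtectionDomain pd, byte[] classfileBuffer) {
                // className is in internal form ("com/example/Foo"); it can be null for some
                // synthetic or hidden classes, which we simply skip.
                if (className == null) return null;
                // Skip JDK classes so the dump only holds the sample's own (unpacked) classes.
                if (className.startsWith("java/") || className.startsWith("javax/")
                        || className.startsWith("sun/") || className.startsWith("jdk/")) return null;
                try {
                    // Internal names use '/', so resolve() recreates the package directory tree.
                    Path target = outDir.resolve(className + ".class");
                    Files.createDirectories(target.getParent());
                    Files.write(target, classfileBuffer);
                } catch (Exception e) {
                    System.err.println("[agent] failed to dump " + className + ": " + e);
                }
                // Returning null tells the JVM to keep the original bytes unchanged.
                return null;
            }
        });
    }
}
```

Classes that were already loaded before the agent attached are not transformed, which is why loading via `-javaagent` at startup (rather than attaching later) gives the most complete dump.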