How to Analyze Java Malware – A Case Study of STRRAT

Prepared by: Vlad Pasca, Senior Malware & Threat Analyst
SecurityScorecard.com
info@securityscorecard.com
Tower 49, 12 E 49th Street, Suite 15-001, New York, NY 10017
1.800.682.1707

Table of contents

Executive summary
Analysis and findings
STRRAT commands
Indicators of Compromise

securityscorecard.com | 1

Executive summary

STRRAT is a Java-based malware that executes multiple commands transmitted by the C2 server. The JAR file was obfuscated using the Allatori obfuscator. The malware establishes persistence on the host by copying itself to the Startup folder, creating a scheduled task, and creating a Run registry entry. The implemented commands include: rebooting the machine, uninstalling the malware and deleting all of its traces, downloading and executing files, updating the initial JAR file, executing commands via cmd and PowerShell, opening/deleting/downloading/uploading files specified by the C2 server, keylogging, retrieving a list of running processes, running a reverse proxy on the machine, installing RDPWrap to enable Remote Desktop Host support, stealing passwords from multiple browsers and email clients, attempting to elevate privileges, and a functional ransomware module.

Analysis and findings

SHA256: 0de7b7c82d71f980e5261c40188bafc6d95c484a2bf7007828e93f16d9ae1d9a

We will perform a detailed analysis of the STRRAT sample that was dropped by Vjw0rm. As already described in the Vjw0rm whitepaper, the JAR file is deobfuscated using the Java deobfuscator.
Vjw0rm whitepaper: https://resources.securityscorecard.com/research/acasestudyofVjw0rm
Java deobfuscator: https://github.com/java-deobfuscator/deobfuscator

As shown in Figure 1, the malware was obfuscated using the Allatori Obfuscator:

[Figure 1]

The process verifies whether any arguments were passed and sets a boolean value accordingly:

[Figure 2]

If a single argument is provided, the RAT creates a file called "C:\Users\\64578lock.file", as highlighted below:

[Figure 3]
[Figure 4]

The configuration file called “config.txt” is decrypted using the AES algorithm, with the key derived from the “strigoi” string:

[Figure 5]
[Figure 6]

Multiple JAR files that will be used in the malicious activity are downloaded and saved to the “C:\Users\\lib” directory:

[Figure 7]
[Figure 8]

The getAbsolutePath method is used to retrieve the path of the JAR file. An error message is displayed if NULL is returned:

[Figure 9]
[Figure 10]

The first decrypted parameter from the configuration is the primary C2 server, and the second is the primary C2 port. The fourth and fifth parameters contain the secondary C2 server and port:

[Figure 11]
[Figure 12]

The malware establishes persistence by creating a scheduled task called “Skype”:

[Figure 13]

The malicious process obtains the path of the AppData folder using SHGetFolderPath (26 = CSIDL_APPDATA). It creates a directory called “strlogs” inside AppData using the mkdir function:

[Figure 14]
[Figure 15]
[Figure 16]

The RAT creates a socket and connects it to the C2 server on the primary port. If the connection is unsuccessful, it tries contacting the backup C2 server (see Figure 17).
[Figure 17]

The process copies the JAR file to the Startup folder (7 = CSIDL_STARTUP):

[Figure 18]
[Figure 19]

The malicious process creates a new entry under the “Software\Microsoft\Windows\CurrentVersion\Run” registry key that causes the “javaw.exe” executable to run the initial JAR file. This is accomplished using the WindowsRegOpenKey, WindowsRegQueryValueEx, and WindowsRegSetValueEx functions:

[Figure 20]
[Figure 21]
[Figure 22]

The C2 server transmits multiple elements delimited by “|”. The first one is the command that will be executed by STRRAT:

[Figure 23]

STRRAT commands

reboot command

The impacted machine is rebooted using the shutdown command (see Figure 23).

shutdown command

The malicious process shuts down the current host, as shown below:

[Figure 24]

uninstall command

This command implements the uninstall routine. The scheduled task called “Skype” is deleted, the JAR file copied to the Startup folder is deleted along with the initial JAR, and the Registry value used for persistence is deleted using WindowsRegDeleteValue:

[Figure 25]
[Figure 26]

disconnect command

The process closes the socket created earlier and then exits:

[Figure 27]

down-n-exec command

The malware downloads a file from a URL supplied by the C2 server and saves it in the AppData directory:

[Figure 28]
[Figure 29]

Depending on the downloaded file’s extension, it is executed using wscript.exe, java.exe, or cmd.exe:

[Figure 30]

The malicious process sends an update message to the C2 server (“update-status|Executed File”) and another one indicating that it is ready to receive new commands:

[Figure 31]
[Figure 32]

update command

This command is used to update the JAR file. It launches the new JAR using the Java executable:

[Figure 33]
[Figure 34]

up-n-exec command

This command is similar to the down-n-exec command presented above.
It downloads a file that is executed using wscript.exe, java.exe, or cmd.exe:

[Figure 35]

remote-cmd command

The RAT executes a command transmitted by the C2 server using cmd.exe. It retrieves the content of the “COMPUTERNAME” (or “HOSTNAME”) and “USERNAME” environment variables, which will be exfiltrated:

[Figure 36]
[Figure 37]
[Figure 38]

A new socket that transmits the information to the C2 server is created:

[Figure 39]
[Figure 40]

power-shell command

The command is similar to the one described above; however, the sent command is run via powershell.exe (see Figure 41).

[Figure 41]

file-manager command

The malware enumerates the files and directories located in the user’s home directory. It constructs a string that contains the following data:

● “F” + filename + file size in KB + lastModified timestamp
● “D” + directory name + lastModified timestamp

[Figure 42]
[Figure 43]

A new thread is created, which handles the following subcommands: “navigate”, “nav-key-log”, “open”, “delete”, “savefile”, and “bringfile”.

[Figure 44]
[Figure 45]

The “navigate” subcommand is used to enumerate the files found in a particular folder, as highlighted in Figure 46.

[Figure 46]

The “nav-key-log” subcommand enumerates the keylogger directory found in “AppData\strlogs”. The “open” subcommand is used to run a file using “cmd.exe /c”. Using the “delete” subcommand, the malware deletes a regular file or folder (Figure 47).
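A triage helper for the “|”-delimited C2 protocol described above, added here as an example (it is neither the malware's code nor part of the original report): it splits each message, maps the leading element to the full command set documented across this report's command section, and flags the commands that warrant immediate response. The session messages are constructed; the “update-status” reply is the one quoted on this page.

```python
"""Classifier for STRRAT C2 messages (added example; not the malware's or
SecurityScorecard's code).  Messages are "|"-delimited with the command first;
the table below is the full command set documented in this report."""
from typing import Dict, List, NamedTuple, Optional

# command -> impact category, from the per-command walkthrough in this report
STRRAT_COMMANDS: Dict[str, str] = {
    "reboot": "impact", "shutdown": "impact", "screen-on": "impact",
    "uninstall": "cleanup", "disconnect": "cleanup",
    "down-n-exec": "execution", "up-n-exec": "execution", "update": "execution",
    "remote-cmd": "execution", "power-shell": "execution",
    "file-manager": "collection", "keylogger": "collection",
    "o-keylogger": "collection", "processes": "discovery",
    "startup-list": "persistence", "rev-proxy": "proxy",
    "h-browser": "remote-control", "remote-screen": "remote-control",
    "hrdp-new": "remote-control", "hrdp-res": "remote-control",
    "chrome-pass": "credential-theft", "foxmail-pass": "credential-theft",
    "outlook-pass": "credential-theft", "fox-pass": "credential-theft",
    "tb-pass": "credential-theft", "ie-pass": "credential-theft",
    "save-all-pass": "credential-theft",
    "chk-priv": "privilege", "req-priv": "privilege",
    "rw-encrypt": "ransomware", "rw-decrypt": "ransomware", "show-msg": "ransomware",
}
URGENT = {"ransomware", "credential-theft", "remote-control"}

class Parsed(NamedTuple):
    direction: str            # "c2->host", "host->c2" or "unknown"
    command: str
    category: Optional[str]
    args: List[str]

def parse_message(raw: str) -> Parsed:
    """Split one message on '|' and classify its leading element."""
    head, *args = [p.strip() for p in raw.rstrip("\r\n").split("|")]
    if head in STRRAT_COMMANDS:
        return Parsed("c2->host", head, STRRAT_COMMANDS[head], args)
    if head == "update-status":        # implant status reply quoted in this report
        return Parsed("host->c2", head, None, args)
    return Parsed("unknown", head, None, args)

def urgent_commands(session: List[str]) -> List[str]:
    """Commands in a captured session that warrant immediate response."""
    return [p.command for p in map(parse_message, session) if p.category in URGENT]

if __name__ == "__main__":
    # constructed sample session; the rw-encrypt argument is a placeholder
    SESSION = ["processes|", "chrome-pass|", "update-status|Executed File",
               "rw-encrypt|<password placeholder>"]
    print(urgent_commands(SESSION))    # ['chrome-pass', 'rw-encrypt']
```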
[Figure 47]

The “savefile” subcommand is used to create a new file and populate it with content sent by the C2 server:

[Figure 48]

Finally, the last subcommand (“bringfile”) is used to exfiltrate a regular file to the remote server:

[Figure 49]

keylogger command

The malicious process creates an HTML file that contains a string corresponding to this malware family, “Generated by Strigoi Master”:

[Figure 50]
[Figure 51]
[Figure 52]

The RAT constructs a globalKeyboardHook and implements the addKeyListener function, which listens for keyPressed and keyReleased events:

[Figure 53]

It verifies which keys were pressed and then calls the getVirtualKeyCode function, as shown in Figure 54.

[Figure 54]

The name of the window in which the keys were pressed is also recorded using the GetForegroundWindow and GetWindowText methods:

[Figure 55]
[Figure 56]

o-keylogger command

The malware creates an HTML file named “keylogs_” + random int between 0 and 9998 + “.html”. This file stores the keys pressed during the keylogger operation:

[Figure 57]

processes command

The RAT retrieves a list of running processes via a WMI query, which is exfiltrated to the C2 server. It can kill a specific process based on its PID using the taskkill command:

[Figure 58]
[Figure 59]
[Figure 60]

h-browser command

The malicious process checks whether the Chrome and Firefox browsers are installed on the machine in the “C:\Program Files” and “C:\Program Files (x86)” directories, as shown below:

[Figure 61]
[Figure 62]

The following subcommands are implemented: “start”, “stop”, and “exit” (see Figure 63).

[Figure 63]

The process opens Chrome or Firefox in a new window with the “Strigoi Browser” title.

[Figure 64]

The following events are implemented: “mouse-event left”, “mouse-event right”, and “key-event”.
These events are used to navigate in the newly created browser window. For example, in the case of mouse events, the malware calls the PostMessage function with the parameters 513 (WM_LBUTTONDOWN) and 514 (WM_LBUTTONUP), or 516 (WM_RBUTTONDOWN) and 517 (WM_RBUTTONUP), respectively:

[Figure 65]

startup-list command

The malware extracts the Startup programs and the programs found in the Run registry keys:

[Figure 66]
[Figure 67]

The following subcommands are implemented: “reload”, “delete”, and “add”. The process can delete and add programs in the Startup folder, as well as entries under the Run registry keys (see Figure 68).

[Figure 68]

remote-screen command

The RAT creates two threads that implement the remote screen function:

[Figure 69]
[Figure 70]

The following events are handled: "key-event", "mouse-move", "mouse-wheel", "mouse-double", "mouse-left", and "mouse-right". The malware can manipulate the mouse cursor using the mouseMove, mouseWheel, mousePress, and mouseRelease functions:

[Figure 71]
[Figure 72]

rev-proxy command

This command implements a reverse proxy on the host. It receives a “CONNECT IP:Port” request and sends back a “200 Connection Established” message, as highlighted below:

[Figure 73]
[Figure 74]
[Figure 75]

hrdp-new command

Firstly, the process verifies whether the Chrome and Firefox browsers are installed on the machine:

[Figure 76]
[Figure 77]

It downloads RDPWrap from http[:]//wshsoft[.]company/multrdp.jpg, which enables Remote Desktop Host support on Windows:

[Figure 78]
[Figure 79]

The process runs RDPWrap, creates a new user with a five-letter name, and prevents the display of the last username by modifying a Registry value. The new username is sent to the C2 server:

[Figure 80]
[Figure 81]
[Figure 82]

The following subcommands are implemented: "CLONE", "EXITS", and "EXIT".
[Figure 83]

Using the “CLONE” subcommand, the malicious process retrieves a Firefox profile and clones it using a batch file called “Firefox.bat”. It starts Firefox with the “-no-remote -profile” parameters, which specify the cloned user’s profile:

[Figure 84]

By specifying the “EXITS” subcommand, the newly created account is deleted. The modified Registry value is set back to 0:

[Figure 85]

Finally, the last subcommand (“EXIT”) is used to log off the RDP session that was established, as displayed below:

[Figure 86]

hrdp-res command

The command is similar to the one described above; however, the username is specified by the C2 server:

[Figure 87]

chrome-pass command

The RAT only targets the Windows operating system, as shown below:

[Figure 88]
[Figure 89]

The “Login Data” database is copied to “AppData\Roaming\Login Data”, and the malware extracts the following fields: “action_url”, “username_value”, and “password_value” (see Figure 90).

[Figure 90]

Firstly, the malware tries to decrypt the “password_value” field using the cryptUnprotectData function. If the operation is unsuccessful, it retrieves and decrypts the master key from the “Local State” file, and the “password_value” field is decrypted using the AES-GCM algorithm:

[Figure 91]
[Figure 92]
[Figure 93]

foxmail-pass command

The process opens the Registry key corresponding to the FoxMail email client, as well as the file found in “Storage//Accounts/Account.rec0”. It looks for two fields called “Password” and “POP3Password”:

[Figure 94]
[Figure 95]

The passwords are decoded using a custom algorithm (see Figure 96; reference: https://github.com/StarZHF/Foxmail-Password-Recovery/blob/master/foxDecode/foxDecode/Program.cs).

[Figure 96]

outlook-pass command

The malicious process searches through Registry keys corresponding to Outlook.
It tries to locate entries that contain the “password” string and the specific value names “IMAP Password”, “POP3 Password”, “HTTP Password”, and “SMTP Password”. It obtains the “Email” and “SMTP Server” values and decrypts the passwords using the cryptUnprotectData method:

[Figure 97]
[Figure 98]
[Figure 99]

fox-pass command

The process locates the following files and packs them into an archive called “rpack.zip” to be exfiltrated: logins.json (encrypted logins), key4.db (decryption key for the passwords), and cert9.db (certificates stored in the Certificate Manager).

[Figure 100]
[Figure 101]
[Figure 102]

tb-pass command

This command is similar to the one presented above, but Thunderbird passwords are extracted:

[Figure 103]

ie-pass command

The malware extracts stored credentials from Internet Explorer and Edge using a PowerShell script (see Figure 105).

[Figure 104]
[Figure 105]

chk-priv command

The RAT verifies whether it has administrative privileges by trying to create a file called “dummy.log” in the System32 directory, and sends the outcome to the C2 server:

[Figure 106]
[Figure 107]

req-priv command

The process tries to relaunch itself with admin privileges, which presents a UAC prompt to the user, using the “-verb runAs” PowerShell parameters:

[Figure 108]
[Figure 109]

rw-encrypt command

This command implements the ransomware module of the malware. It encrypts the files found in the Downloads, Documents, and Desktop folders of the user’s profile using AES-128. The AES key is derived from a password specified by the C2 server, and the IV is randomly generated using a SecureRandom object.
Finally, the extension of the encrypted files is changed to “.crimson”, as highlighted below:

[Figure 110]
[Figure 111]
[Figure 112]
[Figure 113]

rw-decrypt command

This command is the complement of the one above and can be used to decrypt the files having the “.crimson” extension using the AES-128 algorithm.

[Figure 114]

show-msg command

The malware creates the ransom note called “crimson_info.txt” and populates it with content received from the C2 server. It is displayed to the user by spawning a notepad process:

[Figure 115]

screen-on command

This command is used to move the mouse using the mouseMove function, keeping the screen on:

[Figure 116]
[Figure 117]

save-all-pass command

The command combines the passwords extracted from Internet Explorer, Edge, Google Chrome, FoxMail, Outlook, Mozilla Firefox, and Thunderbird:

[Figure 118]

The process sends a ping packet to the C2 server containing the STRRAT version (1.5) and the public IP of the host retrieved from ip-api.com:

[Figure 119]
[Figure 120]

Indicators of Compromise

SHA256
0de7b7c82d71f980e5261c40188bafc6d95c484a2bf7007828e93f16d9ae1d9a

C2 servers/URLs
http[:]//jbfrost[.]live
nneewwllooggzz.mefound[.]com
windowsupdatelogz.onedumb[.]com
http[:]//wshsoft[.]company/multrdp.jpg
ip-api[.]com/json/

User agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36

Files created
C:\Users\\64578lock.file
C:\Users\\AppData\Roaming\Mozilla\Firefox\rpack.zip
C:\Users\\AppData\strlogs
C:\Users\\lib\jna-5.5.0.jar
C:\Users\\lib\jna-platform-5.5.0.jar
C:\Users\\lib\sqlite-jdbc-3.14.2.1.jar
C:\Users\\lib\system-hook-3.5.jar

Registry key
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

Scheduled task
Skype
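A host triage routine built from the artifacts above, added here as an example (it is not the malware's code nor part of the original report). It checks a host snapshot for the lock file, the downloaded library JARs, the keylogger HTML files, the Firefox archive, the “.crimson” extension and ransom note, a Run value that launches a JAR through javaw.exe, and the “Skype” scheduled task. The snapshot is constructed; the Run value name and JAR path in it are assumptions, and the username segment of each path is treated as a wildcard.

```python
"""Host triage for the STRRAT artifacts catalogued in this report (added
example; not the malware's or SecurityScorecard's code).  It runs over a
constructed host snapshot rather than the live file system, registry and task
scheduler, so it is reproducible offline; feed it real collection output to
hunt with it.  Usernames in the paths are treated as a wildcard."""
import re
from typing import Dict, List

USER = r"^C:\\Users\\[^\\]+\\"          # matches C:\Users\<anyone>\
FILE_RULES = [
    ("lock file",            re.compile(USER + r"64578lock\.file$", re.I)),
    ("downloaded lib JAR",   re.compile(USER + r"lib\\(jna-5\.5\.0|jna-platform-5\.5\.0|"
                                        r"sqlite-jdbc-3\.14\.2\.1|system-hook-3\.5)\.jar$", re.I)),
    ("keylog HTML",          re.compile(USER + r"AppData\\strlogs\\keylogs_\d{1,4}\.html$", re.I)),
    ("Firefox data archive", re.compile(USER + r"AppData\\Roaming\\Mozilla\\Firefox\\rpack\.zip$", re.I)),
    ("ransomware output",    re.compile(r"\.crimson$", re.I)),
    ("ransom note",          re.compile(r"\\crimson_info\.txt$", re.I)),
]
# Run value that makes javaw.exe launch a JAR, as the persistence section describes
JAVAW_JAR = re.compile(r"javaw\.exe.*\.jar", re.I)

def triage(snapshot: Dict[str, object]) -> List[str]:
    """Return one finding per matching file, Run value or scheduled task."""
    findings: List[str] = []
    for path in snapshot.get("files", []):
        for label, rule in FILE_RULES:
            if rule.search(path):
                findings.append(f"{label}: {path}")
    for value, cmd in snapshot.get("run_keys", {}).items():
        if JAVAW_JAR.search(cmd):
            findings.append(f"HKCU Run value '{value}' launches a JAR via javaw.exe: {cmd}")
    for task in snapshot.get("tasks", []):
        if task.lower() == "skype":
            findings.append(f"scheduled task named '{task}' (STRRAT persistence name)")
    return findings

# Constructed snapshot; the Run value name and the JAR path are assumptions
SAMPLE_SNAPSHOT = {
    "files": [r"C:\Users\alice\64578lock.file",
              r"C:\Users\alice\lib\jna-5.5.0.jar",
              r"C:\Users\alice\lib\readme.txt",
              r"C:\Users\alice\AppData\strlogs\keylogs_4821.html",
              r"C:\Users\alice\Documents\report.docx.crimson"],
    "run_keys": {"Updater": r'"C:\Program Files\Java\bin\javaw.exe" -jar C:\Users\alice\svc.jar'},
    "tasks": ["Skype", "MicrosoftEdgeUpdateTaskMachineCore"],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SNAPSHOT):
        print(finding)
```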