Wednesday, April 25, 2018

Deep Analysis of Java Archives

Analyzing binaries dynamically is a tricky job. We believe there are 5 major challenges when attempting to do so:

Today's focus is on one problem referred to as “Variety of Input”. Let us assume you have developed a great technology which can deeply analyze malware written for x86 or x64. As great as it may be, it will not get you far if the malware is written in C#, VBS, JS, PowerShell, VB, Delphi or Java.

You will have to develop a separate solution for each of those runtime environments. Unfortunately, there is no single technique which deeply analyzes any input regardless of its type.

For this reason, we think a multi-technology platform and architecture are the means to deeply analyze malware. That is why we have already built unique techniques to analyze the following:

In addition to these, Joe Sandbox also analyzes files on Windows, Linux, macOS, Android and iOS.

To enrich this family of technologies, we have recently added a new one, with the aim of deeply analyzing Java Archives (JAR).

The Rise of JAR

Malware written in Java has become very popular. This is due to a couple of reasons. First of all, Java is a platform-independent product. As an example, a remote access trojan can easily be operated on macOS, Windows and Linux. Secondly, it is simple to write programs in Java. Thirdly, Java malware is not that well detected by antivirus programs.

Deep Analysis of Java Archives

Most sandbox vendors are currently able to capture the system calls executed by a Java program. However, that information is not very detailed. Incident responders and malware analysts are keen on getting the executed Java APIs and their arguments, as well as the decompiled code.

To cover these requirements, we recently added a new JAR tracing functionality to Joe Sandbox:

JAR tracing performs two tasks:

  • Dynamically instrumenting Java bytecode to capture API calls and arguments
  • Java bytecode decompilation to generate Java source code

Extraction of Java API arguments

Let us have a look at the benefits of extracting Java API arguments. Given a JRAT sample, we can detect various suspicious behaviors:

Full Analysis Report

To hide code, JRAT uses AbstractScriptEngine.eval. Since Joe Sandbox traces the API, we get the evaluated String in clear text. Java malware is often heavily obfuscated and packed. Thanks to JAR tracing, Joe Sandbox can detect the unpacking process:

Full Analysis Report
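To illustrate why tracing the eval call exposes hidden code, here is an added example that is not Joe Sandbox's instrumentation (which works on the bytecode level): a tracing subclass of AbstractScriptEngine that records every script string before delegating to the real engine. It assumes a JSR-223 JavaScript engine is installed (Nashorn on Java 8 to 14, or a separately installed engine on newer JDKs); the Base64-hidden script is a constructed sample.

```java
import javax.script.*;
import java.io.IOException;
import java.io.Reader;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/** Records every script passed to eval() before handing it to the wrapped engine. */
public class TracingScriptEngine extends AbstractScriptEngine {
    private final ScriptEngine delegate;
    private final List<String> trace = new ArrayList<>();

    public TracingScriptEngine(ScriptEngine delegate) { this.delegate = delegate; }

    public List<String> getTrace() { return trace; }

    @Override
    public Object eval(String script, ScriptContext ctx) throws ScriptException {
        // Whatever the JAR did to hide the code, it must be plain text at this point.
        trace.add("ScriptEngine.eval(" + script.length() + " chars): " + script);
        return delegate.eval(script, ctx);
    }

    @Override
    public Object eval(Reader reader, ScriptContext ctx) throws ScriptException {
        // Scripts supplied as a Reader are drained into a String so the same trace entry is produced.
        StringBuilder sb = new StringBuilder();
        char[] buf = new char[4096];
        try {
            for (int n; (n = reader.read(buf)) > 0; ) sb.append(buf, 0, n);
        } catch (IOException e) {
            throw new ScriptException(e);
        }
        return eval(sb.toString(), ctx);
    }

    @Override public Bindings createBindings() { return delegate.createBindings(); }
    @Override public ScriptEngineFactory getFactory() { return delegate.getFactory(); }

    public static void main(String[] args) throws ScriptException {
        ScriptEngine js = new ScriptEngineManager().getEngineByName("javascript");
        if (js == null) { System.err.println("no JSR-223 JavaScript engine installed"); return; }
        TracingScriptEngine traced = new TracingScriptEngine(js);
        // Constructed sample: the script only exists Base64-encoded until right before eval().
        String hidden = Base64.getEncoder().encodeToString("var x = 6 * 7; x".getBytes());
        Object result = traced.eval(new String(Base64.getDecoder().decode(hidden)));
        traced.getTrace().forEach(System.out::println);
        System.out.println("result = " + result);
    }
}
```

The trace entry shows the decoded script regardless of how it was stored in the JAR, which is the same information the report above recovers from the eval argument.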

Finally, JAR tracing enables the extraction of the RAT configuration:

Full Analysis Report

This is again extracted from API arguments, not statically decrypted from the binary.

Java Decompilation

In addition to Java API arguments, Joe Sandbox also provides the decompiled source code. Malware Analysts can directly download the source code zip in the analysis detail view:

For instance, in the case of CrossRAT you can easily see how persistence via autostart is implemented.

Final Words

Today's malware samples come in various formats and types. A single-technology approach fails to analyze all of them. Joe Sandbox includes a wide array of domain-specific technologies to always get the deepest analysis possible.

With JAR tracing, incident responders and malware analysts get a powerful tool to extract Java API calls including their arguments. This vastly increases detection capabilities and also helps in understanding complex payloads. In addition, one can download the full decompiled Java source code for extensive analysis.

Interested in JAR tracing and willing to try it? Contact us today and we will provide a trial!