Following on from my last post on Adwind RAT, I found another Java-based RAT that is freely available to the public. Blue Banana has been around for a couple of years and looks very similar to early versions of Frutas.
Here is the pitch from the coder.
My aim was much the same as in my last analysis of Adwind RAT. I’m not so interested in its capabilities, more in how its config is stored and how I can get to it.
Opening up the .jar file I immediately see the bit I want, “config.txt” :)
config.txt contains a long string of characters that look like hex values. Could a simple hex decoder be all I need?
No, sadly not. Looks like I’m going to be reading through some Java class files to figure this one out.
Attempting to decompile the Java bytecode didn’t work very well; I tried a few different decompilers, and each of them got part way through the process before spitting errors at me.
Looking through the code that I did manage to decompile, and with some Google-fu, I was able to figure out why.
Parts of the Java had been obfuscated with a Java obfuscator called Allatori, which can be found at http://www.allatori.com. The RAT author had obfuscated specific chunks of his code with the demo version, including the encryption scheme and the key that it uses.
Cipher cipher; a = new SecretKeySpec(a, j.ALLATORI_DEMO("I>[")); cipher = Cipher.getInstance(d("a(sBe.bBp&c>\025=A\tD\004N\n"));
A few more Google searches and I found some references to code that might be able to deobfuscate some of the content. As I worked my way through bad forum posts I started to feel a bit like Alice, tumbling down the rabbit hole.
There must be an approach that doesn’t require me to figure out not only how the config is created but also how to read the code that creates it in the first place.
Memory... The config has to be placed into memory in the clear at some point, and the key must also be in memory so it can be passed to the decryption routine.
I create my own server jar file; this way I know exactly what values I can expect to see and can be sure that I’m not going to start beaconing out to someone else’s C2.
With my jar file running I fire up Process Hacker and dump the running Java process to a file. With the dump file now sat on the desktop of my VM I throw it into BinText to extract the strings. On my VM, processing a 90 MB file takes a few seconds, about 21 minutes’ worth of seconds, but eventually it spits them all out.
The next step was to look for my config in the clear by searching for any of the strings I gave it.
Here I can see my config line; just above it, and out of the scroll, is another set of lines showing long strings of hex characters that look a lot like my config.txt line. Time for a guess or two: I throw a quick Python script together that will run some of these strings through a few different ciphers.
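The dump-and-search step above can be scripted rather than done by eye. The following is an added example written for this post, not the author's script and not code from Blue Banana: it scans a raw process dump for long hex runs in both ASCII and UTF-16LE (the JVM of that era held java.lang.String contents as UTF-16, which is why BinText's Unicode strings matter as much as its ASCII ones), then keeps only the runs that sit near a marker value typed into a self-built config. The dump contents, the marker and the 64-digit threshold are constructed assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"sort"
)

// Candidate is one hex-looking run found in a dump, with its byte offset so it
// can be related to nearby known plaintext.
type Candidate struct {
	Offset int
	Text   string
}

// Two AES blocks hex-encode to 64 characters; requiring at least that many
// digits skips MD5/SHA-1 hashes and other incidental hex (threshold is an
// assumption). The wide pattern catches the same run stored as UTF-16LE, which
// is how the JVM held java.lang.String contents before compact strings.
var (
	narrowHex = regexp.MustCompile(`[0-9a-fA-F]{64,}`)
	wideHex   = regexp.MustCompile(`(?:[0-9a-fA-F]\x00){64,}`)
)

// FindHexCandidates scans a raw dump for long hex runs in both encodings and
// returns them as ASCII text, ordered by offset.
func FindHexCandidates(dump []byte) []Candidate {
	var out []Candidate
	for _, loc := range narrowHex.FindAllIndex(dump, -1) {
		out = append(out, Candidate{loc[0], string(dump[loc[0]:loc[1]])})
	}
	for _, loc := range wideHex.FindAllIndex(dump, -1) {
		run := dump[loc[0]:loc[1]]
		ascii := make([]byte, 0, len(run)/2)
		for i := 0; i < len(run); i += 2 { // drop the zero high bytes
			ascii = append(ascii, run[i])
		}
		out = append(out, Candidate{loc[0], string(ascii)})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Offset < out[j].Offset })
	return out
}

// NearMarker keeps only candidates within window bytes of a known plaintext,
// such as the C2 address typed into a self-built sample: the "just above my
// config line" check the post does by eye.
func NearMarker(dump []byte, cands []Candidate, marker string, window int) []Candidate {
	var out []Candidate
	for _, m := range regexp.MustCompile(regexp.QuoteMeta(marker)).FindAllIndex(dump, -1) {
		for _, c := range cands {
			if c.Offset >= m[0]-window && c.Offset <= m[1]+window {
				out = append(out, c)
			}
		}
	}
	return out
}

// SampleDump is a constructed stand-in for a process dump: filler, a
// hash-sized hex string that should be ignored, a config-sized hex run, the
// marker from the self-built config nearby, and the same run again as UTF-16LE
// far away.
func SampleDump() []byte {
	hexRun := "00112233445566778899aabbccddeeff" +
		"ffeeddccbbaa99887766554433221100" +
		"0123456789abcdef0123456789abcdef"
	var wide []byte
	for i := 0; i < len(hexRun); i++ {
		wide = append(wide, hexRun[i], 0)
	}
	d := bytes.Repeat([]byte{0x90}, 40)
	d = append(d, "d41d8cd98f00b204e9800998ecf8427e"...) // 32 digits: too short
	d = append(d, bytes.Repeat([]byte{0}, 20)...)
	d = append(d, hexRun...)
	d = append(d, bytes.Repeat([]byte{0}, 8)...)
	d = append(d, "127.0.0.1|1234|demo"...) // constructed marker
	d = append(d, bytes.Repeat([]byte{0}, 2000)...)
	return append(d, wide...)
}

func main() {
	dump := SampleDump()
	for _, c := range NearMarker(dump, FindHexCandidates(dump), "127.0.0.1|1234|demo", 256) {
		fmt.Printf("offset %d: %s\n", c.Offset, c.Text)
	}
}
```

Against a real dump you would replace SampleDump with the file read from disk and the marker with whatever address or password you put in your own server build; the window size is a judgement call, since the JVM does not keep a string and its encrypted form adjacent on the heap, only close in time of allocation.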
Success! I have a decoded config line: AES with a 16-byte key.
To prove that this wasn’t just a fluke, and to check whether it’s a hard-coded key or a per-server key, I create a couple more samples and run them through again. My initial results were not promising. I didn’t see my config lines in any of the new samples; instead I was presented with new lines of hex characters that looked a lot like what I started with. After a few minutes going back over my process to make sure I hadn’t missed anything, I realized what was happening.
The data string I had put into the decode script was the one I had copied from the memory dump, not, as I had with the other samples, a copy from the config.txt file.
It’s encrypted twice! With two different keys! I modify the script to check for this double encryption with what I think are the two different keys and get another eureka moment: from the config.txt file I get a decrypted config line.
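To make the two-layer finding concrete, here is an added example (mine, not the author's Python script and not code from the RAT) that implements the decode path as the post describes it: hex decode, AES with one 16-byte key, then hex decode again and AES with the second key. It assumes AES-ECB with PKCS#5 padding, which is what Cipher.getInstance("AES") in Java defaults to, and it assumes the middle layer is hex text, as the hex runs in the memory dump suggest. The keys and config string are constructed placeholders; the real keys are not in the post.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
)

// ecbApply runs AES over each 16-byte block on its own. ECB with PKCS#5
// padding is what javax.crypto's Cipher.getInstance("AES") gives by default;
// the post does not name the mode, so that default is an assumption here.
func ecbApply(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input is not a whole number of AES blocks")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			block.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	out := append([]byte{}, b...)
	for i := 0; i < n; i++ {
		out = append(out, byte(n))
	}
	return out
}

// pkcs5Unpad strips the padding; malformed padding is usually the first sign
// that a candidate key is wrong.
func pkcs5Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// decryptHex peels one layer: hex text -> AES-ECB decrypt -> unpadded bytes.
func decryptHex(key []byte, hexText string) ([]byte, error) {
	ct, err := hex.DecodeString(hexText)
	if err != nil {
		return nil, err
	}
	pt, err := ecbApply(key, ct, true)
	if err != nil {
		return nil, err
	}
	return pkcs5Unpad(pt)
}

// DecodeConfig unwraps the two layers the post found: config.txt is the hex of
// AES(outerKey) over a hex string that is itself AES(innerKey) over the config.
// The hex middle layer is inferred from the memory dump, so it is an assumption.
func DecodeConfig(configTxt string, outerKey, innerKey []byte) (string, error) {
	middle, err := decryptHex(outerKey, configTxt)
	if err != nil {
		return "", fmt.Errorf("outer layer: %w", err)
	}
	plain, err := decryptHex(innerKey, string(middle))
	if err != nil {
		return "", fmt.Errorf("inner layer: %w", err)
	}
	return string(plain), nil
}

// EncodeConfig is the reverse and exists only to construct test data.
func EncodeConfig(plain string, outerKey, innerKey []byte) (string, error) {
	innerCT, err := ecbApply(innerKey, pkcs5Pad([]byte(plain)), false)
	if err != nil {
		return "", err
	}
	outerCT, err := ecbApply(outerKey, pkcs5Pad([]byte(hex.EncodeToString(innerCT))), false)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(outerCT), nil
}

// IsHexText reports whether a decrypted layer still looks like hex, the tell
// that another layer, and another key, sits underneath.
func IsHexText(b []byte) bool {
	_, err := hex.DecodeString(string(b))
	return len(b) > 0 && err == nil
}

func main() {
	outerKey := []byte("outer-demo-key16") // constructed 16-byte demo keys
	innerKey := []byte("inner-demo-key16")
	blob, _ := EncodeConfig("127.0.0.1|1234|demo-password", outerKey, innerKey)
	mid, _ := decryptHex(outerKey, blob)
	fmt.Println("one key peeled, still hex:", IsHexText(mid))
	fmt.Println(DecodeConfig(blob, outerKey, innerKey))
}
```

The IsHexText check on the output of a single layer is the detail worth keeping in a decoder: a string copied from the memory dump is already one layer in, so it decodes with the inner key alone, while config.txt needs the outer key first. Feeding the wrong one in produces either a padding error or more hex rather than a config line, which is exactly the confusion described above.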
Several more self-generated samples later and I am confident that it’s using fixed keys. I’m waiting to get hold of some ‘live’ samples to do some more testing.
In the meantime this decrypter has been added to the expanding list of supported malware on malwareconfig.com.
That’s it for this post; my next post will look at extracting configs from a couple of .NET-based RATs. At some point I will also write a post officially launching malwareconfig.com, but there are a few more little kinks and some improvements to sort out before then.
As always, questions, queries and comments below.