03 October 2017

Evolution of jRAT JAVA Malware

Written by Pavankumar Chaudhari

jRAT (Java-based Remote Access Trojan) malware is not new, but its activity has increased in the last few months, and it is targeting various organizations. Every day, Quick Heal Security Labs identifies thousands of spam emails carrying weaponized JAR files as attachments. When executed, these malicious JARs, i.e., jRAT malware, infect the user's machine. Let's take a look at a detailed analysis of this malware.

Infection chain

Fig 1: jRat Infection Chain

The initial infection vector is a spam email. Because it looks legitimate, the user is tempted to download and open the attachment.

Fig 2: Spam Email

Below is a list of attachment names observed in these spam emails:

  • ITD_EFILING_FORM15CB_PR3.2.jar
  • MVD_SHPMNT_VSL_0004048_pdf.jar
  • Payment Swift Scan Copy 682017.pdf.jar
  • SHIPPING DOCUMENTS PDF.jar
  • SCAN DOC- 53862100.jar
  • FINAL COMPLETE SET OF SHIPPING DOCS.jar
  • PAYMENT_ADVISE_PDF.jar
  • PAYMENT_APLICATION_PDF.jar

Extracting the parent JAR file reveals Java packages with long random filenames that contain raw data and class files. We have observed that malware actors keep evolving these malicious JARs with numerous obfuscation patterns. Some of the patterns are shown below:

Fig 3: Different Obfuscation Patterns

Well-known decompilers fail to decompile the parent JAR file. The variation in obfuscation and the use of encryption (RSA, AES) make static analysis more complex. Let's see how the malware behaves when it is executed.

Executing the parent JAR file drops two ".vbs", two ".class", one ".reg" and one ".dll" file in the "%TEMP%" directory. Every dropped file has a unique role in the infection cycle. The parent JAR also checks for a virtual machine using the GlobalMemoryStatusEx() API, which reports the total physical and virtual memory available.

The parent JAR drops the VBS files in %TEMP% with random names. It also drops a JAR file with the extension '.class' in %TEMP% and then executes it. This dropped JAR file is the jRAT malware.

The images below show the dropped VBS files:

Fig 4: VBS File to list down AV’s

Fig 5: VBS File to list down Firewall Products

The jRAT malware then executes the VBS files using cscript.exe.

Fig 6: VBS File Execution by JAR

One of the VBS files uses WMI (Windows Management Instrumentation) to enumerate the installed firewall products, and the other uses the same mechanism to enumerate third-party antivirus products.

The parent JAR also drops the ".reg" file in %TEMP% and imports it using 'reg.exe'. It creates entries for frequently used analysis tools such as 'procexp.exe', 'wireshark.exe' and 'dumpcap.exe', as well as some security product processes, under the "Image File Execution Options" registry key. As a result, whenever one of these processes is started, it gets killed.

Some registry entries are shown below:

Fig 7: Registry Entry under Image File Execution

The parent JAR executes the actual jRAT JAR file using java.exe. This jRAT file is capable of communicating with a C&C server and can download an executable payload.
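The execution chain described above (a Java process spawning cscript.exe for the VBS files, reg.exe for the .reg file and a second java.exe for the dropped '.class' JAR, all from %TEMP%) can be detected from process-creation telemetry. The detection below is an added example, not part of the original post; the Sysmon-style events, paths and file names are constructed.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Program Files\Java\jre\bin\javaw.exe",
          r'javaw.exe -jar "C:\Users\u\Downloads\PAYMENT_ADVISE_PDF.jar"'),
    Event(201, 200, r"C:\Windows\System32\cscript.exe",
          r"cscript.exe C:\Users\u\AppData\Local\Temp\drop1.vbs"),
    Event(202, 200, r"C:\Windows\System32\reg.exe",
          r"reg.exe import C:\Users\u\AppData\Local\Temp\drop2.reg"),
    Event(203, 200, r"C:\Program Files\Java\jre\bin\java.exe",
          r"java.exe -jar C:\Users\u\AppData\Local\Temp\_0.1234.class"),
    # Benign control: a script run by explorer.exe from a non-temp location.
    Event(300, 100, r"C:\Windows\System32\cscript.exe",
          r"cscript.exe C:\Scripts\inventory.vbs"),
]

JAVA_IMAGES = ("java.exe", "javaw.exe")
SUSPICIOUS_CHILDREN = ("cscript.exe", "wscript.exe", "reg.exe", "java.exe", "javaw.exe")
# A script, .reg file, or JAR-disguised-as-.class being loaded from the user's temp dir.
TEMP_ARG = re.compile(r'\\AppData\\Local\\Temp\\[^\s"]+\.(vbs|reg|class|jar)\b', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_jrat_chains(events):
    """Flag children of a Java process that run scripts, reg imports or JARs from %TEMP%.

    Returns (pid, child_image, matched_temp_path) for each suspicious child."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in JAVA_IMAGES:
            continue
        if basename(e.image) not in SUSPICIOUS_CHILDREN:
            continue
        m = TEMP_ARG.search(e.cmdline)
        if m:
            alerts.append((e.pid, basename(e.image), m.group(0)))
    return alerts
```

Requiring both the Java parent and a %TEMP% argument keeps the rule from firing on ordinary administrative cscript.exe or reg.exe use.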

To achieve persistence, it adds an entry to an auto-run registry key so that it launches itself when the system reboots.

Fig 8: Persistence Entry in Registry

jRAT connects to the C&C IP "213.183.58[.]42". The image below shows the TLS-encrypted traffic after infection. After decoding the TCP stream on port 3012, we found a blacklisted certificate that is associated with the jRAT JAR.

Fig 9: TLS-Encrypted SSL Traffic

The image below shows the SSL certificate information; the certificate has an entry in the SSL Blacklist:

Fig 10: SSL Certificate Information

Seqrite detection stats

Seqrite Email Security generically detects such malicious attachments.

Detection Name: JAR.Suspicious.A

Fig 11: Quick Heal Lab detection stats

After analysing the entire jRAT JAR infection chain, we noticed that the malware authors have been consistently changing obfuscators to evade signature-based detection and are using anti-debugging and anti-VM techniques. Furthermore, the numerous ways in which the malware finds and disables security solutions show how far it has evolved.

Indicators of compromise


Subject Matter Expert

Prashant Kadam, Pawan Chaudhari | Quick Heal Security Labs
