Analyzing Adwind / JRAT Java Malware

  • Published on 22 Oct 2024

Comments • 45

  • @OALABS 6 years ago +2

    For a more in-depth tutorial on Java deobfuscation check out this great video from MalwareAnalysisForHedgehogs th-cam.com/video/SFaDTQiiiww/w-d-xo.html

  • @belialblack3182 6 years ago +5

    Great video!!! :) Another even quicker way I use:
    1. run the Process Hacker tool
    2. run the malware
    3. open javaw.exe / java.exe in Process Hacker and go into the Memory tab
    4. search for DNS, or whatever string is common to the config
    5. read the config file :)
    It's not analysis but more IOC extraction... anyway, still a pretty quick way to dump the config
    Cheers!

    • @OALABS 6 years ago

      That's a great tip! Definitely the fastest way to do it if you just want the config... also something that could potentially be automated : )

    • @belialblack3182 6 years ago +2

      Already automated but my python code is too ugly to show :D

    • @RuchirArya 6 years ago

      Is it open source? Are you on GitHub? I can contribute to your code to make it less ugly, lol. JK.
      But truly, if you are willing to share, I am open to contributions. :)

    • @belialblack3182 6 years ago +1

      I'm a small-time malware analyst :) no GitHub, Pastebin etc. Maybe it's time to get one. Sharing is no problem, but maybe it's better not to have the internals of security tools visible to malware devs.

    • @RuchirArya 6 years ago +1

      Belial Black, I agree. Very true. Well, GitLab might be a good idea for malware analysts because one can host private repositories for free. In GitHub there are no free private repos. :)
      Forgot to mention, @OALabs great video like always ;)
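
The memory-search tip in this thread, as an added example (the commenter's own script was not shared, and this is not OALabs code): given a raw dump of a javaw.exe memory region, carve the printable runs that contain a keyword such as DNS and pull the key/value pairs out of them. One detail that matters when doing this by hand in Process Hacker: on Java 8 a String's contents sit in the heap as a UTF-16 char[], so a config that is plain ASCII on disk shows up as "D\0N\0S\0" once it has been loaded into a String, and a search limited to ANSI text misses it. The dump bytes and the JSON-like config layout below are constructed for the example, not taken from a sample.

```python
"""Carve config-like strings out of a raw memory dump around a keyword hit.
Added example illustrating the Process Hacker tip above; it is not
belialblack3182's script and not OALabs code. Assumes the dump is a raw byte
blob (e.g. a region saved from Process Hacker) and that the config is a
JSON-like key/value blob; both are assumptions made for this example."""
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# Printable ASCII stored as UTF-16LE, e.g. b"D\x00N\x00S\x00": Java 8 keeps
# String contents in char[] arrays, so a config that was ASCII on disk shows
# up this way in the JVM heap once it has been read into a String.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
PAIR = re.compile(r'"([A-Za-z_]+)"\s*:\s*(?:"([^"]*)"|(\d+))')


def carve_strings(dump, keyword):
    """Return [(offset, encoding, text)] for every printable run that contains
    `keyword`, searching ASCII first and then UTF-16LE."""
    hits = []
    for enc, pattern in (("ascii", ASCII_RUN), ("utf-16le", UTF16_RUN)):
        needle = keyword.encode(enc)
        for m in pattern.finditer(dump):
            if needle in m.group(0):
                hits.append((m.start(), enc, m.group(0).decode(enc, "replace")))
    return hits


def extract_config(dump, keyword="DNS"):
    """Pull "KEY":value pairs out of each carved run that mentions `keyword`.
    Numeric values become ints; everything else is kept as text."""
    configs = []
    for offset, enc, text in carve_strings(dump, keyword):
        values = {k: (int(n) if n else s) for k, s, n in PAIR.findall(text)}
        if values:
            configs.append({"offset": offset, "encoding": enc, "values": values})
    return configs


def build_sample_dump():
    """Constructed stand-in for a javaw.exe memory region: non-printable noise,
    an ASCII copy of one config, and a second config held as a Java String."""
    ascii_cfg = b'{"NETWORK":[{"PORT":1604,"DNS":"c2.example.test"}],"DELAY_INSTALL":2}'
    java_str = '{"DNS":"backup.example.test","PORT":7777}'.encode("utf-16le")
    noise = bytes(range(32)) * 4  # bytes 0x00-0x1f only, never printable
    return noise + ascii_cfg + b"\x00" * 16 + java_str + b"\x00\x00" + noise


if __name__ == "__main__":
    for cfg in extract_config(build_sample_dump()):
        print("0x%06x %-8s %s" % (cfg["offset"], cfg["encoding"], cfg["values"]))
```

To run it on real data, read the dump with `open(path, "rb").read()` and hand it to `extract_config`; the regexes are deliberately loose so that a config still held in a byte[] (ASCII) and one already decoded into a String (UTF-16) are both found, which is the same reason a manual search in Process Hacker should cover both ANSI and Unicode strings.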

  • @tv8g 5 years ago +2

    Java keywords as var names are allowed by the JVM; it's just that javac (the Java compiler) does not allow those names to be used, but there are alternative compilers that do allow those names.

  • @thehen101 5 years ago +1

    I think when decompiling Java classes, it's worth your time to use as many decompilers as you have available. Some may not support lambda expressions, some might, some may not decompile flow obfuscation effectively, some might, etc.

  • @mkrul 6 years ago +2

    Hey, thanks for the video. I was also analyzing this sample on my own and I have to admit that your video was really helpful for me; however, I'm trying to see what the sample is sending to the C&C but the only clue I've got so far is that it is trying to establish an SSL connection on any of the 3 ports of the config file. Analyzing the source code is kind of a pain because the source in the second stage is either obfuscated or encrypted... have you had any luck on that?
    Cheers and keep up the good fight against malware!

    • @OALABS 6 years ago +1

      Hey glad you found the video helpful! I haven't looked at the C2 communication for Adwind very closely. I think where I would start is looking at the unpacked decoy version that is dropped since it is much easier to deobfuscate that than trying to extract the real Adwind classes directly from memory. The decoy version may have some hints about how the C2 messages are built and sent? If you post a blog on your findings I would be very interested to read it! Good luck!

  • @ducphanduy534 6 years ago +1

    Hi. I have subscribed to your channel for a while and you have really great content. I really love the videos. For the renaming of variables and class names of Java files, I am not sure if you have used IntelliJ IDEA or not. It's essentially just a Java IDE but you are able to refactor the class and field names pretty easily and you don't have to rename them manually whenever you encounter a variable whose name you'd changed before. I think that would speed up the deobfuscation. But anyway, great video as always!

    • @OALABS 6 years ago +1

      Hey that's a great idea! With the IDE when you rename a variable in one spot it will rename it throughout the code right? If that's the case it would really speed this up. Thanks again, and awesome to hear that you enjoy the videos : )

    • @ducphanduy534 6 years ago +1

      Yes. That's exactly what I am talking about. I have used it in some of my programming projects and they are really useful when you want to rename something but throughout the whole project!

  • @thole2157 5 years ago +2

    Great video. Can you please make a video instruction on how to locate the main() of an executable? (preferably for Windows EXE, but if time allows, including ELF would be even better)

    • @OALABS 5 years ago +1

      The entry point for an exe will be listed in the exports table in the PE. Most disassemblers will automatically identify this for you but you can always find it by looking in the exports. If the PE was compiled with VisualStudio (and is windowed app) then the export address will contain some setup code before calling WinMain but you should be able to spot the call pretty easily.

    • @thole2157 5 years ago +1

      @@OALABS Thanks for your reply. I know that the entry point is listed in the export table. However, compilers often add their code before making a jmp or call to the application's code. I find it difficult to determine where the real "interesting" code is. I'd appreciate it if you can provide hints/tips for it. Thanks

    • @OALABS 5 years ago

      Ah ok, this is a great question! So I remember when I was first starting out this was a big issue for me too, especially with malware that had been compiled with Visual Studio (as mentioned above). The compiler inserts a bunch of exception handling stuff and setup code as you have pointed out. One of the tricks I used starting out was to compile some simple code (opening and setting a registry key) with the free version of Visual Studio then I disassembled it in IDA and looked at the extra stuff that VS had added. I tried this for a few different compiler settings and project types to see the difference. After a while you can start to see a pattern of the VS code so you can mentally ignore it when you have to deal with real malware. This is a really good idea for a video and something we will probably cover this year, thanks!
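
The entry-point discussion above, as an added example that is not OALabs' code: the script reads AddressOfEntryPoint from the PE optional header, maps that RVA to a file offset through the section table, and then follows the first near `call` out of the entry stub, which is where a compiler start-up routine typically branches to its real work (modern MSVC, for instance, enters with a `call __security_init_cookie` followed by a `jmp` into the CRT's common main). The PE it parses is built inline, with a hand-written seven-byte stub at the entry, and is not a real binary.

```python
"""Resolve a PE's entry point to a file offset and follow the first call there.
Added example for the entry-point question above; not OALabs code. The PE it
parses is constructed inline and is not a real binary."""
import struct


def pe_entry_point(data):
    """Return (entry_rva, file_offset, section_name). AddressOfEntryPoint sits at
    offset 16 of the optional header for both PE32 and PE32+; the section table
    turns the RVA into a file offset."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    for i in range(nsections):
        sec = opt + opt_size + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[sec:sec + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sec + 8)
        if vaddr <= entry < vaddr + max(vsize, rawsize):
            return entry, rawptr + (entry - vaddr), name
    raise ValueError("entry point 0x%x lies outside every section" % entry)


def follow_call(data, rva, file_offset):
    """If the code at file_offset is a near call (E8 rel32), return the callee RVA,
    else None. rel32 is relative to the address of the next instruction."""
    if data[file_offset] != 0xE8:
        return None
    rel = struct.unpack_from("<i", data, file_offset + 1)[0]
    return rva + 5 + rel


def build_sample_pe():
    """Constructed PE32 with one .text section and AddressOfEntryPoint 0x1010.
    The entry holds `call +4 ; jmp $` so that follow_call has a target to resolve."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)     # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)      # FileAlignment
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200,
                           0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + text_hdr).ljust(0x200, b"\x00")
    text = bytearray(0x200)
    text[0x10:0x17] = b"\xe8\x04\x00\x00\x00\xeb\xfe"  # call 0x1019 ; jmp $
    text[0x19] = 0xC3                                   # the callee: ret
    return bytes(headers + text)


if __name__ == "__main__":
    pe = build_sample_pe()
    rva, off, sec = pe_entry_point(pe)
    print("entry RVA 0x%x -> file offset 0x%x in %s" % (rva, off, sec))
    print("first call goes to RVA 0x%x" % follow_call(pe, rva, off))
```

On a real sample, `pe_entry_point(open(path, "rb").read())` gives the spot to set the first breakpoint, and the callee returned by `follow_call` is where to start looking past the compiler's own setup code; IDA and x64dbg do the same mapping for you, but doing it by hand once makes the start-up pattern OALabs describes easier to recognise.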

  • @redmockingbird4704 6 years ago +2

    Great videos brother. But a small problem: I do watch it intuitively but I really don't know what's going on as I am trying to learn malware reverse engineering. Any tips for people like me who are stepping into this world and eager to learn but don't know where to start? Your advice will be a great help. If you can, please make a video on this topic and tell the learning path one should follow.

    • @OALABS 6 years ago +2

      Hey this is a great question and something that we get asked about a lot. I'm not sure it would make a great video since a lot of the suggestions are just pointers to other resources but I can do my best to provide an outline here. I think this is going to be a long response so apologies in advance ...
      As far as the actual learning path there are so many different ways to approach this depending on what you are interested in and what motivates you. Personally I find that I learn a lot faster if that learning is tied to completing a specific task... it just seems to motivate me more, but it may not be the same for everyone. For me picking a single piece of malware and then working through it step by step until I could understand each component was how I learned most of the skills I use today.
      As for actually learning these skills there are some resources I can point you to (as well as some shameless plugs for our own videos). These are ordered to reflect the natural progression of learning from the basics up to full-on reverse engineering.
      Getting Malware Samples To Analyze
      th-cam.com/video/SCJVW1E8dFA/w-d-xo.html
      Setting up a VM for analysis:
      oalabs.openanalysis.net/2018/07/16/oalabs_malware_analysis_virtual_machine/ or
      th-cam.com/video/qW-LzlVQyCg/w-d-xo.html
      Setting up Network Analysis For Your VM
      th-cam.com/video/DjKr-MYIqxo/w-d-xo.html
      Getting Started With Behavioural Analysis
      th-cam.com/video/noErOEHcAj8/w-d-xo.html
      Detecting Packed Malware
      th-cam.com/video/8AyM2loz3AU/w-d-xo.html
      th-cam.com/video/txnaqJETT2g/w-d-xo.html
      What is a Packer
      th-cam.com/video/uxlpRof1QWs/w-d-xo.html
      How To Use a Sandbox
      th-cam.com/video/rDQmh1yFWGU/w-d-xo.html
      Understanding PE Files
      th-cam.com/video/l6GjU8fm8sM/w-d-xo.html
      th-cam.com/video/3PcgwKffytI/w-d-xo.html
      th-cam.com/video/cc1tX1t_bLg/w-d-xo.html
      Getting Started With IDA
      th-cam.com/video/qCQRKLaz2nQ/w-d-xo.html
      Windows APIs
      th-cam.com/video/FgJpNspdQP0/w-d-xo.html
      th-cam.com/video/e1ejxu9B0dc/w-d-xo.html
      x86 ASM Intro
      th-cam.com/video/98p_6L442Tk/w-d-xo.html
      th-cam.com/video/UMXwT7w7HOs/w-d-xo.html
      th-cam.com/video/WaH-aqQ15Xg/w-d-xo.html
      th-cam.com/video/im09tdVnYwQ/w-d-xo.html
      In addition to these videos there are also more formal recorded lectures here opensecuritytraining.info/Training.html. Personally I found them too dry to just sit through but that's probably more a reflection of my learning style and not the content.
      At some point I think Sean and I are going to create some proper online paid training workshops to cover the basics but until then this should get you started. I know I am missing a ton of other good resources so I would encourage everyone to leave a comment with their own favourite learning resources.

    • @redmockingbird4704 6 years ago +1

      OALabs Thank you so much for your guidance. It really looks like that is what I needed, plus I do also see the correlation between the topics above and the pathway to learn reverse engineering. I certainly appreciate it.

  • @zahidadeel25 6 years ago +1

    very helpful sir. Thanks a lot.

    • @OALABS 6 years ago

      Thanks for the feedback, glad you found it helpful : )

  • @wojtess8613 2 years ago +1

    13:50 In Java bytecode you can actually give a variable a name that is a keyword; it is used to mess up decompiled code, something like IIlllIIllllII
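
Added example covering this comment and the one from @tv8g above about keywords as names (it is not OALabs code and was not extracted from an Adwind/JRAT sample): the class file format only needs a CONSTANT_Utf8 entry for a name, so nothing stops an obfuscator from writing `if` or `IIlllIIllllII` there, and a decompiler prints whatever it finds. The script parses the constant pool, flags Utf8 entries that are Java keywords or I/l/1 look-alikes, and rewrites them to readable names in the pool itself, so every decompiler run afterwards sees the same clean names. String literals and class names are left alone (the first are data, the second have to be renamed consistently across the whole JAR). The class file it operates on is built inline, and the look-alike pattern is an assumption about what obfuscators emit.

```python
"""Flag and rename constant-pool identifiers that javac would never emit
(Java keywords, I/l/1 look-alike names). Added example for this thread; not
OALabs code and not from an Adwind/JRAT sample. The class file is constructed."""
import re
import struct

JAVA_KEYWORDS = {
    "abstract", "assert", "boolean", "break", "byte", "case", "catch", "char", "class",
    "const", "continue", "default", "do", "double", "else", "enum", "extends", "final",
    "finally", "float", "for", "goto", "if", "implements", "import", "instanceof", "int",
    "interface", "long", "native", "new", "package", "private", "protected", "public",
    "return", "short", "static", "strictfp", "super", "switch", "synchronized", "this",
    "throw", "throws", "transient", "try", "void", "volatile", "while", "true", "false", "null",
}
LOOKALIKE = re.compile(r"^[Il1]{3,}$")  # assumed obfuscator style, e.g. IIlllIIllllII
# Payload size after the tag byte for each pool tag except Utf8 (tag 1: u2 length + bytes).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_constant_pool(data):
    """Return (entries, offset_after_pool); entries[i] = (tag, payload) for 1-based
    index i, None for index 0 and for the second slot a long/double occupies."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", data, 8)[0]
    entries, off, i = [None] * count, 10, 1
    while i < count:
        tag = data[off]
        if tag == 1:
            length = struct.unpack_from(">H", data, off + 1)[0]
            payload, off = data[off + 3:off + 3 + length], off + 3 + length
        elif tag in CP_SIZES:
            payload, off = data[off + 1:off + 1 + CP_SIZES[tag]], off + 1 + CP_SIZES[tag]
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, off))
        entries[i] = (tag, payload)
        i += 2 if tag in (5, 6) else 1
    return entries, off

def find_suspicious_names(entries):
    """Map pool index -> reason. Utf8 entries referenced by CONSTANT_String (8) are
    data, and CONSTANT_Class (7) names need a JAR-wide rename, so both are skipped."""
    protected = {struct.unpack(">H", e[1])[0] for e in entries if e and e[0] in (7, 8)}
    found = {}
    for idx, e in enumerate(entries):
        if not e or e[0] != 1 or idx in protected:
            continue
        name = e[1].decode("utf-8", "replace")
        if name in JAVA_KEYWORDS:
            found[idx] = "java keyword"
        elif LOOKALIKE.match(name):
            found[idx] = "look-alike name"
    return found

def rename_constant_pool(data):
    """Rewrite flagged Utf8 entries and return (new_class_bytes, {old: new}). Everything
    after the pool refers to it by index, not byte offset, so the tail is copied as is."""
    entries, end = parse_constant_pool(data)
    suspicious = find_suspicious_names(entries)
    out, mapping = bytearray(data[:10]), {}
    for idx, e in enumerate(entries):
        if e is None:
            continue
        tag, payload = e
        if idx in suspicious:
            old = payload.decode("utf-8", "replace")
            new = "kw_%s_%d" % (old, idx) if suspicious[idx] == "java keyword" else "obf_%d" % idx
            mapping[old], payload = new, new.encode("utf-8")
        out.append(tag)
        if tag == 1:
            out += struct.pack(">H", len(payload))
        out += payload
    return bytes(out + data[end:]), mapping

def _u2(n):
    return struct.pack(">H", n)

def _utf8(s):
    return b"\x01" + _u2(len(s.encode("utf-8"))) + s.encode("utf-8")

def build_sample_class():
    """Constructed minimal class (no fields, methods or attributes) with the kind of
    names an obfuscator emits. Sample data only, not a real Adwind class."""
    pool = [
        _utf8("IIllIIll"),          # 1: method name, referenced from #8
        _utf8("if"),                # 2: keyword used as an identifier
        _utf8("()V"),               # 3: descriptor, must stay
        _utf8("Foo"),               # 4: this class name
        b"\x07" + _u2(4),           # 5: CONSTANT_Class -> #4
        _utf8("IlIl"),              # 6: look-alike text, but it is a string literal
        b"\x08" + _u2(6),           # 7: CONSTANT_String -> #6
        b"\x0c" + _u2(1) + _u2(3),  # 8: CONSTANT_NameAndType -> #1, #3
        _utf8("lllIII"),            # 9: look-alike class name, left alone
        b"\x07" + _u2(9),           # 10: CONSTANT_Class -> #9
    ]
    header = b"\xca\xfe\xba\xbe" + _u2(0) + _u2(52) + _u2(len(pool) + 1)
    tail = _u2(0x0021) + _u2(5) + _u2(5) + _u2(0) * 4  # flags, this, super, 4 empty tables
    return header + b"".join(pool) + tail
```

Run `rename_constant_pool` over every .class in an extracted JAR and re-zip the result; since the rest of the class file addresses the pool by index, changing the length of a Utf8 entry does not disturb anything after it. Local variable names live in LocalVariableTable attributes, which also point at Utf8 entries, so they are covered by the same rewrite.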

  • @Options_99 4 years ago +1

    what is the difference between CreateProcessInternalW and CreateProcess()

    • @OALABS 4 years ago +1

      We actually made a whole video about this : )) th-cam.com/video/CiZ5D6wlIrw/w-d-xo.html

  • @cynetsoc 6 years ago +1

    Hello!
    Following your video, I got stuck with running bash commands on windows 7.
    This part was not explained. I'd love to get some reference to that!
    Thanks

    • @OALABS 6 years ago

      Ah, sorry, I must have missed explaining that my host is OSX and the VM I am using is Windows 7. When I need to run tools in a unix-type environment I switch back to my host, for example to run the bash commands. If you don't have an OSX or Linux host you can simply create a second Linux VM using a free copy of Ubuntu releases.ubuntu.com/16.04/ and use that VM for the bash commands etc.

    • @cynetsoc 6 years ago +1

      Thank you for your reply!

  • @imagoodguy7998 6 years ago +1

    Your tutorial is awesome. And I learned a lot from your channel.
    Btw, I am trying to replicate the part where you used x64dbg to unpack the adwind file and set a bp on CreateProcessInternalW. i follow everything but when I debugged the malware, it doesn't stop on the CreateProcessInternalW API. I'm still wondering why it didn't stop to my BP in my environment (status: Running, LastError: ERROR_SUCCESS, LastStatus: STATUS_NO_SUCH_FILE -> but im 100% that my file exists and put it in the Commandline like this: /java.exe -jar /adwind.jar). And when i looked at the console of java it showed ALLATORI (ascii-art). I've waited for about 10mins and nothing happened. same problem.
    Here's my VM setup:
    - Windows 7 64bit
    - using the latest x64dbg
    - java version 8 update 171 x64bit
    Do i really need to debug this in 32bit OS with a 32bit java? Thanks for the help;)

    • @OALABS 6 years ago

      I'm not sure I'll be of much help here as there could be a lot of things that are changed between the environments ... I guess the first thing to check is use ProcessMonitor to see if there is a second process created at all... If there is no process created at all then that might indicate some other issue. If there is a process created but your breakpoint is simply not hit you could try breakpoints on other create process calls farther up the chain (this shouldn't be the issue though). And you could just double check that you are in 64bit mode and not hooking wow64 stuff by accident. Off the top of my head I can't think of anything else obvious though... maybe someone reading this has some suggestions?

    • @imagoodguy7998 6 years ago

      Thanks for replying:) I really appreciate your suggestions. long live to you and to your channel my friend:)

  • @pratikmehta9580 6 years ago +1

    Thank u !!

    • @OALABS 6 years ago

      Thanks for the interesting sample to look at!

  • @emehtabuddin 6 years ago +2

    Can you do python malware next? Hopefully something with .pyd files that is hard to reverse

    • @OALABS 6 years ago

      This is actually fairly uncommon for malware but if you have a sample that you can send us the hash for we will definitely add it to the list.

  • @fksubbnevr6267 4 years ago +1

    Hi I really enjoyed this Java debugging. I can help you with some tips.

    • @OALABS 4 years ago

      Awesome! Post any tips you have in the comments, this is the best place for them to help others!

  • @AholicKnight 4 years ago +1

    Hey, do you know any good crackme sites? I can't find any good ones available anymore but people say you learn more if you crack commercial software. If you know some good crackme sites can you please reply back? Thanks.

    • @OALABS 4 years ago

      crackmes.one/ : )