Unveiling the Mysteries of Java Update Shellcode

Static Analysis & Reverse Engineering of Java Update Shellcode

Shellcode embedded in a C# "Java Update" loader is a common way to get a payload past defenses: the file is plain source, the bytes are just an array, and nothing in it looks like a compiled binary. Starting from a file hash, a VirusTotal lookup and a read of the source, this post walks through how the loader works, how to pull the shellcode out, and what the shellcode actually does.

File Hash & VT Analysis: Unveiling the Bad Boys

The sample is a C# source file, Malware.javaupdate.cs, with SHA-256 ea63f7eb9e3716fa620125689cfef1d5fed278ded90810e7c97db3b66b178a89. At the time of analysis only 1 of 56 engines on VirusTotal flagged it. That ratio is not a clean bill of health: a source file whose payload is a byte array gives signature-based engines very little to match on, so a low score on this kind of file should raise suspicion rather than lower it.

Analyzing Source Code:

Inside the source we find a C# class named "Java Update" with a single method, updatejava(). The interesting part of the method is a byte array called rsrc and the code around it, which follows a familiar pattern: the array is treated as shellcode and run on a new thread. Note that this is self-injection into the loader's own process, not injection into another process, so it needs nothing beyond a handful of P/Invoked kernel32 calls.

Workflow of the Loader:

The sequence is VirtualAlloc, memory copy, protection check, CreateThread. If rsrc holds shellcode, that sequence is the whole loader:

  • VirtualAlloc allocates a buffer of the array's size in the loader's own process.

  • The bytes of rsrc are copied into that buffer.

  • The code checks the protection on the buffer and changes it if it is not already executable, which is what VirtualProtect is for.

  • CreateThread starts a thread whose start address is the buffer, so the CLR hands control to whatever native code the byte array contains.

From a detection standpoint the sequence itself is the signal: a .NET assembly that P/Invokes VirtualAlloc, VirtualProtect and CreateThread and carries a large static byte array is worth flagging before anyone decodes the bytes.

Analyzing the Resource Array "rsrc":

To examine the shellcode on its own we copy the array declaration into a text file and convert the 0x.. literals back into raw bytes. The result is a binary blob that shellcode tools can load:

import re

# Pull every 0x?? literal out of the copied "byte[] rsrc = new byte[464] { ... };"
with open('shellcode.txt', 'r') as f:
    hex_bytes = re.findall(r'0x([0-9a-fA-F]{1,2})', f.read())
# Convert to raw bytes; writing the hex text itself would hand scdbg ASCII, not shellcode
shellcode = bytes(int(h, 16) for h in hex_bytes)
print(len(shellcode), 'bytes extracted')   # expect 464, the declared array size
with open('out.bin', 'wb') as w:
    w.write(shellcode)

Next we feed out.bin to scdbg (scdbg -f out.bin), which emulates the shellcode's x86 instructions and logs the Win32 API calls it makes. The trace tells a clear story:

  • Loading the wininet library: the shellcode loads wininet.dll and resolves the WinINet functions it needs, so it is using the Windows HTTP stack rather than carrying its own network code.

  • Contacting a web host on port 443: an outbound connection to an external server on the HTTPS port. The host the trace prints is the first indicator to record.

  • Downloading and creating a file: the response is written to disk, behaviour consistent with a dropper.

  • Executing the file with the WinExec API: the dropped file is run. That makes the shellcode a download-and-execute stager; the real payload is whatever sits on that server.

scdbg emulates rather than executes, so nothing is actually fetched and the second stage never touches the analysis box. The host, port and file name in the trace are the pivots for hunting; to analyse the second stage you would have to retrieve it separately, if the server is still up.
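
The emulator's findings can be cross-checked statically. Shellcode of this kind rarely stores API names as strings; many stagers (Metasploit's block_api is the common example) resolve them by a ROR-13 hash of the module and function names and push that hash before calling the resolver. Scanning the extracted bytes for known hashes shows which APIs the code can reach without running it. This is an added example, not code from the original post; it assumes the ROR-13 scheme (the post does not say which resolver the sample uses), and the buffer it scans is constructed here rather than taken from rsrc.

```python
import struct

MASK32 = 0xFFFFFFFF


def ror13(x):
    """32-bit rotate right by 13, the stager's 'ror edi, 13'."""
    return ((x >> 13) | (x << 19)) & MASK32


def _hash_bytes(data):
    h = 0
    for b in data:
        h = (ror13(h) + b) & MASK32
    return h


def api_hash(module, function):
    """block_api hash: ROR-13 over the upper-cased, null-terminated UTF-16LE module
    name plus ROR-13 over the null-terminated ASCII function name, mod 2^32."""
    mod = (module.upper() + "\0").encode("utf-16-le")
    fn = (function + "\0").encode("ascii")
    return (_hash_bytes(mod) + _hash_bytes(fn)) & MASK32


# APIs a download-and-execute stager would need. The table is computed from the
# names at import time, so no hash constants are hard-coded.
CANDIDATES = (
    [("kernel32.dll", f) for f in (
        "LoadLibraryA", "VirtualAlloc", "VirtualProtect", "CreateThread",
        "CreateFileA", "WriteFile", "CloseHandle", "WinExec", "ExitProcess",
        "ExitThread", "Sleep")]
    + [("wininet.dll", f) for f in (
        "InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
        "HttpSendRequestA", "InternetReadFile", "InternetSetOptionA",
        "InternetOpenUrlA", "InternetCloseHandle")]
    + [("ws2_32.dll", f) for f in ("WSAStartup", "WSASocketA", "connect", "recv")]
)
HASH_TABLE = {api_hash(m, f): f"{m.lower()}!{f}" for m, f in CANDIDATES}


def scan_hashes(buf):
    """[(offset, 'module!Function')] for every known hash found little-endian at
    any byte offset. A 4-byte match in a few hundred bytes is a strong hint, not
    proof, so read the hits in order and see whether they make a coherent flow."""
    hits = []
    for off in range(len(buf) - 3):
        val = struct.unpack_from("<I", buf, off)[0]
        if val in HASH_TABLE:
            hits.append((off, HASH_TABLE[val]))
    return hits


def ascii_strings(buf, min_len=5):
    """Printable runs of at least min_len bytes, e.g. the 'wininet' that the
    stager hands to LoadLibraryA by name."""
    out, run, start = [], bytearray(), 0
    for i, b in enumerate(buf):
        if 0x20 <= b < 0x7F:
            if not run:
                start = i
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append((start, run.decode()))
            run = bytearray()
    if len(run) >= min_len:
        out.append((start, run.decode()))
    return out


def constructed_sample():
    """CONSTRUCTED stand-in, not the rsrc bytes from the sample: 'push imm32'
    (0x68) of each hash followed by 'call ebp' (FF D5), in the order a
    download/exec stager would resolve them, plus the 'wininet' string."""
    order = [("kernel32.dll", "LoadLibraryA"), ("wininet.dll", "InternetOpenA"),
             ("wininet.dll", "InternetConnectA"), ("wininet.dll", "HttpOpenRequestA"),
             ("wininet.dll", "HttpSendRequestA"), ("wininet.dll", "InternetReadFile"),
             ("kernel32.dll", "CreateFileA"), ("kernel32.dll", "WriteFile"),
             ("kernel32.dll", "WinExec")]
    buf = bytearray(b"\x90" * 8 + b"wininet\x00")
    for m, f in order:
        buf += b"\x68" + struct.pack("<I", api_hash(m, f)) + b"\xff\xd5"
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for off, name in scan_hashes(data):
        print(f"{off:#06x}  {name}")
    for off, s in ascii_strings(data):
        print(f"{off:#06x}  \"{s}\"")
```

Run `python hashscan.py out.bin` on the extracted bytes. Hits for wininet.dll!InternetConnectA and kernel32.dll!WinExec corroborate the scdbg trace from the bytes alone. No hits means the sample uses a different resolver or is encoded, which is a prompt to look at the prologue, not evidence that the bytes are harmless.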

Summary

This article dissected a C# class posing as a Java updater. The class holds a byte array named rsrc and runs it through the standard VirtualAlloc, copy, VirtualProtect, CreateThread loader sequence. Extracting the array to raw bytes and emulating it with scdbg showed a download-and-execute stager: it loads wininet, connects to a host on port 443, writes the response to a file and runs it with WinExec. VirusTotal detection was 1/56 at the time of analysis.

Conclusion

A file hash, a VirusTotal lookup, a read of the source and one emulator run were enough to classify this sample: a low-detection C# loader carrying a download-and-execute stager. The loader pattern is the thing to detect, since it is the same whatever the array contains, and the host and file name from the trace are the indicators to hunt for. Stay curious and keep looking beneath the surface.