2

I came across a jar that was in a malicious e-mail and did not observe any callbacks with it, so I decided to take a deeper look into it. First I tried to use jd-gui, but all I would get is this type of structure below.

Name of Jar.jar
(default package) 
  Main.class 
META_INF
plugins
  Server.class
ID - Used as part of Server.class it appears
MANIFEST.MF 40KB Resource File I believe

Main.class

public class Main extends ClassLoader
{
}

Server.class

package plugins;

import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.net.Socket;
import java.util.Properties;

public abstract class Server
{
 public static Properties config;
 public Socket socket;
 public ObjectOutputStream out;
 public ObjectInputStream in;

 public abstract void onLine();

 public abstract void offLine();

 public abstract String getId();

}

Doing some research I came across a crowdstrike article detailing how to setup a eclipse setup to examine external jar files at the byte code level, especially when they are obfuscated, which this appeared to be. http://www.crowdstrike.com/blog/native-java-bytecode-debugging-without-source-code/

Using the Byte Code Visualizer I was able to see a bit more of what was going on, but I still was not able to debug it.

Snippet of Main.class via Byte Code Visualizer

     /* class file format version 50.0 (java 1.6) */

public class Main extends java.lang.ClassLoader {

    /* compiled from y */

    java.io.ByteArrayOutputStream iIiIiiiIii;

    private final java.util.HashMap<java.lang.String, java.lang.Class> iIiiIIIIiI;

    private final java.util.HashMap<java.lang.String, byte[]> ALLATORIxDEMOxASAASDmaDASDriASDASDDASDASDASDADQWDQWlloQWDasdasdasdsd;

    private void IIiIiIIIII(java.util.jar.JarInputStream arg0) throws java.io.IOException {
        /* L100 */
        0 getstatic 1;            /* java.lang.System.out */
        3 ldc_w 284;              /* "\u0018-\u001a+\u001c)\u001e'\u0010/" */
        6 invokestatic 260;       /* java.lang.String Main.ALLATORIxDEMOxASAASDmaDASDriASDASDDASDASDASDADQWDQWlloQWDasdasdasdsd(java.lang.String arg0) */
        9 invokevirtual 2;        /* void println(java.lang.String arg0) */
        /* L653 */
        12 getstatic 1;           /* java.lang.System.out */
        15 ldc_w 284;             /* "\u0018-\u001a+\u001c)\u001e'\u0010/" */
        18 invokestatic 260;      /* java.lang.String Main.ALLATORIxDEMOxASAASDmaDASDriASDASDDASDASDASDADQWDQWlloQWDasdasdasdsd(java.lang.String arg0) */
        21 invokevirtual 2;       /* void println(java.lang.String arg0) */

Instead of being able to debug this, I end up getting a "main type" issue.

Selection does not contain a main type

If anyone is interested, I will e-mail you the sample. I am a Java novice at best, so any insight on how to get this to debug properly is much appreciated.

user2292661
  • 145
  • 1
  • 2
  • 9

2 Answers

1

I'm probably too late to answer this; however, after almost 7 years, last night I faced this exact issue.

So if anyone is in this situation: you have an encrypted .jar malware sample, are using Eclipse IDE with Bytecode Visualizer installed (plugin) and followed (or want to follow) this guide: https://www.crowdstrike.com/blog/native-java-bytecode-debugging-without-source-code/, nothing will work (if you just did it exactly as the guide says and, like me, have 0 experience in Java).

The problem is that in Eclipse there is no main function defined when you import your .jar; you imported it as an external library and I don't know why (yes, even selecting your project folder as your source path) it doesn't load it. The solution is this:

  1. Identify the malware's main class: you can do it by reading the MANIFEST.MF file; it will show you exactly the name of the class.

(In this example I looked at my MANIFEST.MF file and saw that the name of the main class is: maldad.Start)

  2. Create a new debug template (Debug -> Debug Configurations -> double click on Java Application)

  3. Now configure the template: put any name you want, and in the Main class box set the name of the class you extracted from MANIFEST, in this case maldad.Start; click Apply, and if you already have a breakpoint you can debug your malware now :D

This is probably too easy or basic for an experienced Java dev; however, for someone who doesn't know anything about Java it is useful. Also, I didn't find this solution in any of the online searches I did.
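Step 1 of the answer above (pulling the Main-Class out of MANIFEST.MF so it can be typed into the Eclipse debug configuration) can be automated during triage. The script below is an added example, not code from the question, the answer or the CrowdStrike guide: it builds a constructed in-memory jar whose manifest names the hypothetical main class maldad.Start from the answer, then parses the manifest (joining the 72-byte continuation lines that the jar tool produces) and lists the .class entries, which are the breakpoint candidates.

```python
import io
import zipfile

# Constructed sample manifest (not the sample from the question). The long
# Class-Path header is deliberately wrapped the way the jar tool wraps at 72 bytes.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.6.0 (constructed)\r\n"
    "Main-Class: maldad.Start\r\n"
    "Class-Path: lib/a-very-long-name-that-the-jar-tool-wraps-at-seventy-two-b\r\n"
    " ytes.jar\r\n"
    "\r\n"
)

def build_sample_jar() -> bytes:
    """Build a constructed jar in memory; the .class bodies are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
        zf.writestr("maldad/Start.class", b"\xca\xfe\xba\xbe")   # placeholder, not real bytecode
        zf.writestr("plugins/Server.class", b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    return buf.getvalue()

def parse_manifest(text: str) -> dict:
    """Parse the main section of a JAR manifest into a header dict.
    A line starting with one space continues the previous header value, so
    continuation lines are joined before the value is stored."""
    headers = {}
    last_key = None
    for raw in text.splitlines():
        if raw == "":
            break  # blank line ends the main section; per-entry sections follow
        if raw.startswith(" ") and last_key is not None:
            headers[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        headers[last_key] = value.strip()
    return headers

def jar_entry_point(jar_bytes: bytes) -> dict:
    """Return the Main-Class (for the Eclipse debug config) and the class names in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        classes = sorted(n[:-6].replace("/", ".") for n in zf.namelist() if n.endswith(".class"))
    return {"main_class": manifest.get("Main-Class"), "classes": classes, "headers": manifest}

if __name__ == "__main__":
    info = jar_entry_point(build_sample_jar())
    print("Main-Class for the Eclipse debug configuration:", info["main_class"])
    print("Classes present (breakpoint candidates):", ", ".join(info["classes"]))
```

Point jar_entry_point at the bytes of a real jar (open(path, "rb").read()) to get the value for the Main class box; if Main-Class is missing, the jar is not a runnable application and the entry point has to be found another way.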

0

You can look at http://jd.benow.ca/; it also provides an IDE plugin that allows you to debug byte code.

Beyt
  • 43
  • 5