Please propose all changes regarding references on the Malpedia library page. Your suggestion will be reviewed before being published. Thank you for contributing!
Please enable JavaScript to use all features of this site. Propose Change for jar. In which category would you like to suggest a change? What would you like to do? Please select an option Suggest an alias Change the common name. New Alias for jar.
Create a new account. Log In. Know what is JRAT? Got another good explanation for JRAT? Don't keep it to yourself! Add it HERE! Still can't find the acronym definition you were looking for?
Use our Power Search technology to look for more unique definitions from across the web! Search the web. Citation Use the citation options below to add these abbreviations to your bibliography. Below are two code snippets displaying how the split strings are defined, and how one split string is concatenated. Part of the split strings will be combined as Java code to be executed later by a ScriptEngine object by calling its eval function.
It also attempts to hide the keyword code. Below is an example of calling eval function:. The result is an AES key used to decrypt other classes, so the key is saved in the variable com. This variant also contains a lot of resource files see the file list in Figure 3 , which are encrypted.
The parent-jar reads and decrypts them, and then some of them will be combined as Java class files, constant strings, or URL strings. When started with Java. Jrat" and "q. It then loads data from a resource file and decrypts it using the AES algorithm to get a class file. I added comments to the code for better understanding. It contains four methods: bytes, criminal, go and resource.
The go method is the entry method of this class. I dumped the class to a local file and then decompiled it, so in the snippet below you can see how the class qeaqtor. Loader and its member variables are declared, as well as the code of method go. As I said above, this is the first element in a resource chain.
It is a path to the AES encrypted resource file. Figure 6 is the screenshot of the partially decrypted data. In this way, it can load all resources in the resource chain and then put the decrypted data together into a mainBaos object.
This class contains two members, Key and Value. You get the Value by Key calling its get function. In this case, the Value consists of the resource path and AES decryption key.
In the following steps, using this LinkedHashMap object, the malware can read and decrypt a number of resource files, including URL, more dynamic class files, and the dropped working jar file. Figure 7 shows one pair of K and V from the object paths.
It contains pairs of K and V. The next step in the go method is to load all of these classes except for the first one it has already been loaded. Th rough paths.
It calls the Loader. It then accesses this URL and downloads a new file to replace the current parent-jar and run it. In short, it upgrades itself every time it starts. Figure 8, below, contains the code snippet.
The Header.
0コメント