Details
To begin today's analysis, we first define what a Java JAR is: a JAR (Java ARchive) is a package file format typically used to aggregate many Java class files and their associated metadata and resources (text, images, etc.) into one file for distribution.
Simply put, this is the final "executable" you get when you compile and package your Java code for distribution. Under the hood a JAR is an ordinary ZIP archive with a manifest (META-INF/MANIFEST.MF); as long as a Java runtime is installed on your machine, and the manifest names a Main-Class, you can run a JAR file by double clicking it.
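Because a JAR is just a ZIP with a manifest, a first triage pass does not need the JVM at all. The following is an added example (not code from the original post): it builds a constructed sample JAR in memory, reads the manifest to find the entry point, and flags any `.class` entry that does not carry the `0xCAFEBABE` class-file magic. The `Main-Class: Viante` value in the sample is an assumption made for the example, not something read from the analysed file.

```python
import io
import zipfile

# Added example, not the original post's code. The sample JAR is constructed
# here; its class entries carry only the 0xCAFEBABE magic and no real bytecode.

CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def parse_manifest(text):
    """Parse the main section of META-INF/MANIFEST.MF.

    Continuation lines start with a single space; a blank line ends the section.
    """
    attrs = {}
    last = None
    for line in text.splitlines():
        if not line:
            break
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def triage_jar(data):
    """Static look at a JAR: entry point, class list, and .class entries that are not class files."""
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not a ZIP/JAR (missing PK signature)")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        classes = sorted(n for n in names if n.endswith(".class"))
        not_class = [n for n in classes if not zf.read(n).startswith(CLASS_MAGIC)]
    return {
        "main_class": parse_manifest(manifest).get("Main-Class"),
        "classes": classes,
        "not_class": not_class,
    }


def build_sample_jar():
    """Constructed sample JAR; Main-Class is an assumed value for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: Viante\r\n\r\n")
        zf.writestr("Viante.class", CLASS_MAGIC + b"\x00" * 12)
        zf.writestr("a.class", CLASS_MAGIC + b"\x00" * 12)
        zf.writestr("resource.class", b"not bytecode")  # wrong contents under a .class name
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

Run it against a real sample by passing `open(path, "rb").read()` to `triage_jar`; the `not_class` list is a quick way to spot resources or encrypted blobs hidden under a `.class` name before opening the file in JD-GUI.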
To analyze a JAR file we can use JD-GUI (Java Decompiler) to reverse the compiled bytecode back to legible Java source. In the case of our file today we see many 'blank' classes. These were most likely added by the author as noise to slow down analysis, or they are placeholders for functionality that has not been implemented yet.
Scrolling down the class tree on the left, we soon come to the "Viante" class, which is where the main functionality of this malware resides.
We can see that this particular code is fairly straightforward and only lightly obfuscated, with randomly named variables. We can still easily follow the execution path and see that the malware reaches out to "http://191.252.2.91/0509/" to download "kk.zip". If we manually browse to this IP and directory we can see that the malware author has staged many other zips for download:
We downloaded all of the zips above to check their contents, and they were all identical; the only variance is the zip name, as seen above. This suggests the author is distributing different JAR variants, each hard-coded to fetch one of the differently named zips. Since every archive contains the same payload, this JAR does not appear to be distributing separate malware campaigns (e.g. one for ransomware, another for banking trojans, another for adware).
If we traverse back to the IP itself we discover that it is running Apache 2 with default settings. This is... shall we say... amateurish? If we were so inclined to poke around this server a bit, I'm sure we could find quite a few other things still set to defaults. But that is outside the scope of this analysis, and I DO NOT recommend doing this, as it may violate the law.
Malware hosting server aside, we continue our analysis by extracting the contents of the downloaded zip and discover 5 separate files carrying .png extensions that do not match their contents.
As we follow the JAR code to the end we see that it renames the .png files to .exe, .drv and .db. All three renamed files start with an MZ header, the signature of a Windows PE image (an executable, DLL or driver), whatever extension the dropper gives them.
After the renaming we end up with the following files, which are then executed through "VM.exe".
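The extension-swapping trick above is defeated by looking at headers instead of names. The following is an added example (not code from the original post or the malware itself): it walks a constructed stand-in for the downloaded archive, identifies each member by magic bytes, and for MZ files goes one step further than the post by parsing the PE headers to tell an EXE from a DLL (IMAGE_FILE_DLL in the COFF Characteristics) and from a kernel driver (native subsystem in the optional header). The member names and the minimal PE images are constructed for the example; nothing here is taken from the real kk.zip.

```python
import io
import os
import struct
import zipfile

# Added example, not the original post's code. All archive contents below are
# constructed: minimal PE headers with no code, and a bare PNG signature.

IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_NATIVE = 1


def classify_pe(data):
    """Return 'exe', 'dll', 'driver' or 'mz-only' for data that starts with MZ."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "mz-only"  # DOS header with no NT headers behind it
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+.
    subsystem = struct.unpack_from("<H", data, coff + 20 + 68)[0]
    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        return "driver"  # heuristic: kernel-mode drivers use the native subsystem
    if characteristics & IMAGE_FILE_DLL:
        return "dll"
    return "exe"


def sniff(data):
    """Identify a file by its magic bytes, ignoring its name."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"MZ"):
        return classify_pe(data)
    return "unknown"


EXPECTED_BY_EXT = {".png": "png", ".zip": "zip", ".jar": "zip",
                   ".exe": "exe", ".dll": "dll", ".drv": "driver", ".sys": "driver"}


def inspect_archive(zip_bytes):
    """Map each member name to (type claimed by extension, type found in header)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            ext = os.path.splitext(name)[1].lower()
            head = zf.read(name)[:4096]  # the headers are all we need
            report[name] = (EXPECTED_BY_EXT.get(ext, "unknown"), sniff(head))
    return report


def mismatches(report):
    """Names whose extension lies about their contents."""
    return sorted(name for name, (claimed, actual) in report.items() if claimed != actual)


def build_pe(kind):
    """Constructed minimal PE: DOS header, NT signature, COFF and optional headers only."""
    characteristics = 0x0102  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    subsystem = 2             # IMAGE_SUBSYSTEM_WINDOWS_GUI
    if kind == "dll":
        characteristics |= IMAGE_FILE_DLL
    elif kind == "driver":
        subsystem = IMAGE_SUBSYSTEM_NATIVE
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + b"PE\x00\x00" + coff + bytes(opt)


def build_sample_zip():
    """Constructed stand-in for the downloaded archive: PE images named as PNGs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VM.png", build_pe("exe"))
        zf.writestr("driver.png", build_pe("driver"))
        zf.writestr("lib.png", build_pe("dll"))
        zf.writestr("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    rep = inspect_archive(build_sample_zip())
    for name, (claimed, actual) in rep.items():
        print(f"{name:12} claimed={claimed:8} actual={actual}")
    print("mismatched:", mismatches(rep))
```

On a real archive, pass the bytes of the downloaded zip to `inspect_archive`; anything that comes back as `exe`, `dll` or `driver` under a `.png` name is exactly the dropper behaviour described above, and the sub-type tells you which of the renamed files is the loader and which are the components it loads.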