Dumping COVID-19.jar with Java Instrumentation


There is a generic and easy way to unpack Java malware that is not well-known yet. For demonstration I use a recent JAR malware sample that jumps on the COVID-19 bandwagon.

From the point of view of a threat actor, Java based malware has the advantage that it works regardless of the operating system as long as Java is installed. While the numbers of Java malware have declined in the last 5 years, certain strains are still seen frequently in the wild, e.g., the backdoor Adwind. Malware authors are also still creating new Java based strains like the information stealer Qealler which was first seen in February 2019.

Almost all of those threats are packed, using protection tools like Allatori which makes reverse engineering a bit harder.

In the following video I demonstrate a generic way to unpack Java based malware dynamically. This method uses Java instrumentation, more specifically Java Agents. They are a tool for developers to change the behaviour of their programs without having to modify the original source code. The Java Agent is part of a separate JAR file that is applied to the actual software while running it. That way developers can easily add profiling or logging.

In this instance a Java Agent will dump all Java classes while they are being executed, thus dynamically unpacking the protected payload.

Karsten Hahn
Malware Analyst