Thursday, September 17, 2015

JAR steals Windows Product Key!

ge.tt - The ge.tt sharing website is used by a large number of people to share documents and other files. Like other file-sharing websites, ge.tt is also abused to spread malware. I recently came across one such link on the ge.tt site that was responsible for stealing the "Windows Product Key" from the infected machine.

It all starts with a link that downloads a JAR file - "http://ge.tt/api/1/files/3EZXQfK2/0/blob?download/REDACTED.jar". On the surface this JAR file looks legitimate and quite innocent. Below is a snapshot from JD-GUI.


Looking at the code in JD-GUI closely, we can see that there is a non-class file - "resources.dat". This looks interesting. Digging deeper into the code, we find that the "resources.dat" file is read and decompressed at runtime. The code below is responsible for that:

The above code reads the "resource.dat" file and passes the data it read as the argument to the "decompress" function. A snapshot of the "decompress" method is below:


The above code inflates (decompresses) the passed data using the "inflate" method of a zlib Inflater. The same can be expressed in Python as below:


import zlib

def main():
    # Read the compressed resource exactly as the JAR's loader does
    with open("C:\\resource.dat", "rb") as f:
        data = f.read()

    # zlib.decompress mirrors the Java Inflater used by the "decompress" method
    data = zlib.decompress(data)
    print(data)

    # Save the inflated payload (another JAR) so it can be loaded into JD-GUI
    with open("C:\\resource_decompress.dat", "wb") as f:
        f.write(data)

if __name__ == '__main__':
    main()

Executing the above code decompresses the "resource.dat" file, which yields another JAR file. Loading that JAR file into JD-GUI reveals the actual malicious code.
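The nested-JAR trick above (an innocent-looking outer JAR whose non-class resource is a zlib stream that inflates into the real payload) is easy to check for in bulk. The following triage script is an added example, not code from the post or from the sample; it walks every non-.class entry of a JAR, attempts a zlib inflate, and reports entries that turn out to be another JAR. The "dropper" it scans is constructed in memory, with made-up entry names and fake class bytes, so it runs offline.

```python
import io
import zipfile
import zlib

def find_embedded_jars(jar_bytes):
    """Return (entry, packed_size, inflated_size) for every non-.class entry
    of a JAR that zlib-inflates into another JAR. Mirrors the loader pattern
    seen in the post: the payload JAR was stored as a zlib stream in
    'resources.dat' and inflated at runtime."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or info.filename.endswith(".class"):
                continue
            raw = jar.read(info.filename)
            try:
                inflated = zlib.decompress(raw)
            except zlib.error:
                continue  # not a zlib stream, e.g. a plain properties file
            # A JAR is a zip archive; require a manifest or class files inside
            if inflated[:2] == b"PK" and zipfile.is_zipfile(io.BytesIO(inflated)):
                with zipfile.ZipFile(io.BytesIO(inflated)) as inner:
                    names = inner.namelist()
                if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
                    hits.append((info.filename, len(raw), len(inflated)))
    return hits

def build_sample_dropper(embed_payload=True):
    """Constructed sample (not the real malware): an outer JAR whose
    'resources.dat' entry is a zlib-compressed inner JAR. Class entries are
    just the 0xCAFEBABE magic plus padding, enough to look like class files."""
    fake_class = b"\xca\xfe\xba\xbe" + b"\x00" * 12
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Payload\n")
        z.writestr("Payload.class", fake_class)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        z.writestr("Loader.class", fake_class)
        z.writestr("config.properties", "mode=quiet\n")  # benign resource, not zlib
        if embed_payload:
            z.writestr("resources.dat", zlib.compress(inner.getvalue()))
    return outer.getvalue()

if __name__ == "__main__":
    for name, packed, unpacked in find_embedded_jars(build_sample_dropper()):
        print(f"{name}: zlib stream of {packed} bytes inflates to a {unpacked}-byte JAR")
```

Point find_embedded_jars at the bytes of a real sample to get the same report; a hit is a strong signal that the visible code is only a loader and the inflated entry is what deserves the JD-GUI treatment.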


The above code from the decompressed JAR is responsible for fetching the "Product ID". The key is then sent to a remote server.


That's all for now!
