当前位置: 文江博客话题详情

“无法从 client.jar 加载主类清单属性”在可能的恶意软件 .jar 文件中?

发布于 2024-12-13 05:40:08 字数 846 浏览 1 评论 0原文

我在客户的计算机上发现了一个 Client.jar 文件,其中包含两个 .class 文件,我可以将它们反编译为这两个文件:

Client.java

I.java

而且还有一个I.gif,一看就知道不是GIF用十六进制编辑器。

他们显然很困惑,而且我对 Java 不太感兴趣。我尝试在虚拟机中运行,但它告诉我“无法从 Client.jar 加载主类清单属性”

可能是主类不在清单中,但如何修复这? 这是否意味着它无法在客户的计算机上运行?

还有一个 META-INF 文件夹,其中包含文件 MANIFEST.MF、ME.DSA、ME.SF。

MANIFEST.MF 看起来像这样:

Manifest-Version: 1.0
Created-By: 1.6.0_20 (Sun Microsystems Inc.)

Name: Client.class
SHA1-Digest: ex7bAth9HYUTIi8EcpeOc1OsVMg=

Name: I/I.class
SHA1-Digest: 0H6A7/XmOCNhayPI9TwC45Mky4s=

Name: I/I.gif
SHA1-Digest: AzzSpXaRFMYvtYJvrnFsHQDvJkE=

我想通过在沙箱或虚拟机中运行它来进一步分析它,该错误意味着什么我该如何运行它?

这显然是某种恶意软件,因此只有专家才能回答这个问题。提前致谢!

原文

I found a Client.jar file on a customer's computer, containing two .class files which I could decompile to this two files:

Client.java

I.java

Moreover there's a I.gif which is obviously no GIF looking at it with a hex editor.

They're obviously obfuscated and I'm not into Java that much. I tried to run in in a VM but it tells me "Failed to load Main-Class manifest attribute from Client.jar"

Might be, that the main class is not in the manifest, but how to fix this? Does this mean, it could not be run on the customer's computer?

There's also a META-INF folder containing the files MANIFEST.MF, ME.DSA, ME.SF.

MANIFEST.MF looks like that:

Manifest-Version: 1.0
Created-By: 1.6.0_20 (Sun Microsystems Inc.)

Name: Client.class
SHA1-Digest: ex7bAth9HYUTIi8EcpeOc1OsVMg=

Name: I/I.class
SHA1-Digest: 0H6A7/XmOCNhayPI9TwC45Mky4s=

Name: I/I.gif
SHA1-Digest: AzzSpXaRFMYvtYJvrnFsHQDvJkE=

I would like to analyse this further by running it in sandboxie or VM, what does the error mean how can I run it?

It's obviously some sort of malware, so only experts should answer this. Thanks in advance!

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

妄司 2024-12-20 05:40:08

为了从 jar 文件启动 Java 应用程序,它必须知道哪个类构成入口点。该类需要一个 main 方法。它可以在 jar 的 MANIFEST.MF 文件中指定,也可以在运行时指定(例如,从命令行)。

反编译的类(确实似乎被混淆了)不包含 main 方法。所以这不会是一个可以作为独立应用程序运行的 jar。但是,Client 扩展了 Applet,表明它旨在作为浏览器中的 Web applet 运行。检查此页面以了解如何运行它。

如果您怀疑它是恶意的,最好通过一堆病毒/间谍软件/广告软件扫描程序来运行它。

编辑:更改代码并使用 gif 运行它后(如果您不确定自己在做什么,请不要这样做!),我已经得出这样的结论:

首先,“gif”将以某种迂回的方式进行解码。它的前三个字节决定了 gif 其余部分将被加载到的字节数组的大小。该字节数组的一部分用于构造小程序中使用的字符串。

当小程序初始化时,它将获取小程序参数 AMLMAFOIEA 的值。该参数需要在包含小程序的 HTML 中设置,因此该值将取决于运行小程序的页面。 这里是详细信息

之后,它将获取环境变量TEMP的值。就我而言,它指向我的用户目录中的AppData\Local\Temp。它会将 \JavaLoad.exe 附加到此路径并使用该路径创建一个 FileOutputStream,因此显然它会尝试在临时文件夹中写出 JavaLoad.exe 文件。

然后,它将与 AMLMAFOIEA 小程序参数指定的 URL 建立 HTTP 连接,并将其请求方法设置为 GET。将从连接中打开一个流,并将其内容转储到 JavaLoad.exe 文件中。

代码块的不断重复

  if ((this.b == this.c) && (this.b + I.I(1) == this.c + I.I(1)))
  {
    this.b = I.I(4);
    this.c = I.I(6);
    this.b = this.c;
  }

似乎没有任何作用。它可能是由混淆器添加的,以使您偏离轨道,因为这似乎不会产生任何功能影响。所有重要的事情都是在这些测试之外完成的,并且字段 bc 似乎从未用于任何真正有用的东西,只有字段 a< /code> 用于保存目标 URL 字符串。

所以,总而言之,这看起来确实很可疑。但它真正尝试从哪个 URL 下载内容将取决于小程序的环境。不幸的是,这并没有向我们指出任何真正的来源。也许这是一个通用的特洛伊木马客户端,供任何希望通过带有小程序的站点传递恶意负载的人使用。由于小程序在权限有限的沙箱中运行,因此我不确定这是否有效。我也不知道它最终将如何运行JavaLoad.exe。我想它依赖于一些其他期望该文件存在的进程,也许通常是无害的。

这很有趣。感谢您的资源。如果您不是 Java 开发人员并且不知道如何从代码中删除危险部分,我建议您不要尝试自己运行任何此类内容。

In order to start a Java application from a jar file, it must know which class forms the entry point. That class needs a main method. It can either be specified in the jar's MANIFEST.MF file, or specified when running (for example, from the command line).

The decompiled classes (which do indeed seem to be obfuscated) don't contain a main method. So this wouldn't be a jar that's runnable as a stand-alone app. However, Client extends Applet, indicating this was intended to be run as a web applet in a browser. Check this page to find out how you can run it.

Probably best to run it through a bunch of virus/spyware/adware scanners if you suspect it's malicious.

EDIT: after altering the code and running it with the gif (don't do this if you're not certain about what you're doing!), I've come to the conclusion that this is what happens:

First, the "gif" is gonna be decoded in a somewhat round-about way. Its first three bytes determine the size of a byte array that the rest of the gif is gonna be loaded into. Parts of this byte array are used to construct Strings that are used in the applet.

When the applet is initialized, it's gonna fetch the value of applet parameter AMLMAFOIEA. This parameter needs to be set in the HTML that contains the applet, so the value is going to be dependent on the page that the applet is run from. Here's the details of how this is set.

After that, it's gonna get the value of environment variable TEMP. In my case, this pointed to AppData\Local\Temp in my user directory. It's gonna append \JavaLoad.exe to this and use that path to create a FileOutputStream, so obviously it's trying to write out a JavaLoad.exe file in your temp folder.

It will then establish a HTTP connection to a URL specified by the AMLMAFOIEA applet parameter, setting its request method to GET. A stream will be opened from the connection and its contents dumped into the JavaLoad.exe file.

The constant repetition of the code block

  if ((this.b == this.c) && (this.b + I.I(1) == this.c + I.I(1)))
  {
    this.b = I.I(4);
    this.c = I.I(6);
    this.b = this.c;
  }

seems to do nothing at all. It might have been added by an obfuscator to throw you off track since this doesn't seem to have any functional impact whatsoever. All the important stuff is done outside of those tests and the fields b and c don't ever seem to be used for anything really functional, only field a is used to hold the target URL String.

So, in conclusion, this does seem very suspicious. But what URL it truly tries to download stuff from will depend on the applet's environment. Unfortunately this doesn't point us to any true source. Maybe this is a general trojan client that's intended for use by anyone who wishes to deliver a malicious payload via a site with applets. Since applets run in a sandbox with limited permissions, I'm not certain if this'd work at all. I also don't know how it will eventually run JavaLoad.exe. I suppose it relies on some other process that expects this file to exist, maybe something normally harmless.

This was interesting. Thanks for the resources. I suggest you don't try to run any of this stuff yourself if you're not a Java developer and don't know how to take the dangerous portions out of the code.

回复 原文
萌吟 2024-12-20 05:40:08

正如您在帖子中看到的那样,MANIFEST.MF 不包含主类属性。这可能是一个特洛伊下载器,它肯定会打开一个http连接,下载文件并执行它们。 gif 文件似乎包含 url。

我强烈建议删除这个 jar 并扫描计算机是否有恶意软件!不要尝试执行它。

The MANIFEST.MF does not contain a main class attribute, as you can see in your post. This could be a troyan downloader, it definitly opens a httpconnection, downloads files and executes them. The gif file seems to contain the url.

I would strongly recommend to delete this jar and scan the computer for malware! Do not try to execute it.

回复 原文
~没有更多了~

关于作者

手心的温暖

暂无简介

0 文章
0 评论
23 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

Gabu-gabumon

文章 0 评论 0

qq_CgiN62

文章 0 评论 0

荔枝明

文章 0 评论 0

赏烟花じ飞满天

文章 0 评论 0

独守阴晴ぅ圆缺

文章 0 评论 0

¤→小豸慧

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文