Author Topic: the uh, arg continues  (Read 7333 times)

Congrats Markey, you just executed a RAT.
And nothing of value was lost.

it's more than likely the .jar file is malicious, not really much of a reason for someone to send a .jar in an email anyways.

also, the site is some random Arabic political site of some sort

I opened it using command prompt and nothing happened. Not too sure what to say about this, it could be malicious.

run the scans, you're probably forgeted unless you used a VM or sandbox

also why would you open it using command prompt; might as well have executed it iirc. It's a far safer bet to open it via notepad or something than to pretty much execute it.
« Last Edit: June 28, 2014, 07:52:22 PM by QuadStorm »

Send it to malwarebytes or avast to look at so they can start classifying it as a rat/malware
« Last Edit: June 28, 2014, 08:07:18 PM by Rockinboy2000 »

I can't believe I'm saying this but... it looks like it does nothing at all.





Those are the only two class files. The ID file just contains the text "9OXe9a3WswY" and I'm not sure what it's used for. Manifest.MF does literally nothing in terms of code.

There is more in the class files to indicate it does do something but so far none of the decompilers I've used have been able to show any more code than what you see in the first screenshot. I'll be trying further.




I just finished decompiling JarMain for real this time, I'll be posting in a minute

I can't believe I'm saying this but... it looks like it does nothing at all.





Those are the only two class files. The ID file just contains the text "9OXe9a3WswY" and I'm not sure what it's used for. Manifest.MF does literally nothing in terms of code.

There is more in the class files to indicate it does do something but so far none of the decompilers I've used have been able to show any more code than what you see in the first screenshot. I'll be trying further.
I see sockets in there. It must have some sort of networking functionality. Definitely supports the idea of a RAT. It's 45kb so there's got to be more than just a few lines (yeah I realize the actual jar is a binary file) to it.

I sent a reply email but don't expect anything in return.
Also I was sent this at 19:09 today EST, and gmail says it was "over smtp.com"

I ran it in Sandboxie and I couldn't find any dropped files, but it ran without an error so it's not a minecraft mod. If it's a RAT then it has Sandboxie detection, which would explain the lack of dropped files.
Ipquarx hopefully will figure something out.

Uh... Well. I should probably put a gun to my head.

Decompilation of the main function failed for whatever reason which is really unfortunate because it means I can't manually trace through the code to see what it would do, but here's the source for JarMain.class: http://pastebin.com/7dGeeh7J

EDIT: it's a rat. http://www.reddit.com/r/ReverseEngineering/comments/2291z8/how_badly_did_i_get_owned/

It's not a RAT. Do you think antivirus companies are so clueless not to detect RATs in .jar files? This is 2014, not 1995


It's not a RAT. Do you think antivirus companies are so clueless not to detect RATs in .jar files? This is 2014, not 1995


Do you see the highlighted text? It says ALLATORIxDEMOx UnrecomClassLoader

First part is Allatori demo, and a quick Google search reveals that Allatori is a Java obfuscator.

Second part is Unrecom Class Loader. Again, a quick Google search reveals that's a Java RAT.


So in other words, RIP markey
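The string-based identification above (an obfuscator marker plus a known loader name inside the class files, alongside the manifest and the ID file) can be done without ever running the jar. Added example, not code from anyone in this thread: a small static triage script that unpacks a .jar with the standard library, reads the Main-Class from MANIFEST.MF and the ID entry, and greps each .class for marker strings. The sample jar it builds is constructed here for the demo; the Allatori and Unrecom names come from the thread, the other patterns are generic heuristics of my own.

```python
import io
import re
import zipfile

# Marker patterns. ALLATORI and UnrecomClassLoader are the strings seen in the
# thread; the Socket and Runtime entries are assumed generic heuristics.
MARKERS = {
    "allatori_obfuscator": re.compile(rb"ALLATORI", re.I),
    "unrecom_loader": re.compile(rb"UnrecomClassLoader"),
    "socket_api": re.compile(rb"java/net/Socket"),
    "runtime_exec": re.compile(rb"java/lang/Runtime"),
}


def triage_jar(jar_bytes):
    """Static triage of a .jar: list entries, read the manifest and the ID
    entry, and grep each class file for marker strings. Nothing is executed."""
    findings = {"entries": [], "main_class": None, "id_file": None, "hits": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            findings["entries"].append(info.filename)
            data = zf.read(info.filename)
            if info.filename.upper() == "META-INF/MANIFEST.MF":
                m = re.search(rb"^Main-Class:\s*(\S+)", data, re.M)
                if m:
                    findings["main_class"] = m.group(1).decode("ascii", "replace")
            elif info.filename == "ID":
                findings["id_file"] = data.decode("ascii", "replace").strip()
            elif info.filename.endswith(".class"):
                for name, pat in MARKERS.items():
                    if pat.search(data):
                        findings["hits"].setdefault(name, []).append(info.filename)
    return findings


def build_sample_jar():
    """Constructed sample mimicking the thread's layout (two classes, an ID
    file, a manifest). Not the real attachment; class bodies are fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: JarMain\r\n\r\n")
        zf.writestr("ID", "EXAMPLE-ID\n")  # placeholder, not the real value
        zf.writestr("JarMain.class", b"\xca\xfe\xba\xbe"
                    b"ALLATORIxDEMOxUnrecomClassLoader" b"java/net/Socket")
        zf.writestr("Helper.class", b"\xca\xfe\xba\xbe" b"java/lang/Object")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

For a real sample, pass the file's bytes to triage_jar() from a non-executing host; a hit on the obfuscator marker alone is a reason to escalate, not proof by itself.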