JEB2 plugins for document formats

As explained in our June 18 blog, JEB2 architecture and back-end API allows the development of third-party code: Plugins such as disassemblers, decompilers, parsers, or else, can be easily integrated to provide analysis capability for virtually any type of data.

We have been working on proof-of-concepts plugins for various file formats internally, such as:

An Adobe PDF file format plugin. The plugin provides deep PDF view and navigation, anomaly detection, binary correspondence, and more. Coupled with other JEB2 analysis plugins (such as a JavaScript beautifier plugin), that makes for a powerful PDF reverse-engineering tool:

jeb2-pdf-2 jeb2-pdf-1

jeb2-pdf-0

A Microsoft Compound File / OLE file, for various document types, such as Excel in the pictures below:

jeb2-ole-4 jeb2-ole-1

 

jeb2-ole-3 jeb2-ole-2

We also have plugins for ELF object files, MIPS machine code, Android OAT resource extraction, ETC1 image reconstruction, etc.

Plugins can work on several types of input, including the output of other plugins, for recursive and deep analysis in artifact data. We are planning to open up the back-end API shortly after the full versions release, which will happen in mid July.

Some of those plugins will be open-source, we hope they provide  great tutorials and insights into plugins writing for the JEB2 back-end API.

What is changing with JEB2

As we announced yesterday, the demo version of JEB2 beta is now available for download! We are very excited about this new product, and here is why:

New features and improvements

  • A complete separation of the front- and back-end

This enables the creation of various front-ends: high-end customers can craft their own clients. They may be graphical, command-line based, or integrated within an automation pipeline.

Connected to that design point is the new, rich UI desktop platform, which had been on our road-map for quite some time. Our customers will now enjoy the power of Eclipse RCP as their primary official front-end.

  • A modular, plugin-based back-end architecture

This allows JEB2 to go beyond Android-only files. Although our primary focus stays on mobile, JEB2 is now able to support any type of binary parser, text beautifier, code disassembler, decompiler, or more generally, input transformer.

JEB2 ships with various modules designed to enable Android static analysis. Other modules will be shipped in the medium-term. Our customers will receive those modules via the traditional update channels. Some will be open-source. and available on our GitHub repository.

Application Programming Interfaces (APIs) will allow developers to write their own back-end plugins, back-end transformers, and, in the case of the official RCP front-end, client scripts. Our Full versions will ship with plugins to demonstrate what can be done with the back-end API: we will provide proof-of-concept plugins to support files such as Android OAT, Android JOBB expansion pack, Linux ELF, or MIPS binary code, to name a few.

From an immediate features perspective, JEB2 offers advanced capabilities such as virtual hierarchies and package renaming, optimized memory and computing usage when dealing with big files, multiple views and complete code hierarchies, side-by-side disassembly and decompiled code, the ability to analyze multiple artifacts within a single session.

JEB2 also supports artifact re-parsing. Recursive processing and artifact analysis delegation, manual or automatic, was a crucial design goal. We will demonstrate those capabilities in future blogs, the user manual, as well as YouTube videos.

A technical note regarding JEB 1.x to JEB2 migration:

  • JEB 1.x database files (“JDB”) files are not compatible with their JEB2 counterparts. We may provide a tool to convert or extract the information out of JDB files. However, it is unlikely that it ships with the initial release of JEB2;
  • JEB 1.x API is not compatible with the back-end API of JEB2.

A new subscription model

JEB2 is moving away from the traditional “perpetual license” model. JEB2 remains a desktop software, but is now subscription-based. This allows us to:

  • make sure all customers are using the most recent software release, a condition required to provide efficient and timely support;
  • offer flexible plans, ranging from a monthly standard package for one-off consulting tasks, to complete packages with API access, floating seats, and more.

Here are some additional details. We are currently planning to offer three plans: Standard, Business and Enterprise. The Standard package – just like the public demo build – does require an Internet connection to operate. Professional packages (Business and Enterprise) do not: they are fully-functional in air-gaps, a common industry practice when analyzing malicious code. The professional packages also offer APIs and support levels. Please refer to the pricing page for details.

Customers with a valid JEB 1.x license will receive an equivalent JEB2 subscription till the end of their current support period.

  • JEB 1.x Full → JEB2 Business
  • JEB 1.x Floating → JEB2 Enterprise

All JEB 1.x quotes that were issued before June 17, 2015, will be honored. JEB 1.x will receive fixes for major issues. We may also consult on special requests for JEB 1.x.

Finally, users with a valid JEB 1.x license will be able to use it according to the terms of the original user agreement.

More to come

The official release of JEB2 is being finalized as we speak. Most of the final tweaks will based on further internal testing and your feedback during this demo period. Give a try to the demo version of our latest beta build and let us know your comments via email, forum, or Twitter. We will continue to post on this blog to address questions and provide additional details over the coming weeks. Thank you.

Red October Malware for Android

Blue Coat Systems recently released a paper about the Inception APT (also dubbed Cloud Atlas, it may be connected to the Red October APT). One component of this APT is an Android trojan, masquerading as a Whatsapp update package. It is able to record audio calls, as well as gather, encrypt and exfiltrate user information.

The 4 strings partially written in Hindi that have been speculated on are those:

redoctober-android-img1

redoctober-android-img2

redoctober-android-img3

For researchers wanting to have a peak inside the APK, we are providing JEB decompiled Java code for one such sample.

Download is here: cloudatlas-android-malware-decompiled.zip

FinFisher FinSpy Mobile app for Android decompiled

The fully decompiled code and assets of 421and.apk can be found here: FinSpyMobileAndroid-decompiled.zip (no password).

This particular APK, although not the latest, is not obfuscated and easily reveals most capabilities of the malware:

  • Location tracker
  • Information stealer (calendar, contact list, text messages, Whatsapp databases, etc.)
  • Remotely controlled through encrypted communication over SMS and data

A great recap of the full story can be read on Netzpolitik. Real time updates are on Twitter.

JEB Jar Plugins

Maintenance release 1.5.201408040 introduces support for Java Archive (Jar) plugins. Unlike Java scripts/plugins, running JEB using a JDK is not required, as the Jar plugin already contains compiled code.

Jar plugins allow for complex, multi-class plugins, and referencing external libraries is easy via Manifest entries.

The plugins/ sub-directory of your JEB installation directory contains a sample JAR plugin (SamplePluginJar.jar) as well as the associated source code (SamplePluginJar-src.zip). You can use this plugin’s source code as a template for your own Jar plugins. The build.xml file is a simple Apache Ant build file used to compile source files (located in src/) and package the generated *.class files into a single Jar, with appropriate JEB-specific Manifest entries set up.

About JEB-specific Manifest entries: unlike single source (Python, Java source) plugins, that define plugin metadata with a special comment line (#? for Python, //? for Java), Jar plugins use Manifest entries prefixed by JebPlugin- to define those entries:

  • JebPlugin-entryclass: (mandatory) set to the class that contains the plugin entry-point
  • JebPlugin-name: (optional) plugin name (as it will appear in “Action / Custom Actions…” menu)
  • Jeb-Plugin-shortcut: (optional) keyboard shortcut
  • JebPlugin-help: (optional) help information
  • JebPlugin-author: (optional) plugin’s author information

The above values can be set up by customizing the build.xml Ant file. Also, just like stand-alone Jar files loaded by the Java VM executable, the Manifest entry Class-Path can be set to reference external Jar files or repository of *.class files. Those entries will be added to the class path when JEB loads the plugin.

Please let us know on the forum if you have any question.

Using the AST Tagging API

JEB version 1.5.201404100 introduces new methods to the AST IElement objects, attachTag() and retrieveTag(). These methods allow an API user to tag elements of Abstract Syntax Trees. When a tagged tree is rendered (that is, when decompiled Java code is being generated), tags are processed and provided to the user alongside the decompiled code, with associated text coordinates (line, column). Within the API documentation, a “located tag” is referred to as a mark.

One example use case: Tagging nodes of an AST can be useful if the yielded source code is of specific interest, and potentially require follow-up human analysis.

The example below shows how one can navigate a Class tree, looking for specific calls to findViewById:

def processTree(e):
  if isinstance(e, Call) and e.getMethod().getName() == 'findViewById' and ... :
    print 'Tagging Call element:', e #e.getMethod().getName()
    e.attachTag('testTag', 'Calling interesting findViewById')
  if e:
    # recursively process sub-elements
    for e1 in e.getSubElements():
      processTree(e1)

sig = ...
ast = self.jeb.getDecompiledClassTree(sig)  # assume the class was decompiled
processTree(e)

The Class tree can be rendered by calling the newly introduced overloaded decompile(sig, is_class, regenerate, marks) method:

marks = []
decompiled_class = self.jeb.decompile(sig, True, False, marks)
print marks

Remember to set regenerate to False since you want to avoid re-decompilation (doing so would generate a new, tag-less AST).

The marks array will contain the precise locations (lines and columns) of each tag within the decompiled_class text buffer.

Hopefully, this simplistic example showed you how to use the new AST tagging methods. Happy reversing and code analysis.

Developing JEB plugins in Java with Eclipse

This tutorial explains how to configure an Eclipse IDE project to develop JEB plugins efficiently.

1 – Create a regular Java project. In this example, the project is named JEBPlugin.

2 – Add jeb.jar to the Build path. Edit the project Build path (right-click, Build Path, Configure Build Path…).

Select “Add External JARs…“, add select jeb.jar located in your JEB/bin installation folder.

3 – Attach the API docs to the JEB jar file. Unfold the newly added “jeb.jar” entry, click Javadoc location, then Edit.

Point to either the online Java doc at https://www.pnfsoftware.com/jeb1/apidoc or use an offline Javadoc archive, either present in your JEB installation folder (typically, doc/apidoc.zip), or downloaded from https://www.pnfsoftware.com/jeb1/downloads.

4 – You’re done! You can now develop native Java JEB plugins. Remember that the main plugin class must be in the default package (ie, no package), and implement jeb.api.IScript. This blog contains several How-to’s on plugin development. You will find even more examples on our Download section on the main website.

Decompiled Java code for Android MisoSMS

Yesterday was eventful on the Android malware front. After Mouabad reported by Lookout, FireEye reported MisoSMS. It might also have been reported by Sophos at roughly the same time.

The malicious application is used in several campaigns to steal SMS and send them to China, according to FireEye’s blog post.

Many of you would like to examine and study its code, that’s why I uploaded an archive with the source code decompiled by JEB 1.4, as well as a cleaned-up manifest. Link: MisoSMS_JEB_decomp_20131217

misosms_mainact

Decompiling Android Mouabad

Lookout has an interesting article about Android Mouabad. Yet another Korean SMS malware!

The APK fully decompiled by JEB 1.4 can be found here: mouabad_JEB_decomp_20131217.zip. I haven’t refactored or commented the code, these are raw decompiled classes.

mouabad_sms_receiver

Sample MD5 68DF97CD5FB2A54B135B5A5071AE11CF is available on Contagio.