Sunday, 22 March 2015

AlienSpy Java Rat Overview

AlienSpy is a cross-platform Java RAT with support for Windows, Linux and Mac OS X systems.
The samples I was able to analyze used a demo version of the Allatori Java Obfuscator (v5.3), which can be seen in the obfuscated method naming and in the splash screen shown when the malware is launched.

Allatori Name Obfuscation

Allatori Splash Screen

I won't dive into the Allatori obfuscation methods or the container in detail other than to understand how the malicious jar is encapsulated within the package.  The container has a simple structure containing two resource files (config.ini & password.ini) and four class files.

Jar Overview
Once executed the container follows a simple path to decrypt and execute the payload.
  • Init LoadStub Thread
  • Load config.ini contents
  • Spawn DecryptStub Thread
  • Create key -- Load password.ini contents and append static_key (set in LoadPassword.class)
  • Decrypt config.ini using created key 
  • Spawn LoadStubDecrypted
  • Initialize JarInputStream object from decoded config data
  • Spawn thread with decoded Jar

Unpacking the Payload

Analyzing the decryption method in the DecryptStub class shows that the encryption has changed from previous versions. The payload stored in the config.ini file is encrypted using RC4, and the RC4 key is the SHA-256 hash of a dynamic key (stored in the password.ini file) concatenated with a static key defined in LoadPassword.class.

Looking at the de-obfuscated strings in the LoadPassword class shows the static key as ALSKEOPQLFKJDUSIKSJAUIE. 

Appending Static Key
The sha256 hash is then created from the combined dynamic and static key.

key = sha256(dynamic_key + static_key)

For this sample the key is calculated using the following:


To extract the properties (config.xml) or the entire payload I've put together a script to decode the latest version of the AlienSpy RAT.
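The container's unpacking path (key = sha256(dynamic_key + static_key), RC4 over config.ini, then treating the result as a jar) is short enough to reproduce in a few dozen lines. The following is an added example written for this page, not the author's script and not AlienSpy's own code. It assumes the raw 32-byte digest is used as the RC4 key and that config.ini holds the raw ciphertext; both are assumptions, and the sample it decrypts is a constructed stand-in built by build_sample(), not a real AlienSpy artifact. The static key is the one quoted above.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

# Static key recovered from LoadPassword.class (as quoted in the write-up).
STATIC_KEY = "ALSKEOPQLFKJDUSIKSJAUIE"


def derive_key(dynamic_key, static_key=STATIC_KEY):
    """key = sha256(dynamic_key + static_key).

    Assumption: the raw 32-byte digest is fed to RC4. If a sample turns out to
    use the hex digest instead, swap .digest() for .hexdigest().encode().
    """
    return hashlib.sha256((dynamic_key + static_key).encode("utf-8")).digest()


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_payload(config_ini, password_ini):
    """Mirror the container: build the key from password.ini, decrypt config.ini.

    Assumption: config.ini holds the raw RC4 ciphertext. If a sample stores it
    as text (for example base64), strip that layer first. The zip magic check
    is the quickest way to tell a wrong key from a wrong encoding layer.
    """
    dynamic_key = password_ini.decode("utf-8").strip()
    payload = rc4(derive_key(dynamic_key), config_ini)
    if payload[:4] != b"PK\x03\x04":
        raise ValueError("decrypted data is not a jar/zip: wrong key or extra encoding layer")
    return payload


def extract_properties(decrypted_jar, name="config.xml"):
    """Pull config.xml (Java Properties XML) out of the decrypted jar as a dict."""
    with zipfile.ZipFile(io.BytesIO(decrypted_jar)) as jar:
        root = ET.fromstring(jar.read(name))
    return {entry.get("key"): (entry.text or "") for entry in root.iter("entry")}


def build_sample(dynamic_key):
    """Constructed stand-in for a real sample (not an AlienSpy artifact): a minimal
    jar holding a config.xml, RC4-encrypted the way the container expects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "config.xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            "<properties>"
            '<entry key="DNS">c2.example.invalid</entry>'
            '<entry key="PORT">1337</entry>'
            '<entry key="INSTALL">true</entry>'
            "</properties>",
        )
    config_ini = rc4(derive_key(dynamic_key), buf.getvalue())
    return config_ini, dynamic_key.encode("utf-8")


if __name__ == "__main__":
    config_ini, password_ini = build_sample("dynamic-key-from-password.ini")
    print(extract_properties(decrypt_payload(config_ini, password_ini)))
```

Against a real container, read config.ini and password.ini out of the jar with zipfile and pass their bytes to decrypt_payload(); if the magic check fails, try the hex-digest key variant before assuming the sample has changed again.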

Once the RAT is decoded we can decompile it and take a look at the layout and functionality. The decoded AlienSpy RAT has a simple layout containing two resources, config.xml and keystore.test, and a collection of classes within three packages.


When the malware is launched it checks the INSTALL property which is populated from the config.xml resource. If the property is set to True the installation method is triggered using the following properties to generate the directory and file on the host system. 

  • JAR_FOLDER    - Name of the folder to copy the malware into
  • JAR_NAME      - Name of the file
  • JAR_EXTENSION - Extension of the file
  • JAR_REGISTRY  - Name of the persistence setting


On Windows systems the malware is copied to a new directory under %APPDATA% and a new value under the Run key is created to launch the malware. The value name is the string defined in the JAR_REGISTRY config setting and the value data is the command line to launch the malware, 'java -jar <path-to-jar>'. The jar path and file name are defined by the JAR_ properties described above.

Depending on whether the user is a local administrator or not, the value is created under the Run key in HKLM or HKCU, so the persistence applies either to the whole system or only to the current user. To check if the user is an administrator the file tem.txt is created within the Windows directory and deleted. If this succeeds the Administrator property is set to true.


On a Linux system the jar file is copied to the hidden directory <JAR_FOLDER> within the user's home directory and renamed to <JAR_NAME>.<JAR_EXTENSION>. The malware then creates a .desktop file within the user's autostart directory, ~/.config/autostart/<JAR_REGISTRY>.desktop, to launch the RAT when the desktop session is started.


On Mac OS X, as on Linux, the malware copies the jar into a new directory <JAR_FOLDER> in the user's home. It then creates a launchd job in the user's Library/LaunchAgents directory as com.<JAR_REGISTRY>.plist.

The generated plist has the optional key RunAtLoad set to true; this instructs launchd to run the job once when it is loaded, i.e. when the user logs in.

Once the job file is created, it then runs the command "chflags hidden <JAR_FOLDER>" to set the hidden flag and hide the directory from the UI. 

Sandbox Detection

When executed AlienSpy checks whether it is running inside a VirtualBox or VMware guest. If it detects that it is running within a VM the application exits. The detection technique isn't advanced: it looks for files installed as part of the VM guest tools, so an analysis VM with the guest tools removed (or those paths renamed) will not be detected. 

For VirtualBox this is either the file "/etc/init.d/vboxadd" on Linux or the directory "Oracle\Virtualbox Guest Additions" on Windows. On Mac OS X no VirtualBox check is made and the method simply returns false.

VirtualBox Detection

Similarly, for VMware the markers are the directory "/etc/vmware-tools" on Linux, "/Library/Application Support/VMware Tools" on Mac OS X and "VMware\VMware Tools" on Windows.

VMWare Detection


AlienSpy uses SSL Sockets to communicate with the C2 server. The server and port are both defined within the config.xml file. 
  • DNS   - Hostname or IP address
  • PORT - TCP port 
The jar file contains a keystore resource keystore.test which is used to trust the C2 SSL certificate. Using keytool we can look at the contained certificates. 

Note: The password for the keystore is 'storepass' and is defined in utils\AlienSSLSocket.class

When examining the certificate details I was able to trace it back to a how-to post on SSLSockets and creating a keystore. 

The majority of settings for the certificate have just been directly copied from the examples in the article (keystore name, password and certificate properties). 

C2 Subscription

To subscribe to the C2 server the RAT first creates and configures the SSL connection, then sends the value 1 followed by the properties describing the host system. At this point the malware is in listening mode, waiting for commands from the C2 server.


Once connected to the C2 server the RAT waits for a command. Commands have a simple syntax of command_id [1..10] and an optional payload for the command.

Id   Payload                                   Action
1    [0] Message Type                          Display message box
     [1] Option Type
     [2] Title
     [3] Message
2    [0] URL                                   Open the URL the requested number of times;
     [1] Number of times to open the URL       hardcoded to sleep 2s every iteration
3    N/A                                       Shutdown
4    N/A                                       Restart
5    N/A                                       Uninstall
6    N/A                                       Update Offline
7    URL for update                            Update Online
8    [0] URL for download                      Download & Execute
     [1] Extension to append to file
9    Plugin Name                               Run Plugin
10   N/A                                       Start Heartbeat

From what I've observed the first command after subscription is generally '10' which instructs the infected host to begin sending a heartbeat every 60 seconds.  

  • Write 1 
  • Write PINGPONG
  • Sleep 60s

The heartbeat will continue running on a separate user thread while the malware waits for the next command from the server.
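Because the heartbeat rides the existing SSL session, what a network sensor sees is not a new connection every minute but a small, same-sized client-to-server record every 60 seconds on one long-lived connection; the PINGPONG content itself is hidden by the encryption. The detector below is an added example for this page (not the author's code or anything from the RAT): it groups client-to-server records by (src, dst, port) and flags sessions whose inter-record gaps cluster around 60 s. The records in sample_records() are constructed, the addresses and port are placeholders, and the thresholds (tolerance, minimum count, 80% regularity) are my own choices.

```python
from collections import defaultdict
from statistics import median, pstdev

# The RAT sleeps 60 s between heartbeat writes (per the write-up).
HEARTBEAT_INTERVAL = 60.0


def find_heartbeats(records, interval=HEARTBEAT_INTERVAL, tolerance=3.0,
                    min_count=5, min_regular_ratio=0.8):
    """Flag (src, dst, dport) sessions whose client-to-server data records
    arrive at a near-constant interval.

    records: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port, payload_bytes)
             for client-to-server records on long-lived connections, e.g. exported
             from a packet capture. Returns a dict keyed by (src, dst, dport).
    A missed beat produces one double-length gap, which the ratio test tolerates.
    """
    sessions = defaultdict(list)
    for ts, src, dst, dport, size in records:
        sessions[(src, dst, dport)].append((ts, size))

    hits = {}
    for key, events in sessions.items():
        if len(events) < min_count:
            continue
        events.sort()
        times = [t for t, _ in events]
        sizes = [s for _, s in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        regular = sum(1 for g in gaps if abs(g - interval) <= tolerance)
        ratio = regular / len(gaps)
        if ratio >= min_regular_ratio:
            hits[key] = {
                "count": len(events),
                "median_gap": round(median(gaps), 1),
                "regular_ratio": round(ratio, 2),
                # Heartbeat records carry the same two writes every time, so their
                # size barely varies; browsing traffic does not look like this.
                "size_spread": round(pstdev(sizes), 1),
            }
    return hits


def sample_records():
    """Constructed traffic (not captured data): one host heartbeating every 60 s with
    +/-1 s jitter and one dropped beat, and one host with irregular browsing-style writes."""
    beacon = []
    for i in range(12):
        if i == 7:
            continue  # a single missed beat must not defeat detection
        jitter = (i % 3) - 1  # -1, 0, +1 seconds
        beacon.append((1000.0 + i * 60 + jitter, "10.0.0.5", "203.0.113.9", 1337, 37))
    browsing_gaps = [0.4, 12.0, 3.1, 95.0, 0.2, 7.7, 60.0, 1.3, 22.0, 0.9]
    browsing, t = [], 1000.0
    for n, gap in enumerate(browsing_gaps):
        t += gap
        browsing.append((t, "10.0.0.7", "198.51.100.20", 443, 300 + 50 * n))
    return beacon + browsing


if __name__ == "__main__":
    for session, stats in find_heartbeats(sample_records()).items():
        print(session, stats)
```

Feed it per-packet timestamps and TCP payload lengths for the client-to-server direction; a hit with a size_spread near zero and a median_gap of about 60 s is worth pairing with the DNS/PORT values from a decoded config.xml.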


There are two commands the C2 server can send for updating infected hosts; an online update or an offline update. 

An offline update instructs the client to make another connection to the C2 server. Once the updated rat is downloaded it will call uninstall to remove the existing version then launch the updated one from the temp file. 

An online update includes a URL as the payload which instructs the RAT where to download the updated version from. A GET request is sent to the URL with the hardcoded UserAgent

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36

The same process seen in the update offline is followed, the new version is downloaded into a temporary file and the client uninstalls the existing version and updates to the newly downloaded version.

Download & Execute

The server can issue the command Id 8 which instructs the client to download and execute the downloaded file. The payload for this command includes the URL to download the file from and the extension to append to the file once it is downloaded. 

Requests are made using the UserAgent: 

Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17

Once the file is downloaded it is passed to an opener function that decides how to launch it. The opener first checks whether the downloaded file name ends in '.jar'; if it does, it builds the command line 'java -jar <downloaded jar>' and executes it.

If the malware is running on Mac OS X it also appends the argument -Dapple.awt.UIElement=true, which keeps the Java process off the Dock.

If the file doesn't end in .jar the opener uses the host OS's preferred method to open files. For Windows systems this is cmd, for Linux this is either /usr/bin/open or /usr/bin/xdg-open and for Mac OS X this is java.awt.Desktop.getDesktop().open.

Open URL

The server can instruct clients to open a URL. The payload to this command contains the URL to open and the number of iterations. The client will then open the URL the requested number of times sleeping for 2 seconds between iterations.  

  • For Mac OS X it will launch the URL using: open -a Safari <URL>
  • For Windows it will launch the URL using: cmd.exe /c START iexplore.exe <URL>
  • For Linux it will launch the URL using: /usr/bin/xdg-open <URL>  


Incident responders looking for systems compromised by AlienSpy can extract host indicators (the JAR_* install path and the Run value or autostart entry name) and network indicators (DNS and PORT) from the properties defined in the config.xml file. Additionally, once the server has issued command 10, infected systems send a heartbeat to the C2 server every 60 seconds, so a long-lived SSL connection with small, regularly timed writes is a further indicator.

AlienSpy is used to deliver other malicious payloads to infected systems, and the download-and-execute, plugin and update commands mean additional tooling may be present. Detecting the presence of AlienSpy should be treated as only one part of the compromise.
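The installation section above describes how the JAR_FOLDER, JAR_NAME, JAR_EXTENSION and JAR_REGISTRY properties become a file path and a persistence entry on each platform, and the paragraph above suggests turning config.xml into indicators. The script below does that mapping; it is an added example for this page, not the author's script. The layouts follow the behaviour described in the write-up, but the full Run key paths, the %APPDATA% and ~ notation and the sample config.xml are my assumptions and constructed input, not values taken from a sample.

```python
import xml.etree.ElementTree as ET

# Which hive is used depends on the RAT's administrator check (tem.txt in the
# Windows directory). Full key paths are the standard Run keys, assumed here.
RUN_KEYS = {
    "admin": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    "user": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}

# Constructed config.xml in Java Properties XML format; the values are placeholders.
SAMPLE_CONFIG_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<entry key="INSTALL">true</entry>
<entry key="JAR_FOLDER">WinUpd</entry>
<entry key="JAR_NAME">update</entry>
<entry key="JAR_EXTENSION">jar</entry>
<entry key="JAR_REGISTRY">Updater</entry>
<entry key="DNS">c2.example.invalid</entry>
<entry key="PORT">1337</entry>
</properties>
"""


def parse_properties(xml_bytes):
    """Read Java Properties XML (config.xml) into a dict."""
    root = ET.fromstring(xml_bytes)
    return {e.get("key"): (e.text or "") for e in root.iter("entry")}


def indicators(props):
    """Turn the JAR_* / DNS / PORT properties into host and network indicators."""
    out = {"network": {"host": props.get("DNS"), "port": props.get("PORT")}}
    # With INSTALL unset, the RAT runs from wherever it was launched and leaves
    # no copy or persistence entry: only the C2 traffic is there to find.
    if props.get("INSTALL", "").lower() != "true":
        out["note"] = "INSTALL is not true: no copy or persistence created; look for C2 traffic only"
        return out
    folder = props["JAR_FOLDER"]
    # Tolerate a leading dot in JAR_EXTENSION so the name does not become 'x..jar'.
    filename = "%s.%s" % (props["JAR_NAME"], props["JAR_EXTENSION"].lstrip("."))
    reg = props["JAR_REGISTRY"]
    win_path = r"%APPDATA%\{}\{}".format(folder, filename)
    out["windows"] = {
        "file": win_path,
        "run_value_name": reg,
        # The real value data holds the expanded absolute path, not the variable.
        "run_value_data": "java -jar " + win_path,
        "run_keys": RUN_KEYS,
        "admin_check_file": r"%WINDIR%\tem.txt",
    }
    out["linux"] = {
        "file": "~/{}/{}".format(folder, filename),  # directory is hidden per the write-up
        "autostart": "~/.config/autostart/{}.desktop".format(reg),
    }
    out["osx"] = {
        "file": "~/{}/{}".format(folder, filename),  # hidden via 'chflags hidden <JAR_FOLDER>'
        "launch_agent": "~/Library/LaunchAgents/com.{}.plist".format(reg),
    }
    return out


if __name__ == "__main__":
    for platform, values in indicators(parse_properties(SAMPLE_CONFIG_XML)).items():
        print(platform, values)
```

Pair the output with the Run-key hive question: a value under HKLM means the tem.txt check succeeded and the RAT ran as an administrator, which changes the scope of the cleanup.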

If you have any samples or would like to collaborate, feel free to reach out to me on Twitter @seanmw. I'm interested in looking at how AlienSpy is being used in phishing campaigns to deliver malware.


The samples I used for the post can be found using the hashes (SHA1) below:
  • Sample 1: f3366d437f9461f1486406972f52e7aab47174db
  • Sample 2: c932064fe6a7dfc96fb2a3ffec2b7f4e5b7e048f



  1. great writeup, thanks. Would have been nice if you included the network artifacts as well.

    1. Hi Alexander,

      I'm still looking at how the RAT is used to deliver malware onto infected systems, so I hope to have another post soon which will include packet captures.

  2. Creating "a Run key" for persistence wouldn't necessarily do anything...creating a _value_ beneath the appropriate Run key, with data pointing to the file to be launched, does provide persistence.

    Is there anything known about the value name? Is it consistent, random every time?

    1. Hi Harlan,

      My bad, I should have been more descriptive (dangers of late night posting).

      I've made an update to better explain that a value is created under the Run key. The value name is defined in the JAR_REGISTRY config setting, which would be random. And the data is a command line to launch the jar file.

  3. Has anyone managed to get this exploit to actually work (execute the .jar, create the subdirectories, go after the payload and drop it into place, and then execute the malware in the payload) in Linux? So far all I've seen is that the source code mentions Linux, OSX, Android, etc. But little evidence of actually working in those platforms.
