Sunday, 22 March 2015

AlienSpy Java Rat Overview

AlienSpy is a cross-platform Java RAT with support for Windows, Linux and Mac systems.
The samples I was able to analyze used a demo version of the Allatori Java Obfuscator (v5.3), which can be seen in the obfuscated method naming and the splash page shown when the malware is launched.

Allatori Name Obfuscation

Allatori Splash Screen

I won't dive into the Allatori obfuscation methods or the container in detail other than to understand how the malicious jar is encapsulated within the package. The container has a simple structure containing two resource files (config.ini & password.ini) and four class files.

Jar Overview
Once executed the container follows a simple path to decrypt and execute the payload.
  • Init LoadStub Thread
  • Load config.ini contents
  • Spawn DecryptStub Thread
  • Create key -- Load password.ini contents and append static_key (set in LoadPassword.class)
  • Decrypt config.ini using created key 
  • Spawn LoadStubDecrypted
  • Initialize JarInputStream object from decoded config data
  • Spawn thread with decoded Jar

Unpacking the Payload

Analyzing the decryption method in the DecryptStub class shows the encryption has changed from previous versions. The payload stored in the config.ini file is encrypted using RC4 and the decrypt key is composed of the sha256 hash of a dynamic key stored in the password.ini file and a static key defined in the LoadPassword.class. 

Looking at the de-obfuscated strings in the LoadPassword class shows the static key as ALSKEOPQLFKJDUSIKSJAUIE. 

Appending Static Key
The sha256 hash is then created from the combined dynamic and static key.

key = sha256(dynamic_key + static_key)

For this sample the key is calculated using the following:


To extract the properties (config.xml) or the entire payload I've put together a script to decode the latest version of the AlienSpy RAT.
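The unpacking steps above (key = sha256(password.ini contents + static key), RC4 decrypt of config.ini, then reading the result as a jar), as an added example that is not the post's own script. It assumes the raw 32-byte SHA-256 digest is used directly as the RC4 key and that password.ini is used as-is; the "sample" container is constructed in the block rather than taken from a real file.

```python
import hashlib
import io
import zipfile

# Static key recovered from LoadPassword.class (value from the post).
STATIC_KEY = b"ALSKEOPQLFKJDUSIKSJAUIE"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); decryption is the same operation as encryption."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(dynamic_key: bytes) -> bytes:
    """key = sha256(dynamic_key + static_key); raw digest as RC4 key (assumption)."""
    return hashlib.sha256(dynamic_key + STATIC_KEY).digest()


def unpack_stub(config_ini: bytes, password_ini: bytes) -> bytes:
    """Decrypt config.ini with the key derived from password.ini and check jar magic."""
    plaintext = rc4(derive_key(password_ini), config_ini)
    # A jar is a zip; the first local file header starts with PK\x03\x04.
    if not plaintext.startswith(b"PK\x03\x04"):
        raise ValueError("decrypted data is not a jar: wrong key or key format")
    return plaintext


def list_jar_entries(jar_bytes: bytes) -> list:
    """Names of the resources/classes inside the decoded jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return jar.namelist()


def build_sample_container(dynamic_key: bytes) -> tuple:
    """Constructed stand-in for a real sample: a tiny jar encrypted like config.ini.
    Returns (config.ini bytes, password.ini bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("config.xml", "<properties/>")
        jar.writestr("keystore.test", "constructed placeholder")
    return rc4(derive_key(dynamic_key), buf.getvalue()), dynamic_key


if __name__ == "__main__":
    config_ini, password_ini = build_sample_container(b"demo-dynamic-key")
    print(list_jar_entries(unpack_stub(config_ini, password_ini)))
```

If a real sample fails the jar-magic check, the hex digest (rather than the raw digest) is the first alternative key format to try.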

Once the RAT is decoded we can decompile it and take a look at the layout and functionality. The decoded AlienSpy RAT has a simple layout containing two resources, config.xml & keystore.test, and a collection of classes within three packages.


When the malware is launched it checks the INSTALL property, which is populated from the config.xml resource. If the property is set to True the installation method is triggered using the following properties to generate the directory and file on the host system.

  • JAR_FOLDER    - Name of folder to copy malware into
  • JAR_NAME      - Name of the file
  • JAR_EXTENSION - Extension of the file
  • JAR_REGISTRY  - Name of persistence setting


On Windows systems the malware is copied to a new directory within %appdata% and a new value under the Run key is created to launch the malware. The value name is the string defined within the JAR_REGISTRY config setting and the value data is the command line to launch the malware, 'java -jar <path-to-jar>'. The jar path and file name are defined by the JAR_ properties described above.

Depending on whether the user is a local administrator or not, the value is created under the Run key in HKLM or HKCU to either infect the system or only the current user. To check if the user is an administrator the file tem.txt is created within the Windows directory and then deleted. If this succeeds the Administrator property is set to true.


On a Linux system the jar file is copied to the hidden directory <JAR_FOLDER> within the user's home directory and renamed to <JAR_NAME>.<JAR_EXTENSION>. The malware then creates a .desktop file within the user's autostart directory, ~/.config/autostart/<JAR_REGISTRY>.desktop, to launch the RAT when the desktop is started.


On Mac systems, as on Linux, the malware creates a file under a new directory <JAR_FOLDER> in the user's home. It then creates a new job within the user's Library/LaunchAgents directory, com.<JAR_REGISTRY>.plist.

The generated configuration file has the optional key RunAtLoad set to true; this instructs launchd to run the job once when it is loaded.

Once the job file is created, it then runs the command "chflags hidden <JAR_FOLDER>" to set the hidden flag and hide the directory from the UI. 

Sandbox Detection

When executed AlienSpy checks if it is running within either a VirtualBox or VMware environment. If it detects that it is running within a VM the application exits. The detection technique isn't advanced and is done by looking for files installed as part of the VM guest tools.

For VirtualBox this is either the file "/etc/init.d/vboxadd" in Linux or the directory "Oracle\Virtualbox Guest Additions" in Windows. If the RAT is running within a Mac environment it returns false. 

VirtualBox Detection

Similarly, for VMware this is the directory "/etc/vmware-tools" in Linux, "/Library/Application Support/VMware Tools" in Mac and "VMware\VMware Tools" in Windows.

VMWare Detection


AlienSpy uses SSL Sockets to communicate with the C2 server. The server and port are both defined within the config.xml file. 
  • DNS   - Hostname or IP address
  • PORT - TCP port 
The jar file contains a keystore resource keystore.test which is used to trust the C2 SSL certificate. Using keytool we can look at the contained certificates. 

Note: The password for the keystore is 'storepass' and is defined in utils\AlienSSLSocket.class

When examining the certificate details I was able to trace it back to a how-to post on SSLSockets and creating a keystore. 

The majority of settings for the certificate have just been directly copied from the examples in the article (keystore name, password and certificate properties). 

C2 Subscription

To subscribe to the C2 server the RAT first creates and configures the SSL connection, then sends 1, then sends the properties describing the host system. At this point the malware is in listening mode waiting for commands from the C2 server.


Once connected to the C2 server the RAT waits for a command. Commands have a simple syntax: a command ID (1..10) followed by an optional payload for the command.

ID  Payload                                                    Action
1   [0] Message Type, [1] Option Type, [2] Title, [3] Message  Display Message Box
2   [0] URL, [1] Number of times to open the URL               Open the URL the requested number of times. Hardcoded to sleep 2s every iteration.
3   N/A                                                        Shutdown
4   N/A                                                        Restart
5   N/A                                                        Uninstall
6   N/A                                                        Update Offline
7   URL for update                                             Update Online
8   [0] URL for download, [1] Extension to append to file      Download & Execute
9   Plugin Name                                                Run Plugin
10  N/A                                                        Start Heartbeat

From what I've observed the first command after subscription is generally '10', which instructs the infected host to begin sending a heartbeat every 60 seconds.

  • Write 1 
  • Write PINGPONG
  • Sleep 60s

The heartbeat will continue running on a separate user thread while the malware waits for the next command from the server.


There are two commands the C2 server can send for updating infected hosts: an online update or an offline update.

An offline update instructs the client to make another connection to the C2 server. Once the updated rat is downloaded it will call uninstall to remove the existing version then launch the updated one from the temp file. 

An online update includes a URL as the payload, which tells the RAT where to download the updated version from. A GET request is sent to the URL with the hardcoded User-Agent:

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36

The same process seen in the offline update is then followed: the new version is downloaded into a temporary file, the client uninstalls the existing version and launches the newly downloaded one.

Download & Execute

The server can issue command ID 8, which instructs the client to download a file and execute it. The payload for this command includes the URL to download the file from and the extension to append to the file once it is downloaded.

Requests are made using the User-Agent:

Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17

Once the file is downloaded it is passed to an opener function, which determines how to launch it. The opener first checks if the downloaded file ends in '.jar'; if it does, it generates the string 'java -jar <downloaded jar>' and executes it.

If the malware is running on MacOS it will also append the argument -Dapple.awt.UIElement=true.

If the file doesn't end in .jar the opener uses the host OS's preferred method for opening files. For Windows systems this is cmd, for Linux this is either /usr/bin/open or /usr/bin/xdg-open, and for MacOS this is java.awt.Desktop.getDesktop().open.

Open URL

The server can instruct clients to open a URL. The payload for this command contains the URL to open and the number of iterations. The client then opens the URL the requested number of times, sleeping for 2 seconds between iterations.

  • For MacOS it will launch the URL using: open -a Safari <URL>
  • For Windows it will launch the URL using: cmd.exe /c START iexplore.exe <URL>
  • For Linux it will launch the URL using: /usr/bin/xdg-open <URL>


Incident Responders looking for systems compromised by AlienSpy can extract host and network indicators from the properties defined in the config.xml file. Additionally systems would also be beaconing to the C2 server every 60 seconds.
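An added example (not from the post) that turns the config.xml properties described above into the host and network artifacts a responder would look for on each platform. It assumes config.xml uses the Java Properties XML layout (<entry key="...">value</entry>); the sample values are constructed, and the Linux hidden folder is assumed to be the JAR_FOLDER name with a leading dot.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml; property names are the ones the post lists, values are made up.
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<properties>
  <entry key="INSTALL">true</entry>
  <entry key="JAR_FOLDER">Demo Folder</entry>
  <entry key="JAR_NAME">demo</entry>
  <entry key="JAR_EXTENSION">txt</entry>
  <entry key="JAR_REGISTRY">DemoRegistryValue</entry>
  <entry key="DNS">c2.example.invalid</entry>
  <entry key="PORT">1337</entry>
</properties>
"""


def parse_config(xml_text: str) -> dict:
    """Read the key/value entries out of the (assumed Java Properties XML) config."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): (e.text or "") for e in root.iter("entry")}


def host_indicators(cfg: dict) -> dict:
    """Expected install path and persistence artifact per OS, as the post describes them."""
    # No INSTALL means the RAT runs from wherever it was launched; no persistence artifacts.
    if cfg.get("INSTALL", "").strip().lower() != "true":
        return {}
    jar = f"{cfg['JAR_NAME']}.{cfg['JAR_EXTENSION']}"
    folder, reg = cfg["JAR_FOLDER"], cfg["JAR_REGISTRY"]
    win_path = f"%APPDATA%\\{folder}\\{jar}"
    return {
        "windows": {
            "path": win_path,
            "run_value_name": reg,              # under HKLM or HKCU ...\Run
            "run_value_data": f"java -jar {win_path}",
        },
        "linux": {
            "path": f"~/.{folder}/{jar}",        # hidden dir; dot prefix is an assumption
            "autostart": f"~/.config/autostart/{reg}.desktop",
        },
        "macos": {
            "path": f"~/{folder}/{jar}",         # directory hidden via chflags hidden
            "launch_agent": f"~/Library/LaunchAgents/com.{reg}.plist",
        },
    }


def network_indicators(cfg: dict) -> dict:
    """C2 endpoint from DNS/PORT plus the 60 second heartbeat interval."""
    return {"c2": cfg["DNS"], "port": int(cfg["PORT"]), "beacon_interval_s": 60}


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG_XML)
    print(host_indicators(cfg))
    print(network_indicators(cfg))
```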

AlienSpy is used to deliver other malicious payloads to infected systems. Detecting the presence of AlienSpy should be considered to be only part of the compromise.

If you have any samples or would like to collaborate, feel free to reach out to me on twitter @seanmw. I'm interested in looking at how AlienSpy is being used in phishing campaigns to deliver malware.


The samples I used for the post can be found using the hashes below:
  • Sample 1: f3366d437f9461f1486406972f52e7aab47174db 
  • Sample 2: c932064fe6a7dfc96fb2a3ffec2b7f4e5b7e048f



  1. great writeup, thanks. Would have been nice if you included the network artifacts as well.

    1. Hi Alexander,

      I'm still looking at how the RAT is used to deliver malware onto infected systems, so I hope to have another post soon which will include packet captures.


  2. Creating "a Run key" for persistence wouldn't necessarily do anything...creating a _value_ beneath the appropriate Run key, with data pointing to the file to be launched, does provide persistence.

    Is there anything known about the value name? Is it consistent, random every time?

    1. Hi Harlan,

      My bad, I should have been more descriptive (dangers of late night posting).

      I've made an update to better explain that a value is created under the Run key. The value name is defined in the JAR_REGISTRY config setting which would be random. And the data is a command line to launch the jar file.

  3. Has anyone managed to get this exploit to actually work (execute the .jar, create the subdirectories, go after the payload and drop it into place, and then execute the malware in the payload) in Linux? So far all I've seen is that the source code mentions Linux, OSX, Android, etc. But little evidence of actually working in those platforms.
