Jbifrost Rat For Android

May 29, 2019. Bifrost RAT is advertised as an advanced freeware remote administration tool for network administrators who want complete control of every computer on their network: its firewall bypass means existing firewalls need no configuration to connect, and features such as a file manager, screen capture and a RAS password manager let the operator keep complete control of the machine. A build named "Bifrost RAT Of Evil 0.5Ev by NASeeR" has also been circulated on download blogs. The JBifrost website is no longer open to anyone; unlike earlier instances where anyone could buy the RAT, users now need an invitation code to register. A modified AhMyth build (HiddenPirates / AhMyth-Modified-Version) also exists: AhMyth is a popular open-source Android RAT, but the official release contains many bugs (for example, you cannot fetch the victim's files from the remote server), so the modifiers removed the bugs and added some extra features. The report highlights the use of the JBiFrost RAT, a variant of the Adwind RAT with roots stretching back to the Frutas RAT; it runs on Mac OS X and Android, and allows actors to pivot and move.

In this post we will learn how to create a Remote Administration Tool (RAT). But before we proceed, let's discuss some basic terminology.
Trojan: A Trojan horse, or Trojan, is malware that appears to perform a desirable function for the user prior to being run or installed, but instead facilitates unauthorized access to the user's computer system. It is harmful software or code that appears legitimate. Trojans come packed with some other piece of code or software, and hence users are tricked into running them. The term Trojan is derived from the Trojan Horse of Greek mythology.
Types Of Trojan:
2. Proxy
4. Security Disablers
6. File Sending Trojans (FTP Trojans)
Remote Access Tool (RAT): A Remote Administration Tool, also known as a RAT, is used to remotely connect to and manage one or more computers. A RAT is one of the most dangerous kinds of Trojan because it combines the features of all the other types. It provides an attacker with nearly unlimited access to the host computer, including screen capture, file management, shell control and device driver control. RATs use reverse connections to reach the remote system and hence are more likely to remain undetected. They can hide themselves in the process space of a legitimate program and hence never appear in Task Manager or system monitors.
A Trojan generally has two parts, client and server, or master and slave: the server is the slave and the client is the master. The server side is installed on a remote host and the attacker controls it with the client software. In the past, making a Trojan was a job for a master programmer, but nowadays several Trojan building tools are available. Most of them have the same kind of interface, so it is quite easy to use any Trojan client once you have used one of them. Following is a list of some well known Trojans and Trojan building tools:
1. Casa RAT
3. Bandook RAT
5. Cerberus
7. Blackshades
9. Schwarze Sonne RAT
11. Team Viewer
13. Snoopy
16. NetBus
18. P. Storrie RAT
20. Bifrost
22. Beast
24. Sub7
26. xHacker Pro RAT
28. Optix Pro RAT
30. NetDevil
32. MiniMo RAT
If you think the list is very big, then I must tell you it is neither complete nor does it cover even 25% of the RAT building tools out there.
Demonstration: How to create a RAT: Since several tools are available and most of them have the same kind of interface, we can select any RAT building tool for the demonstration. Here we select the Cerberus client to demonstrate how a RAT works. Please note that using a RAT for hacking is a crime; please take this demonstration as being for educational purposes only.
Type "Download Cerberus RAT" into Google search and download Cerberus RAT. Execute the Cerberus file and launch the program. Accept the EULA and the following interface will appear:
To create a server, press the New button.
As you can see, several options are available in the settings, but for our demonstration we will use the most common ones. In "Basic Option", type your IP address and then press "+". In "Identification", give the server a name by which your client will identify which server it is listening to. There is no need to specify a connection password. Specify the port on which you would like to listen, and keep a note of it, since you will have to configure the client settings to receive information on this port.
The next option is "Server Installation". Under "Directory Installation" you can select where, and in which folder name, your RAT server will be installed. In the "File Name" option you have to specify the name and extension of your server. "Boot Methods" gives you the option to start your server as a "System Service" or "User Application"; take your pick or leave them untouched. The "Anti-Debugging" function allows your RAT to bypass virtualisation and sandboxing.
From "Misc Options" you can activate the keylogging feature, as well as select how your RAT hides itself in another process.
The "Display Message" option gives you the power to show a custom message on the victim's computer.
The "Black List Item" option allows you to set logic for execution of your RAT server with respect to specific processes and services. Mostly only advanced users use this feature.
"Overview" lets you review the features of your RAT. Now select an icon and press "Create Server" to create the server.
The "Add File" function allows you to bind your RAT to any legitimate file, most likely an executable installation file. To avoid detection, don't use a custom message box and uncheck the "Run in Visible Mode" option while creating the server.
Configuring the Client to Listen: To configure Cerberus to listen on a specific port, select Options and enter the "Connection Password" and "Connection Ports" that were specified in the server. Wait for the victim to execute the server, then right-click the listening server and play with the options.
Following is a video demonstration of the procedure described above to create a RAT using the Cerberus client.
Next time we discuss RATs, we will look at how you can counter and protect yourself from RAT attacks. Please give us your comments; they will help us improve. Have a nice time and keep visiting.

This is a post on how to dissect the AdWind / jRAT / jBifrost Java Trojan, which has been around for quite a while and is still actively distributed in multiple variants. jRAT is nothing new and it has been decrypted before, but it is still an interesting exercise.

I retrieved a more or less recent AdWind variant from late 2016 (SHA256: 5b4a70e51095ca9ee19bbf81ef434d421ee5695474bc7f81e40955359d8afec8) and decided to take a look at it. AdWind is a Java-based Trojan that is delivered as a JAR file. JAR files are basically ZIP files, so you can extract them easily:

This leaves you with a bunch of files and directories:


There are some interesting things here: multiple, obviously obfuscated directories (NtH, VRL, etc.). There are also some files: drop.box, mega.download and sky.drive. Running the file command to determine their types results in:

So we have a serialized object in sky.drive and data of unknown type in drop.box and mega.download.

Let's have a quick glance at sky.drive:

The strings java.security.KeyRep and RSA stick out. Glancing at the data files yields nothing of interest. But since there is an RSA key in this serialized Java object, we can guess that the other files contain encrypted data. We will see later whether that is true. Now let us have a look at the Java classes. Since this JAR has a META-INF directory containing a manifest file, we open MANIFEST.MF with a text editor and find:

The main class is operational.JRat. We find this class file in the folder operational.
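The triage steps so far (unpack the JAR, run file over the entries, read the manifest) can be done from one small program without ever executing the sample. The following Java tool is an added example, not code from the original post; the class name JarTriage and the entropy threshold of 7.5 bits per byte are my own choices. It walks every entry of a JAR, reports the Main-Class from the manifest, flags entries that start with the Java serialization magic (0xACED0005, which is what file reports as "Java serialization data" for sky.drive), flags class files, and estimates the Shannon entropy of everything else, since uniformly high-entropy blobs like drop.box and mega.download are the usual sign of encrypted or compressed payloads.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

/** Static triage of a JAR: manifest Main-Class, entry types and entropy. Never loads any class. */
public class JarTriage {

    // Magic bytes at the start of every Java serialization stream.
    private static final byte[] SERIAL_MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
    // Magic bytes at the start of every Java class file.
    private static final byte[] CLASS_MAGIC = {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE};

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java JarTriage <sample.jar>");
            System.exit(2);
        }
        // verify=false: we only want to read the archive, not validate signatures.
        try (JarFile jar = new JarFile(args[0], false)) {
            Manifest mf = jar.getManifest();
            String mainClass = (mf == null) ? null : mf.getMainAttributes().getValue("Main-Class");
            System.out.println("Main-Class: " + (mainClass == null ? "<none>" : mainClass));

            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory()) {
                    continue;
                }
                byte[] data;
                try (InputStream in = jar.getInputStream(e)) {
                    data = in.readAllBytes();
                }
                System.out.printf("%-40s %8d bytes  %s%n", e.getName(), data.length, classify(data));
            }
        }
    }

    /** Rough "file"-style classification from the leading bytes and the byte distribution. */
    static String classify(byte[] data) {
        if (startsWith(data, SERIAL_MAGIC)) {
            return "Java serialization data";
        }
        if (startsWith(data, CLASS_MAGIC)) {
            return "Java class file";
        }
        double h = entropy(data);
        if (h > 7.5) { // threshold chosen for this example; random bytes approach 8.0
            return String.format("high-entropy data (%.2f bits/byte), likely encrypted or compressed", h);
        }
        return String.format("data (%.2f bits/byte)", h);
    }

    static boolean startsWith(byte[] data, byte[] magic) {
        if (data.length < magic.length) {
            return false;
        }
        for (int i = 0; i < magic.length; i++) {
            if (data[i] != magic[i]) {
                return false;
            }
        }
        return true;
    }

    /** Shannon entropy in bits per byte; 8.0 is the maximum, reached by uniformly random bytes. */
    static double entropy(byte[] data) {
        if (data.length == 0) {
            return 0.0;
        }
        int[] counts = new int[256];
        for (byte b : data) {
            counts[b & 0xFF]++;
        }
        double h = 0.0;
        for (int c : counts) {
            if (c == 0) {
                continue;
            }
            double p = (double) c / data.length;
            h -= p * (Math.log(p) / Math.log(2));
        }
        return h;
    }
}
```

Run it as `java JarTriage sample.jar` on a copy of the sample inside your analysis VM. Because JarFile only reads bytes and nothing is passed to a class loader, the tool is safe to point at a live sample; the serialized-object and high-entropy flags reproduce what the post found by hand with file and a hex viewer.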

Time for some disassembly and decompilation!

For a first glance at an unknown binary I often use radare2, since it disassembles nearly everything.

This is the main method of the JRat class:

It simply calls a method of another class with a quite obfuscated and inconveniently long name, consisting of the repeating pattern maninthesky followed by the letter z.

Since this new class is part of the package w, let us have a look at the corresponding folder. Things start to get ugly:

Hm. Time to get a better overview of the structure. I used BytecodeViewer to open the original JAR. BytecodeViewer contains multiple disassemblers and decompilers that might help here.

BytecodeViewer is pretty nice: it allows you to browse the JAR, looking at different decompilations, bytecode, hex or whatever, all at the same time. Opening the maninthesky class that ends with the letter z we see a first decompilation. This is helpful but still cumbersome to read. We can make things easier if we convert the classes and files to a more readable format.

So after opening the malicious JAR in BytecodeViewer you can do "File -> Decompile & Save All Classes". Then choose a decompiler. I chose Krakatau, which gives good results but leaves out some classes, since it couldn't find some imports. We can add these few classes manually later.

Having decompiled (nearly) all classes, we can rename them and replace strings to produce more readable versions of the files, using rename and sed. E.g. in the w folder, do


and

to rename all files and replace the content. You might have to execute these commands twice to clean up everything, and it might ruin some variable names in the sample, but we can reconstruct those manually if needed.

After cleaning up, we can finally browse the project files in a more readable manner. The z class now basically looks like this:

It is much more readable. Starting from z we can dive down and see what we find. Most classes are just wrappers around standard Java functionality; others contain more interesting pieces of code. E.g. in i you can find the filenames sky.drive, drop.box and mega.download, so that might be interesting. As we learn from examining z, this information is fed to an object of class l. Looking at class l we see a decryption routine C:

Basically, method C does this:

  1. It deserializes the java.security.KeyRep object stored in sky.drive, which yields an RSA private key.
  2. It uses this RSA key to decrypt an AES key that is stored in drop.box.
  3. It uses the decrypted AES key to decrypt the data in mega.download, which will turn out to be a properties file pointing to more interesting files.


If we follow the source code a little further, we will find this decryption routine in several places in the malware. Since the decryption is just a chaining of standard routines, it is not too hard to write a decrypter for it.

Here is a piece of Java code that decrypts the AdWind files.

Warning: Only execute the decrypter in a separate, isolated environment. It deserializes the object given as the RSA KeyRep and might itself be hijacked by malicious code.

Using this decrypter, we can decrypt the files and get the properties file:


This is the decrypted properties.ini:

Not too interesting at first glance: just a few paths to files we already had access to before. It also points us to a site where we could buy a jRAT version (no thanks). Since these variable names are tempting, let us try to use the decrypter once again, using:

  • Using PASSWORD_CRYPTED as crypted AES key,
  • PRIVATE_PASSWORD as RSA Key Rep and
  • SERVER_PATH as something we want to decrypt.

(Looking at the decompiled code more closely we can already figure out that this will work and what we are about to decrypt here.)

After going through the decryption routine once again, we finally get to the core of the malware: the server.jar. This is the file that contains the actual RAT code and that we can use for further analysis. And hey, we don't have to pay for it!

Without going into too much analysis of the server.jar, we see that its config files in server/ressources are also encrypted. We can try to use the decrypter once again and make an educated guess as to how we should provide it with the files. Checking size and type we find:

and

So we conclude:

  • Key1.json is again a serialized Java KeyRep object, so this is our RSA key.
  • Key2.json is the smallest of the files, with a size of 256 bytes, which matches the size of the encrypted AES keys before. So it is very likely the encrypted AES key.
  • We can guess that config.json is what we want to decrypt.

Using

we decrypt the encrypted config file:
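The same three-step routine is used at all three points above: sky.drive / drop.box / mega.download, then PRIVATE_PASSWORD / PASSWORD_CRYPTED / SERVER_PATH from the properties file, then Key1.json / Key2.json / config.json from server/ressources. The Java program below is an added example written for this page; it is not the post's own decrypter and not code from the malware. It takes the KeyRep file, the RSA-wrapped AES key and the ciphertext as arguments and applies KeyRep deserialization, RSA unwrap and AES decrypt in that order. Two things are assumptions: the cipher transformations are the bare names "RSA" and "AES" (which the standard JCE providers resolve to PKCS#1 v1.5 and ECB/PKCS5Padding); if the decompiled class l names an explicit transformation, use that one instead. The class and method names are mine. To address the deserialization warning, the program installs an ObjectInputFilter that accepts only the classes a serialized KeyRep legitimately contains and rejects everything else, so a sample that smuggles a gadget chain into the "key file" fails with an InvalidClassException instead of executing.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.PrivateKey;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/**
 * Chains the three steps seen in class l: serialized KeyRep -> RSA private key,
 * RSA-decrypt the wrapped AES key, AES-decrypt the payload. Example code, not the post's own.
 */
public class AdwindDecrypter {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java AdwindDecrypter <keyrep> <wrapped-aes-key> <ciphertext> <outfile>");
            System.err.println("  e.g. sky.drive drop.box mega.download properties.ini");
            System.exit(2);
        }
        PrivateKey rsaKey = loadKeyRep(Path.of(args[0]));
        byte[] aesKey = rsaUnwrap(rsaKey, Files.readAllBytes(Path.of(args[1])));
        byte[] plain = aesDecrypt(aesKey, Files.readAllBytes(Path.of(args[2])));
        Files.write(Path.of(args[3]), plain);
        System.out.printf("AES key: %d bytes, plaintext: %d bytes -> %s%n",
                aesKey.length, plain.length, args[3]);
    }

    /**
     * Deserialize the java.security.KeyRep. Its readResolve() rebuilds the real key through
     * KeyFactory, so readObject() returns a PrivateKey rather than the KeyRep wrapper.
     */
    static PrivateKey loadKeyRep(Path file) throws IOException, ClassNotFoundException {
        // Allow-list only the classes a KeyRep stream contains (the wrapper, its Type enum,
        // the Enum base descriptor and the algorithm/format strings); reject everything else.
        // Primitive arrays such as the encoded key bytes are not rejected by a pattern filter.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.security.KeyRep;java.security.KeyRep$Type;java.lang.Enum;java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(file.toFile()))) {
            in.setObjectInputFilter(filter);
            Object obj = in.readObject();
            if (!(obj instanceof PrivateKey)) {
                throw new IOException("expected a private key, got " + obj.getClass().getName());
            }
            return (PrivateKey) obj;
        }
    }

    /** RSA-decrypt the 256-byte blob (drop.box, PASSWORD_CRYPTED, Key2.json) to recover the AES key. */
    static byte[] rsaUnwrap(PrivateKey key, byte[] wrappedAesKey) throws Exception {
        // Assumption: the sample uses the bare "RSA" name, i.e. RSA/ECB/PKCS1Padding on Sun providers.
        Cipher rsa = Cipher.getInstance("RSA");
        rsa.init(Cipher.DECRYPT_MODE, key);
        return rsa.doFinal(wrappedAesKey);
    }

    /** AES-decrypt the payload (mega.download, SERVER_PATH, config.json) with the recovered key. */
    static byte[] aesDecrypt(byte[] aesKey, byte[] ciphertext) throws Exception {
        // Assumption: the sample uses the bare "AES" name, i.e. AES/ECB/PKCS5Padding on Sun providers.
        Cipher aes = Cipher.getInstance("AES");
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(aesKey, "AES"));
        return aes.doFinal(ciphertext);
    }
}
```

Run it three times inside the isolated analysis VM, in the order the post follows: first on sky.drive, drop.box and mega.download to obtain properties.ini; then on the files named by PRIVATE_PASSWORD, PASSWORD_CRYPTED and SERVER_PATH to obtain server.jar; then on Key1.json, Key2.json and config.json from the unpacked server.jar to obtain the configuration. A BadPaddingException at the RSA step means the key file and wrapped key do not belong together; one at the AES step means the ciphertext was not produced with the recovered key or the padding assumption is wrong for this variant, in which case check the transformation string in the decompiled class l.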

That's it. We can retrieve the malware configuration by using the same decryption routine over and over. And if you are actually a victim of AdWind / jRAT / jBifrost, this might be a good starting point to figure out who is attacking you.


For comments / corrections / questions, contact me on Twitter.