Full Report
AhnLab SEcurity intelligence Center (ASEC) recently discovered malware created using JPHP. JPHP is a PHP interpreter that runs on the Java Virtual Machine (JVM) and was designed to allow PHP code to be used in a Java environment. It compiles PHP code into Java bytecode for execution, enabling direct calls to […]
Analysis Summary
# Tool/Technique: JPHP-based Downloader Malware
## Overview
This entry describes malware built on JPHP, a PHP interpreter that runs on the Java Virtual Machine (JVM). JPHP lets the threat actor ship PHP logic as compiled `.phb` bytecode modules and run it inside a Java environment; in this case the logic is a downloader that fetches and executes secondary malware payloads.
## Technical Details
- Type: Downloader malware built on JPHP, an uncommon runtime that lets PHP logic execute on the JVM
- Platform: Windows (inferred from the `.exe` runner and the use of `javaw.exe`)
- Capabilities: Runs PHP logic on the JVM, downloads and executes additional malware (Strrat and Danabot were observed), and disables Windows Defender behavior monitoring
- First Seen: Not stated; described by ASEC as recently discovered
## MITRE ATT&CK Mapping
*Note: Mappings are inferred from the behavior described in this entry; where the fit is loose it is marked as such.*
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (the runner `.exe` delivered inside the ZIP)
- T1218 - System Binary Proxy Execution (loose fit: `javaw.exe` is launched to run the malicious JAR, but the JRE is bundled with the malware rather than being a native Windows binary; the Rundll32 sub-technique does not apply)
- **TA0003 - Persistence** (only through the secondary payloads; the downloader itself is not described as establishing persistence)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (malicious logic shipped as JPHP `.phb` bytecode inside a JAR, a format not covered by conventional Java class-file analysis)
- T1562 - Impair Defenses
- T1562.001 - Impair Defenses: Disable or Modify Tools (disabling Windows Defender behavior monitoring)
- **TA0011 - Command and Control**
- T1102.001 - Web Service: Dead Drop Resolver (secondary C2 IP read from a Telegram `t.me` channel profile)
- T1071 - Application Layer Protocol (web traffic to the C2 IPs is inferred from the Telegram lookup and download behavior; the protocol is not stated explicitly)
## Functionality
### Core Capabilities
- **JPHP Execution:** Uses JPHP to convert PHP code (contained in `.phb` files within a JAR package) into runnable Java bytecode for execution on the JVM.
- **Self-Contained Distribution:** Distributed within a ZIP file containing a complete Java Runtime Environment (JRE) package, ensuring execution independent of a pre-installed Java environment.
- **Runner Mechanism:** An accompanying `.exe` file acts as a runner, executing `javaw.exe` with numerous JPHP and utility libraries specified via the classpath argument.
- **Downloader:** Capable of fetching and executing secondary malware payloads from remote locations.
### Advanced Features
- **Dynamic C2 Retrieval via Telegram:** In addition to a hardcoded initial C2 IP, the malware obtains its secondary C2 through a dead-drop resolver: it requests a Telegram short URL (`t.me/...`), reads the channel profile, and extracts the IP address enclosed between the marker string "i1il" on either side. That IP is then used as the secondary C2. Because the profile text can be edited at any time, the operators can rotate C2 infrastructure without redistributing or restarting the malware on compromised hosts.
- **Defense Evasion:** Specifically observed disabling the behavior monitoring feature of Windows Defender.
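The dead-drop lookup above is easy to re-implement for infrastructure tracking. The following is an added example written for this entry, not code from the malware or from ASEC: it parses a constructed channel page offline, keeps only the marker-delimited token that is actually a valid IPv4 address, and accepts an injected fetch function so the parser can be exercised without network access. The page layout, the URL form `https://t.me/<channel>` and the sample address are assumptions; only the "i1il" marker comes from the report.

```python
"""
Offline re-implementation of the Telegram dead-drop lookup described above.
Added example, not the malware's or ASEC's code. The HTML snippet is
constructed; the only detail taken from the report is that the C2 IP sits
between "i1il" marker strings in the channel profile. The t.me page layout
and the URL form are assumptions.
"""
import ipaddress
import re
from typing import Callable, Optional

MARKER = "i1il"

# marker, optional whitespace, dotted-quad candidate, optional whitespace, marker.
# The regex only checks shape; ipaddress does the real validation below.
_C2_RE = re.compile(
    re.escape(MARKER) + r"\s*(\d{1,3}(?:\.\d{1,3}){3})\s*" + re.escape(MARKER)
)


def extract_c2(page: str) -> Optional[str]:
    """Return the first syntactically valid IPv4 address between marker pairs.

    Rejects shapes such as 999.1.1.1 that match the regex but are not
    addresses, and loopback/unspecified values that can never be a C2.
    """
    for m in _C2_RE.finditer(page):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        return str(ip)
    return None


def defang(ip: str) -> str:
    """Render an address in the bracketed form used in the IOC list (e.g. 5[.]75[.]208[.]125)."""
    return ip.replace(".", "[.]")


def resolve_c2(fetch: Callable[[str], str], channel: str) -> Optional[str]:
    """Fetch the channel page with an injected HTTP function and parse it.

    The URL form https://t.me/<channel> is an assumption; injecting `fetch`
    keeps the parser testable offline and lets a tracker log the raw page.
    """
    return extract_c2(fetch(f"https://t.me/{channel}"))


# Constructed sample page (not a real capture). 203.0.113.7 is a documentation
# address; the first marker pair is deliberately malformed to show the filter.
SAMPLE_PAGE = """
<div class="page_description">
  status: i1il999.1.1.1i1il
  update: i1il 203.0.113.7 i1il
</div>
"""

if __name__ == "__main__":
    c2 = resolve_c2(lambda url: SAMPLE_PAGE, "examplechannel")
    print("secondary C2:", defang(c2) if c2 else "none")
```

Validating with `ipaddress` rather than trusting the regex matters when the same parser is used to feed a blocklist: a malformed or loopback token in the profile should produce no indicator rather than a bogus one.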
## Indicators of Compromise
- File Hashes:
- MD5: `1b5548083e151b54a63cb933d5cbe274`, `230c1d520f88a66698d522805bafe883`, `4a54c8367d6cf067fbad8ce3da50b65e`, `c2d457714e7079fa6b423156071a3860`, `d87a34d70a672339d6b8c7b563eb8e7d`
- File Names:
- Initial delivery in ZIP format.
- Runner executable (.exe).
- Core payload stored in JAR containing `.phb` files.
- Registry Keys: [Not explicitly mentioned]
- Network Indicators:
- Initial C2 IP: `49[.]13[.]143[.]126`
- Secondary C2 IPs: `5[.]75[.]208[.]125`, `89[.]23[.]96[.]126`
- C2 Signaling Domain: `t[.]me` (used for retrieving secondary C2 IP from channel profiles)
- Behavioral Indicators:
- Execution of `javaw.exe` with extensive library arguments pointing to a packaged JRE/lib directory.
- Attempting to disable Windows Defender monitoring features.
- Communicating with hardcoded IPs followed by dynamic IP retrieval via Telegram URLs.
## Associated Threat Actors
- Not explicitly named, but the operators are associated with the distribution of data-theft malware such as Strrat (a Java-based RAT) and Danabot (a banking trojan and information stealer).
## Detection Methods
- Signature-based detection: Based on known file hashes (provided above).
- Behavioral detection: Monitoring for unusual execution chains involving `javaw.exe` being launched with a large, customized classpath pointing to local libraries, especially when combined with attempts to disable security products.
- YARA rules: Rules can target the JPHP runtime itself, since `.phb` files are JPHP's own compiled module format rather than JVM `.class` files (which begin with the `CAFEBABE` magic). Matching on `.phb` entries and JPHP library names inside a JAR, and on a JAR shipped next to a bundled JRE, would flag this family regardless of the PHP payload's content.
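To make the behavioral detection above concrete, here is an added example, written for this entry rather than taken from the ASEC report, that scores process-creation events for the chain it describes: a runner `.exe` launches a bundled `javaw.exe` with a large JPHP classpath, and a descendant process then tampers with Windows Defender behavior monitoring. The events are constructed in a Sysmon Event ID 1-like shape; the field names, the classpath threshold, the trusted-JRE directory list, the jar names other than the JPHP ones, the `Invoice.exe`/`app.Main` placeholders and the tamper command patterns (`Set-MpPreference -DisableBehaviorMonitoring` and the `Real-Time Protection` policy value) are assumptions to tune per environment.

```python
"""
Added detection example (not from the ASEC report). Scores process-creation
events for: bundled javaw.exe + large JPHP classpath, followed by Defender
behavior-monitoring tamper somewhere in that process tree. Events are
constructed; thresholds, directory allow-list and tamper patterns are
assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


MIN_CLASSPATH_ENTRIES = 8       # report only says "numerous"; threshold is an assumption
JPHP_HINTS = ("jphp", ".phb")   # library name / bytecode extension named in the report
TRUSTED_JRE_DIRS = (            # javaw.exe outside these is treated as a bundled runtime
    r"c:\program files\java",
    r"c:\program files (x86)\java",
)
# Assumed tamper patterns: the PowerShell cmdlet switch and the policy registry value.
DEFENDER_TAMPER_RE = re.compile(
    r"set-mppreference\b.*-disablebehaviormonitoring"
    r"|real-time protection.*disablebehaviormonitoring",
    re.I,
)
_CP_RE = re.compile(r'(?:-cp|-classpath)\s+(?:"([^"]*)"|(\S+))', re.I)


def classpath_entries(cmdline: str) -> List[str]:
    """Split the -cp/-classpath argument on ';' (Windows separator)."""
    m = _CP_RE.search(cmdline)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [e for e in raw.split(";") if e]


def javaw_reasons(ev: ProcEvent) -> List[str]:
    """Why a javaw.exe launch looks like the JPHP runner chain (empty if benign)."""
    image = ev.image.lower()
    if not image.endswith("\\javaw.exe"):
        return []
    reasons = []
    n = len(classpath_entries(ev.cmdline))
    if n >= MIN_CLASSPATH_ENTRIES:
        reasons.append(f"large classpath ({n} entries)")
    if any(h in ev.cmdline.lower() for h in JPHP_HINTS):
        reasons.append("JPHP library or .phb bytecode on classpath")
    if not image.startswith(TRUSTED_JRE_DIRS):
        reasons.append("javaw.exe outside trusted JRE directories (bundled runtime)")
    return reasons


def descendants(pid: int, children: Dict[int, List[ProcEvent]]) -> List[ProcEvent]:
    """All processes below pid in the parent/child tree."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        ev = stack.pop()
        out.append(ev)
        stack.extend(children.get(ev.pid, []))
    return out


def detect(events: List[ProcEvent]) -> List[dict]:
    """One finding per suspicious javaw.exe; severity rises if its tree tampers with Defender."""
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    findings = []
    for ev in events:
        reasons = javaw_reasons(ev)
        if len(reasons) < 2:        # require two independent signals to limit noise
            continue
        tamper = [d for d in descendants(ev.pid, children)
                  if DEFENDER_TAMPER_RE.search(d.cmdline)]
        findings.append({
            "pid": ev.pid,
            "image": ev.image,
            "reasons": reasons + [f"Defender tamper by pid {d.pid}" for d in tamper],
            "severity": "high" if tamper else "medium",
        })
    return findings


# Constructed events (not real telemetry). Only the jphp-* jar names come from
# JPHP itself; Invoice.exe, the other jars and app.Main are placeholders.
_LIBS = ";".join(f"jre\\lib\\{j}" for j in (
    "jphp-core.jar", "jphp-runtime.jar", "jphp-zend-ext.jar", "asm.jar",
    "gson.jar", "commons-io.jar", "httpclient.jar", "json.jar", "util.jar"))
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\victim\Downloads\Invoice\Invoice.exe", "Invoice.exe"),
    ProcEvent(300, 200, r"C:\Users\victim\Downloads\Invoice\jre\bin\javaw.exe",
              f'javaw.exe -cp "{_LIBS}" app.Main'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Set-MpPreference -DisableBehaviorMonitoring $true"),
    # benign developer launch: trusted JRE, one classpath entry, no JPHP
    ProcEvent(500, 100, r"C:\Program Files\Java\jdk-17\bin\javaw.exe",
              'javaw.exe -cp "C:\\dev\\app.jar" com.example.App'),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], f["image"], "; ".join(f["reasons"]))
```

Requiring two independent signals on the `javaw.exe` launch keeps ordinary Java applications with big classpaths from alerting, while the Defender tamper is only used to raise severity, since a benign bundled JRE will never produce it.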
## Mitigation Strategies
- Careful review of the source of executable files and scripts, even those utilizing less common technologies.
- Monitoring for processes initiating substantial network beaconing shortly after execution of Java-based applications.
- Implementing robust endpoint detection/response capable of monitoring and alerting on changes to Windows Defender settings or behavioral monitoring state.
- Network filtering for connections to known C2 infrastructure (though dynamic C2 makes this challenging).
## Related Tools/Techniques
- JPHP (The interpreter framework used).
- Strrat (Potential secondary payload).
- Danabot (Potential secondary payload).