Qealler+QaZaqne ● Part 1

LYLC | Spear and Shield
Oct 20, 2018

Intelligence suggested that around 14 October 2018 a phishing campaign was observed distributing a malicious Java program named Remittance_Advice_101418_pdf.jar (https://www.virustotal.com/#/file/880986e986112b1b2d1dc9e04085b7a0b8f7879b07592a39c06a592db376d4de/detection). A few antivirus engines labelled this malware as an Adwind RAT. However, my initial analysis suggested this sample did not exhibit Adwind’s usual behaviour.

Further analysis revealed that this malware contained multiple layers of obfuscation. Shortly afterwards, it was confirmed to be Qealler.

Qealler is a malware loader written in Java that attempts to download and run the QaZaqne password stealer, which is written in Python. Open source intelligence suggests Qealler was first discovered around 13 June 2018 (https://www.hybrid-analysis.com/sample/d730a8d0ee52ab14961a48c0eb04bb694df3475a345d35b8a16244909b91ea31?environmentId=100). Since then, its code has been modified continuously.

Analysis

The analysis discovered that when Remittance_Advice_101418_pdf.jar (Qealler) was executed, it would attempt to load an obfuscated JavaScript script.

After decoding, the script became more human-readable, as shown below.

The code revealed that it would decrypt the “com/two/utu/Dualized.gog” file with the AES algorithm, using the decryption key “fjAGlj7mOcxQzvKe”. The decrypted file appeared to be a Java class file whose class path was “qua.enterprise.reaqtor.reaqtions.standartbootstrap.Header”, and the JavaScript script would launch it once it was decrypted.

When “qua.enterprise.reaqtor.reaqtions.standartbootstrap.Header” was analysed, its code revealed that its main function was to load the decryption information shown below, use it to decrypt and execute the loader, and hand it to the loader so that the loader could decrypt the rest of the obfuscated Java class files.

The decryption algorithm is shown below.

After the rest of the Java class files were de-obfuscated/decrypted, “qua.enterprise.reaqtor.reaqtions.standartbootstrap.Header” would execute “q.Head”. Although the variable names in “q.Head” were obfuscated, the code suggested Qealler had two modes, Developer mode (“-dev”) and Dump mode (“-dump”). Both modes were confirmed later during the analysis.

Subsequently, “q.Head” would load the config from “q.lIIllIIllIllIlllIIIlIIlIIIlIIllIlIIllIlllIlIIIllIIIlIIIllIIIlIlIllIIllIlIll.lIIllIIllIllIlllIIIlIIlIIIlIIllIlIIllIlllIlIIIllIIIlIIIllIIIlIlIllIIllIlIll”, whose content is shown below.

The decrypted config is provided below.

UUID= LUW_U5nQWS6105UbK-AK74u48tVTm7RY8es4cZ37CgJo1QnenY9zPlvA_jK8Ro2J61Om_XHEU6WKQpHSn6qXEQ0uD6DrkEQZbRyOIkWG5OzzQpCEALSYTEiRJpuXn3UU
REPORT_URL= hxxp://159.65.84[.]42:9489/qealler-reloaded/ping
LIB_7Z_URL= hxxp://159.65.84[.]42:12589/lib/7z
LIB_QEALLER_URL=hxxp://159.65.84[.]42:12885/lib/qealler

“q.Head” would follow the config to download a 7z program and a password-protected 7z file containing QaZaqne. It would then use the 7z program to decompress the 7z file with the password “bbb6fec5ebef0d936db0b031b7ab19b6” and execute QaZaqne.
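A small triage script, added here as an example and not part of the original post or the author’s tooling, covering two of the steps above from the defender’s side: flagging high-entropy non-class entries inside the JAR (the pattern behind Dualized.gog) and turning the decrypted KEY=VALUE config into a host/port list for blocking or hunting. The JAR it scans is constructed inside the block, and the 7.5 bits/byte threshold and the key=value parsing are assumptions about this sample rather than facts from the post.

```python
import io, math, random, zipfile
from collections import Counter
from urllib.parse import urlsplit

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java class file starts with this
# Decrypted config exactly as shown in the post (C2 URLs left defanged).
SAMPLE_CONFIG = """UUID= LUW_U5nQWS6105UbK-AK74u48tVTm7RY8es4cZ37CgJo1QnenY9zPlvA_jK8Ro2J61Om_XHEU6WKQpHSn6qXEQ0uD6DrkEQZbRyOIkWG5OzzQpCEALSYTEiRJpuXn3UU
REPORT_URL= hxxp://159.65.84[.]42:9489/qealler-reloaded/ping
LIB_7Z_URL= hxxp://159.65.84[.]42:12589/lib/7z
LIB_QEALLER_URL=hxxp://159.65.84[.]42:12885/lib/qealler"""

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES ciphertext sits near 8.0, class files and text well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def suspicious_entries(jar_bytes: bytes, threshold: float = 7.5) -> list:
    """Non-.class entries that look encrypted (cf. Dualized.gog); 7.5 is an assumed cut-off."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or info.filename.endswith(".class"):
                continue
            blob = jar.read(info)
            if len(blob) >= 256 and shannon_entropy(blob) >= threshold:
                hits.append(info.filename)
    return hits

def parse_config(text: str) -> dict:
    """KEY=VALUE lines to a dict; strips the stray spaces after '=' seen in the sample."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def c2_endpoints(cfg: dict) -> list:
    """Sorted unique (host, port) pairs from *_URL values; refangs hxxp and [.] first."""
    seen = set()
    for key, value in cfg.items():
        if key.endswith("_URL"):
            parts = urlsplit(value.replace("hxxp", "http").replace("[.]", "."))
            seen.add((parts.hostname, parts.port))
    return sorted(seen)

def build_sample_jar() -> bytes:
    """Constructed stand-in for the dropper: manifest, one class, 4 KiB pseudo-random .gog."""
    rng, buf = random.Random(2018), io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: a.Main\n")
        jar.writestr("a/Main.class", CLASS_MAGIC + bytes(200))
        jar.writestr("com/two/utu/Dualized.gog", bytes(rng.getrandbits(8) for _ in range(4096)))
    return buf.getvalue()
```

On the real sample the flagged entry would then be fed to an AES decryption attempt with the key quoted above and checked for the 0xCAFEBABE class-file magic; the endpoint list shows that all three config URLs point at one host on three different ports.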

This password was also discovered and disclosed by Jeff Archer (https://www.scribd.com/document/389597149/Qealler-Unloaded) from a sample found around 17 September 2018. Compared to the sample Jeff worked on, the code appeared to have been modified and contained more obfuscation, which made it more difficult to analyse, but several keys remained the same.

QaZaqne will be discussed in Part 2.

Originally published at https://www.tumblr.com on October 20, 2018.
