# fractureiser/nekoclient reverse engineering notes

*(As of June 7, 2023 1:38 PM UTC, this is basically a final report. I will date any major future edits to this document.)*

*(Update June 7, 2:17 PM UTC - [Click here if you're having lag issues.](https://hackmd.io/@AiNoAino/Hke9ohaLn) I want to put this up preemptively.)*

Nia's notes on her reverse engineering of `client.jar`. Expect this to be a little messy.

The `client.jar` this reverse engineering is based on has the following SHA256 hash: `507cd3f6b701dbdbba86b1cb9bf3ac2e80b8176d60e116970c372caeb7e39eba`.

The initial file I worked with is a version with the string obfuscation removed, produced by aurelium. It has the SHA256 hash: `2687b5e46d061e79952f10e96651fe9955d6b4aebad399a01b73d0b9fd31fd01`. I haven't verified it corresponds fully to `client.jar`, but I see no reason this person wouldn't be working with us. Please ask someone else if you want these files.

A copy of the decompiled/deobfuscated source code can be found [here](https://upload.disroot.org/r/Aobv39YU#HKRSAML1Q+jtKJzffmZde35BOM7M9fY+6nWerHSR96c=). For safety purposes, this version of the source code contains no binaries and will not compile. It is only good enough for analysis of the malware. This link will expire on June 14, 2023 1:31 PM UTC.

**UPDATE - June 7, 2:39 PM UTC:** A new version of the stage3 has been found with hash `611267eb6049f8450021da5dd4b38bebdbd04e9091be090ab10f152732d94bab`. It is not obfuscated. It seems mostly identical to this version, except that the crypto address interception code has been disabled and it can properly steal credentials from Mozilla-based browsers, since the issues caused by obfuscation have been fixed.

**UPDATE - June 7, 3:18 PM UTC:** A decompiled version of the `client.jar` previously mentioned has been [posted publicly on GitHub](https://github.com/clrxbl/NekoClient). The information in this document remains accurate, and is being updated to note the names of files in the actual original code.
**UPDATE - June 7, 3:39 PM UTC:** Finished updating deobfed names into the document.

**UPDATE - June 8, 4:06 AM UTC:** I seem to have misread the spreading code somewhat. The code will try to infect the main class of any .jar that isn't detected as a Minecraft mod.

## General notes

- `client.jar` seems to mostly target Windows - a lot of stuff just doesn't work on Linux or MacOS. It will still run, but most of the payloads to steal data only have code implemented for working on Windows. You aren't *safe*, still, as it still has functionality that can run arbitrary code.

## Exact infection method

- The infection code tries to traverse the entire filesystem of the host system, skipping the following files:
  - Any recycle bin.
  - The Java home path.
  - The `client.jar` file itself.
- The code performs several checks to see if a file with an extension of `.jar` is a viable candidate for infection. If any of these conditions are met, it proceeds to the next step:
  - It is a Minecraft .jar containing the class `net/minecraft/client/main/Main`. The `net/minecraft/client/gui/GuiMultiplayer` class will be infected as well, but that class alone isn't enough to cause it to attempt an infection.
  - It is a Forge mod containing any class marked with an annotation of the type `net/minecraftforge/fml/common/Mod`.
  - It is a Fabric mod containing any class that implements the interface `net/fabricmc/api/ModInitializer`.
  - It is a Bungee plugin containing any class that extends `net/md_5/bungee/api/plugin/Plugin`.
  - It is a Bukkit plugin containing any class that extends `org/bukkit/plugin/java/JavaPlugin`.
  - (**Update June 8, 4:06 AM UTC**) If it is none of the above, and contains a main class, the main class will be marked for infection.
  - Any class that contains a constant string containing the IP address of the command & control server is excluded.
- The infection code attempts to overwrite the .jar file with a new one.
  It contains all files from the source file, with the following modifications:
  - The files `META-INF/CERTIFIC.RSA`, `META-INF/CERTIFIC.EC`, `META-INF/CERT.SF` and `META-INF/CERTIFIC.SF` are excluded from the jar file, effectively disabling code signing.
  - The manifest `META-INF/MANIFEST.MF` is cleared using `manifest.getEntries().clear()`. I'm not clear on what exactly this does, considering that the manifest files generated are not empty.
  - Any class files marked in the previous step are modified as follows:
    - If it contains a `<clinit>` method:
      - A new method is created with a name consisting of an underscore followed by a random UUID with the dashes removed (e.g. `_c3b73e691d7f40f1b47d800b0dc8238d`). This method's body is the same as the body of the method in `dev.neko.nekoinjector.Loader` in the `client.jar` file.
      - An `invokestatic` instruction that calls the new method is inserted at the beginning of the `<clinit>` method.
    - If the class does not contain a `<clinit>` method, then instead the new method is directly created as `<clinit>`.
  - The metadata of the new `.jar` file is modified to match the old one.

  (references: the class `dev.neko.nekoclient.c` and the package `dev.neko.e`) (deobf: class `dev.neko.nekoclient.Client` and package `dev.neko.nekoinjector`)

## Other nasty stuff this is known to do

- Attempts to replace cryptocurrency addresses on the clipboard with the attacker's (`dev.neko.nekoclient.o.e.*`)
- Has botnet functionality to DDoS a target. (`dev.neko.nekoclient.q.e.e.j` / deobf: `dev.neko.nekoclient.packet.listener.impl.DDoSPacketListener`)
- Can run arbitrary shell commands on the system. (`dev.neko.nekoclient.q.e.e.h` / deobf: `dev.neko.nekoclient.packet.listener.impl.CommandPacketListener`)
- Apparently can be used as a proxy by the C&C server. Not too sure on how exactly this works.
  (`dev.neko.nekoclient.q.e.e.m` / deobf: `dev.neko.nekoclient.packet.listener.impl.ProxyPacketListener`)

## Data known to be stolen

- Basic information about the system (`dev.neko.nekoclient.e.m` / deobf: `dev.neko.nekoclient.utils.HardwareIDUtil`):
  - Things like the operating system, user name, user directory name, language, CPU, hostname, memory size, etc. Includes the IP address and the MAC addresses of all network interfaces.
- Microsoft Live/Xbox Live login information (`dev.neko.nekoclient.api.e.y.*` / deobf: `dev.neko.nekoclient.api.stealer.msa.*`):
  - ~~This *appears* to only be used to try to get at the Minecraft login information, but I could be wrong here. It's safer to consider your Live account to be compromised.~~
  - **Update June 7, 3:34 PM UTC**: I seem to be wrong here.
- Minecraft logins from several sources (`dev.neko.nekoclient.api.e.y.*` / deobf: `dev.neko.nekoclient.api.stealer.msa.*`):
  - Official Minecraft Launcher
  - LabyMod
  - PrismLauncher
  - Technic Launcher
  - Feather Client
  - PolyMC
  - (Possibly other launchers I've missed. These were all I could find.)
- Discord user information:
  - Login information and tokens (`dev.neko.nekoclient.api.e.q.*` / deobf: `dev.neko.nekoclient.api.stealer.discord.*`)
  - Collects billing information from `https://discord.com/api/v9/users/@me/billing/payment-sources`. I'm not sure what can be retrieved from here.
    (`dev.neko.nekoclient.q.e.e.i` / deobf: `dev.neko.nekoclient.packet.listener.impl.RequestDiscordPacketListener`)
- Cookies and login data for the following browsers (`dev.neko.nekoclient.api.e.e.*` / deobf: `dev.neko.nekoclient.api.stealer.browser.*`):
  - Mozilla Firefox ~~(*A bug prevents client.jar from decrypting login credentials.*)~~
  - Google Chrome
  - Microsoft Edge
  - Opera (including Opera GX and Opera Crypto)
  - Waterfox ~~(*A bug prevents client.jar from decrypting login credentials.*)~~
  - Pale Moon ~~(*A bug prevents client.jar from decrypting login credentials.*)~~
  - SeaMonkey ~~(*A bug prevents client.jar from decrypting login credentials.*)~~
  - Brave Browser
  - Vivaldi
  - Yandex
  - Slimjet
  - Cent Browser
  - Comodo
  - Iridium
  - UCBrowser
  - CryptoTab Browser
- Cryptocurrency wallets
  - From Exodus wallet (`dev.neko.nekoclient.q.e.e.A` / deobf: `dev.neko.nekoclient.packet.listener.impl.RequestExodusPacketListener`)
  - nothing else. specifically Exodus wallet. yep. :D

## Mysteries

- What the heck is going on in **dev.neko.nekoclient.api.windows.e.A**. It does something with shortcuts and the clipboard when it detects it's running under the user account `WDAGUtilityAccount`, and claims it's "escaping" a sandbox. No idea if it works or what it's achieving.
  - This appears intended to escape a very specific Windows feature: https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview. Thx @coehlrich.
  - No idea how it works; probably not worth looking too deeply into.

## Misc Information

* Cryptocurrency addresses found.
  These are what the bot replaces addresses it finds on the clipboard with:
  * **BTC**: `bc1q75kyl5s9l8kmtuhspkr7e8cen9r5dx78fxfe8h`
  * **LTC**: `LQzR1f6b3ztnSqxGZs1wtXnkwin4MeBfPc`
  * **ETH**: `0x31683c675a3677E226496CC3F4E028c8577d30FA`
  * **XRP**: `rGGzBfSXy7C8Wcg3HE4ff7rchzTfoamZy3`
  * **XMR**: `49GsAVEgVt72YA59Ns5gvp2w6yq8GiV9dcHawwt6GEEjK3AxPaQie5TUvLyGULSixg44fiu8RnBcUQ6bENATixZYLXVbLq8`
  * **BCH**: `qrp6alx43p0y59j7nd8cql24twk2hdk6hy4ecsv32h`
  * **DOGE**: `DSL7DgnebZ6D5qssKKWfG5VV2PeMd7qZQw`
* The initial decompilation was done as follows:
  * I started with a `.jar` with the string obfuscation stripped, thanks to aurelium.
  * I ran this file through ProGuard to rename all the methods into something broadly reasonable. This made the output a lot cleaner.
  * I ran QuiltFlower with the following flags: `-rbr=false -rsy=false -udv=false -lac=true`. The most important of these flags are the ones to not ignore synthetic methods - the obfuscator seems to have marked methods/fields as synthetic to hide them from the output of most decompilers.
  * Afterwards, I mostly used the refactoring tools of a normal IDE to make sense of the code and fix up remaining issues.
* As for `hook.dll`, I can confirm NotNite's analysis of it:
  * It contains a method `Java_dev_neko_nekoclient_api_windows_WindowsHook_retrieveClipboardFiles` that is used to download data relating to the clipboard. This does *not* seem to be used to send to the server, but only as part of the Windows Sandbox escape code?
  * It contains a second method `Java_dev_neko_nekoclient_api_windows_WindowsHook_retrieveMSACredentials` that is used to retrieve Microsoft Live credentials. This only seems to be used to log into Minecraft, and is not directly delivered to the command & control server, strangely, at least in the version I have.
* If you want to poke at this yourself in IDA or Ghidra, this may be useful to you: [jni-all.h](https://gist.githubusercontent.com/Jinmo/048776db75067dcd6c57f1154e65b868/raw/89af26807eaa8bb31e35da63e102b0abfa311580/jni_all.h)
* The sqlite-jdbc and JNA native libraries appear unmodified from a stock version, and likely don't contain extra backdoors.

## Reverse engineering notes

I wrote these notes while I was reverse engineering the malware and cleaned them up after. These are probably still messy.

- **dev.neko.nekoclient.q** (deobf: `dev.neko.nekoclient.packet`) - This package implements the communication between `client.jar` and the command & control server. Notable classes are:
  - **PacketType** / **dev.neko.nekoclient.q.C** (deobf: `dev.neko.nekoclient.packet.Packet`) - encodes/decodes the data sent to/from the server
  - **PacketHandler** / **dev.neko.nekoclient.q.e.C** (deobf: `dev.neko.nekoclient.packet.listener.PacketListener`) - handles setting up the instance of `dev.neko.nekoclient.q.C` for actually sending data to the server. Sometimes the stealing/encoding is here, sometimes it's in the other class. Can't tell why exactly yet. The code pattern implies this has a `<T>` type parameter corresponding to the associated `PacketType`.
  - **BaseCommand** / **dev.neko.nekoclient.q.y.C** (deobf: `dev.neko.nekoclient.packet.impl.NoncePacket`) - seems to be a root class that all packets sent to/from the server implement. Implements `PacketType`.
- **dev.neko.nekoclient.q.y.y** (deobf: `dev.neko.nekoclient.packet.impl`) - This package contains the actual definitions for the packets/etc. that are sent between the client and server.
- **dev.neko.nekoclient.q.e.e** (deobf: `dev.neko.nekoclient.packet.listener.impl`) - Contains the actual packet handlers for the server's requests. Known commands are as follows:
  - **command** (*dev.neko.nekoclient.q.e.e.h* / deobf: `dev.neko.nekoclient.packet.listener.impl.CommandPacketListener`) - Runs an arbitrary shell command on the system.
    Wee.
  - **ddos** (*dev.neko.nekoclient.q.e.e.j* / deobf: `dev.neko.nekoclient.packet.listener.impl.DDoSPacketListener`) - Apparently this bot has a button for making a DDOS!! Lovely. :D D:
  - **disconnect** (*dev.neko.nekoclient.q.e.e.G* / deobf: `dev.neko.nekoclient.packet.listener.impl.DisconnectPacketListener`) - Seems to make the client disconnect.
  - **hello** (*dev.neko.nekoclient.q.e.e.b* / deobf: `dev.neko.nekoclient.packet.listener.impl.HelloPacketListener`) - Sends metadata relating to the user's operating system, basic user information, and the version of the client.
  - **proxy** (*dev.neko.nekoclient.q.e.e.m* / deobf: `dev.neko.nekoclient.packet.listener.impl.ProxyPacketListener`) - Allows the server to tell a client to send data to a remote server. Haven't looked too closely at the details.
  - **requestbrowserdata** (*dev.neko.nekoclient.q.e.e.l* / deobf: `dev.neko.nekoclient.packet.listener.impl.RequestBrowserDataPacketListener`) - Handles extracting browser cookies and logins.
  - **requestdiscord** (*dev.neko.nekoclient.q.e.e.i* / deobf: `dev.neko.nekoclient.packet.listener.impl.RequestDiscordPacketListener`) - Handles extracting Discord login information.
  - **requestexodus** (*dev.neko.nekoclient.q.e.e.A* / deobf: `dev.neko.nekoclient.packet.listener.impl.RequestExodusPacketListener`) - Handles extracting information from the Exodus wallet client.
  - **requestmsa** (*dev.neko.nekoclient.q.e.e.c* / deobf: `dev.neko.nekoclient.packet.listener.impl.RequestMSAPacketListener`) - Handles extracting Minecraft login information.
  - **updatemodule** (*dev.neko.nekoclient.q.e.e.C* / deobf: `dev.neko.nekoclient.packet.listener.impl.UpdateModulePacketListener`) - Sets whether a module is enabled or not. Of note, the only module that seems to exist is the one for cryptocurrency hijacking on the clipboard.
- **dev.neko.nekoclient.api.q** (deobf: `dev.neko.nekoclient.api.info`) - Structures for system information. Constructed in `Client`.
- **dev.neko.nekoclient.api.windows.e** (deobf: `dev.neko.nekoclient.api.windows.vmescape`) - Seems to be related to breaking out of [Windows Sandbox](https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview), a specific Windows feature. Not too sure how this works.
- **dev.neko.nekoclient.api.e.q** (deobf: `dev.neko.nekoclient.api.stealer.discord`) - Handles extracting Discord tokens from the computer.
- **dev.neko.nekoclient.api.e.e** (deobf: `dev.neko.nekoclient.api.stealer.browser`) - Handles extracting browser cookies and login information from the computer. Notable classes:
  - **dev.neko.nekoclient.api.e.e.C** (deobf: `dev.neko.nekoclient.api.stealer.browser.impl.BrowserDataStealer`) - main class for extracting browser info
  - **dev.neko.nekoclient.api.e.e.c** (deobf: `dev.neko.nekoclient.api.stealer.browser.BrowserData`) - stores all login data
  - **dev.neko.nekoclient.api.e.e.e.C** (deobf: `dev.neko.nekoclient.api.stealer.browser.impl.credential.Credential`) - stores login information
  - **dev.neko.nekoclient.api.e.e.y.C** (deobf: `dev.neko.nekoclient.api.stealer.browser.cookie.Cookie`) - stores cookie information
  - **dev.neko.nekoclient.api.e.e.q.C** (deobf: `dev.neko.nekoclient.api.stealer.browser.impl.decrypt.chrome.ChromeDecryptor`) - handles decrypting Chrome secret information
  - **dev.neko.nekoclient.api.e.e.e.e** (deobf: `dev.neko.nekoclient.api.stealer.browser.impl.decrypt.mozilla`) - Code to access the nss3.dll library from Firefox.
    - It's broken because the obfuscator they used changed the names in the jni `Library` definitions for the methods actually found in nss3. As a result, decrypting user passwords for Firefox-based browsers is broken, at least in the version I have a sample of.
      - **This is fixed as of a more recent update - they disabled the obfuscator.**
- **dev.neko.nekoclient.api.e.y** (deobf: `dev.neko.nekoclient.api.stealer.msa`) - Code to steal Minecraft login information. Notable classes:
  - **dev.neko.nekoclient.api.e.y.e.A** (deobf: `dev.neko.nekoclient.api.stealer.msa.auth.ClientType`) - appears to store different API keys that may be used to log into Minecraft with
  - **dev.neko.nekoclient.api.e.y.e.e.i** (deobf: `dev.neko.nekoclient.api.stealer.msa.auth.credentials.MinecraftCredentials`) - stores Minecraft login tokens
  - **dev.neko.nekoclient.api.e.y.C** (deobf: `dev.neko.nekoclient.api.stealer.msa.impl.MSAStealer.RefreshToken`) - seems to be the root class for storing Minecraft logins
  - **dev.neko.nekoclient.api.e.y.c** (deobf: `dev.neko.nekoclient.api.stealer.msa.impl.MSAStealer`) - actually does the stealing of credentials
- **dev.neko.nekoclient.o.e** - Code related to trying to hijack cryptocurrency transfers by replacing addresses in the clipboard.
- **dev.neko.nekoclient.api.e.y.e** - Seems to contain a small library for accessing the Minecraft launcher API.
- **dev.neko.nekoclient.e** - Generic kitchen-sink utility package, malware edition. Notable classes:
  - **dev.neko.nekoclient.e.m** - appears to write a bunch of system information to some file format
- **dev.neko.e** (deobf: `dev.neko.nekoinjector`) - Contains the code used to infect other jar files with the stage0 bootstrap. Notable classes:
  - **InfectionMethod** / **dev.neko.e.e.C** - The base class for all infection methods.
  - **FMLModInfection** / **dev.neko.e.e.e.A** - The handler for infecting Forge Mod Loader mods.
  - **BukkitPluginInfection** / **dev.neko.e.e.e.C** - The handler for infecting Bukkit plugins.
  - **MinecraftInfection** / **dev.neko.e.e.e.c** - The handler for infecting Minecraft's own client jar. This may not actually work? Going to check how the handling for signed binaries works.
  - **FabricModInfection** / **dev.neko.e.e.e.i** - The handler for infecting Fabric mods.
  - **BungeePluginInfection** / **dev.neko.e.e.e.l** - The handler for infecting Bungee plugins.
  - **dev.neko.e.q.C** - Container for .jar data.
  - **dev.neko.e.q.c** - Container for class data.
- **e.e.e** - Appears to be minimal-json, used across the malware. I have no idea why this is the only dependency that's been obfuscated.
  - Repository: https://github.com/ralfstx/minimal-json
- **dev.neko.nekoclient.api.y.e** - Implementation for the various ways the malware can DDoS targets. Pretty boring.
  - Most interesting thing about this is that it's got code that's specifically designed to target Minecraft servers. Who knows how well it works.
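As an added example (not code from these notes or from the NekoClient repository), here is a small Python scanner for the infection marker described in the "Exact infection method" section above: the injector adds a static method named `_` plus a UUID with the dashes removed, and that name must appear as a `CONSTANT_Utf8` entry in the modified class's constant pool. The scanner walks the constant pool of every `.class` entry in a jar itself, so it needs no Java tooling; the sample class files and jar at the bottom are constructed for demonstration and are not real samples.

```python
# Added detection sketch (not the malware's own code): walk each class file's
# constant pool and flag names of the form '_' + 32 hex chars, the method the
# injector adds and calls from <clinit>.  Sample inputs below are constructed.
import io
import re
import struct
import zipfile

INJECTED_NAME = re.compile(rb"^_[0-9a-f]{32}$")

# Payload size of fixed-size constant-pool entries by tag.  Tag 1 (Utf8) is
# variable length; Long (5) and Double (6) take two pool slots.
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def constant_pool_utf8(class_bytes: bytes) -> list:
    """Return every CONSTANT_Utf8 string in a class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", class_bytes[8:10])[0]
    pos, index, out = 10, 1, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then modified-UTF-8 bytes
            length = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            out.append(class_bytes[pos + 2:pos + 2 + length])
            pos += 2 + length
        else:
            pos += _FIXED_SIZE[tag]
        index += 2 if tag in (5, 6) else 1
    return out

def injected_method_names(class_bytes: bytes) -> list:
    """Names in this class matching the injector's '_<32 hex>' pattern."""
    return [u.decode("ascii") for u in constant_pool_utf8(class_bytes)
            if INJECTED_NAME.match(u)]

def scan_jar_bytes(jar_bytes: bytes) -> dict:
    """Map each .class entry in a jar to the suspicious names found in it."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            if entry.endswith(".class"):
                found = injected_method_names(zf.read(entry))
                if found:
                    hits[entry] = found
    return hits

# Constructed sample inputs (assumptions for demonstration, not real samples).
def make_class(utf8_entries: list) -> bytes:
    """Minimal class-file prefix: header plus a Utf8-only constant pool."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(e)) + e for e in utf8_entries)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(utf8_entries) + 1) + pool

def make_jar(classes: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in classes.items():
            zf.writestr(name, data)
    return buf.getvalue()

CLEAN_CLASS = make_class([b"<clinit>", b"()V", b"java/lang/Object"])
INFECTED_CLASS = make_class([b"<clinit>", b"_c3b73e691d7f40f1b47d800b0dc8238d", b"()V"])
SAMPLE_JAR = make_jar({"a/Clean.class": CLEAN_CLASS, "a/Main.class": INFECTED_CLASS})
```

A name match alone is only a lead, since legitimate obfuscators can also emit underscore-plus-hex names; confirm a hit by checking that the class's `<clinit>` really begins with an `invokestatic` to the flagged method, as described above.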