











Scrolling down the class tree on the left, we soon come to the "Viante" class and this is where the main functionality of this malware resides.We can see that this particular code is fairly straightforward and is very lightly obfuscated with randomly named variables. However, we can easily follow the execution path and tell that the malware will reach out to "http://191.252.2.91/0509/" to download "kk.zip". If we manually visit this IP and subdirectory we can see that the malware author has staged many other zips for download:We downloaded all of the Zips above to check their contents and they were all the same. The only variance is the initial Zip name as seen above. This is indicative of the author distributing different variants which are coded to download each of the different named zips. Since all files contain the same malware it does not look like this JAR is set to distribute different malware campaigns e.g.(one for ransomware, another for banking trojans, another for adware, etc.)