Unpacking a Malicious Java Applet

Fellow researcher Denis Laskov shared the infection chain of a new exploit pack with a group of security researchers. I was asked to help and was glad to contribute by analyzing the Java applet delivered by this pack. Before I jump in, be sure to check out Denis’ blog post on this exploit pack.

Here is the applet we will be looking at. As Denis mentioned, this is heavily obfuscated and unique to each visitor. There is an embedded object in the JAR file.

[Screenshot]

This file contains gibberish, but there is a visual pattern indicating that it has been XOR’d.

[Screenshot]

Looking at the file with a hex editor, we can tentatively conclude that the file has been XOR’d with the following five-byte key: C9 CB C3 A2 91

[Screenshot]

But let’s examine the JAR more closely and see if we can verify this. After looking through the code, we come across this. We can confirm that it is exploiting the latest Java vulnerability (CVE-2013-0422).

[Screenshot]

Further in the code, we see this. It takes the bytes from arrayOfByte1 and XORs them with the bytes from arrayOfByte2.

[Screenshot]

Let’s fire up Data Converter and enter those values using the settings you see below. I had to modify this program to better handle decimal keys and fix a bug that affected converting large files. Looks like this code is exploiting an older vulnerability!

[Screenshot]

Finally, we get to this piece of code.

[Screenshot]

This code looks similar to the one above, so we’ll use Data Converter with the same settings again. The result looks interesting and warrants further investigation.

[Screenshot]

Let’s change the output format to hex and convert it again. Seeing “CAFEBABE” (the Java class file magic number) indicates that we just found a hidden class file. Clicking “Write to Binary File” saves it directly to a binary file so we can examine it further.

[Screenshot]

Opening the class file in JD-GUI, we browse through the code and get to this routine. We see that it is XOR’ing the payload using five bytes.

[Screenshot]

Now let’s use File Converter with the following settings. The input file is the object found in the JAR file. Pressing the ‘convert’ button produces the executable file that infects the victim’s PC.

[Screenshot]

This new version of File Converter can now handle keys with positive and negative integers as well as hex values. Note that the decimal values -55, -53, -61, -94, and -111 are the same as the hex values C9, CB, C3, A2, and 91 (Java bytes are signed), so entering either form of the key in this program yields the same result.
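As an added example (not the author’s Data Converter or File Converter code), here is the repeating-key XOR the applet performs, taking the key either as the signed byte values seen in the decompiled Java or as hex, and checking the decoded output for the class-file magic the post keys on; the sample blob is constructed.

```python
# Added example, not the Data Converter / File Converter code from the post.
# Repeating-key XOR as used by the applet, with the key given either as Java
# signed byte values (as they appear in decompiled code) or as hex, plus a
# magic-number check on the output. All sample data below is constructed.

CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # Java class file ("CAFEBABE")
PE_MAGIC = b"MZ"                    # Windows executable

def key_from_signed(values):
    """Java byte constants such as -55 are signed; mask each to 0..255."""
    if any(v < -128 or v > 127 for v in values):
        raise ValueError("not a Java signed byte")
    return bytes(v & 0xFF for v in values)

def key_from_hex(text):
    """Parse a hex key as written in the post, e.g. 'C9 CB C3 A2 91'."""
    return bytes.fromhex(text.replace(" ", ""))

def xor_repeating(data, key):
    """XOR every byte of data with key[i % len(key)]; XOR is its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def identify(data):
    """Label decoded output by its magic bytes, as the post does with CAFEBABE."""
    if data.startswith(CLASS_MAGIC):
        return "class"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"

def unpack(blob, key):
    """Decode a blob with the given key and report what it looks like."""
    decoded = xor_repeating(blob, key)
    return decoded, identify(decoded)

# Constructed sample: a fake class header obfuscated with the post's 5-byte key.
SAMPLE_KEY = key_from_signed([-55, -53, -61, -94, -111])
SAMPLE_CLASS = CLASS_MAGIC + b"\x00\x00\x00\x33" + b"\x00" * 8
SAMPLE_BLOB = xor_repeating(SAMPLE_CLASS, SAMPLE_KEY)

if __name__ == "__main__":
    plain, kind = unpack(SAMPLE_BLOB, SAMPLE_KEY)
    print(kind, plain[:4].hex())
```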

You can download the newer versions of the programs above here. I’ll incorporate the changes in the next version of Converter when I’m done testing.

Again, special thanks to Denis for helping me test the programs.
