Unpacking a Malicious Java Applet

Fellow researcher Denis Laskov shared the infection chain of a new exploit pack with an impressive bunch of security researchers. For some reason, I got called to help and was more than willing to contribute by analyzing the Java applet delivered by this pack. Before I jump in, be sure you check out Denis' blog post on this exploit pack.

Here is the applet we will be looking at. As Denis mentioned, this is heavily obfuscated and unique to each visitor. There is an embedded object in the JAR file.

This file contains gibberish but there is a visual pattern indicating that it has been XOR'd.

Looking at the file with a hex editor, we can probably conclude that the file has been XOR'd with the following five bytes: C9 CB C3 A2 91

But let's examine the JAR more closely and see if we can verify this. After looking through the code, we come across this. We can confirm that it is exploiting the latest Java vulnerability (CVE-2013-0422).

Further in the code, we see this. This takes the bytes from arrayOfByte1 and XORs them with the bytes from arrayOfByte2.

Let's fire up Data Converter and enter those values using the settings you see below. I had to modify this program to better handle decimal keys and fix a bug that affected converting large files. Looks like this code is exploiting an older vulnerability!

Finally, we get to this piece of code.

This looks like the code above, so we'll use Data Converter with the same settings again. The result looks interesting and warrants further investigation.

Let's change the output format to hex and convert it again. Seeing "CAFEBABE" indicates that we just found a hidden class file. If you click on "Write to Binary File", we can save it directly to a binary file to examine it further.

Opening the class file in JD-GUI, we browse through the code and get to this routine. We see that it is XOR'ing the payload using five bytes.

Now let's use File Converter with the following settings. The input file is the object found in the JAR file. Pressing the 'Convert' button results in an executable file that infects the victim's PC.

This new version of File Converter can now handle keys with positive and negative integers as well as hex values. Note that the decimal values -55, -53, -61, -94, and -111 are the same as the hex values C9, CB, C3, A2, and 91, so entering either set of keys yields the same results.
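As an added example (my own script, not the post's Data Converter or File Converter tools), the following Python reproduces what the two XOR routines above do and the signed/hex key equivalence: a repeating-key XOR decoder, a key guess based on the repeating pattern a hex editor shows (zero runs in the plaintext leak the key), and a check for the CAFEBABE class magic. The encoded sample blob is constructed here, not taken from the applet.

```python
from collections import Counter

KEY_HEX = bytes.fromhex("C9CBC3A291")          # the five key bytes from the post
KEY_DEC = [-55, -53, -61, -94, -111]           # the same key as Java signed bytes
CLASS_MAGIC = bytes.fromhex("CAFEBABE")        # Java class file magic


def key_from_java_bytes(values):
    """Java's byte is signed; mask to 0..255 so -55 and 0xC9 give the same key byte."""
    return bytes(v & 0xFF for v in values)


def xor_decode(data, key):
    """Repeating-key XOR, as in the applet's loop over arrayOfByte1/arrayOfByte2."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key(data, key_len):
    """Recover a repeating XOR key from the pattern a hex editor shows: long zero
    runs in the plaintext leak the key, so the most common byte at each position
    modulo key_len is very likely the key byte at that position."""
    return bytes(Counter(data[i::key_len]).most_common(1)[0][0] for i in range(key_len))


def identify(blob):
    """Classify a decoded blob by its magic bytes."""
    if blob.startswith(CLASS_MAGIC):
        return "java class"
    if blob.startswith(b"MZ"):
        return "PE executable"
    return "unknown"


# Constructed sample: a fake class file (magic, version, zero padding, trailing bytes)
# XOR'd with the key. XOR is its own inverse, so encoding uses the same function.
SAMPLE_PLAIN = CLASS_MAGIC + b"\x00\x00\x00\x34" + bytes(64) + b"decoy"
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN, KEY_HEX)


if __name__ == "__main__":
    k = guess_key(SAMPLE_ENCODED, 5)
    print("guessed key:", k.hex().upper())
    print("decoded type:", identify(xor_decode(SAMPLE_ENCODED, k)))
```

On a real embedded object, run guess_key against the raw file for a few candidate key lengths and keep the one whose decoded output starts with a known magic.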

You can download the newer versions of the programs above here. I'll incorporate the changes in the next version of Converter when I'm done testing.

Again, special thanks to Denis for helping me test the programs.

Posted on: 01/14/2013