On 24 October, during my regular malware monitoring hobby, I observed a suspicious infected server in Taiwan (www.grvb.com.tw) which is currently still online. The home page of the server loads a first Java applet from a JAR file “Java.jar” and a second Java applet as a single class file “eiAD.class”.

VirusTotal analysis of “Java.jar” (2990711e7cd04553260a6fbccf8ea6a6) reported 5/43 Java/Downloader detections, and analysis of “eiAD.class” (8d4ddd1e1f41a2e8e18da097ecafecbc) reported 5/44 detections as the CVE-2012-4681 Oracle Java Gondvv exploit. The detection rate is really low, so a deeper analysis of these elements is worthwhile.

Thanks to @_sinn3r, @binjo, @jjarmoc and @maxime_tz for all their advice.

“Java.jar” (pastebin source code) JAR Java/Downloader analysis

This JAR file contains a manifest file which reveals that the file was compiled with “Java 1.6.0_29 (Sun Microsystems Inc.)”, and the JAR file is signed with an RSA signature.

You can see that this self-signed certificate was created on 16 October and pretends to be generated and issued by Microsoft. Signing an applet removes most of the restrictions on it: the signature basically means that the applet writer vouches that the applet is safe. The user of a signed applet can accept it and have it run without most restrictions, or reject it and not have it run at all. A self-signed applet triggers a security warning pop-up advising you of the associated risks. A similar self-signed Java applet could be generated with the java_signed_applet Metasploit exploit module.
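As an added triage example (not code from the post or from the samples it analyzes), the script below builds a constructed JAR in memory whose manifest is shaped like the one the post describes, then pulls out the three things an analyst checks first: the Created-By string, whether META-INF carries signature blocks (a signed applet is what prompts the user to lift the sandbox), and which class files are inside. The manifest contents, signer name and digest are placeholders, not values from Java.jar.

```python
import io
import zipfile


def build_sample_jar() -> bytes:
    """Constructed sample JAR (not the real Java.jar): a manifest in the
    style the post describes plus the META-INF signature files that a
    jarsigner run leaves behind when an applet is signed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\n"
            "Created-By: 1.6.0_29 (Sun Microsystems Inc.)\r\n"
            "\r\n"
            "Name: Java.class\r\n"
            "SHA1-Digest: c29tZXBsYWNlaG9sZGVy\r\n"  # placeholder digest
            "\r\n",
        )
        jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/SIGNER.RSA", b"\x30\x82placeholder PKCS#7 blob")
        jar.writestr("Java.class", b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def parse_manifest_main(text: str) -> dict:
    """Return the main (first) section of a MANIFEST.MF as a dict.
    Continuation lines (leading space) are joined to the previous key."""
    main = text.replace("\r\n", "\n").split("\n\n", 1)[0]
    attrs, last = {}, None
    for line in main.split("\n"):
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


# File suffixes jarsigner uses for the signature block under META-INF/.
SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def inspect_jar(data: bytes) -> dict:
    """Summarise the build tool version, signing status and class entries."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        manifest = parse_manifest_main(
            jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        )
        blocks = [
            n for n in names
            if n.upper().startswith("META-INF/")
            and n.upper().endswith(SIGNATURE_BLOCK_SUFFIXES)
        ]
        classes = [n for n in names if n.endswith(".class")]
    return {
        "created_by": manifest.get("Created-By", ""),
        "signed": bool(blocks),
        "signature_blocks": blocks,
        "classes": classes,
    }


if __name__ == "__main__":
    print(inspect_jar(build_sample_jar()))
```

The signature block is only detected by file presence here; who actually signed it (the post's fake "Microsoft" subject) requires parsing the PKCS#7 blob with a certificate library, which is the next step after this quick look.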

By analyzing the source code of “Java.jar” we can see interesting arrays and functions.

“FCKME” is an array stored as a single string, where a space separates one entry from the next. The guys don't seem to like ESET, the anti-virus editor of NOD32 :)

An encoded string is present and is decoded by the “FJKOKL” function next to it. You can see that entry 29 of the “FCKME” array is used to complete the decoded text.

This function removes all the “[>|<]” tokens from the encoded text, with the following result:

“687474703a2f2f7777772e677672622e636f6d2e74772f75706c6f61642f757365722f66696c65732f6e756d”

The string is hex-encoded; after decoding you get the following result, completed with “FCKME[29]”, which is “.exe”:

“http://www.gvrb.com.tw/upload/user/files/num.exe” (this file no longer exists)

The following table provides all values of the “FCKME” array.

With all these values we are able to decode every “FCKME” reference used in the “Java.jar” code.

As you can see, Java.jar is only a self-signed Java downloader. Finally, as pointed out by @_sinn3r, this applet is most likely used as a plan B if eiAD.class does not fire.

“eiAD.class” (pastebin source code) CVE-2012-4681 Java class file analysis

By analyzing the source code of “eiAD.class” we can see interesting arrays and functions.

This variable seems to be one more reference to ESET, the anti-virus editor, and especially to the “Foxxy Software Outfoxed” blog post (thanks to @binjo).

An encoded string is present and is decoded by the “FJKOKL” function next to it, which is also used in “Java.jar”. A space separates one entry from the next in the “JFI” array.

“FJKOKL” removes all the “[>|<]” tokens from the encoded text, with the following result:

“4e6f7468696e67206c696b652073756e2e206265696e672061206177742e20536f6d6574696d6573204920707574206d792053756e546f6f6c6b697420696e206d7920617373686f6c652120596f752073656520746865206765742069732061204669656c642074686174204e616d6520666f72202e657865206f6b6179202f2f2049206d65616e20676f642064616d6e2074686520676574206973206265696e672073657420666f7220746865205365637572697479204d616e6167657220666f722066696c653a2f202120476f742064616d6e20492077616e7420736f6d65206d696c6b2066726f6d206d79206d6f6d6d696573207469747a20666f72207468617420616363”

The string is hex-encoded; after decoding you get the following result:

“Nothing like sun. being a awt. Sometimes I put my SunToolkit in my asshole! You see the get is a Field that Name for .exe okay // I mean god damn the get is being set for the Security Manager for file:/ ! Got damn I want some milk from my mommies titz for that acc”

The following table provides all values of the “JFI” array.

With all these values we are able to decode every “JFI” reference used in the “Java.jar” code.

With all these variables and the other functions, the code is able to reconstruct the exploit for the CVE-2012-4681 Oracle Java vulnerability.

Another encoded string is present in “eiAD.class”, and it decodes to the same result as the one in “Java.jar”:

“http://www.gvrb.com.tw/upload/user/files/num.exe” (this file no longer exists)

I found an “Author” variable occurrence, “lEZdLl.class”, on pastebin, which was posted by a Guest on 24 September and is equivalent to “eiAD.class”.

The “HGIDO” value of “lEZdLl.class” is “http://212.150.101.32/Facebook_msn.exe” (this file no longer exists).

Below is a demonstration video of the effectiveness of these files against anti-viruses.