Analyzing Java exploit with deobfuscating Javascript

A suspicious .class file download triggered the alert.

GET /jb/kukukuk.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows ) Java/1.6.0_22
Host: 2374507291
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

Now we can observe that the Host is an octal host and the User-Agent indicates Java and its version => a download attempt from an applet.

Now the goal is to identify where it was downloaded from and what it does.

Got the pcap and started analyzing.

Got the culprit: poppywort.in. Now I have three things to analyze...

First things first, Containment – contain the target machine from infection.

Search the java cache folder and delete it.
Now analyze the class file to see what exactly it does.

A first look tells me that
1) it takes a value as a parameter (“ololo”) – I have to identify what that parameter value is
2) it calls java.io.tmpdir => this could be the place where the downloaded malware is saved
3) obj – ms0cfg32.exe => probably the file name of the downloaded malware

Immediately my containment step is to look for that file, ms0cfg32.exe, and it is not there. Whoosh, why?
Possibility 1) Malware downloaded -> executed -> cleared its trace and stored itself somewhere else

Possibility 2) The exploit failed to exploit

I checked the pcap for any executable download after the download of this class file – luckily no executable was downloaded.
I also need to check where the executable would be downloaded from. So I have to find out the value of “ololo”.

So I need the applet code to figure that out, which should be in the HTML file.

Analyzing the HTML file with obfuscated JavaScript

Pastebin link of the HTML – http://pastebin.com/JGxsLNKL

Basically I see the obfuscation works like this:

S = “obfuscated javascript/html”;
….
…. some script to decode that writes to “var decodeScript” …
….
document.write(decodeScript); or eval(decodeScript)

Now my job is to understand S and the JavaScript that decodes it.

So, I copy the HTML content to Malzilla -> export the scripts to Decoder -> Format code.
Now try to understand the code -> write a stub script replacing document.write() and eval() with alert() to see the content.

Here in this case variable GCArnehi holds some obfuscated content.

Currently I have beautified the script as shown above. You can see a function like ejvxf(jrcFS) being called. I can figure it out and replace it as

var jrcFS = "";
for (var i = 0; i < WaAl9qHF.length; i++) {
    jrcFS += String.fromCharCode(WaAl9qHF[i] ^ 182); // XOR-decode each byte with key 182
}
alert(jrcFS); // alert() stands in for the original eval()/document.write() so the decoded content is shown, not run

Now I can get the script.

Huh... I got a script that actually deobfuscates the obfuscated text stored in GCArNehi and writes it to the file.
So I added this script to the stub script again, beautified it and modified it to see what exactly it does. You can see the modifications in the image below.
I can also see that it only exploits the browser if it is IE or Opera.

Finally got the script.

Beautify the script to understand what it is doing and get the required value for “ololo”.

I can see that it has multiple exploits depending on my Java version. If my JRE version is less than 18 it downloads a jar file to exploit. Since my Java version is 22 (minor update version) it is downloading kukukuk.class, and the value of ololo is there clearly.
I found it to be an executable. So I checked the logs to see whether this download was processed or not; luckily it was not, hence I am safe and conclude it is the second possibility – the exploit failed to exploit.
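
The stub approach described above (replace the decode routine's eval()/document.write() with a sink that only records the decoded stage, then read the applet parameter out of it), as an added example that is not the post's own stub script. The XOR key 182 and the names ejvxf/WaAl9qHF/jrcFS come from the post; the encoded blob and the value "EXAMPLE-URL" are constructed here.

```javascript
// Added example (not the post's stub script): decode an XOR-182 blob the way
// ejvxf() does, feed it to a capturing sink instead of eval()/document.write(),
// and pull the applet's "ololo" parameter out of the decoded HTML. The blob
// and the value "EXAMPLE-URL" are constructed here.
const XOR_KEY = 182;   // the key visible in the post's decode loop
const captured = [];   // every stage the script tried to execute or write
// Stands in for eval() and document.write(): the decoded stage is recorded
// for reading, never executed (the post used alert() for the same purpose).
function capture(stage) {
  captured.push(String(stage));
}

// Same shape as the post's ejvxf(): XOR each code unit with the key.
function ejvxf(WaAl9qHF, key = XOR_KEY) {
  let jrcFS = "";
  for (let i = 0; i < WaAl9qHF.length; i++) {
    jrcFS += String.fromCharCode(WaAl9qHF[i] ^ key);
  }
  return jrcFS;
}

// Inverse of ejvxf(); used only to build the constructed sample below.
function obfuscate(text, key = XOR_KEY) {
  return Array.from(text, (ch) => ch.charCodeAt(0) ^ key);
}

// Decode the blob and route it the way the page would: markup goes to
// document.write(), script goes to eval(); both are the capturing sink here.
function runStage(encoded) {
  const sandbox = { eval: capture, document: { write: capture } };
  const decoded = ejvxf(encoded);
  if (decoded.trimStart().startsWith("<")) sandbox.document.write(decoded);
  else sandbox.eval(decoded);
  return decoded;
}

// Pull <param name="ololo" value="..."> out of decoded applet markup.
function getAppletParam(html, name) {
  const re = new RegExp('<param\\s+name="' + name + '"\\s+value="([^"]*)"', "i");
  const m = re.exec(html);
  return m ? m[1] : null;
}

// Constructed sample stage mimicking the applet loader the post describes.
const sampleStage = obfuscate('<applet code="kukukuk.class">' +
  '<param name="ololo" value="EXAMPLE-URL"></applet>');
const decodedStage = runStage(sampleStage);
console.log("captured, not executed:", captured[0]);
console.log("ololo =", getAppletParam(decodedStage, "ololo"));
```

Running it prints the decoded markup from the sink and the parameter value without anything from the blob ever being evaluated.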

If I had a lower Java version, I would be gone.
Moral – ALWAYS UPDATE YOUR SOFTWARE, specifically Microsoft, Java, Adobe.

And the story did not end here, as it exploits PDF as well. If you check the initial scripts, it also downloaded pfa.js, which has a script to identify the versions of plugins, Java, PDF etc.

Please find the stubs below:
Stub script to deobfuscate the JavaScript – LINK
Stub Java program that uses the modified kukukuk class to get the details – LINK
Original malicious HTML file – LINK

About wikihead

A Seeker. Information Security Professional, Pursuing Life with Ayurveda.
This entry was posted in Articles, Notes, security.