A suspicious .class file download triggered the alert.
GET /jb/kukukuk.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows ) Java/1.6.0_22
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Now we can observe that the Host is an octal-encoded host and that the User-Agent indicates Java and its version => a download attempt from an applet.
Now the goal is to identify where it was downloaded from and what it is doing.
Got the pcap and started analyzing.
Got the culprit: poppywort.in. Now I have three things to analyze…
First things first, containment – contain the target machine from infection.
Search the Java cache folder and delete it.
Now analyze the class file to see exactly what it does.
A first look tells me that
1) it takes a value as a parameter (“ololo”) – I have to identify what that parameter value is
2) it calls java.io.tmpdir => it could be the place where the downloaded malware is saved
3) obj – ms0cfg32.exe => probably the file name of the downloaded malware
Immediately my containment strategy is to look for that file, ms0cfg32.exe, and it is not there. Whoosh, why?
Possibility 1) Malware downloaded -> executed -> cleared its traces and stored itself somewhere else
Possibility 2) The exploit failed
I checked the pcap for any executable download after the download of this class file – luckily no executable was downloaded.
I also need to check where the executable is downloaded from. So I have to find out the value of “ololo”.
So I need the applet code to figure it out, which should be in the HTML file.
Analyzing the HTML file with obfuscated JavaScript
Pastebin Link of html – http://pastebin.com/JGxsLNKL
Basically I see the obfuscation works like this:
… some script to decode that writes to “var decodeScript” …
document.write(decodeScript); or eval(decodeScript)
Now my job is to understand the JavaScript that does the decoding.
So, I copy the HTML content to Malzilla -> export the scripts to Decoder -> Format code
Now try to understand the code -> write a stub script replacing document.write() and eval() with alert() to see the content.
Here in this case the variable GCArnehi holds some obfuscated content.
I have beautified the script as shown above. You can see a function like ejvxf(jrcFS) is called. I can figure it out and replace it with
jrcFS += String.fromCharCode(WaAl9qHF[i]^182);
Now I can get the script.
Huh… I got a script that actually deobfuscates the obfuscated text stored in GCArNehi and writes it to file.
So I added this script to the stub script again, beautified it and modified it to see exactly what it does. You can see the modifications in the image below.
I can also see that it only exploits if the browser is IE or Opera.
Finally got the script.
Beautify the script to understand what it is doing and get the required value for “ololo”.
I can see that it has multiple exploits depending on my Java version. If my JRE update version is lower than 18, it downloads a jar file to exploit. Since my Java version is update 22, it downloads kukukuk.class, and the value of ololo is clearly there.
I found it to be an executable. So I checked the logs to see whether this download was processed or not; luckily it was not, hence I am safe and conclude the second possibility – the exploit failed.
If I had a lower Java version, I would be gone.
Moral – ALWAYS UPDATE YOUR SOFTWARE, specifically Microsoft, Java, Adobe.
And the story did not end here, as it exploits PDF as well. If you check the initial scripts, it also downloaded pfa.js, which has a script to identify the versions of plugins, Java, PDF etc.