JAVA Sound Malware

Hello guys,

I'm sorry for the few posts in the last weeks, but I was quite busy. Today I am going to analyze another interesting JAVA malware.

Our target is a jar, md5: 38f083169319d0141532db992d295448. The jar contains one class: AppletX. After running a Java decompiler on our target, we get the AppletX class code.

I will report only the relevant parts. Let's go.


First, the malware tries to discover the operating system in use via System.getProperty("os.name"), then it fills str1 according to the OS found.

At this point the malware proceeds by exploiting a vulnerability in the getSoundBank method [CVE-2009-3867] to execute malicious code on the victim's system. It retrieves the applet parameters sc and np (meaningful names) and then uses the following spray method to place the shellcode:


As we can see, this function simply converts the parameters into hex and then calls the real spray method:


This method is the heart, or engine if you prefer, of the malware. I have underlined the value of the variable i, since I have found another variant of this malware, md5: 52586e8a85188a0ada59294650c91362, that only changes the value of i to a higher value.

This malware is another good reason to turn off all java* content while browsing the web. As always, feedback and comments are welcome.

I hope you have enjoyed this post.
See you soon ;]

WoW Infostealer

Just a quick analysis of a WoW infostealer (md5: D214BD51E47DFD3DEA97B5A2ED28CBF5 / ThreatExpert).

The program is a simple dropper: there are no anti-debug tricks, nor does it use complex obfuscation techniques; it just extracts the DLL (md5: 7DEFE341246BB1DE68A7AFB233FB8CAF) that contains the core of the virus. The DLL itself is spread across multiple (scrambled) resources inside the dropper:

The resources are extracted and concatenated to form the DLL at C:\Windows\System32\msnjkwfb.dll; after that the dropper invokes a function in the DLL responsible for the installation and then deletes itself.

The installer registers the DLL for autorun, retrieves the WoW path and copies the DLL into it under the name msvcr70.dll; afterwards it injects code into the WoW executable (wow.exe): it adds a section (.ngaut) and changes the program entry point to its own code. The injected code just loads msvcr70 and gives control back to the original entry point.
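The entry point redirection above leaves a footprint a defender can check for on disk. The following script is an added example, not the post's own descrambler or any code from the malware: it parses the PE headers of a 32-bit executable with struct only and reports an entry point that lies outside .text, in the last (appended) section, or alongside a section named .ngaut. The build_pe helper and its section layout are constructed test data, not taken from the real wow.exe.

```python
import struct
import sys

CODE_SECTIONS = {b".text", b"CODE"}  # where a normally linked entry point lives

def parse_pe(data: bytes):
    """Return (entry_rva, [(name, rva, virtual_size), ...]) of a PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    opt = pe + 24                                          # optional header start
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):                                  # section table follows the optional header
        name, vsize, rva = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), rva, vsize))
    return entry_rva, sections

def check_entry_point(data: bytes):
    """Findings for the infection pattern described above; empty list = looks clean."""
    entry_rva, sections = parse_pe(data)
    holder = next((s for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    findings = []
    if holder is None:
        findings.append("entry point is outside every section")
    elif holder[0] not in CODE_SECTIONS:
        findings.append(f"entry point lies in section {holder[0].decode(errors='replace')}")
        if holder == sections[-1] and len(sections) > 1:
            findings.append("that section is the last one, i.e. likely appended")
    if any(s[0] == b".ngaut" for s in sections):
        findings.append("section .ngaut present, the name used by this infostealer")
    return findings

def build_pe(sections, entry_rva):
    """Constructed, code-free 32-bit PE header used only to exercise the checks."""
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                               # PE32 optional header
    struct.pack_into("<H14xI", opt, 0, 0x10B, entry_rva)              # Magic, AddressOfEntryPoint
    img += opt
    for name, rva, vsize in sections:                                 # IMAGE_SECTION_HEADER x N
        img += struct.pack("<8sIIIIIIHHI", name, vsize, rva, vsize, 0, 0, 0, 0, 0, 0x60000020)
    return bytes(img)

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:                                # e.g. a wow.exe to inspect
        print(check_entry_point(f.read()) or ["no findings"])
```

Run it against a known-good copy of the executable first, since some packers and protectors also place the entry point in a non-.text section and will show up as findings.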

When the DLL is loaded by wow.exe it starts searching for the main window and then checks the window's title ("World of Warcraft") and class ("GxWindowClassD3d"); if both checks succeed it acquires SeDebugPrivilege and spawns a thread that collects the information using static offsets into the program. Once all the information is gathered it sends an HTTP request to:

with the following request:

?WOWID=%s&Area=%s&WU=%s&WP=%s&MAX=%d/%d&Gold=%d&Serv=%s&rn=%s&key=%s

The site is still up at this time, so be careful, WoW gamers :P

P.S. For those interested, here is the py script to descramble and merge the extracted resources