The JAR file contains four class files in the bpac package:
- KAVS.class;
- a$1.class;
- a.class - the applet;
- b.class - the URL decrypter.
The applet starts out by generating a random name for the executable under the system temporary directory (taken from the java.io.tmpdir system property). The name is made up entirely of random digits, with the extension ".exe" appended.
Next, it checks whether the operating system is Windows by searching for the string "Windows" in the os.name system property.
If the OS checks out, the applet downloads the file to that path and executes it with a call to Runtime#exec.
The code is somewhat obfuscated; for example, the names of the system properties java.io.tmpdir and os.name appear reversed.
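One way to spot this trick mechanically, as an added example rather than code from the post or from the applet: the reversed names are ordinary CONSTANT_Utf8 entries in the class file's constant pool, so a scanner that walks the pool and reverses each string can flag them. The SAMPLE class-file stub below is constructed here to exercise the scanner; it is not the bpac applet, and the set of known property names is an assumption limited to the two the post mentions.

```python
import struct

# System property names the applet hides by storing them reversed
# (assumption: only the two named in the analysis are checked here).
KNOWN_PROPERTIES = {"java.io.tmpdir", "os.name"}

# Byte width of the fixed-size constant pool tags (JVM spec 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def utf8_constants(class_bytes):
    """Return every CONSTANT_Utf8 string in the class file's constant pool."""
    magic, = struct.unpack_from(">I", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    count, = struct.unpack_from(">H", class_bytes, 8)  # constant_pool_count
    pos, index, out = 10, 1, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            length, = struct.unpack_from(">H", class_bytes, pos)
            pos += 2
            out.append(class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        index += 2 if tag in (5, 6) else 1  # Long and Double take two slots
    return out


def reversed_property_strings(class_bytes):
    """Map each reversed string constant to the property name it conceals."""
    return {s: s[::-1] for s in utf8_constants(class_bytes)
            if s[::-1] in KNOWN_PROPERTIES}


def build_class_stub(strings):
    """Constructed class-file prefix whose pool holds the given strings plus one Class entry."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()
                    for s in strings)
    pool += b"\x07" + struct.pack(">H", 1)  # CONSTANT_Class -> first Utf8 (exercises a fixed tag)
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 49, len(strings) + 2)
    return header + pool  # fields after the pool are omitted; the scanner stops before them


# Constructed sample: two reversed property names next to ordinary strings.
SAMPLE = build_class_stub(["ridpmt.oi.avaj", "eman.so", "Windows", "java/lang/Runtime"])

if __name__ == "__main__":
    for hidden, plain in reversed_property_strings(SAMPLE).items():
        print(f"{hidden!r} reverses to {plain!r}")
```

Running it on a real class file is a matter of passing `open(path, "rb").read()` instead of SAMPLE; on a pool using tags the table does not list the scanner stops with an error rather than guessing offsets.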
We have observed two variants of the decrypter:
- One performs a series of single-character replacements on the URL, then appends the string "?i=1".
- The other is more complex: it assumes the URL is not encrypted at all and duplicates some of the applet's code. It downloads the file at the given URL, assumes it is a PE executable, and checks the Characteristics field of the IMAGE_FILE_HEADER for 0x2000, i.e., IMAGE_FILE_DLL.
It generates a random name made up of digits for the executable under the system temporary directory and appends the proper extension depending on whether the file is a DLL or an EXE. If it is an EXE, it executes it with a call to Runtime#exec, just like the applet does; if it is a DLL, it registers it using regsvr32.
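The second variant's DLL-versus-EXE decision, reconstructed as an added Python example (not the decrypter's own code): read e_lfanew from the DOS header, check the "PE\0\0" signature, and read Characteristics from the IMAGE_FILE_HEADER that follows it. Unlike the decrypter, which simply assumes the download is a PE, this version returns None for anything that is not one. The number of digits in the generated name, the regsvr32 command line and the constructed PE images are assumptions made for illustration.

```python
import os
import random
import struct
import tempfile

IMAGE_FILE_DLL = 0x2000  # the Characteristics bit the decrypter tests


def pe_characteristics(data):
    """Return IMAGE_FILE_HEADER.Characteristics, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    # IMAGE_NT_HEADERS: 4-byte signature, then IMAGE_FILE_HEADER (20 bytes):
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    characteristics, = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return characteristics


def is_dll(data):
    """True when the IMAGE_FILE_DLL bit is set; False for an EXE or a non-PE blob."""
    c = pe_characteristics(data)
    return c is not None and bool(c & IMAGE_FILE_DLL)


def dropper_target(data, digits=8, tmpdir=None):
    """Path the decrypter would drop to: digit-only name, extension chosen by the DLL bit.
    The digit count is an assumption; the analysis only says the name is all digits."""
    ext = ".dll" if is_dll(data) else ".exe"
    name = "".join(random.choice("0123456789") for _ in range(digits))
    return os.path.join(tmpdir or tempfile.gettempdir(), name + ext)


def launch_command(path):
    """Command the decrypter would run: regsvr32 for a DLL, the file itself for an EXE.
    Assumption: regsvr32 is invoked with just the path; the analysis gives no flags."""
    return ["regsvr32", path] if path.lower().endswith(".dll") else [path]


def build_pe(characteristics):
    """Constructed minimal PE: DOS stub with e_lfanew, PE signature, IMAGE_FILE_HEADER."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + file_header


if __name__ == "__main__":
    for label, blob in (("dll", build_pe(0x2102)), ("exe", build_pe(0x0102)),
                        ("junk", b"<html>not a PE</html>")):
        target = dropper_target(blob)
        print(label, hex(pe_characteristics(blob) or 0), target, launch_command(target))
```

Note that the decrypter's own check never sees the `None` branch: a non-PE response still gets an ".exe" name and a Runtime#exec attempt, which is the failure mode an analyst can trigger on purpose to observe the dropper.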