Security Research

Let’s see how protected you think you are.

Oleg_Petrovsky on ‎03-17-2014 10:22 PM

This malicious URL turned up on the malc0de crowd sourcing site on March 11.


Figure 1 - Appearance of the malicious URL on malc0de March 11



Unfortunately the exact time of the submission is not known. What is known is that VirusTotal registered the submission at least 16 hours before we started looking at it, which was at 10:18 AM UTC on March 12, and as of that time, almost 16 hours later, only 13 AV products out of 49 detected it.


Figure 2 - VirusTotal scan results for javaplas.exe March 11



Granted, some of the scanners are for adware, but even discounting those, a number of big players let this file through. Now, even assuming you update your signatures as often as VirusTotal does (that is, as soon as they become available), you are still in trouble.
The file in question is a .NET executable and, when decompiled by dotPeek (our tool of choice for this example), reveals, among others, the following classes:


Figure 3 - dotPeek decompiling result for javaplas.exe



Right away, the Decrypt class and the obfuscation that defeats decompiling of some class methods stand out:


Figure 4 - Attempting decompiling in dotPeek




And that includes Main, the entry point method:


Figure 5 - More obfuscated methods in dotPeek





To get an idea of what’s going on inside the obfuscated methods, let’s look at the MSIL byte code, which is generally more prone to various forms of obfuscation. Looking at the Main method shows that it refers to the WindowsFormsApplicationBase::Run method. By the way, the leave.s loc_2D jump over the finally{..} block is most probably the culprit that throws off the decompiler.

Figure 6 - MSIL byte code in IDA



At a glance, there are a number of interesting methods inside WindowsFormsApplicationBase which look quite suspicious:


Figure 7 - WindowsFormsApplicationBase in dotPeek




For instance, WriteUrlToMemoryMappedFile stores a remote URL in a local file, possibly for use by other malware components:



No less interesting is RegisterChannel:




This method creates a channel, with channel services allowing for inbound and outbound control connections over TCP/IP. There are also a number of other methods imported from Microsoft.VisualBasic.dll, such as RegistryProxy, Name, Network, ComputerInfo and FileSystemProxy. These all obtain objects to manipulate the registry, gain access to the network, and retrieve information about the computer’s name, memory-loaded assemblies and operating system. All of this, from a security standpoint, makes the .NET assembly quite peculiar. But this is just scratching the surface. When executed, the file injects a loader into its own process and continues to build and decrypt itself in memory in small chunks. The rest of the malware code is stored in the .text section together with the byte code. The information entropy of the .text section is high, which suggests that the self-injected code is encrypted.

The trojan performs the following actions:


Drops malicious PE files:

  • C:\NTKernel\nt32.exe
  • C:\NTKernel\javaan14v3u1.exe
  • C:\%user%\Documents\315load32.exe
  • C:\ProgramData\load32.exe
  • C:\ProgramData\NTKernle\nt32.exe

javaan14v3u1.exe injects an iexplorer.exe instance with its own code and then terminates. Execution then continues from the iexplorer.exe process.




Creates a file in C:\%user%\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\ which points to: C:\ProgramData\NTKernle\nt32.exe

Keeps many copies of itself around the system and constantly monitors and restarts itself in case its processes are shut down.


Downloads and installs updates for itself (if available) from zoros<snip>.com


Downloads the file CPU.files, which indicates that the trojan is used for mining bitcoins.


So overall this is an extremely pervasive and harmful piece of malware which roots itself deep within the system and is extremely hard to get rid of. And all of this could have been stopped if the installation file, javaplas.exe, had been detected. Let’s see how we are doing after two days of the file being in the wild. Here’s the latest snapshot from VirusTotal on March 14:


Figure 8 - VirusTotal scan results for javaplas.exe March 14



It shows that even after more than two days, this very pervasive and dangerous piece of malware is not picked up by some of the major AV players.
And here are the scan results for the malware file dropped by the trojan.


Figure 9 - VirusTotal scan results for javaan.exe March 14



These results are even less comforting. The actual piece of code that is responsible for the malware’s payload was only first submitted 9 hours ago and is detected by even fewer AV products.
Looking at the source of this file on the web we can see that this particular family has been around and has been updated since at least March 3.


Figure 10 - Malicious URL history on malc0de



It shows updates at an average frequency of one per day. And if it takes more than two days to get a sample detected, we are in trouble.
It is also worth noting that the zoros<snip>.com site represents a legitimate business and looks like it fell victim to a hack or a social engineering attempt.


Figure 11 - the compromised host



A quick look through the whois database shows the owner and the location of the malware seeding site.


Figure 12 - Whois records for zoros<snip>.com



The physical address of the owner happens to be in Samokov city in Bulgaria.

We made our best effort to notify the site developers and the registrant of the domain name about the hosted malware.

So, as usual, exercise vigilance and remember that the first line of defense is you. Pay attention to the source of files and in particular, executables. Trust your common sense. Take note of the little things, because this is where you can see (or even sense) that there’s something wrong. That trojan dropper file, javaplas.exe, doesn’t sound too trustworthy, especially when you consider where it came from.
