RedKit Java exploit – under the hood

This class starts a pretty long chain of different method calls. There are a few important classes.

One of them decrypts the parameter that passes an encoded URL to the applet. The class Mete decrypts the parameter value:

public class Mete
{
  // Substitution decoder: each input character is located in c and
  // replaced by the character at the same index in o.
  public static String INdoi(String bxcwe)
  {
    String jhhi = "";
    // output alphabet, split in two pieces to hinder simple string scanning
    String o = "qwertyuiopasdf".concat("ghjklzxcvbnm0123456789.-=_/:?&");

    // lookup key: a permutation of the same 44 characters
    String c = "nz63_/duac?0jr&hxsy4:ei.bk-15qlftvw92p=m8g7o";

    for (int i = 0; i < bxcwe.length(); i++) {
      jhhi = jhhi + o.charAt(c.indexOf(bxcwe.charAt(i)));
    }
    return jhhi;
  }
}

It uses some slight obfuscation, but the method is pretty simple: it is a plain substitution cipher, a variation on the Caesar idea. Each character of the input is located in the key string “nz63_/duac?0jr&hxsy4:ei.bk-15qlftvw92p=m8g7o” and replaced by the character at the same index in the alphabet string “qwertyuiopasdfghjklzxcvbnm0123456789.-=_/:?&”.

The value “h__cg88udhp&k.h2j68112h_ky” is decoded to the URL “http://iuh-gmbh.de/11.html“.
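For triage it is convenient to have the decoder outside the JAR, so the applet parameter can be turned into the payload URL (an indicator worth blocking and hunting for) without running the applet. The following Python is an added example, not RedKit's code and not the post author's: it re-implements Mete.INdoi with the two strings from the decompiled class, adds the inverse mapping so a decoded value can be round-tripped to confirm the tables were transcribed correctly, and reports unknown characters explicitly instead of reproducing the Java original's charAt(-1) crash. The function names, the table checks and the sample inputs are this example's own.

```python
# Added example, not RedKit's or the post author's code: a Python
# re-implementation of Mete.INdoi for triage of the applet parameter.
# ALPHABET and KEY are the two strings from the decompiled class; the
# function names and the unknown-character handling are this example's own.

ALPHABET = "qwertyuiopasdf" + "ghjklzxcvbnm0123456789.-=_/:?&"
KEY = "nz63_/duac?0jr&hxsy4:ei.bk-15qlftvw92p=m8g7o"


def check_tables(alphabet: str = ALPHABET, key: str = KEY) -> None:
    """The scheme is only a bijection if KEY is a permutation of ALPHABET
    and neither string repeats a character; refuse to use tables that are
    not (e.g. a string mistyped when lifted from the decompiler)."""
    if len(set(alphabet)) != len(alphabet) or len(set(key)) != len(key):
        raise ValueError("tables contain repeated characters")
    if sorted(alphabet) != sorted(key):
        raise ValueError("key is not a permutation of the alphabet")


def decode(param: str, alphabet: str = ALPHABET, key: str = KEY) -> str:
    """Mirror of Mete.INdoi: locate each input character in KEY and emit
    the ALPHABET character at the same index.

    The Java original calls c.indexOf(ch) with no check; an unknown
    character yields -1 and charAt(-1) throws.  Here an unknown character
    is reported by name so a truncated or mangled parameter is noticed
    instead of silently producing a wrong URL."""
    check_tables(alphabet, key)
    unknown = sorted(set(param) - set(key))
    if unknown:
        raise ValueError(f"characters not in key table: {unknown!r}")
    return param.translate(str.maketrans(key, alphabet))


def encode(plain: str, alphabet: str = ALPHABET, key: str = KEY) -> str:
    """Inverse of decode(): builds test inputs and confirms that a decoded
    value round-trips, which rules out a mistranscribed table."""
    check_tables(alphabet, key)
    unknown = sorted(set(plain) - set(alphabet))
    if unknown:
        raise ValueError(f"characters not in alphabet: {unknown!r}")
    return plain.translate(str.maketrans(alphabet, key))


if __name__ == "__main__":
    # Parameter value quoted in the post.
    sample = "h__cg88udhp&k.h2j68112h_ky"
    url = decode(sample)
    print(f"{sample} -> {url}")   # http://iuh-gmbh.de/11.html
    assert encode(url) == sample  # round trip confirms the tables
```

Because the key and alphabet are the same 44 characters in different orders, anything outside that set (uppercase letters, whitespace, most punctuation) cannot appear in a legitimate parameter; a parameter that fails the unknown-character check is either a different sample family or a capture that was mangled in transit.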

Let’s see the network capture, it is interesting:

[Screenshot: network capture of the setup.exe download]

Well, it is a binary file named “setup.exe”, but it does not look like an ordinary executable file, which should start with the “MZ” signature. The file is encrypted in order to avoid IDS/IPS detection. The JAR applet contains classes that download and decrypt the EXE file contents.
