Category Archives: Exploit

Deobfuscate Javascript using PhantomJS (Headless browser)

Recently, when I got a chance to analyze a Neutrino Exploit Kit capture, I noticed that Neutrino EK has a detection check for headless browsers and other JS-based frameworks. One thing that is interesting about Neutrino EK is that all …

Posted in browser, Chrome, Exploit, Exploit Kit

Angler Exploit kit breaks Referer chain using HTTPS to HTTP redirection

The author(s) behind Angler EK are known to release reliable exploits for Flash/IE and to use various techniques to break the logic used by analysis products for detection. Recently a security researcher blogged about a new technique used by …

Posted in Exploit, Exploit Kit, Malware

Instrument Microsoft Office applications to defeat macro obfuscations

With the recent increase in documents with macros used to deliver malware, researchers spend a considerable amount of time analyzing these attached scripts to understand their inner workings. Though the macros do follow a similar pattern in file download and …

Posted in Document Macro malware Analysis, Exploit, Malware, Malware Analyzer

Extend Sulo to find the CVE of Flash exploits

In this blog post, I would like to discuss detecting the vulnerability triggered by a particular exploit using Sulo. I have extended it to detect a few of the recent vulnerabilities. I have added code to detect CVE-2015-0310, CVE-2015-0311 and CVE-2015-0313. …

Posted in browser, Exploit, Exploit Kit, Flash, Flash Exploit Analysis

Understanding CVE-2015-0310 Flash vulnerability

The Flash vulnerability CVE-2015-0310 is fixed in a recent patch from Adobe. The vulnerability is in the RegEx result parsing code. It affects all versions below 16.0.0.287 and was patched in January 2015. Though Adobe didn't provide much information about the …

Posted in Exploit, Exploit Kit, Flash, Flash Exploit Analysis

Defeat initial packers used in flash exploits using Sulo

Using Sulo, it is quite easy to defeat the initial packers used in the recent Flash exploits. All we need is to set up one VM environment as I mentioned in my previous blog post and on the Sulo GitHub page. Once you …

Posted in Exploit, Exploit Kit, Flash Exploit Analysis

Use Sulo to analyze Flash Exploit files

In this blog post, I have decided to write about my experience using Sulo to analyze Flash exploits. I have played with Sulo for quite some time now, extending it to newer versions of Flash, and used it to analyze …

Posted in Exploit, Exploit Kit, Flash Exploit Analysis

Angler EK update

Recent Angler EK uses the following keys to decrypt the encrypted binaries:

    unsigned int keys[4] = {0x39525143, 0x75487832, 0x57645730, 0x79356332}; // IE exploit
    unsigned int keys[4] = {0x47763879, 0x33767545, 0x66706F58, 0x65443372}; // flash exploit (CVE-2015-0311)

Posted in Exploit, Exploit Kit

Digging deep into Recent Angler Exploit kit Fileless delivery

Recently ThreatGlass released a PCAP related to the Angler Exploit Kit from wira-ku.com. Looking into this, Angler EK has changed its obfuscation techniques to load its dropper from the exploit server. Let's dig into this. The initial dropper is downloaded before …

Posted in Exploit, Exploit Kit, Malware, Malware Analyzer, Shellcode, Windows

Scanbox Javascript code – Exploit packs

This is the JavaScript code we usually see in exploit packs:

    function setCookie(id, value, bool) {
        d = new Date();
        if (bool == 1) {
            d.setTime(d.getTime() + 365*10*24*60*60*1000);
        } else {
            d.setTime(d.getTime() - 365*10*24*60*60*1000);
        }
        document.cookie = id + "=" + value + ";path=/;expires=" + d.toGMTString();
    }

    function getCookie(name) {
        var arr = document.cookie.match(new RegExp("(^| )" + name + "=([^;]*)(;|$)"));
        if (arr != null) return …

Posted in Exploit, Exploit Kit