Category Archives: Exploit

Angler EK update

The recent Angler EK uses the following keys to decrypt the encrypted binaries:

unsigned int keys[4] = {0x39525143, 0x75487832, 0x57645730, 0x79356332}; // IE exploit
unsigned int keys[4] = {0x47763879, 0x33767545, 0x66706F58, 0x65443372}; // flash exploit (CVE-2015-0311)

Posted in Exploit, Exploit Kit

Digging deep into Recent Angler Exploit kit Fileless delivery

Recently ThreatGlass released a PCAP related to Angler Exploit kit from Looking into this, Angler EK has changed its obfuscation techniques to load its dropper from the exploit server. Let’s dig into this. The initial dropper is downloaded before …

Posted in Exploit, Exploit Kit, Malware, Malware Analyzer, Shellcode, Windows

Scanbox Javascript code – Exploit packs

This is the JavaScript code we usually see in exploit packs:

function setCookie(id,value,bool){
    d=new Date();
    if(bool==1)
    {
        d.setTime(d.getTime()+365*10*24*60*60*1000);
    }
    else
    {
        d.setTime(d.getTime()-365*10*24*60*60*1000);
    }
    document.cookie = id+"="+value+";path=/;expires="+d.toGMTString();
}

function getCookie(name)
{
    var arr = document.cookie.match(new RegExp("(^| )"+name+"=([^;]*)(;|$)"));
    if(arr != null) return …

Posted in Exploit, Exploit Kit

Software enumeration using Internet Explorer

We regularly see software enumeration using Internet Explorer in web infections. It tries to find some specific files (at fixed locations) related to AV and other analysis tools and avoids further execution of the exploit. There are two different techniques …

Posted in Exploit, Exploit Kit, IE | 2 Comments

Digging deep into Angler Fileless Exploit delivery

We look in detail at the Angler Exploit pack’s fileless infection. Thanks to friends at who provided captures of two different instances of Angler exploit pack delivery. You can download the samples and captures from these links: Link1, Link2. There …

Posted in Exploit, Exploit Kit, IE, Malware, Windows | 6 Comments

CVE-2013-2551 Exploit

Let’s give some meaningful names to the variables/functions in the CVE-2013-2551 exploit. You should read this blog entry before reading the code here. Reading the VUPEN blog and understanding the exploit takes a lot of time. VUPEN is very brilliant with that …

Posted in Exploit | 3 Comments