Sunday, June 14, 2015

Exploit-SWF.x virus details

Virus information:
"Exploit-SWF.x" is a generic detection name for a Trojan that is part of the Angler Exploit Kit.

The files are heavily obfuscated and will not run on their own, because they are one stage of an infection chain that Angler builds when the user visits a page it has compromised (the "landing page").

The large string passed as a parameter to the page is Base64-encoded data, which decodes to the string below:

Subject=Ping&key=AFC095B821F238B75D827C52804B8C907BC1E546ED8FF102104C4A1061553FCD&addr=1JPkUqnjooe6GEgq8dWkJZwTmyujamkcXR&files=0&size=0&version=0.4.0&OS=7601&ID=76&subid=0&gate=G0&is_admin=0&is_64=0&ip=210.141.159.134

Several fields describe the infected machine (OS=7601 is the Windows 7 SP1 build number; is_admin, is_64 and ip are self-explanatory), alongside two opaque values, addr and key. These are most likely parameters sent to the server so that it can build a unique exploit for that machine, one that will only run on that particular system. This is presumably what the HTML page uses to load and decode the JavaScript embedded in it, which in turn loads the SWF file. Note that fields such as Subject=Ping, version=0.4.0 and gate=G0 are also consistent with a check-in message from an already installed component, so the string should not be assumed to be browser fingerprinting alone; the obfuscation does not allow confirming either reading.
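To turn such a parameter into something comparable across samples, the following is an added example (not code from the original post or from the Angler kit) that decodes the Base64 form leniently, splits the query-string fields and summarizes the host profile and the shape of the two opaque values. The Base64 input is constructed here by re-encoding the decoded string shown above, since the post does not reproduce the encoded form; the field names are the ones in that string.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed sample: the decoded beacon quoted in the post, re-encoded so the example
# starts from the Base64 form that the landing page receives as a parameter.
DECODED_SAMPLE = (
    "Subject=Ping&key=AFC095B821F238B75D827C52804B8C907BC1E546ED8FF102104C4A1061553FCD"
    "&addr=1JPkUqnjooe6GEgq8dWkJZwTmyujamkcXR&files=0&size=0&version=0.4.0&OS=7601"
    "&ID=76&subid=0&gate=G0&is_admin=0&is_64=0&ip=210.141.159.134"
)
ENCODED_SAMPLE = base64.b64encode(DECODED_SAMPLE.encode()).decode()

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
# Bitcoin-style Base58 alphabet: no 0, O, I or l.
BASE58_RE = re.compile(r"^[1-9A-HJ-NP-Za-km-z]+$")


def b64_decode_lenient(s):
    """Decode Base64 that may use the URL-safe alphabet or have its padding stripped."""
    s = s.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s)


def parse_beacon(encoded):
    """Return (raw fields, host profile) for one Base64-encoded parameter string."""
    raw = b64_decode_lenient(encoded).decode("ascii", errors="replace")
    # parse_qs returns lists; every key in this format occurs once, so take the first value.
    fields = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    os_build = fields.get("OS", "")
    profile = {
        "subject": fields.get("Subject"),
        "os_build": int(os_build) if os_build.isdigit() else None,
        "is_admin": fields.get("is_admin") == "1",
        "is_64": fields.get("is_64") == "1",
        "ip": fields.get("ip"),
        "version": fields.get("version"),
        "gate": fields.get("gate"),
    }
    return fields, profile


def field_shapes(fields):
    """Describe the shape of the opaque key/addr values (hex width, Base58-ness), not their meaning."""
    key, addr = fields.get("key", ""), fields.get("addr", "")
    key_is_hex = bool(HEX_RE.match(key))
    return {
        "key_is_hex": key_is_hex,
        "key_bits": len(key) * 4 if key_is_hex else None,
        "addr_is_base58": bool(BASE58_RE.match(addr)),
        "addr_len": len(addr),
    }


if __name__ == "__main__":
    fields, profile = parse_beacon(ENCODED_SAMPLE)
    print(profile)
    print(field_shapes(fields))
```

Running this on several captured parameters and diffing the key and addr values across hosts is the quickest way to tell a per-victim exploit key apart from a static campaign identifier.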

The SWF file itself is also obfuscated, with many ActionScript functions that appear harmless. It has functions to send and receive data over the network and to read and write files on disk. Not much else could be recovered from the code because of the obfuscation.

The SWF file exploits CVE-2015-0336, a vulnerability in Adobe Flash Player patched by Adobe in March 2015. More information about this vulnerability can be found on the CVE page:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0336

The .bin file present in the infection chain appears to be the final payload, i.e. the binary executable that will be installed on the machine. It is encoded, possibly with an 8-byte XOR key. Once decoded, the payload is injected directly into the memory of a privileged process (svchost, explorer, winlogon) and is never written to disk, so file-based scanning will not see it; detection has to rely on memory scanning or on catching the injection itself. After that, what the payload does depends on the kind of malware being delivered.
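The "possibly an 8-byte XOR key" hypothesis can be tested without knowing the key: a repeating-key XOR over a PE file leaks the key wherever the plaintext is predictable. The following added example (not code from the original post, and the key and sample payload are constructed here for the demonstration) recovers the key from the DOS stub message that sits at offset 0x4E in most PE files, scanning for that offset when it is not known, and falls back to per-slot frequency analysis, which works because PE files are padded with long runs of 0x00.

```python
from collections import Counter

KEY_LEN = 8
# Constructed 8-byte key for the demo only; the real sample's key (if it is a plain XOR at all) is unknown.
DEMO_KEY = bytes.fromhex("1f8ea3c47b0d5e92")
# Known-plaintext crib: the DOS stub message found at offset 0x4E in most PE files.
DOS_STUB_CRIB = b"This program cannot be run in DOS mode."


def build_sample_pe():
    """Constructed stand-in for a payload: IMAGE_DOS_HEADER, stub code, stub text, zero-heavy padding."""
    buf = bytearray(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00")
    buf += b"\x00" * (0x40 - len(buf))                                   # rest of the DOS header
    buf += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"   # 14-byte stub code
    buf += DOS_STUB_CRIB + b"\r\r\n$"                                    # text lands at 0x4E
    buf += b"PE\x00\x00" + b"\x00" * 512                                 # fake NT signature + padding
    return bytes(buf)


def xor_bytes(data, key):
    """Apply a repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_from_crib(encoded, crib, offset, key_len=KEY_LEN):
    """Derive the key from a crib at a known offset; None if the crib contradicts itself there."""
    key = [None] * key_len
    for i, p in enumerate(crib):
        pos = offset + i
        if pos >= len(encoded):
            return None
        slot, k = pos % key_len, encoded[pos] ^ p
        if key[slot] is None:
            key[slot] = k
        elif key[slot] != k:
            return None          # the same key slot would need two different values
    if None in key:
        return None              # crib shorter than the key: not every slot covered
    return bytes(key)


def find_crib(encoded, crib, key_len=KEY_LEN):
    """Scan every offset for a self-consistent key that also decodes an 'MZ' header at 0."""
    for off in range(len(encoded) - len(crib) + 1):
        key = recover_key_from_crib(encoded, crib, off, key_len)
        if key and xor_bytes(encoded[:2], key) == b"MZ":
            return off, key
    return None, None


def recover_key_by_frequency(encoded, key_len=KEY_LEN):
    """No-crib fallback: assume the most common byte in each key slot is 0x00 in the plaintext."""
    key = bytearray()
    for slot in range(key_len):
        column = encoded[slot::key_len]
        key.append(Counter(column).most_common(1)[0][0] ^ 0x00)
    return bytes(key)


def decode_payload(encoded, crib=DOS_STUB_CRIB, key_len=KEY_LEN):
    """Return (key, plaintext) using the crib first, then frequency analysis; (None, None) if neither yields a PE."""
    off, key = find_crib(encoded, crib, key_len)
    if key is None:
        key = recover_key_by_frequency(encoded, key_len)
    plain = xor_bytes(encoded, key)
    if plain[:2] != b"MZ":
        return None, None
    return key, plain


if __name__ == "__main__":
    encoded = xor_bytes(build_sample_pe(), DEMO_KEY)
    key, plain = decode_payload(encoded)
    print("key:", key.hex(), "header:", plain[:2])
```

If neither method produces an MZ header on a real .bin, the encoding is not a plain fixed-key XOR (a rolling key, or XOR combined with another transform) and the decoder in the injected code has to be read instead.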
