Friday, April 19, 2013

Deciphering Cool Exploit Kit Payload (642.htm)


Cool Exploit Kit and other similar kits have all started delivering their payloads in encrypted form over the network. Currently all of these payloads seen coming over the network are encrypted with “AES”. Below is a snapshot of the encrypted payload.


The decryption process is embedded within the JAR, which is also responsible for downloading the encrypted payload. It uses a hardcoded key and a hardcoded IV to decrypt the AES-encrypted payload. Below is a snapshot of the same.


The JAR then continues execution and, as shown in the picture above, decodes the encoded HTTP request for the encrypted file that was passed in from the Applet. The request to download the encrypted payload is sent afterwards and the resulting bytes are saved in a byte array.

Later an object of the Cipher class is created, which actually starts the decryption process, as shown below:


Now the byte array “xzvhjit” holds the decrypted data, which is later written to a file on disk.


The decrypted file in this case is written to the TEMP folder under a random filename.
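To reproduce the applet's decryption step offline on a payload carved from a capture, here is an added example (not the kit's code and not from the original post). It assumes the transformation is AES/CBC/PKCS5Padding and uses placeholder key and IV values; the real ones have to be read out of the JAR. Run with no argument and it encrypts a constructed stand-in first so the round trip can be checked; run with a file path and it decrypts that file.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KitPayloadDecrypt {
    // Placeholder key and IV (assumptions): the real values have to be read out of the
    // kit's JAR, where the post shows them hardcoded next to the download routine.
    static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII); // 16 bytes, AES-128
    static final byte[] IV  = "fedcba9876543210".getBytes(StandardCharsets.US_ASCII); // one AES block

    // Assumed transformation: a fixed IV implies a block mode such as CBC, and
    // PKCS5Padding is the usual choice in Java applets of this period.
    static final String TRANSFORM = "AES/CBC/PKCS5Padding";

    /** Mirrors the applet's step: Cipher object + hardcoded key and IV, doFinal over the downloaded bytes. */
    static byte[] decrypt(byte[] encryptedPayload) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(IV));
        return cipher.doFinal(encryptedPayload);
    }

    /** Sanity check on the result: a dropped Windows executable starts with "MZ". */
    static boolean looksLikePE(byte[] data) {
        return data.length >= 2 && data[0] == 'M' && data[1] == 'Z';
    }

    /** Demo only: fabricates what the kit's server would have sent for a given file. */
    static byte[] encryptForDemo(byte[] plain) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(IV));
        return cipher.doFinal(plain);
    }

    public static void main(String[] args) throws Exception {
        byte[] encrypted;
        if (args.length == 1) {
            encrypted = Files.readAllBytes(Paths.get(args[0])); // payload carved from the capture
        } else {
            // Constructed stand-in for the captured payload: a fake "MZ" header plus filler text.
            byte[] fake = "MZ constructed stand-in for the dropped executable".getBytes(StandardCharsets.US_ASCII);
            encrypted = encryptForDemo(fake);
        }
        byte[] decrypted = decrypt(encrypted);
        System.out.println("decrypted " + decrypted.length + " bytes, MZ header present: " + looksLikePE(decrypted));
    }
}
```

A wrong key, IV or mode shows up as a BadPaddingException or as output without the MZ header, which is the quickest way to tell that the values pulled from the JAR were not the right ones.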

 

The VirusTotal link for the sample is here. It is detected by the majority of vendors as Kazy.
