The Cool Exploit Kit and other similar kits have all started delivering the payload they download in encrypted form over the network. Currently all of these payloads seen coming over the network are encrypted with AES. Below is a snapshot of the encrypted payload.
The decryption routine is embedded within the JAR, which is also responsible for downloading the encrypted payload. It uses a hardcoded key and a hardcoded IV to decrypt the AES-encrypted payload. Below is a snapshot of the same.
As execution continues, the JAR reaches the point where it decrypts the encoded HTTP request (shown in the picture above) for the encrypted file, whose location is passed on from the applet. The request to download the encrypted payload is then sent and the resulting bytes are saved in a byte array.
Later on, a Cipher object is created, which actually starts the decryption process as shown below. Now the byte array "xzvhjit" holds the decrypted data, which is later written to a file on disk.
In this case the decrypted file is written to the TEMP folder under a random filename.
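As an added example (not code from the post or from the kit's JAR), here is an analyst-side reimplementation of that decryption step in Go: given the key and IV pulled out of the decompiled applet and a captured payload blob, it decrypts AES-CBC, validates the padding so a wrong key fails loudly instead of yielding garbage, and checks the result for an MZ header. CBC mode, the key/IV values and the sample plaintext are assumptions constructed for the example, since the post only says "AES" with a hardcoded key and IV and does not publish them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Constructed stand-ins: the post does not publish the kit's key/IV, so these
// placeholders play the role of values recovered from the decompiled JAR.
var (
	sampleKey   = []byte("0123456789abcdef") // 16-byte AES-128 key (placeholder)
	sampleIV    = []byte("fedcba9876543210") // 16-byte IV (placeholder)
	samplePlain = append([]byte("MZ\x90\x00"), bytes.Repeat([]byte{0xCC}, 40)...) // fake dropped EXE
)

// pkcs7Unpad rejects malformed padding instead of returning garbage; a wrong key or IV usually surfaces here.
func pkcs7Unpad(b []byte) ([]byte, error) { // caller guarantees len(b) is a non-zero multiple of 16
	pad := int(b[len(b)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(b[len(b)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key/IV or truncated capture")
	}
	return b[:len(b)-pad], nil
}
// decryptPayload mirrors the applet's Cipher step: AES-CBC with the hardcoded
// key and IV (CBC is an assumption; the post only says "AES" plus an IV).
func decryptPayload(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad IV or ciphertext length")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}
// looksLikePE is the analyst's sanity check: a dropped Windows binary starts with "MZ".
func looksLikePE(b []byte) bool { return len(b) >= 2 && b[0] == 'M' && b[1] == 'Z' }
// encryptSample builds the constructed "captured" blob offline, so the example needs no real network capture.
func encryptSample(key, iv, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}
```

With a real capture, replace `encryptSample(...)` with the bytes of the downloaded blob and the placeholders with the key and IV taken from the JAR; the padding check then tells you immediately whether the recovered constants are right.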
And the VirusTotal link for the sample is here.
It is detected by the majority of vendors as Kazy.