Wednesday, January 20, 2016

Magnitude Exploit Kit Shellcode

Magnitude Exploit Kit has been observed downloading its shellcode in a separate stream, in clear text. A Wireshark snapshot is shown below.



Post-exploitation, the shellcode starts executing. On startup it harvests all the APIs it needs. Below is the list of APIs gathered and pushed onto the stack for later use.


The payload is always downloaded to the location below on the local machine (the current user's temp directory).



It then downloads the payload and executes it through the "CreateProcessA" API. The shellcode has also been observed using PowerShell to download and execute the payload.
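As an added example (not code from the original post), a small defender-side check that scans a captured clear-text stream for the kind of strings described above: Win32 API names pushed as plain text for later resolution, and an embedded PowerShell invocation. Only CreateProcessA comes from the post; the other API names are assumed, and the sample stream is constructed.

```python
import re

# API names to look for: CreateProcessA is named in the post; the rest are
# assumed, well-known Win32 names that download-and-execute shellcode often
# resolves by string (not taken from the post).
WATCHED_APIS = (
    b"CreateProcessA", b"GetProcAddress", b"LoadLibraryA",
    b"GetTempPathA", b"URLDownloadToFileA", b"WinExec", b"ExitProcess",
)
POWERSHELL_MARKER = re.compile(rb"powershell(\.exe)?", re.IGNORECASE)


def scan_stream(data: bytes) -> dict:
    """Scan one clear-text stream and report which watched API names appear
    (with the offset of the first hit) and where PowerShell strings sit."""
    apis = {}
    for name in WATCHED_APIS:
        pos = data.find(name)
        if pos != -1:
            apis[name.decode()] = pos
    ps_offsets = [m.start() for m in POWERSHELL_MARKER.finditer(data)]
    return {"apis": apis, "powershell_offsets": ps_offsets}


def is_suspicious(findings: dict, min_apis: int = 2) -> bool:
    """Heuristic: several API names in clear text, or any embedded PowerShell
    string, in a non-HTTP payload stream is worth an alert for analyst review."""
    return len(findings["apis"]) >= min_apis or bool(findings["powershell_offsets"])


# Constructed sample stream (not real Magnitude traffic): NOP filler, then
# NUL-terminated API names as a shellcode stub would push them, a call opcode,
# then a PowerShell string.
SAMPLE_STREAM = (
    b"\x90" * 16
    + b"LoadLibraryA\x00GetProcAddress\x00CreateProcessA\x00"
    + b"\xe8\x00\x00\x00\x00"
    + b"powershell.exe\x00"
)

if __name__ == "__main__":
    result = scan_stream(SAMPLE_STREAM)
    print(result, "suspicious" if is_suspicious(result) else "clean")
```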

2 comments:

  1. Can you please share the pcap? Thanks.
    @pwnslinger

    1. You can download them from http://malware-traffic-analysis.net; it has loads of pcaps for Magnitude and other kits.