dxp's blog

Asprox

1311f650aa1209a3ec962b6a9a38fc98

Asprox sample from Mike Johnson of Shadowserver.org. See his write-up here --> Asprox - It's Baaaaaaack

UrSnif / Gozi

c8bfc62b7a553ae62ad86a4d47874305

The newly created Registry Values are:
          o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
                + xrt_id = "4172558673"
                + xrt_options = 4E 45 57 4F 50 54 53 00 31 01 72 65 70 5F 73 69 7A DB 83 33 87 C7 77 C5 62 27 0C A8 0F 70 6F 4A 74
0D EF 7F 29 0B 10 30 1F 76 62 4F 63 72 87 70 74 06 20 64 DC 79 18 77 02 2E 79 73 61 F6 75 E0 CD 0E E0 E9 F2 E8 01 3A 20 25 74 C5 69
CC 6C 65 EF 48 20 3

IcePack Exploit Toolkit

aa292347b32a4bc4f33e51a76ccc9446

The browser-based exploit code is broken down into separate modules. Its statistics engine logs several important visitor variables such as IP address, browser and OS version. By default it checks whether the visiting IP has already been seen and, if so, avoids any further interaction with that session; this also means an analyst re-fetching from the same address gets no exploit content on the second visit.

Another interesting aspect is that it uses output buffering with a callback function (the PHP ob_start() pattern) to obfuscate everything it serves, defeating readability and signature matching on the clear exploit text. Specifically, it builds a random ASCII substitution table, encodes the page through it, and emits a small JavaScript function that maps the characters back and runs the decoded payload.
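How that substitution-table stage works, as an added example rather than IcePack's own code (the kit's source is not reproduced on this page): the server side builds a random permutation of printable ASCII, encodes the payload through it and emits a decoder stub; the analyst side shows how to recover the payload statically from a captured stub without executing it. The stub layout, the seeded PRNG and all variable names are assumptions made for the example.

```javascript
// Added example (not IcePack's code): reconstruction of the substitution-table
// obfuscation described above, plus the static decoder an analyst would write.
// Assumption: the table is a random permutation of the 95 printable ASCII chars.

const PRINTABLE = Array.from({ length: 95 }, (_, i) => String.fromCharCode(0x20 + i));

// Small seeded xorshift32 PRNG so the example is reproducible; a kit would draw
// fresh randomness per request so that every served page differs byte-for-byte.
function xorshift32(seed) {
  let x = (seed >>> 0) || 1;
  return () => {
    x ^= x << 13; x >>>= 0;
    x ^= x >>> 17;
    x ^= x << 5;  x >>>= 0;
    return x;
  };
}

// Server side: build a random substitution table over printable ASCII.
function buildTable(seed) {
  const rng = xorshift32(seed);
  const shuffled = PRINTABLE.slice();
  for (let i = shuffled.length - 1; i > 0; i--) {        // Fisher-Yates shuffle
    const j = rng() % (i + 1);
    [shuffled[i], shuffled[j]] = [shuffled[j], shuffled[i]];
  }
  const table = new Map();
  PRINTABLE.forEach((c, i) => table.set(c, shuffled[i]));
  return table;
}

// Substitute every printable character; newlines and other bytes pass through.
function substitute(text, table) {
  return Array.from(text, (c) => (table.has(c) ? table.get(c) : c)).join('');
}

// What the output-buffer callback would emit instead of the clear exploit code:
// the encoded payload, the two aligned alphabets, and a loop that maps each
// character back through them and eval()s the result in the victim's browser.
function emitDecoder(payload, table) {
  const enc = substitute(payload, table);
  const from = PRINTABLE.map((c) => table.get(c)).join('');  // encoded alphabet
  const to = PRINTABLE.join('');                             // clear alphabet
  return '(function(){var s=' + JSON.stringify(enc) +
    ',f=' + JSON.stringify(from) + ',t=' + JSON.stringify(to) + ',o="";' +
    'for(var i=0;i<s.length;i++){var k=f.indexOf(s.charAt(i));' +
    'o+=k<0?s.charAt(i):t.charAt(k);}eval(o);})();';
}

// Analyst side: recover the payload from a captured page WITHOUT executing it.
// The three string literals are pulled out of the stub and the inverse mapping
// applied; a monoalphabetic substitution ships its own table, so no key
// recovery is needed and ciphertext length and structure match the plaintext.
const STUB_RE = /var s=("(?:[^"\\]|\\.)*"),f=("(?:[^"\\]|\\.)*"),t=("(?:[^"\\]|\\.)*")/;

function recoverPayload(js) {
  const m = STUB_RE.exec(js);
  if (!m) throw new Error('decoder stub not recognised');
  const [s, f, t] = m.slice(1, 4).map((lit) => JSON.parse(lit));
  let out = '';
  for (const c of s) {
    const k = f.indexOf(c);
    out += k < 0 ? c : t.charAt(k);
  }
  return out;
}

// Constructed sample payload standing in for the kit's exploit code.
const PAYLOAD = 'globalThis.__icepackExampleHit = "decoded and executed";';
```

Run `recoverPayload(emitDecoder(PAYLOAD, buildTable(0xC0FFEE)))` and the clear payload comes back; executing the emitted stub with `new Function(js)()` sets the global exactly as a victim browser would. The defensive takeaway is that this scheme hides nothing from an analyst who holds the page, since the table travels with it; it only ensures the served bytes never match a static signature on the clear exploit text, and a per-visit table makes two captures of the same page differ.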
