Inside a Kippo honeypot: how the billgates botnet spreads

A few months ago I decided to install a honeypot to find new threats and to collect new malware to analyze. There are several honeypots I had in mind to try, but for now I have chosen Kippo. From Kippo’s homepage: “Kippo is a medium interaction SSH honeypot designed to log brute […]

Win32.BlackBerryBBC Malware Analysis

Today I got an email containing malware from [email protected] The sender’s address is forged, which is a kind of email spoofing. The email contains a description of malware and encourages the receiver to install a file called Anti-Vir.rar.

PDF analysis of Nuclear Pack EK and CVE-2010-0188/CVE-2010-2883

A description of the Nuclear Pack exploit kit was recently published on Malwarebytes’ blog, though without a description of the PDF exploit used, so we decided to proceed with a more in-depth analysis. PDF analysis: to start the analysis we used peepdf. There are two objects that appear to be suspicious, so let’s start with… object […]

HiMan EK and CVE-2013-2551

Recently, during one of my analyses of URLs from urlquery, I came across a URL ending in /ie8910.html. The link, once opened, returns an index page with the following code: As can be seen from the “ip-blocked-by-firefox”, Google Safe Browsing is already blocking the address, though there is no active service on port 8080 while there’s one running […]

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 3

We are finally at the end of our Caphaw/Shylock analysis. This time we will deal entirely with the code injected into the explorer.exe process; the context will be a little more complex than in previous episodes because we will be working within a multithreaded environment. The injected code will identify an active domain (DGA based) in order to download other […]

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 2

Welcome to the second part of our analysis of Caphaw/Shylock. In the first chapter we went through the dropping and unpacking stages of this malware. In this second part we will go through the remaining HSE:: Step(s); in particular we will see how the previously gathered information is used, the network interactions […]

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 1

In this essay we will perform an in-depth analysis (from unpacking to explorer.exe code injection) of the most recent version of Caphaw/Shylock, a banking malware that, at the time of discovery, was ranked as FUD (Fully UnDetected) by VirusTotal. The article will cover the following topics: analysis of the packer and related unpacking; reverse […]

Active CookieBomb, CVE-2013-2465 and Reveton

This is the second QuickAnalysis post, after the one by evilcry. During my daily urlquery investigation (http://urlquery.net/report.php?id=5098255), I came across a website infected by the CookieBomb injection payload: hxxp://first-care-1.com/ The JS inside the index page is, obviously, obfuscated; after deobfuscation we have this: The code above clearly shows a classic CookieBomb JavaScript infection. What is […]

AndroidOS.Opfake.a malware analysis

While sifting through the Clean-MX malware database I found one suspicious APK with a low detection rate (3/39 on VirusTotal), so I decided it was worth a look at what seemed to be an OpFake variant. Clean-MX Link: http://support.clean-mx.de/clean-mx/viruses.php?id=14835516 VT Link: https://www.virustotal.com/it/file/f0a24c53a84c413175594bd8b25a9eebe3f04d6fbf944a9e88cc293d7e911944/analysis/ APK Link: OpFake (as usual, the password is infected) The malicious application has the […]

Low detection “Flash_update.exe”

UIC’s [Quick Analysis] blog posts are a fast way to share information and/or samples that are under our microscope. About “Flash_update.exe”: during my daily malware hunting I came across a sample reported by clean-mx at the following address: http://support.clean-mx.de/clean-mx/viruses.php?id=14808464 We have an executable named “Flash_update.exe” with (at the moment of writing) a low detection […]