In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 3

We are finally at the end of our Caphaw/Shylock analysis. This time we will deal entirely with the code injected into explorer.exe process, the context will be a little more complex than previous episodes because we will work within a multithreaded environment. The injected code will identify an active domain (DGA based) in order to download other […]

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 2

Welcome to the second part of our analysis of Caphaw/Shylock. In the first chapter we have gone through the dropping and unpacking stages of this malware. In this second part we will go through the remaining HSE:: Step(s) – in particular we will see how the previously gathered information will be used, the network interactions […]

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 1

In this essay we will perform an in-depth analysis (from the unpacking to explorer.exe code injection) of the most recent version of Caphaw/Shylock, a banking malware that, at the time of discovery, was ranked as FUD (Fully UnDetected) by VirusTotal. The article will cover the following topics: Analysis of the packer and related unpacking. Reverse […]

Active CookieBomb, CVE 2013-2465 and Reveton

This is the second QuickAnalysis post after the one by evilcry; During my daily urlquery investigation (, I come across a website infected by the CookieBomb injection payload. hxxp:// The JS inside the index page, obviously, is obfuscated: after deobfuscation we have this: The code above clearly shows a classical CookieBomb Javascript infection. What is […]

AndroidOS.Opfake.a malware analysis

While sifting through the Clean-MX malware database I found one suspicious APK with a low detection rate (3/39 on VirusTotal), so I decided it was worth to a look at what seemed to be an OpFake variant. Clean-MX Link: VT Link: APK Link: OpFake (as usual password is infected) The malicious application has the […]

Low detection “Flash_update.exe”

UIC’s [Quick Analysis] blog posts are a fast way to share some information and/or samples which are under our microscope. About “Flash_update.exe” During my daily malware hunting I came across a sample reported by clean-mx at the following address: We have an executable named “Flash_update.exe” with (at the moment of writing) a low detection […]

Quick Volatility overview and R.E. analysis of Win32.Chebri

Introduction In this article we will start from the physical memory dump of a machine suspected of malware compromise, successively with volatility we will establish if the machine is infected and produce evidences from memory artifacts. In the next steps the malicious component will be carved from memory and analyzed with a classical Reverse Engineering […]

Analysis of CVE-2010-0188 PDF from RedKit ExploitKit

After noticing a substantial increase in RedKit infections, following a series of investigations performed on URLQuery, we have decided to go deeper to understand what was happening behind the curtains. RedKit is an exploitation packs that uses the following infection flow: We have this for today’s example: and the resource is A user visiting a page compromised with […]

Malicious Java Applet Deobfuscation

On Sunday (13th January 2013), I’ve received an email from @it4sec with regards to a malicious Java applet that he had received. So I’ve decided to write about it since Java applet seems like a common thing used by ExploitKits recently. Recon Stage Since a .jar file is basically a sort of “container”, let’s use […]

Stabuniq Financial Infostealer Trojan Analysis

According to Symantec, Stabuniq is a financial infostealer trojan which has been found on servers belonging to financial institutions, including banking firms and credit unions. The Trojan also compromised home computer users and computers at security firms. Targets sounds interesting, so here at UIC R.E.Academy we decided to take an in depth look to this trojan […]