Thursday, 30 May 2013

Sakura: AES and Initial Payload URL decoding algorithm changes - May 2013

The information is based on a sample seen on 2013-05-30.

Cipher

New values for AES 'Secret Key' and 'Initialization Vector' variables.


Decoding algorithm

The Initial Payload URL decoding algorithm has changed and is now exactly the same as the one RedKit uses. One of the parameters on the landing page holds a string of characters; each character is looked up in another string, and the looked-up characters are concatenated to build the URL.


Using the characters in the parameter called 'param', the Initial Payload URL is assembled with the following code:


What's interesting to note is that the variable names ('c', 'o', 'url') used within the method match the ones used in RedKit. Tsk-tsk, copyright infringement.
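As an added example (not the kit's own code, which the post shows only as a screenshot), here is the lookup-style decoding described above in Python, as an analyst would script it over a captured 'param' value. The strings KEY, TABLE and PARAM are constructed for illustration, and the exact two-string shape of the lookup is an assumption.

```python
# Constructed lookup strings (not values from the Sakura or RedKit samples).
# TABLE holds the characters a payload URL can contain; KEY is the
# substitution alphabet the landing page uses to express them.
TABLE = "abcdefghijklmnopqrstuvwxyz0123456789:/.-_"
KEY = TABLE[::-1]  # assumed: a reversed copy is enough to show the mechanism


def decode_url(param: str, key: str, table: str) -> str:
    """Rebuild the Initial Payload URL from the landing page's 'param' value.

    Each character c of param is located in key; its offset o selects the
    output character table[o]. Characters that are not in key are skipped,
    so a padded or partially damaged parameter still yields the recoverable
    part of the URL instead of raising.
    """
    url = ""
    for c in param:
        o = key.find(c)
        if o < 0 or o >= len(table):
            continue
        url += table[o]
    return url


def encode_url(url: str, key: str, table: str) -> str:
    """Inverse of decode_url, used here only to build a test vector."""
    return "".join(key[table.index(c)] for c in url)


# Constructed 'param' value that decodes to http://example.invalid/x.php
PARAM = "7vvzedd:r_2z3:c61t_36/drcz7z"

if __name__ == "__main__":
    print(decode_url(PARAM, KEY, TABLE))
```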



Related read:
http://malwageddon.blogspot.com/2013/05/sakura-landing-page-changes-may-2013.html
http://malwageddon.blogspot.com/2013/04/redkit-initial-payload-url-decoding.html
