brad-sp / community-modified

Modified edition of cuckoo community modules

ek_flash and other generic signatures do not fire on certain exploit kits #74

Closed kevross33 closed 9 years ago

kevross33 commented 9 years ago

In analysing various exploit kits using these signatures - especially focused on the ek_flash signature due to its current relevance across many EKs - I have noticed that some exploit kits such as Nuclear do not fire even though, according to all analysis, they should. For instance, taking a recent Nuke EK example such as http://malware-traffic-analysis.net/2015/08/12/index.html and loading the landing page, allowing the scripts to run correctly, results in the following json:

                    "category": "browser", 
                    "parentcaller": "0x00000000", 
                    "return": "0x00000000", 
                    "timestamp": "2015-07-13 11:19:43,358", 
                    "caller": "0x00000000", 
                    "thread_id": "896", 
                    "repeated": 0, 
                    "api": "COleScript_ParseScriptText", 
                    "status": true, 
                    "arguments": [
                        {
                            "name": "Script", 
                            "value": "\r\nwindow.runer = true;\r\nif(window.runer){\r\nfunction flash_run(fu,fd).........WHATEVER......allowScriptAccess=always..........more badness......
                        }

Based on this, though, this signature should match, and certainly the regex matches fine, so I am not sure why these signatures will not match, and I can't get any signature - even simple ones - to fire against nukeEK.
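The following is an added example for reproducing this kind of check outside a sandbox run; it is not code from the community-modified repository or from the reporter. It builds a constructed API-call record shaped like the `COleScript_ParseScriptText` fragment quoted above (the `Script` value is a placeholder, not the real landing page), runs a Cuckoo-style signature over it, and separately shows one way a regex that "matches fine" in isolation can still fail inside a signature: the script text begins with `\r\n`, so an anchored `re.match` never reaches the indicator. The `check_argument_call` helper is a simplified stand-in for Cuckoo's real `Signature.check_argument_call`, and the `EKFlashLike` class and its indicator patterns are assumptions for illustration, not the actual `ek_flash` signature.

```python
import json
import re

# Constructed call record, modelled on the JSON fragment quoted in the issue.
# The "Script" body is a placeholder built for this example, not captured traffic.
SAMPLE_CALL = json.loads(r'''
{
    "category": "browser",
    "api": "COleScript_ParseScriptText",
    "status": true,
    "arguments": [
        {"name": "Script",
         "value": "\r\nwindow.runer = true;\r\nif(window.runer){\r\nfunction flash_run(fu,fd){ var o = '<embed allowScriptAccess=always>'; }\r\n}"}
    ]
}
''')


def check_argument_call(call, pattern, name=None, api=None, regex=False, anchored=False):
    """Simplified stand-in (assumption) for Cuckoo's Signature.check_argument_call.

    Walks the call's "arguments" list and returns the first matching value, or
    None.  `anchored=True` uses re.match (start-of-string) instead of re.search,
    which is the behaviour difference demonstrated further down.
    """
    if api is not None and call.get("api") != api:
        return None
    for arg in call.get("arguments", []):
        if name is not None and arg.get("name") != name:
            continue
        value = str(arg.get("value", ""))
        if regex:
            matcher = re.match if anchored else re.search
            if matcher(pattern, value, re.DOTALL):
                return value
        elif pattern in value:
            return value
    return None


class EKFlashLike:
    """Hypothetical Cuckoo-style signature: flags script text that both defines a
    Flash loader function and forces allowScriptAccess=always.  Not the project's
    ek_flash signature; the indicators are constructed for this example."""
    name = "ek_flash_like"
    filter_apinames = {"COleScript_ParseScriptText"}
    indicators = [
        r"allowScriptAccess\s*=\s*['\"]?always",
        r"flash_run\s*\(",
    ]

    def __init__(self):
        self.hits = []

    def on_call(self, call, process=None):
        # Mirrors Cuckoo's per-call hook: ignore APIs outside the filter list.
        if call.get("api") not in self.filter_apinames:
            return
        for indicator in self.indicators:
            if check_argument_call(call, indicator, name="Script", regex=True) is not None:
                self.hits.append(indicator)

    def on_complete(self):
        return bool(self.hits)


def run_signature(calls):
    """Feed a list of call records through the signature; return matched indicators."""
    sig = EKFlashLike()
    for call in calls:
        sig.on_call(call)
    return sig.hits if sig.on_complete() else []


def demonstrate_anchor_pitfall(call=SAMPLE_CALL):
    """Show why a pattern that matches in a quick regex test can still miss in a
    signature: the script value starts with "\\r\\n", so start-anchored matching
    (re.match, or ".*" without DOTALL) fails while re.search succeeds."""
    value = [a["value"] for a in call["arguments"] if a["name"] == "Script"][0]
    return {
        "search": re.search(r"allowScriptAccess", value) is not None,
        "match_anchored": re.match(r"allowScriptAccess", value) is not None,
        "match_dotstar_no_dotall": re.match(r".*allowScriptAccess", value) is not None,
    }


if __name__ == "__main__":
    print("signature hits:", run_signature([SAMPLE_CALL]))
    print("anchor behaviour:", demonstrate_anchor_pitfall())
```

When triaging a signature that should fire but does not, the two things this isolates are worth checking first: whether the call actually reaches `on_call` (the `filter_apinames` gate), and whether the matching primitive is anchored or newline-sensitive for a value that begins with line breaks, as the quoted `Script` argument does.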