{"uuid": "e2efc426-95ae-4394-9843-15d83360d563", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2017-0199", "type": "exploited", "source": "https://t.me/indoghostsec/1901", "content": "INDOGHOSTSEC\n\nCVE-2017-0199 Vulnerability Exploit Sample Analysis BY INDOGHOSTSEC\ninstagram.com/indoghost.sec\n\n4x3ll666gh05t\n\n> md5: 0087AA25E20070186AC171BE6C528DA6\n\n> File size: 31752 bytes (31kb)\n\n> File type: PDF\n\nSample: The initial file is disguised as a PDF. A Word file is hidden in one of its PDF data stream segments, and JavaScript is hidden in its PDF code. When the PDF is opened, the JS code is executed; it then calls the software that the computer associates with Word files by default to open the embedded Word file. If that default software is an Office version affected by the vulnerability, it will download the malicious link referenced in the Word file. Use PDFStreamDumper to view the data of each segment of this PDF; the Word file sits in an embedded data stream segment.\n\nAttack Payload\n\nFile MD5: AAFD0EBFE1AFBCAE1834430FEEBD5A31\nFile Type: BinExecute/Microsoft.EXE[:X86]\n\n> Compiled language: NSIS packer. Sample description: the sample is an NSIS packaged program. After running, it successively calls [collages.dll Corticoid.cab System.dll] (where System.dll is harmless) from its resource files. It first calls the LoadLibraryExA function to load System.dll; System.dll then continues by calling the LoadLibraryA function to load collages.dll; collages.dll decrypts the Corticoid.cab compressed file, which holds the sample's core shellcode, and then\n\n> collages.dll uses process injection to create a child process, injects the decrypted shellcode data into that child process and executes it, so the malicious code runs under the cover of a legitimate-looking process. After finding that it is NSIS packaged software, use 7-Zip to decompress it and you can see its related resource files. The cab file is a corrupted file: judging by the cabinet compressed file size and its file type, it is suspected to be a shellcode resource file.\n\n#Note Loaded the resource files, analyzed the two DLLs at the beginning, found no malicious code, focused on the cab file, and went around in circles for a long time in the packaging program. (A lot of time wasted)\n\nby indoghostsec", "creation_timestamp": "2020-02-08T03:53:27.000000Z"}