[malwarelabs]

I search for some malware who used CVE-2014-1807 (Privilege escalation with HKCU\Software\Classes\. cf http://blog.livedoor.jp/blackwingcat/ar ... 59121.html ).
Microsoft give us some malware family (http://blogs.technet.com/b/srd/archive/ ... dates.aspx)
So I search for:
Win32/Koceg.O c60c1431ea90ee930cf221028c8b5006 https://www.virustotal.com/en/file/2f27 ... /analysis/
Win32/Optixpro.T 241c34c031c39c684e90cb31c9ac987e https://www.virustotal.com/en/file/e2a9 ... /analysis/
Win32/Malex.gen d98f888ae25bbd483acec5b221ae905c https://www.virustotal.com/en/file/bea3 ... /analysis/

thx in advance!

[TETYYSs]

MD5 241c34c031c39c684e90cb31c9ac987e
SHA1 6a496c0183fcb602713f7513edd29c9b4c5b181b
SHA256 e2a9125d2a358bd482006aa68296a5dca465c2fc5896154e0cb81921aad235f0

[360Tencent]

2x.zip

infected
(496.83 KiB) Downloaded 60 times

[Apocalypse]

@TETYYSs

It's a old delphi crap from 2k10 year and don't use 14-027 :D

[TETYYSs]

@TETYYSs

It's a old delphi crap from 2k10 year and don't use 14-027 :D

But that's the hash you requested

[malwarelabs]

Yep I don't found MS14-027 in this binary...
but if I refere to https://www.virustotal.com/en/file/2ef7 ... /analysis/ (md5: f474935ba2cead501d65bf18f0249277)

Set keys:
KEY: HKEY_CURRENT_USER\Software\Classes\.exe\(null)
TYPE: REG_SZ
VALUE: 4g (successful)
KEY: HKEY_CURRENT_USER\Software\Classes\.exe\Content Type
TYPE: REG_SZ
VALUE: application/x-m (successful)
KEY: HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon\(null)
TYPE: REG_SZ
VALUE: %1 (successful)
KEY: HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command\(null)
TYPE: REG_SZ
VALUE: C:\Documents and Settings\All Users\Application Data\pcdfdata\91a07dda97e9ca7d414360cabd4a907bf3bc9945e36fd7ccfb2202c0cdad45f9" /ex "%1"

it seems to be this vuln!