The lab has been receiving lots of malicious flash files lately. Most of the flash files that we've received have obfuscated shellcodes.

Our systems flagged one sample and I decided to take a closer look. The obfuscation is simple, it only uses XOR and ADD instructions.

Basically, its taking advantage of a recent exploit and it's coupled with SQL attacks. It downloads and executes a file from the following site:

   http://www.psp1122.cn/[removed].exe

We detect the downloaded EXE file as Trojan-PSW.Win32.OnlineGames.AYJU and the flash file as Exploit.SWF.Downloader.A.

Here's an animated image of decrypted shellcode:



Signing off,
Gerald