Shellcodes
These indicators represent situations where a small piece of code is used as the payload in the exploitation of a software vulnerability. It is called shellcode because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode.
|
Indicator |
Description |
|---|---|
|
ApiHashing |
The file contains a byte sequence that looks like shellcode that tries to stealthily find library APIs loaded in memory. |
|
BlackholeV2 |
The file looks like it might have come from the Blackhole exploit kit. |
|
ComplexGotoEmbed |
The file may be able to force the browser to go to an address or to perform an action. |
|
ComplexSuspiciousHeaderLocation |
The PDF header is located at a non-zero offset which may indicate an attempt to prevent this file from being recognized as a PDF document. |
|
EmbeddedTiff |
The file may contain a crafted TIFF image with nop-sled to facilitate exploitation. |
|
EmbeddedXDP |
The file likely contains another PDF as an XML Data Package (XDP). |
|
FindKernel32Base1 |
The file contains a byte sequence that looks like a shellcode that tries to locate kernel32.dll in memory. |
|
FindKernel32Base2 |
The file contains a byte sequence that looks like a shellcode that tries to locate kernel32.dll in memory. |
|
FindKernel32Base3 |
The file contains a byte sequence that looks like a shellcode that tries to locate kernel32.dll in memory. |
|
FunctionPrologSig |
The file contains a byte sequence that is a typical function prolog, and likely contains shellcode. |
|
GetEIP1 |
The file contains a byte sequence that looks like a shellcode that resolves its own address to locate other things in memory and facilitate exploitation. |
|
GetEIP4 |
The file contains a byte sequence that looks like a shellcode that resolves its own address to locate other things in memory and facilitate exploitation. |
|
IndirectFnCall1 |
The file contains a byte sequence that looks like an indirect function call, and is likely shellcode. |
|
IndirectFnCall2 |
The file contains a byte sequence that looks like an indirect function call, and is likely shellcode. |
|
IndirectFnCall3 |
The file contains a byte sequence that looks like an indirect function call, and is likely shellcode. |
|
SehSig |
The file contains a byte sequence that is typical for Structured Exception Handling (SEH), and likely contains shellcode. |
|
StringLaunchActionBrowser |
The file may be able to force the browser to go to an address or to perform an action. |
|
StringLaunchActionShell |
The file may be able to execute shell actions. |
|
StringSingExploit |
The file might contain an exploit. |