Malware Domain List

Topic started by: SysAdMini on November 21, 2014, 11:25:43 pm

Title: Sweet Orange exploit kit now contains CVE-2014-6332 exploit
Post by: SysAdMini on November 21, 2014, 11:25:43 pm
Today I came across several instances of the Sweet Orange exploit kit. I didn't know it was Sweet Orange when I found it, but kafeine confirmed it is Sweet Orange. Thanks!

Here is an example.

Obfuscated exploit kit code looks like this:

This is how it looks deobfuscated:

Decode the text block starting with

Code:
if (true){
  scriptvar = '

using Base64. Result is a CVE-2014-6332 exploit in plain text.

See CVE-2014-6332 exploit code here:

Detection of payload was low when I found it (Virustotal 2/55)

Here is an analysis from Malwr:

I strongly recommend installing security update MS14-064 immediately. At least 2 exploit kits are using a CVE-2014-6332 exploit now.
In case you are still running Windows XP, you are in trouble, because there is no patch for XP.
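
An added example, not part of the original post: a small Python triage helper for the decoding step described above. It pulls the Base64 text assigned to `scriptvar` out of deobfuscated landing-page source, decodes it, and reports whether the result mentions VBScript. The sample input is constructed and harmless, and the function names and the VBScript check are assumptions of this example.

```python
import base64
import binascii
import re

# A quoted run of Base64 characters; whitespace is allowed inside the literal.
LITERAL_RE = re.compile(r"(['\"])([A-Za-z0-9+/=\s]*)\1")
PLUS_RE = re.compile(r"\s*\+\s*")

def extract_blobs(source):
    """Collect the string literals assigned to scriptvar, joining 'a' + 'b' pieces."""
    blobs = []
    for m in re.finditer(r"scriptvar\s*=\s*", source):
        pos, parts = m.end(), []
        while (lit := LITERAL_RE.match(source, pos)):
            parts.append(lit.group(2))
            plus = PLUS_RE.match(source, lit.end())
            if not plus:
                break
            pos = plus.end()
        if parts:
            blobs.append("".join(parts))
    return blobs

def decode_blob(blob):
    """Strip whitespace, repair missing padding, decode; None if not valid Base64."""
    compact = re.sub(r"\s+", "", blob)
    compact += "=" * (-len(compact) % 4)
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")

def triage(source):
    """Decode every scriptvar blob and note whether the plain text mentions VBScript."""
    results = []
    for blob in extract_blobs(source):
        text = decode_blob(blob)
        if text is not None:
            results.append({"length": len(text), "vbscript": "vbscript" in text.lower(), "text": text})
    return results

# Constructed sample: a harmless placeholder payload, encoded without padding and
# split across two concatenated literals the way a landing page might carry it.
PAYLOAD = '<script language="VBScript">\n\' constructed placeholder, no exploit code\n</script>'
_B64 = base64.b64encode(PAYLOAD.encode()).decode().rstrip("=")
SAMPLE = ("if (true){\n  scriptvar = '" + _B64[:len(_B64) // 2] + "' +\n    '"
          + _B64[len(_B64) // 2:] + "';\n}")

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["length"], "chars decoded, mentions VBScript:", hit["vbscript"])
```

Run it against a saved, deobfuscated copy of the page inside an isolated analysis environment and review the decoded text by hand.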