Analyzing Shellcode of GrandSoft's CVE-2018-8174


CVE-2018-8174 exploit code published in 2018-05-21.

GrandSoft Exploit Kit used to be CVE-2016-0189 before. Now, it's using CVE-2018-8174. It's almost the same as PoC, except that some obfuscation has been added. However shellcode is unique. Previously VBScript (CVE-2016-0189) code generated cryptographic keys and decoded the payload. It was changed to doing in shellcode.

Previously flow is as follows:
    Random Number Generation -> Generate key Using Random Number -> 
    Add the key to the End of URL -> Download Encrypted Malware -> 
    Decode by the key

new flow is as follows:
    Random key Generation ->  Add the key to the End of URL -> 
    Download Encrypted Malware -> Decode by the key

      in shellcode


First let's see the recent GrandSoft traffic. The link of saz file is introduced in Kafeine's blog.

Looking at this saz file, it looks like the following.

The flow of traffic is the same. It consists of Landing Page, Exploit and Malware. CVE-2018-8174 is used for exploit, which downloads and executes malware. Malware payload is encrypted. Therefore, the shellcode decrypts the malware using some numerical values of the URL.


For technical explanation of CVE-2018-8174 please refer to other articles.

Actually the code used in GrandSoft is like this.

Dead code is included, but it is basically the same as PoC. What is different is PoC with GetShellcode part. GrandSoft's GetShellcode function has been renamed to the c111111 function, and it is such a function.


Shellcode calls API using hash, however this hash differs from well-known one.

Shellcode Hash Algorithm is ror14AddHash32.
pseudocode is as follows:

Shellcode uses GetTickCount function to generate keys.

Decoding algorithm was not changed as of vbs.

pseudocode is as follows:


GrandSoft got CVE-2018-8174. This may be a bit more powerful. Shellcode is a little characteristic. Enjoy analysis of shellcode!