“Exploit-SWF.x” is a generic detection for a Trojan that is part of the Angler Exploit Kit.
The files are heavily obfuscated and will not run on their own: they are one stage of the infection chain that Angler builds when a user visits a web page compromised by it (the so-called "landing page").
The large string passed as a parameter to the page is Base64-encoded data, which decodes to the string below:
The SWF file itself is also obfuscated, with many ActionScript functions that appear harmless. It contains functions to send and receive data over the network and to read and write files on disk. Because of the obfuscation, little else can be determined from the code.
The SWF file exploits CVE-2015-0336, a type confusion vulnerability in Adobe Flash Player that Adobe patched in March 2015 (security bulletin APSB15-05). More information about this vulnerability can be found on the CVE home page:
The .BIN file present in the escalation appears to be the final payload of the infection, i.e. the executable that is installed on the machine. It is encrypted, possibly with an 8-byte XOR key. Once decrypted, the payload is injected directly into the memory of an existing system or shell process (svchost.exe, explorer.exe, winlogon.exe) and is never written to disk. After that installation, the payload may perform further actions that depend on the malware family it belongs to.
Indication of Infection
Presence of the activities described above. Because the final payload is injected into the memory of a running process and never written to disk, a file-system scan alone will not find it; the listed processes must be inspected in memory.
Methods of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc. In this case the infection is a drive-by download: visiting a compromised web page leads to the Angler landing page, which delivers the exploit without any action by the user.
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).