PRACTICAL MALWARE ANALYSIS: SHELLCODE ANALYSIS (LAB 19-01)

Tools Used

  1. OllyDbg
  2. Shellcode2Exe
  3. Sctest

Sample:

  1. Lab19-01.bin SHA256: 12C25180A497E9F9544454332A29DF45D1F8506DEE485ED0026D9969AF4AFEDE

Lab 19-1
Analyze the file Lab19-01.bin using shellcode_launcher.exe.
Questions

To generate an executable from the raw shellcode, I used the shellcode2exe tool, as seen below. Wrapping the blob in a PE is what lets a debugger such as OllyDbg load it and single-step the decoder.

Figure 1. The shellcode2exe tool

1. How is the shellcode encoded?

The shellcode is alphabetically encoded: the bytes that make up the real payload are stored as printable letters, and a short decoder loop at the front of the blob rewrites them in memory before control reaches the decoded code. In Figure 2, we can see the function responsible for decoding.

Figure 2. Decoding function
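As an added example (not code from the original post and not the stub from Lab19-01.bin), the following C program implements an alphabetic encoding in both directions so the few-instruction decoder loop in Figure 2 can be compared against readable code. It assumes the common variant in which each payload byte becomes two letters 'A' through 'P' (0x41 to 0x50), high nibble first; the sample payload bytes are constructed. If the real stub subtracts a different base or combines the nibbles in the other order, adjust letter_to_nibble and alpha_decode_pair to match what the disassembly does.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map one nibble to a letter: 'A' (0) .. 'P' (15).  The alphabet and the
 * high-nibble-first order below are assumptions about the scheme, not read
 * from Lab19-01.bin; confirm them against the decoder loop in Figure 2. */
static char nibble_to_letter(unsigned nibble) {
    return (char)('A' + (nibble & 0x0F));
}

/* Inverse of nibble_to_letter; returns -1 for a character outside 'A'..'P'. */
static int letter_to_nibble(char c) {
    if (c < 'A' || c > 'P') return -1;
    return c - 'A';
}

/* Encode len bytes into 2*len letters plus a NUL; out needs 2*len+1 bytes. */
size_t alpha_encode(const uint8_t *in, size_t len, char *out) {
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = nibble_to_letter(in[i] >> 4);
        out[2 * i + 1] = nibble_to_letter(in[i] & 0x0F);
    }
    out[2 * len] = '\0';
    return 2 * len;
}

/* Decode one letter pair into a byte value, or -1 if either letter is invalid. */
int alpha_decode_pair(char hi, char lo) {
    int h = letter_to_nibble(hi), l = letter_to_nibble(lo);
    if (h < 0 || l < 0) return -1;
    return (h << 4) | l;
}

/* Decode a whole buffer.  Returns the number of payload bytes written, or -1
 * on odd length, an invalid letter, or insufficient output space.  A real
 * decoder stub performs none of these checks: it walks the bytes after
 * itself, subtracts 0x41, shifts and ORs, stores the result back in place,
 * and then jumps to what it produced. */
int alpha_decode(const char *in, size_t len, uint8_t *out, size_t out_cap) {
    if (len % 2 != 0 || len / 2 > out_cap) return -1;
    for (size_t i = 0; i < len; i += 2) {
        int b = alpha_decode_pair(in[i], in[i + 1]);
        if (b < 0) return -1;
        out[i / 2] = (uint8_t)b;
    }
    return (int)(len / 2);
}

/* Triage heuristic: an even-length run made entirely of 'A'..'P' is a
 * candidate for this encoding.  Useful when eyeballing a blob whose
 * "strings" output is suspiciously letter-only. */
int looks_alpha_encoded(const uint8_t *buf, size_t len) {
    if (len == 0 || len % 2 != 0) return 0;
    for (size_t i = 0; i < len; i++)
        if (letter_to_nibble((char)buf[i]) < 0) return 0;
    return 1;
}

int main(void) {
    /* Constructed sample payload (a few x86 bytes), not taken from the lab. */
    const uint8_t payload[] = {0x90, 0x55, 0x8B, 0xEC, 0xC3};
    char encoded[2 * sizeof(payload) + 1];
    uint8_t decoded[sizeof(payload)];

    alpha_encode(payload, sizeof(payload), encoded);
    printf("encoded : %s\n", encoded);
    int n = alpha_decode(encoded, strlen(encoded), decoded, sizeof(decoded));
    printf("decoded : %d bytes, roundtrip %s\n", n,
           (n == (int)sizeof(payload) &&
            memcmp(decoded, payload, sizeof(payload)) == 0) ? "ok" : "FAILED");
    return 0;
}
```

In practice the quickest route is still to let the stub run under the debugger and dump the decoded region afterwards; a reference decoder like this one is for confirming you have read the loop correctly and for decoding further samples that use the same scheme without executing them.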

2. Which functions does the shellcode manually import?

We can use sctest, the shellcode emulator that ships with libemu, to emulate the shellcode and log the Windows API calls it makes.

Figure 3. sctest
Figure 4. sctest output

The output shows that the shellcode manually resolves LoadLibraryA, GetSystemDirectory, URLDownloadToFile and WinExec. LoadLibraryA is needed because URLDownloadToFile lives in urlmon.dll, which is usually not already loaded in the process the shellcode lands in, whereas the other three are exported by kernel32.dll and can be resolved directly from its export table. Keep in mind that sctest only reports the calls its emulation actually reaches, so it is worth confirming the list in a debugger.

We can also use OllyDbg to watch the resolution happen live.

Figure 5. Code responsible for manually importing functions
Figure 6. Imports

3. What network host does the shellcode communicate with?

As seen in Figure 4, the shellcode downloads http://www.practicalmalwareanalysis.com/shellcode/annoy_user.exe, so the host it communicates with is www.practicalmalwareanalysis.com.

4. What filesystem residue does the shellcode leave?

The downloaded file is written to c:\windows\system32\1.exe. The directory is obtained at run time from GetSystemDirectory rather than hardcoded, so on a host with a non-default system directory the file lands there instead.

5. What does the shellcode do?

  1. Downloads http://www.practicalmalwareanalysis.com/shellcode/annoy_user.exe using URLDownloadToFile.
  2. Saves the payload as c:\windows\system32\1.exe.
  3. Executes the payload with WinExec.