From Network Forensic To Shellcode Analysis

Hello all, in this article I will share an experience about malware analysis in a lab simulation network. Assume that you set up a SOC and your tier 1 analyst inform you about an alert, it comes from Suricata to your SIEM as anormal traffic alert and you have decided to perform network forensic and you have some pcaps about incident. First you analyzed anormal TCP 443 traffic like this;

As you see that traffic flows through TCP 443 but it is not TLS traffic because you dont see 4 handshake and When you follow TCP stream you see this stream;

As it shown in the screenshoot of the network packets, an executable was transferred over TCP 443 and it’s not normal. Please pay attention MZ, This program can not be run in Dos mode strings. Now the analyst should go back in the time and analyze the previous traffic with related IP which initiated the malicious traffic. So some Http flows was detected. In this case, for clearifying the incident we need to follow tcp stream, for quick detection as an analyst you can search some exploit patterns in the clear text HTTP traffic like “\x90” Nops or “\x41" junks. Why we search this patterns? Because we have already seen MZ and higly likely an exploit can be used so to gain time with our experience we will search some keyword and levarage the cleartext traffic.

When we assemble the network packets we have obtained a javascript code like this;

Encoding is used as you see. Bingo we have catched a shellcode from network network traffic;

Shellcode was embeded as an exploit code into a html page’s javascript code. It seems like an exploit kit which was inserted by the threat actor for watering hole attack. Save the javascript code to a new file;

Window location contents IP address and Url, so we can use this as an IOC. It’s time to dump unicode for extracting shellcode so We need to use base64dump tool.

second object includes shellcode so we will extract it;

I only copied the shellcode again for encoding problems and I extracted it again like this way;

I will convert the unicode to binary format and then I will convert bin format to exe format for testing it in sandbox and performing reverse enginnering;

I moved this files to windows analysis machine and I used scdebugger for shelcode analysis;

Then I opened the Ghydra for reversing the shellcode exe form;

As you see that shellcode exe have 2 imports, GetProcaddress and LoadlibraryA. Go on with Peframe tool in Remnux;

I uploaded the malicious exe file to Virustotal for executing it in a Sandbox. You can see the results from output is given below;

Sandbox indicates that cmd.exe is opened by the malicious file. When we checked the strings of exploits we see some versions like this;

The exploit checks the version of the browsers. So we can deduce that this exploit is browser exploit, adversary uses heapspray shellcode for compromising client and if the victem clicks a link (remember window location IOC) this exploit code will execute. Lets research it with some Googling;

I have googled some specific strings and I came up with this topic.

I came back to exploit code and I saw this strings too;

You can also emulate the javascript code with box-js tool in remnux like this;

Dont forget delete the non Javacript tags, and illegal characters otherwise it’s not gonna work. Thank you for reading, Have a niceday….