I received a malicious RTF file with several stages (PowerShell commands), containing Gzip compressed shellcode. rtfdump shows the different elements of the RTF file: We are interested in element 7 (containing a package) This package contains a PowerShell command with BASE64 encoded commands. base64dump can help us with the decoding: PowerShell BASE64-encoded commands are UNICODE text, with utf16 we can convert it: We notice another string of BASE64 text. Remark also the GzipStream object created at the end: this is a strong indication that the decode BASE64 data must be decompressed for further analysis: Decompressing Gzip data can be done with translate: Here we see yet another BASE64 string, and WIN32 API functions like VirtualAlloc and CreateThread, a strong indication that shellcode will be written to memory and executed. Remark the User Agent String and IP address in this shellcode. To analyze shellcode, I often use the shellcode emulator scdbg.exe: From the emulation report, we can see that this shellcode creates a TCP connection to port 4444, the default port used by Metasploit's reverse shells. Remark that scdbg.exe emulates shellcode, it does not execute shellcode: no TCP connection is established. I prefer scdbg.exe over sctest from libemu because it emulates more WIN32 API functions, hence I will also use it on OSX and Linux with wine. Didier Stevens |
DidierStevens 650 Posts ISC Handler Feb 12th 2018 |
Thread locked Subscribe |
Feb 12th 2018 4 years ago |
Sign Up for Free or Log In to start participating in the conversation!