Shellcode Analysis
Last updated
Name - Malware.javaupdate.cs.malz
Type - Malware Dropper
Looking at the source, there is a large block of hexadecimal values in a byte array. This is most likely malicious shellcode. Reformatting (block-ifying) the shellcode, we get -
After that we see that the VirtualAlloc WinAPI function is called and the shellcode is passed to it.
Read-write permissions are also given to the shellcode buffer. After all the WinAPI shenanigans, we see that the shellcode object is put to sleep for an indefinite period of time.
This will never show up in Process Monitor because it is waiting for its handler to release it, which obviously never happens.
We move this shellcode onto REMnux and write a Python carver script.
carver.py -
After running the script, we get the hex string as output -
Then we modify the script further -
Now we have a binary of the malicious shellcode, which we transfer onto the FLARE-VM box.
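As an added example (this is not the page's own carver.py, which is not reproduced above), here is a small Python carver covering both steps described: it pulls the `0x..` values out of a C#-style `byte[]` literal, returns them as a hex string, and writes the raw bytes to a file for scdbg. The `SAMPLE_SOURCE` text is a constructed stand-in, not the sample's real shellcode; the string and hash helpers are extras for quick triage of the carved blob.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample resembling a C# byte-array literal. These bytes are a
# placeholder for illustration, NOT the real shellcode from the analysed sample.
SAMPLE_SOURCE = """
byte[] buf = new byte[12] {
    0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8,
    0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x00
};
"""

HEX_BYTE = re.compile(r"0x([0-9a-fA-F]{2})")


def carve_byte_array(source: str) -> bytes:
    """Return the raw bytes of the first `{ 0x.., 0x.. }` literal in source."""
    start = source.find("{")
    end = source.find("}", start)
    if start == -1 or end == -1:
        raise ValueError("no byte-array literal found in source")
    body = source[start + 1:end]
    return bytes(int(h, 16) for h in HEX_BYTE.findall(body))


def hex_string(blob: bytes) -> str:
    """First-pass output: the carved bytes as one continuous hex string."""
    return blob.hex()


def carve_to_file(source: str, out_path: str) -> int:
    """Second pass: write the carved bytes as a binary file; returns byte count."""
    blob = carve_byte_array(source)
    Path(out_path).write_bytes(blob)
    return len(blob)


def ascii_strings(blob: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs (like `strings`), handy for spotting C2 hosts/ports."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def sha256_hex(blob: bytes) -> str:
    """Hash of the carved blob so the artefact can be tracked/shared safely."""
    return hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    blob = carve_byte_array(SAMPLE_SOURCE)
    print("hex:", hex_string(blob))
    print("sha256:", sha256_hex(blob))
    print("strings:", ascii_strings(blob))
    print("wrote", carve_to_file(SAMPLE_SOURCE, "shellcode.bin"), "bytes")
```

Run it against the real source file by reading that file into `source` instead of `SAMPLE_SOURCE`; the resulting `shellcode.bin` is what gets handed to scdbg on the analysis VM.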
To analyse the shellcode, we open scdbg.
Tools used - scdbg
Command used -
This command shows what the shellcode does at runtime. We see some callouts to WinAPIs.
The shellcode reaches out to server burn.ec2-13-7-109-121-ubuntu-2004.local on port 443, downloads whatever it receives into an executable called javaupdate.exe, and runs it.
This is a malware dropper in shellcode form. When the program containing the shellcode runs, the main malware payload is downloaded onto the machine and executed by the shellcode.