Shellcode Analysis
Malware Details
Name - Malware.javaupdate.cs.malz
Type - Malware Dropper
Static Analysis/Source Code Review

The source contains a large array of hexadecimal byte values; this is very likely malicious shellcode. Pulling the array out as a block, we get -

After that we see the VirtualAlloc Windows API being called and the shellcode being passed to it.

Read-write permissions are also given to the shellcode. After all the Windows API shenanigans, we see that the shellcode object is put to sleep for an indefinite period of time.

This will never show up in Process Monitor because it is waiting for its handler to release it, which obviously never happens.
We move this shellcode onto REMnux and write a Python carver script.
carver.py -
with open("shell.txt", "r") as f:
    # strip the C# array declaration, the 0x prefixes and the commas, leaving bare hex digits
    hex_string = f.read().replace("0x", "").replace("byte[] rsrc = new byte[464] {", "").replace("};", "").replace(",", "")
# decode the hex text into the raw shellcode bytes; the remaining whitespace is skipped by fromhex()
shellcode = bytes.fromhex(hex_string)
print(hex_string)
print(shellcode)
After running the script, we get the hex string as output -

Then we extend the script to write the bytes out to a file -
with open("shell.txt", "r") as f:
    # strip the C# array declaration, the 0x prefixes and the commas, leaving bare hex digits
    hex_string = f.read().replace("0x", "").replace("byte[] rsrc = new byte[464] {", "").replace("};", "").replace(",", "")
# bytes.fromhex() turns the hex text into the raw shellcode; writing hex_string.encode()
# instead would produce an ASCII hex dump, not a binary that scdbg can emulate
shellcode = bytes.fromhex(hex_string)
# print(hex_string)
# print(shellcode)
with open("out.bin", "wb") as out:
    out.write(shellcode)
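
The carver above hardcodes the array declaration, so it silently breaks if the variable name or the declared length changes, and nothing checks that every byte was copied. As an added example (not part of the original write-up), the script below parses any `new byte[N] { ... }` initializer with a regular expression, refuses to write the file if the declared length and the number of literals disagree, and lists printable strings in the blob as a first triage pass before handing it to scdbg. The function names and the sample array are my own; the sample bytes are a constructed placeholder, not the real shellcode.

```python
import re
import sys

# Constructed sample in the shape of the dropper's C# byte-array declaration.
# The values are a placeholder for illustration, not the real shellcode.
SAMPLE_CS = """byte[] rsrc = new byte[24] {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0x65,0x78,
0x61,0x6d,0x70,0x6c,0x65,0x2e,0x6c,0x6f,
0x63,0x61,0x6c,0x00,0x90,0x90,0xc3,0x00};
"""

# Matches "new byte[N] { ... }" regardless of the variable name or spacing.
ARRAY_RE = re.compile(r"new\s+byte\[(\d+)\]\s*\{(.*?)\}", re.DOTALL)


def carve_byte_array(source: str) -> bytes:
    """Extract the first byte[] initializer from C# source as raw bytes.

    Raises ValueError when the declared length does not match the number of
    literals found, which catches a truncated copy/paste of the array.
    """
    m = ARRAY_RE.search(source)
    if m is None:
        raise ValueError("no byte[] initializer found")
    declared = int(m.group(1))
    literals = [t for t in re.split(r"[\s,]+", m.group(2)) if t]
    values = [int(t, 16) if t.lower().startswith("0x") else int(t) for t in literals]
    if len(values) != declared:
        raise ValueError(f"declared {declared} bytes but found {len(values)}")
    return bytes(values)


def printable_strings(blob: bytes, min_len: int = 6) -> list:
    """Return ASCII runs of at least min_len characters found in the blob.

    A cheap static triage step: hostnames and file names embedded in
    shellcode often show up here before any emulation is run.
    """
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def carve_file(path: str, out_path: str = "out.bin") -> int:
    """Carve the array from a source file, write it out, return byte count."""
    with open(path, "r") as f:
        blob = carve_byte_array(f.read())
    with open(out_path, "wb") as out:
        out.write(blob)
    for s in printable_strings(blob):
        print("string:", s)
    return len(blob)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(f"wrote {carve_file(sys.argv[1])} bytes to out.bin")
    else:
        blob = carve_byte_array(SAMPLE_CS)
        print(len(blob), "bytes;", printable_strings(blob))
```

Run it as `python carver.py shell.txt` to produce out.bin from the real source; with no argument it carves the constructed sample and reports the one embedded string.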

Now we have a binary of the malicious shellcode. We transfer it onto the FLARE-VM box by serving it from REMnux and fetching it from the Windows side (wget here is PowerShell's alias for Invoke-WebRequest).
python -m http.server

wget http://10.0.0.3:8000/out.bin -UseBasicParsing -O out.bin

Now to analyse the shellcode, we open scdbg.
Tools used - scdbg
Command used -
scdbg /f out.bin -s -1
This command emulates the shellcode (-s -1 removes the step limit) and logs the Windows API calls it makes as it runs. The shellcode is reaching out to - server: burn.ec2-13-7-109-121-ubuntu-2004.local, port: 443 - and is downloading whatever it gets into an executable called javaupdate.exe, which it then runs.

Conclusion
This is a malware dropper delivered as shellcode. When the program containing the shellcode runs, the main malware is downloaded onto the machine and executed by the shellcode.