Malware Analysis - handling base64

Published: 2007-06-10. Last Updated: 2007-06-10 17:20:40 UTC
by Pedro Bueno (Version: 1)
0 comment(s)
I love work with information security. That’s a fact.:) I also really like to play with malware analysis, and from some time now, thats what I do for living :). And guess what I do in my free time??:) Yes, play with malware analysis too :).

I would like to share with you a situation that may occur when you are doing malware analysis.
I use pine to read some of my personal email, and last week I saved one spam that had something attached to it.
While analyzing the saved email, I saw that there was a file attached on it, that was base64 encoded.
The first sign it on the body:

------=_Part_75367_15338122.1181350292468
Content-Type: application/octet-stream; name="badfile.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="badfile.exe"
X-Attachment-Id: f_f2pdfmt5

...

Can you notice the:
Content-Transfer-Encoding: base64

Yes, that means that it is base64 encoded!:)

Now, how to handle it?

That’s what I want to share with you malware analysts enthusiastics today :)

As we can see with the GNU File utility, the saved-email.txt is a text file:

[lab3:~/mail# file saved-email.txt
saved-email.txt: ASCII text

I like perl, and it offers a really simple way to decode that file:

[lab3:~/mail# perl -MMIME::Base64 -e 'print decode_base64(join("", <>))' <saved-email.txt >badfile.exe.file

Done!
Now,did it work??
Easy, lets use the File utility again:

[lab3:~/mail# file badfile.exe.file
badfile.exe.file: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

Done!:) Now it is just to go ahaed an analyze the file, but thats another history...;)
-------------------------------------------------------------------------------------------
Handlers on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)
Keywords:
0 comment(s)

Comments


Diary Archives