Malware Analysis - handling base64
I love working with information security. That's a fact. :) I also really like to play with malware analysis, and for some time now that's what I do for a living :). And guess what I do in my free time? :) Yes, play with malware analysis too :).
I would like to share with you a situation that may occur when you are doing malware analysis.
I use pine to read some of my personal email, and last week I saved a spam message that had something attached to it.
While analyzing the saved email, I saw that there was a file attached to it that was base64 encoded.
The first sign is in the body:
------=_Part_75367_15338122.1181350292468
Content-Type: application/octet-stream; name="badfile.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="badfile.exe"
X-Attachment-Id: f_f2pdfmt5
...
Can you notice the:
Content-Transfer-Encoding: base64
Yes, that means the attachment is base64 encoded! :)
Now, how to handle it?
That's what I want to share with you malware analysis enthusiasts today :)
As the GNU file utility shows, saved-email.txt is a plain text file:
[lab3:~/mail# file saved-email.txt
saved-email.txt: ASCII text
I like perl, and it offers a really simple way to decode that file:
[lab3:~/mail# perl -MMIME::Base64 -e 'print decode_base64(join("", <>))' <saved-email.txt >badfile.exe.file
Done!
One caveat: decode_base64 silently ignores any character outside the base64 alphabet, so this one-liner only gives a clean binary when saved-email.txt holds just the base64 body of the attachment. If the mail headers are still in the file, they are decoded as if they were base64 and, unless their length happens to be a multiple of four, they also throw off the alignment of the real payload, so you get garbage instead of a PE. Cut the file down to the lines between the blank line after "Content-Transfer-Encoding: base64" and the next boundary line first.
Now, did it work?
Easy, let's use the file utility again:
[lab3:~/mail# file badfile.exe.file
badfile.exe.file: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
Done! :) Now it is just a matter of going ahead and analyzing the file, but that's another story... ;)
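As an added example (not from the diary), here is the same extraction done with a real MIME parser instead of base64-decoding the whole saved file: it walks the message, decodes each attachment according to its own Content-Transfer-Encoding, hashes it, applies the same MZ/PE check that file(1) makes, and shows what the one-liner produces when the headers are left in. The raw message, the boundary string and the MZ/PE blob standing in for badfile.exe are all constructed for this example; the function names are my own.

```python
import base64
import email
import email.policy
import hashlib
import os
import re

# Constructed stand-in for badfile.exe: 'MZ' header, e_lfanew at 0x3c pointing at a
# 'PE\0\0' signature. Not a real executable; only the magic bytes matter here.
FAKE_EXE = (
    b"MZ" + b"\x90" * 58            # DOS header up to e_lfanew
    + (0x40).to_bytes(4, "little")  # e_lfanew = 0x40
    + b"PE\x00\x00" + b"\x00" * 20  # NT signature plus padding
)

BOUNDARY = "----=_Part_example_0001"  # constructed, not the boundary from the diary

# Constructed raw message carrying the same part headers the diary shows.
RAW_EMAIL = (
    "From: sender@example.invalid\r\n"
    "To: analyst@example.invalid\r\n"
    "Subject: test\r\n"
    "MIME-Version: 1.0\r\n"
    f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n'
    "\r\n"
    f"--{BOUNDARY}\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "Please see the attached file.\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Type: application/octet-stream; name="badfile.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="badfile.exe"\r\n'
    "\r\n"
    + base64.encodebytes(FAKE_EXE).decode("ascii").replace("\n", "\r\n")
    + f"--{BOUNDARY}--\r\n"
).encode("ascii")


def is_pe(data: bytes) -> bool:
    """The check file(1) makes: 'MZ' at offset 0 and 'PE\\0\\0' where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def safe_name(filename: str) -> str:
    """Attachment filenames are attacker-controlled; keep only a harmless basename."""
    base = os.path.basename(filename.replace("\\", "/")) or "attachment"
    return re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".") or "attachment"


def extract_attachments(raw: bytes) -> list[dict]:
    """Walk the MIME tree and return every attachment part, decoded according to
    its own Content-Transfer-Encoding (base64 here), with a hash for later lookups."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)  # honours base64 / quoted-printable / 7bit
        found.append({
            "filename": part.get_filename() or "",
            "encoding": str(part.get("Content-Transfer-Encoding", "")).lower(),
            "content_type": part.get_content_type(),
            "data": data,
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_pe": is_pe(data),
        })
    return found


def decode_whole_message(raw: bytes) -> bytes:
    """What the diary's one-liner does when the headers are still in the file:
    non-alphabet characters are dropped and everything else is decoded as base64."""
    letters = re.sub(rb"[^A-Za-z0-9+/]", b"", raw)
    letters = letters[: len(letters) - len(letters) % 4]  # drop a ragged tail
    return base64.b64decode(letters)


if __name__ == "__main__":
    for att in extract_attachments(RAW_EMAIL):
        out = safe_name(att["filename"]) + ".file"  # same naming idea as the diary
        with open(out, "wb") as fh:
            fh.write(att["data"])
        print(f"{out}: {att['content_type']} {att['encoding']} "
              f"sha256={att['sha256']} pe={att['is_pe']}")
    print("whole-file decode is a PE:", is_pe(decode_whole_message(RAW_EMAIL)))
```

Two points worth keeping in mind: the filename in Content-Disposition is chosen by the sender, so never use it as a path without sanitising it, and decoding through the parser rather than over the whole file is what guarantees that the bytes you hand to `file` are exactly the attachment and nothing else.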
-------------------------------------------------------------------------------------------
Handlers on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)