
malicious payload

Experts,

I have what appears to be a Metasploit reverse TCP payload that someone emailed to me. I opened it on an isolated PC. When I open it with Notepad, the structure appears to resemble a reverse TCP payload that I create through Metasploit.

Everything is encrypted. Is there a tool that I can run this through so that I can see the actual IP address that this was going to phone home to?
Asked by: trojan81

2 Solutions
shawn555444 commented:
There are a bunch of tools that will allow you to encrypt payloads; some, like Hyperion (sp?), will encrypt with AES, others could have it done in a customized fashion. Unfortunately, without knowing what kind of encryption, it'll be difficult to find a way to decrypt the IP address.
However, what you could do is let it run in an isolated environment (VM?) and see what it tries to call back to. If it was a smart payload, it'll probably send to a proxy, in which case you have but a very small chance to find out where it originated from. Since I have no idea what the payload/exploit is for (Windows/Linux), I'll just put both here.

Linux: netstat -wput
Windows: tcpview from sysinternals

What will help is finding the program and checking from there.

If that doesn't work, and you really want to try one more thing, you could set up wireshark to listen to the packets going out and reading the packet that way. The payload will still be encrypted, but at least the source IP may be shown. Again, it may be a proxy.

As a last ditch effort, you may be able to try wireshark's ESP capabilities.

http://wiki.wireshark.org/ESP_Preferences

If you have anymore questions feel free to ask!
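Before going dynamic, it is worth one cheap static check, because an unencoded msfvenom x86 reverse_tcp stub (linux/x86 and the Windows x86 one alike) builds its sockaddr_in with two immediate pushes: `68 <ip, 4 bytes>` then `68 02 00 <port, 2 bytes>` (AF_INET plus the port in network byte order), followed by `mov esi/ecx, esp`. The scanner below is an added example written for this thread, not code posted by anyone in it, and it assumes that push sequence as its signature. It tries the raw bytes, then every single-byte XOR key, which only catches trivial obfuscation: if the payload really is AES-encrypted as shawn555444 describes, it finds nothing and the run-it-and-watch approach above is the right one. The sample bytes are constructed to resemble the socket-setup fragment of a linux/x86 reverse_tcp stub aimed at 127.0.0.1:4444.

```python
"""Static callback-address extraction for Metasploit-style x86 reverse_tcp stubs.

Added example for this thread, not code from the original page.
Assumption: the stub pushes its sockaddr_in as
    68 <ip4>          push imm32   ; IPv4 address, network byte order
    68 02 00 <port>   push imm32   ; AF_INET (0x0002) + port, big-endian
    89 e1 / 89 e6     mov ecx/esi, esp
A strongly encrypted payload will not match; only single-byte XOR is tried.
"""
import ipaddress
import re
import struct
import sys

# push <ip>; push 0x0002<port>; mov ecx|esi, esp
SOCKADDR_RE = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})\x89[\xe1\xe6]", re.DOTALL)


def find_callback(blob: bytes):
    """Return [(ip, port), ...] for every sockaddr_in push pair found in blob."""
    hits = []
    for m in SOCKADDR_RE.finditer(blob):
        ip = str(ipaddress.IPv4Address(m.group(1)))      # packed 4-byte form
        port = struct.unpack(">H", m.group(2))[0]        # big-endian port
        hits.append((ip, port))
    return hits


def xor_bytes(blob: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to the whole blob."""
    return bytes(b ^ key for b in blob)


def find_callback_any_xor(blob: bytes):
    """Scan the raw blob, then every single-byte XOR key 1..255.

    Returns (key, hits) for the first key that yields a match; key 0 means
    the blob was not obfuscated. Returns (None, []) if nothing matches, which
    is the expected outcome for a properly encrypted payload.
    """
    for key in range(256):
        hits = find_callback(xor_bytes(blob, key) if key else blob)
        if hits:
            return key, hits
    return None, []


# Constructed sample: socket-setup fragment in the style of
# linux/x86/shell_reverse_tcp, pointed at 127.0.0.1:4444.
SAMPLE_PLAIN = (
    b"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
    b"\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9"
    b"\x68\x7f\x00\x00\x01"    # push 0x0100007f -> 127.0.0.1
    b"\x68\x02\x00\x11\x5c"    # push 0x5c110002 -> AF_INET, port 0x115c = 4444
    b"\x89\xe1\xb0\x66\x50\x51\x53\xb3\x03\x89\xe1\xcd\x80"
)
# The same fragment under a trivial single-byte XOR "encryption" (key 0x41).
SAMPLE_XOR = xor_bytes(SAMPLE_PLAIN, 0x41)


if __name__ == "__main__":
    # Usage: python extract_callback.py <payload_file>; without an argument
    # it scans the constructed samples above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        targets = [("file", data)]
    else:
        targets = [("plain sample", SAMPLE_PLAIN), ("xor sample", SAMPLE_XOR)]
    for name, data in targets:
        key, hits = find_callback_any_xor(data)
        if hits:
            print(f"{name}: xor key {key:#04x}, callbacks {hits}")
        else:
            print(f"{name}: no reverse_tcp sockaddr found; analyze it dynamically")
```

If this prints nothing useful, that is informative too: the stub is either not x86 msf reverse_tcp or is wrapped in real encryption, and the address only exists at runtime, which is exactly when netstat, TCPView or Wireshark on the isolated box will see the connect().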
 
Rich Rumble (Security Samurai) commented:
Right, the easiest way is to run it and see where it beacons to; submit it to Malwr.com or VirusTotal and have a look at the advanced tabs. Malwr.com in particular has a network analysis tab.
-rich
 
trojan81 (Author) commented:
Well done. Thank you, gentlemen.