Solved

malicious payload

Posted on 2015-01-22
3
81 Views
Last Modified: 2015-02-19
experts,

I have what appears to be a metasploit reverse tcp payload that someone emailed to me. I opened it on an isolated PC. When I open it with notepad, the structure appears to resemble a reverse tcp payload that I create through metasploit.

Everything is encrypted. Is there a tool that I can run this through so that I can see the actual IP address that this was going to phone home to?
0
Comment
Question by:trojan81
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 2

Assisted Solution

by:shawn555444
shawn555444 earned 250 total points
ID: 40565858
There are a bunch of tools that will allow you to encrypt payloads, some, like hyperion(sp?) will encrypt with AES, others could have it done in a customized fashion. Unfortunately, without knowing what kind of encryption, it'll be difficult to find a way to decrypt the ip address.
However, what you could do is let it run in an isolate environment (vm?) and see what it tries to call back to. If it was a smart payload, it'll probably send to a proxy in which case you have but a very small chance to find out where it originated from. Since I have no idea what the playload/exploit is for (Windows/Linux) I'll just put both here.

Linux: netstat -wput
Windows: tcpview from sysinternals

What will help is finding the program and checking from there.

If that doesn't work, and you really want to try one more thing, you could set up wireshark to listen to the packets going out and reading the packet that way. The payload will still be encrypted, but at least the source IP may be shown. Again, it may be a proxy.

As a last ditch effort, you may be able to try wireshark's ESP capabilities.

http://wiki.wireshark.org/ESP_Preferences

If you have anymore questions feel free to ask!
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 40569244
Right, the easiest way is to run it, and see where it becon's to, submit it to Malwr.com or VirusTotal and have a look at the advanced tab's. Malwr.com in particular has a network analysis tab.
-rich
0
 

Author Closing Comment

by:trojan81
ID: 40619801
well done. thank you gentlemen
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I've been an avid user and supporter of Malwarebytes Premium Version 2.x for years. It's an excellent product that runs alongside just about any Anti-Virus application without issues. It seems to have an uncanny ability to pick up many things that A…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question