?
Solved

malicious payload

Posted on 2015-01-22
3
Medium Priority
?
85 Views
Last Modified: 2015-02-19
experts,

I have what appears to be a metasploit reverse tcp payload that someone emailed to me. I opened it on an isolated PC. When I open it with notepad, the structure appears to resemble a reverse tcp payload that I create through metasploit.

Everything is encrypted. Is there a tool that I can run this through so that I can see the actual IP address that this was going to phone home to?
0
Comment
Question by:trojan81
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 2

Assisted Solution

by:shawn555444
shawn555444 earned 1000 total points
ID: 40565858
There are a bunch of tools that will allow you to encrypt payloads, some, like hyperion(sp?) will encrypt with AES, others could have it done in a customized fashion. Unfortunately, without knowing what kind of encryption, it'll be difficult to find a way to decrypt the ip address.
However, what you could do is let it run in an isolate environment (vm?) and see what it tries to call back to. If it was a smart payload, it'll probably send to a proxy in which case you have but a very small chance to find out where it originated from. Since I have no idea what the playload/exploit is for (Windows/Linux) I'll just put both here.

Linux: netstat -wput
Windows: tcpview from sysinternals

What will help is finding the program and checking from there.

If that doesn't work, and you really want to try one more thing, you could set up wireshark to listen to the packets going out and reading the packet that way. The payload will still be encrypted, but at least the source IP may be shown. Again, it may be a proxy.

As a last ditch effort, you may be able to try wireshark's ESP capabilities.

http://wiki.wireshark.org/ESP_Preferences

If you have anymore questions feel free to ask!
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1000 total points
ID: 40569244
Right, the easiest way is to run it, and see where it becon's to, submit it to Malwr.com or VirusTotal and have a look at the advanced tab's. Malwr.com in particular has a network analysis tab.
-rich
0
 

Author Closing Comment

by:trojan81
ID: 40619801
well done. thank you gentlemen
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question