Solved

malicious payload

Posted on 2015-01-22
Last Modified: 2015-02-19
experts,

I have what appears to be a metasploit reverse tcp payload that someone emailed to me. I opened it on an isolated PC. When I open it with notepad, the structure appears to resemble a reverse tcp payload that I create through metasploit.

Everything is encrypted. Is there a tool that I can run this through so that I can see the actual IP address that this was going to phone home to?
Question by: trojan81
Assisted Solution by: shawn555444
ID: 40565858
There are a bunch of tools that will allow you to encrypt payloads; some, like hyperion(sp?), will encrypt with AES, others could have it done in a customized fashion. Unfortunately, without knowing what kind of encryption, it'll be difficult to find a way to decrypt the IP address.
However, what you could do is let it run in an isolated environment (VM?) and see what it tries to call back to. If it was a smart payload, it'll probably send to a proxy, in which case you have but a very small chance to find out where it originated from. Since I have no idea what the payload/exploit is for (Windows/Linux) I'll just put both here.

Linux: netstat -wput
Windows: tcpview from sysinternals

What will help is finding the program and checking from there.

If that doesn't work, and you really want to try one more thing, you could set up Wireshark to listen to the packets going out and read the packets that way. The payload will still be encrypted, but at least the source IP may be shown. Again, it may be a proxy.

As a last ditch effort, you may be able to try wireshark's ESP capabilities.

http://wiki.wireshark.org/ESP_Preferences

If you have any more questions feel free to ask!
Accepted Solution by: Rich Rumble
ID: 40569244
Right, the easiest way is to run it and see where it beacons to; submit it to Malwr.com or VirusTotal and have a look at the advanced tabs. Malwr.com in particular has a network analysis tab.
-rich
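Reading the netstat output both answers point to, as an added example that is not code from either answer or from any tool on this page; the netstat lines, the `payload` process name and the 203.0.113.45 address are constructed for illustration. Repeated SYN_SENT entries to one host:port from the sample's process are what a reverse-TCP callback looks like when the handler is not answering, and that address is still the one to report.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `netstat -tp` output captured on an isolated VM while
# the suspicious binary ran (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.2.15:22            10.0.2.2:51022          ESTABLISHED 812/sshd
tcp        0      0 127.0.0.1:631           127.0.0.1:40114         ESTABLISHED 955/cupsd
tcp        0      1 10.0.2.15:49321         203.0.113.45:4444       SYN_SENT    1337/payload
tcp        0      1 10.0.2.15:49322         203.0.113.45:4444       SYN_SENT    1337/payload
"""

LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+|-)/(?P<prog>\S+)"
)

# Address space that sandbox-internal traffic lives in; a callback leaves it.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def _is_external(host: str) -> bool:
    """True when host lies outside loopback, link-local and RFC1918 space."""
    ip = ipaddress.ip_address(host)
    return not any(ip in net for net in _LOCAL_NETS)


def candidate_beacons(netstat_text: str) -> dict:
    """Group outbound sockets by (program, remote host, remote port).

    Returns {(prog, host, port): {"attempts": n, "states": set_of_states}}.
    """
    found = defaultdict(lambda: {"attempts": 0, "states": set()})
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or unexpected format
        host, _, port = m.group("remote").rpartition(":")
        if port == "*" or m.group("state") == "LISTEN":
            continue  # listening socket, no remote peer yet
        if not _is_external(host):
            continue  # loopback / LAN traffic, not a callback
        key = (m.group("prog"), host, int(port))
        found[key]["attempts"] += 1
        found[key]["states"].add(m.group("state"))
    return dict(found)


if __name__ == "__main__":
    for (prog, host, port), info in candidate_beacons(SAMPLE_NETSTAT).items():
        print(f"{prog} -> {host}:{port} attempts={info['attempts']} states={sorted(info['states'])}")
```

Run `netstat -tp` (or TCPView on Windows) several times while the sample is alive and feed each capture through this, since a beacon with a backoff timer may only show up in some of them.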
 

Author Closing Comment by: trojan81
ID: 40619801
Well done. Thank you, gentlemen.