Solved

malicious payload

Posted on 2015-01-22
3
78 Views
Last Modified: 2015-02-19
experts,

I have what appears to be a metasploit reverse tcp payload that someone emailed to me. I opened it on an isolated PC. When I open it with notepad, the structure appears to resemble a reverse tcp payload that I create through metasploit.

Everything is encrypted. Is there a tool that I can run this through so that I can see the actual IP address that this was going to phone home to?
0
Comment
Question by:trojan81
3 Comments
 
LVL 2

Assisted Solution

by:shawn555444
shawn555444 earned 250 total points
ID: 40565858
There are a bunch of tools that will allow you to encrypt payloads, some, like hyperion(sp?) will encrypt with AES, others could have it done in a customized fashion. Unfortunately, without knowing what kind of encryption, it'll be difficult to find a way to decrypt the ip address.
However, what you could do is let it run in an isolate environment (vm?) and see what it tries to call back to. If it was a smart payload, it'll probably send to a proxy in which case you have but a very small chance to find out where it originated from. Since I have no idea what the playload/exploit is for (Windows/Linux) I'll just put both here.

Linux: netstat -wput
Windows: tcpview from sysinternals

What will help is finding the program and checking from there.

If that doesn't work, and you really want to try one more thing, you could set up wireshark to listen to the packets going out and reading the packet that way. The payload will still be encrypted, but at least the source IP may be shown. Again, it may be a proxy.

As a last ditch effort, you may be able to try wireshark's ESP capabilities.

http://wiki.wireshark.org/ESP_Preferences

If you have anymore questions feel free to ask!
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 40569244
Right, the easiest way is to run it, and see where it becon's to, submit it to Malwr.com or VirusTotal and have a look at the advanced tab's. Malwr.com in particular has a network analysis tab.
-rich
0
 

Author Closing Comment

by:trojan81
ID: 40619801
well done. thank you gentlemen
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question