Hell to Shell

Quick back story before we begin. This arrived as a piece of spam that would auto-forward the browser to a malware domain if you happened to be logged in to your webmail.

All code posted here should be assumed dangerous.

  • First we start by scanning the suspicious URL with jsunpack.jeek.org
    1. http://jsunpack.jeek.org/?report=0bd19e85ccb8b2b3c3e2e7613a535a9b7942864e

      From the scan we determine that there is shell code present.

      malicious: Alert detected /alert CVE-2006-0003 shellexecute with ./../b09a6ea.exe
      file: 7e298a35d99051d1ab97561b4d226982a388aedc: 96628 bytes
      file: b51009c990df01ea8f54d4f8eef3d83785a15547: 32590 bytes

  • Next we download the decoded data “7e298a35d99051d1ab97561b4d226982a388aedc” and upload it to
    1. wepawet.cs.ucsb.edu
  • We now have a nice-looking report with the shellcode displayed, but we are not done yet.
    1. http://wepawet.cs.ucsb.edu/view.php?hash=ecf497e75f19fb75394cbbc568b28edf&type=js
  • Copy the shellcode out of wepawet and paste it into sandsprite
    1. Note: I removed the spaces
  • You should be presented with an exe file that you can now upload to VirusTotal.
    Detection ratio: 19/43 (44.2%)
    1. http://www.virustotal.com/file-scan/report.html?id=21a8629d7fb80f2d3f6a8c1122f3f885b2bf36e332546041d72850a4e0252231-1325179352

      You can also upload the exe to ThreatExpert to see if it tries to make any other connections.
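      The steps above hand the same blob between four services, and the only thing tying the results together is the hash of the bytes: jsunpack labels extracted files by SHA-1 and size, while the VirusTotal report id starts with the SHA-256. The following helper, added here as an example and not part of the original post or of any of those tools, decodes shellcode as it is pasted from a report (stripping the spaces, as noted above, and handling the little-endian %uXXXX form) and checks the result against jsunpack's "file:" lines; the %u sample string is constructed, the two "file:" lines are the ones from the scan output above.

```python
import hashlib
import re

# %uXXXX shellcode is a string of 16-bit units stored little-endian,
# so %u9090 is the bytes 90 90 and %uE8FC is the bytes FC E8.
_UNICODE_UNIT = re.compile(r"%u([0-9a-fA-F]{4})")
# jsunpack reports each extracted file as "file: <sha1>: <size> bytes".
_JSUNPACK_FILE = re.compile(r"^file:\s*([0-9a-fA-F]{40}):\s*(\d+)\s*bytes")

# Constructed sample input (hypothetical, not the shellcode from this page),
# wrapped with spaces the way report output usually arrives.
SAMPLE_SHELLCODE_TEXT = "%u9090 %u9090 %uE8FC"

# The two "file:" lines from the jsunpack output quoted on this page.
SAMPLE_JSUNPACK_LINES = [
    "malicious: Alert detected /alert CVE-2006-0003 shellexecute with ./../b09a6ea.exe",
    "file: 7e298a35d99051d1ab97561b4d226982a388aedc: 96628 bytes",
    "file: b51009c990df01ea8f54d4f8eef3d83785a15547: 32590 bytes",
]


def decode_shellcode_text(text: str) -> bytes:
    """Turn shellcode pasted from a report into raw bytes.

    All whitespace is dropped first. A %u-escaped string is decoded unit by
    unit (each unit byte-swapped); anything else is treated as hex bytes,
    optionally written as \\x90 style escapes.
    """
    compact = re.sub(r"\s+", "", text)
    if compact.startswith("%u"):
        units = _UNICODE_UNIT.findall(compact)
        if len(units) * 6 != len(compact):
            raise ValueError("malformed %u shellcode string")
        return b"".join(bytes.fromhex(u)[::-1] for u in units)
    return bytes.fromhex(compact.replace("\\x", ""))


def parse_jsunpack_files(report_lines):
    """Return (sha1, size) pairs for every 'file:' line in a jsunpack report."""
    found = []
    for line in report_lines:
        m = _JSUNPACK_FILE.match(line.strip())
        if m:
            found.append((m.group(1).lower(), int(m.group(2))))
    return found


def hashes(raw: bytes) -> dict:
    """SHA-1 (jsunpack's file label) and SHA-256 (prefix of a VirusTotal report id)."""
    return {"sha1": hashlib.sha1(raw).hexdigest(),
            "sha256": hashlib.sha256(raw).hexdigest()}


def matches_jsunpack_file(raw: bytes, report_lines) -> bool:
    """True when both the SHA-1 and the size of raw agree with a jsunpack 'file:' line."""
    return (hashes(raw)["sha1"], len(raw)) in parse_jsunpack_files(report_lines)
```

      If the bytes you pasted into the next tool do not match a jsunpack "file:" line, you lost or altered something while copying and every later verdict is about a different sample.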

    -Enjoy and be safe

    -optional reading-

  • If you want to produce your own exe from shellcode locally: Shellcode to x86 Assembly
  • To test whether you have real shellcode: Shellcode Analysis
