Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Analyzing compressed shellcode - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Analyzing compressed shellcode

I received a malicious RTF file with several stages (PowerShell commands), containing Gzip compressed shellcode.

rtfdump shows the different elements of the RTF file:

We are interested in element 7 (containing a package)

This package contains a PowerShell command with BASE64 encoded commands.

base64dump can help us with the decoding:

PowerShell BASE64-encoded commands are UNICODE text, with utf16 we can convert it:

We notice another string of BASE64 text. Remark also the GzipStream object created at the end: this is a strong indication that the decode BASE64 data must be decompressed for further analysis:

Decompressing Gzip data can be done with translate:

Here we see yet another BASE64 string, and WIN32 API functions like VirtualAlloc and CreateThread, a strong indication that shellcode will be written to memory and executed.

Remark the User Agent String and IP address in this shellcode. To analyze shellcode, I often use the shellcode emulator scdbg.exe:

From the emulation report, we can see that this shellcode creates a TCP connection to port 4444, the default port used by Metasploit's reverse shells.

Remark that scdbg.exe emulates shellcode, it does not execute shellcode: no TCP connection is established. I prefer scdbg.exe over sctest from libemu because it emulates more WIN32 API functions, hence I will also use it on OSX and Linux with wine.

Didier Stevens
Microsoft MVP Consumer Security


652 Posts
ISC Handler
Feb 12th 2018

Sign Up for Free or Log In to start participating in the conversation!