
SANS ISC: Malware Analysis - handling base64 - SANS Internet Storm Center SANS ISC InfoSec Forums


Malware Analysis - handling base64
I love working in information security. That’s a fact. :) I also really like to play with malware analysis, and for some time now, that’s what I do for a living :). And guess what I do in my free time? :) Yes, I play with malware analysis too :).

I would like to share with you a situation that may occur when you are doing malware analysis.
I use pine to read some of my personal email, and last week I saved one spam that had something attached to it.
While analyzing the saved email, I saw that there was a file attached to it that was base64 encoded.
The first sign of it is in the body:

------=_Part_75367_15338122.1181350292468
Content-Type: application/octet-stream; name="badfile.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="badfile.exe"
X-Attachment-Id: f_f2pdfmt5

...

Can you notice the:
Content-Transfer-Encoding: base64

Yes, that means that it is base64 encoded! :)

Now, how to handle it?

That’s what I want to share with you malware analysis enthusiasts today :)

As we can see with the GNU File utility, the saved-email.txt is a text file:

[lab3:~/mail# file saved-email.txt
saved-email.txt: ASCII text

I like perl, and it offers a really simple way to decode that file:

[lab3:~/mail# perl -MMIME::Base64 -e 'print decode_base64(join("", <>))' <saved-email.txt >badfile.exe.file

Done!
Now, did it work?
Easy, let's use the File utility again:

[lab3:~/mail# file badfile.exe.file
badfile.exe.file: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

Done! :) Now it is just a matter of going ahead and analyzing the file, but that's another story... ;)
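
An added example (not from the original diary) that does the same extraction with Python's standard `email` module, parsing the MIME structure so that only the attachment body is decoded and header text never reaches the base64 decoder. The sample message, its boundary, the harmless "MZ" stub payload and the function name `extract_attachments` are constructed for illustration.

```python
import base64
import email
import hashlib
from email import policy

# Constructed sample payload: a harmless 64-byte stub that starts with "MZ".
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60

# Constructed sample message, laid out like the MIME part shown in the diary.
SAMPLE_EMAIL = (
    "From: sender@example.com\r\n"
    "Subject: invoice\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="=_Part_demo"\r\n'
    "\r\n"
    "--=_Part_demo\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "See attached.\r\n"
    "--=_Part_demo\r\n"
    'Content-Type: application/octet-stream; name="badfile.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="badfile.exe"\r\n'
    "\r\n"
    + base64.encodebytes(SAMPLE_PAYLOAD).decode("ascii").replace("\n", "\r\n")
    + "--=_Part_demo--\r\n"
).encode("ascii")


def extract_attachments(raw_email: bytes):
    """Return one dict per attachment: name, decoded bytes, SHA-256, PE hint."""
    msg = email.message_from_bytes(raw_email, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        # decode=True undoes the part's Content-Transfer-Encoding (base64 here).
        data = part.get_payload(decode=True) or b""
        results.append({
            "filename": part.get_filename() or "unnamed",
            "data": data,
            "sha256": hashlib.sha256(data).hexdigest(),
            # Same quick check `file` performs first: the DOS/PE "MZ" magic.
            "looks_like_pe": data[:2] == b"MZ",
        })
    return results


if __name__ == "__main__":
    for att in extract_attachments(SAMPLE_EMAIL):
        # Report only; the sample is never written to disk or executed.
        print(att["filename"], len(att["data"]), att["sha256"], att["looks_like_pe"])
```

Recording the SHA-256 at extraction time gives a stable identifier for the sample before any further analysis touches it.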
-------------------------------------------------------------------------------------------
Handlers on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)