Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Quickie: tshark & Malware Analysis SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Quickie: tshark & Malware Analysis

The following screenshot drew my attention when I read Brad's diary entry "Excel spreadsheets push SystemBC malware":

This shellcode is encoded, each byte is represented with printable characters: \xHH where HH are hexadecimal characters.

And that is something that can easily be decoded with my tool (this tools supports many encodings, not only base64).

I was able to export this encoded shellcode as a file with Wireshark (File / Export Objects / HTTP), and then decode it.

But then I was wondering: can I avoid saving this shellcode to disk? Can I pipe together commands to analyze the shellcode?

And I found a solution with tshark (Wireshark's console version).

Here's how I did this:

I read Brad's pcap file (option -r) and apply a display filter (-Y) to select packets that contain xfc (the start of the encoded shellcode, minus the backslash): "http.file_data contains xfc". And I display the content of field http.file_data (options -Tfields and -e).

I can pipe this directly into my tool:

Like Brad mentioned, the shellcode is downloaded twice. And here we can see that it's the same shellcode (same hash).

And this looks indeed like shellcode (notice the IP address at the end of the hex/ascii dump):

That IP address (plus 0x00 byte) is followed by 4 bytes: that's most likely the Cobalt Strike license ID/watermark.

I can check this with my tool to analyze Cobalt Strike beacons:

Didier Stevens
Senior handler
Microsoft MVP


532 Posts
ISC Handler
Feb 8th 2021

Sign Up for Free or Log In to start participating in the conversation!