
Published on July 26th, 2017


Extract Shellcode from Fileless Malware like a Pro




Here I demonstrate how to extract shellcode from a malicious Word document whose VBA macro injects that shellcode into the memory space of a victim process.

The injected code executes solely in memory and is therefore considered 'fileless': the payload itself never touches the disk (only the carrier document does). The good news for the bad guys is that conventional, file-based detection struggles with this kind of activity; the bad news for them is that the payload lives only in memory, so it dies with a reboot unless the macro installs a separate persistence mechanism.

This is a super interesting way of executing malware. I show how to extract the shellcode and convert it into a 'usable' executable for further analysis, then go a step further down the rabbit hole and show how to debug that shellcode with x64dbg. Additionally, I show how to identify the shellcode's origin and its true intention using some basic OSINT, and how to step through it and extract the relevant network indicators so you can protect your environment against this malicious traffic.
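The two steps described above (pull the shellcode out of the macro, then turn it into something a debugger can load) are shown below as an added example. This is not the video author's code and the bytes are not the shellcode from the sample discussed: the VBA fragment and the 4-byte stub (xor eax,eax; inc eax; ret) are constructed for the example. The script assumes the macro stores its payload as a decimal (or &H hex) `Array(...)` literal, which is the most common shape, and wraps it in a minimal single-section PE whose entry point is the first shellcode byte, so x64dbg/x32dbg breaks on it immediately.

```python
"""Recover a VBA shellcode array and wrap it in a minimal PE for x64dbg.

Added example, not the video author's code. Assumes the macro keeps its
payload as an Array(...) literal; the VBA snippet and the 4-byte stub are
constructed for this example and are NOT the shellcode from the sample.
"""
import re
import struct

# Constructed VBA fragment in the usual shape: a byte array split over
# several lines with "_" continuations. Real macros run to thousands of bytes.
VBA_SNIPPET = r'''
Private Sub Document_Open()
    Dim buf As Variant
    buf = Array(49, 192, _
                64, 195)
    ' ... VirtualAlloc / RtlMoveMemory / CreateThread calls follow ...
End Sub
'''


def extract_vba_array(vba_text: str) -> bytes:
    """Concatenate every Array(...) literal in the macro into raw bytes.

    Line continuations ("_" at end of line) are joined first so a multi-line
    array is seen as one literal. Decimal and &H hex literals are accepted;
    values outside 0..255 raise instead of being silently truncated.
    """
    joined = re.sub(r"\s*_\s*\r?\n\s*", " ", vba_text)
    out = bytearray()
    for body in re.findall(r"Array\s*\(([^)]*)\)", joined, flags=re.IGNORECASE):
        for tok in body.split(","):
            tok = tok.strip()
            if not tok:
                continue
            val = int(tok[2:], 16) if tok.lower().startswith("&h") else int(tok)
            if not 0 <= val <= 255:
                raise ValueError(f"byte value out of range in Array(): {tok}")
            out.append(val)
    return bytes(out)


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def wrap_in_pe(shellcode: bytes, x64: bool = False) -> bytes:
    """Build a single-section PE whose entry point is the first shellcode byte.

    The .text section is RWX and the image opts out of ASLR/DEP so
    self-decoding stubs can patch themselves in place. No import table is
    emitted: injected shellcode resolves its own APIs via the PEB.
    """
    file_align, sect_align, code_rva = 0x200, 0x1000, 0x1000
    raw_size = _align(len(shellcode), file_align)
    hdr_size = file_align                      # all headers fit in 0x200 bytes
    size_image = code_rva + _align(len(shellcode), sect_align)
    opt_size = 240 if x64 else 224

    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH",
                       0x8664 if x64 else 0x14C,   # Machine
                       1, 0, 0, 0,                 # 1 section; no timestamp/symbols
                       opt_size,
                       0x0023 if x64 else 0x0103)  # EXECUTABLE (+LARGE_ADDR_AWARE / +32BIT+RELOCS_STRIPPED)
    versions = (6, 0, 0, 0, 6, 0)                  # OS 6.0, image 0.0, subsystem 6.0
    if x64:
        opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                          0x20B, 14, 0, raw_size, 0, 0,
                          code_rva, code_rva,               # EntryPoint, BaseOfCode
                          0x140000000, sect_align, file_align, *versions,
                          0, size_image, hdr_size, 0,       # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
                          2, 0,                             # GUI subsystem, no ASLR/NX flags
                          0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    else:
        opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                          0x10B, 14, 0, raw_size, 0, 0,
                          code_rva, code_rva, code_rva + raw_size,   # EntryPoint, BaseOfCode, BaseOfData
                          0x400000, sect_align, file_align, *versions,
                          0, size_image, hdr_size, 0,
                          2, 0,
                          0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\x00" * 128                           # 16 empty data directories
    assert len(opt) == opt_size
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(shellcode), code_rva,
                       raw_size, hdr_size, 0, 0, 0, 0,
                       0xE0000020)                 # CODE | EXECUTE | READ | WRITE
    headers = dos + b"PE\x00\x00" + coff + opt + sect
    assert len(headers) <= hdr_size
    return headers.ljust(hdr_size, b"\x00") + shellcode.ljust(raw_size, b"\x00")


if __name__ == "__main__":
    sc = extract_vba_array(VBA_SNIPPET)
    with open("shellcode_x86.exe", "wb") as f:
        f.write(wrap_in_pe(sc))
    print(f"wrapped {len(sc)} bytes; open shellcode_x86.exe in x32dbg, it breaks at the first instruction")
```

Load the output in x32dbg (or pass `x64=True` and use x64dbg for 64-bit payloads) inside an isolated analysis VM; since the entry point is the shellcode itself, the debugger stops on its first byte and you can single-step the API-hashing and network setup to recover the indicators the video walks through. Shellcode that expects particular register contents from its injector may need those set by hand before continuing.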





MD5 of the sample discussed: da6cc46575a6bc74509155b5f2657577

Enjoy the video - you can follow me on https://twitter.com/cybercdh and also don't forget to subscribe to my channel 🙂


2017-07-25 22:25:38
