1. sherri

    April 2, 2010 at 12:04 pm

    Hi guys– please note that we’ve updated question #7 to include more info. cheers!

  2. Is questions #7 supposed to be answered with malware analysis? Because the pcap actually contains a DNS lookup for the HTTP Bot’s C&C, so this cannot be it. On the other hand, quick dynamic analysis of the malware in a Lab VM with Wireshark on the host does not exhibit any outbound connectings and strings on the dropped executable did not reveal any IP addresses either. Given the niveau of the other questions, thorough static analysis of the dropped executable also didn’t seem to be what is wanted, so I decided to rather quickly ask how this is intended.

  3. oxff: You’re welcome to use whichever approach you feel most comfortable with. However, I think performing static analysis of the dropped executable is not the easiest way to answer question #7.

  4. I can extract the executable from the pcap, but get checksum errors when using the appropriate unpacker. Anyone else having this issue?

  5. @Dave:

    I had no problems unpacking it.

    I’d look at how you’re extracting it from the pcap file, if you’re positive that you are extracting it correctly then you are probably using the wrong unpacker or a 3rd party unpacker.

  6. I have successfully extracted executable from pcap…and there is no checksum error while using appropriate unpacker.

  7. Winter, G

    Thanks for the replies. Now that the contest is over, I can say that I extracted with both foremost and manually. A hexdump shows UPX packing with version 3.0.1. I’ll take a look at the solution once posted and retrace my steps. Thanks again.

  8. For those that are interested, I was using foremost to extract the exe from a raw chuck exported out of Wireshark. For some reason, this introduced corruption. Using Network Miner, the exe had no issues being unpacked.

    This is peculiar to say the least, as the the header and footer of the exe are identical with the corrupted and correct versions. Guess the foremost just fell down in this instance.

  9. Dave,

    If you export chunked data from wireshark to unchunk later with another tool, try to export as ASCII and not as raw content.

  10. Thanks Ed,

    Gave that a shot and still no go. Could be a cross-platform issue, or god knows what. I’m just glad to be on the lookout for it from now on 🙂

    I’ll dig into it some more when I have time, but thank you all for your suggestions.


  11. Dave,

    Now contest is over, I can explain. When you check tcp follow stream option in wireshark, you can see there are few bytes before MZ starts and also at the end there are few extra bytes.
    I think foremost check header bytes MZ only to extract exe file.
    I think there are 2 ways you can use, manually if you want to carve then you can calculate length of PE file based on PE file structure and second can be run some tool which can create fake client/server request/response that way you can actually download exact pe file.


Leave a Reply

Your email address will not be published.