
SANS ISC: It is a resume - Part 2 SANS ISC InfoSec Forums

It is a resume - Part 2

In part 2, we are going to take a closer look at the image in object 3.

First we dump the stream and look at the beginning and end:

FF D8 is the Start Of Image Marker of a JPEG image.

FF D9 is the End Of Image Marker of a JPEG image.

It's likely that we are indeed dealing with a JPEG image, and not something else.

Next I check if I can find strings inside the JPEG image:
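As an added example covering both the marker check and the strings step above (my own code, not the diary's tool output and not Didier Stevens' pdf-parser.py or strings), the following Python validates the SOI/EOI markers of a dumped stream, walks the JPEG segment table, reports any bytes appended after the EOI marker (a common place for a payload to sit in an otherwise valid image), and extracts printable strings. The sample image is constructed inline and is not the image from object 3.

```python
import re
import struct

# Added example: not from the diary or from Didier Stevens' tools.
SOI = b"\xff\xd8"  # Start Of Image marker
EOI = b"\xff\xd9"  # End Of Image marker
# Markers that carry no length field: SOI, EOI, TEM and the restart markers RST0-RST7
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def check_jpeg(data: bytes) -> dict:
    """Check SOI/EOI and walk the segments; bytes after EOI are reported as 'trailing'."""
    result = {"soi": data[:2] == SOI, "eoi": data[-2:] == EOI,
              "segments": [], "trailing": 0, "error": None}
    if not result["soi"]:
        result["error"] = "no SOI marker at offset 0"
        return result
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            result["error"] = f"expected a marker at offset {pos}"
            return result
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            result["segments"].append((marker, pos, 2))
            pos += 2
            if marker == 0xD9:      # EOI: anything left is appended data
                result["trailing"] = n - pos
                return result
            continue
        if pos + 4 > n:
            result["error"] = f"truncated segment header at offset {pos}"
            return result
        # the 16-bit big-endian length includes its own two bytes
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        result["segments"].append((marker, pos, 2 + length))
        pos += 2 + length
        if marker == 0xDA:          # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    result["error"] = "EOI marker not reached"
    return result


def extract_strings(data: bytes, minlen: int = 4) -> list:
    """Printable ASCII runs of at least minlen bytes, like the strings command."""
    return [m.group().decode("ascii")
            for m in re.finditer(b"[\\x20-\\x7e]{%d,}" % minlen, data)]


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG: SOI, APP0 (JFIF), SOS with a few scan bytes, EOI, trailer."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"          # FF 00 is a stuffed byte, not a marker
    return (SOI
            + b"\xff\xe0" + struct.pack(">H", 2 + len(app0)) + app0
            + b"\xff\xda" + struct.pack(">H", 2 + len(sos)) + sos
            + scan + EOI + trailer)


if __name__ == "__main__":
    for blob in (build_sample_jpeg(), build_sample_jpeg(b"appended-data")):
        print(check_jpeg(blob), extract_strings(blob))
```

The point of walking the segments rather than only looking at the first and last two bytes is that a file can start with FF D8 and end with FF D9 while carrying data between an early EOI and the real end, or inside oversized APPn segments; the `segments` list gives the analyst those offsets directly.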

With my maldoc YARA rules (maldoc.yara found in the ZIP package) I can search for shellcode:

The first line will scan the raw stream (the JPEG image) with YARA and the rules we provided (maldoc.yara).

The second line will perform the same scan, but with decoders to see if the shellcode is encoded with simple encoding techniques (XOR 1 byte, ADD 1 byte and ROL 1 byte).

There is no output from these commands: the YARA rules don't trigger, so we can't find shellcode inside the image. This does not necessarily mean there is no shellcode, only that we can't find any...
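To make the decoder step concrete, here is an added example of my own (it is not pdf-parser.py, not YARA and not the maldoc.yara rules): it applies the same three single-byte transformations named above, XOR, ADD and ROL, with every possible key to a dumped stream and runs a rule over each decoding. Plain byte patterns stand in for YARA strings so the script runs offline, and the rule itself is a constructed, harmless marker string rather than a shellcode signature. The second sample encodes the marker with a two-byte key, which none of the single-byte decoders undo, to show why a clean scan is not proof of absence.

```python
# Added example: not from the diary or from Didier Stevens' tools.

def xor1(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def add1(data: bytes, key: int) -> bytes:
    return bytes((b + key) & 0xFF for b in data)


def rol1(data: bytes, bits: int) -> bytes:
    return bytes(((b << bits) | (b >> (8 - bits))) & 0xFF for b in data)


# Every decoder is tried with every key. ADD k is undone by ADD (256 - k) and ROL n
# by ROL (8 - n), so iterating all keys covers the decoding direction as well.
DECODERS = {
    "raw": (lambda data, key: data, [0]),
    "xor1": (xor1, range(1, 256)),
    "add1": (add1, range(1, 256)),
    "rol1": (rol1, range(1, 8)),
}


def scan_with_decoders(data: bytes, rules: dict) -> list:
    """Return (rule, decoder, key, offset) for every rule pattern found in any decoding.

    rules maps a rule name to a bytes pattern; this stands in for YARA strings.
    """
    hits = []
    for name, (decode, keys) in DECODERS.items():
        for key in keys:
            decoded = decode(data, key)
            for rule, pattern in rules.items():
                offset = decoded.find(pattern)
                if offset != -1:
                    hits.append((rule, name, key, offset))
    return hits


# Constructed rule: a harmless marker string standing in for a real signature.
RULES = {"constructed_marker": b"CONSTRUCTED_MARKER"}


def build_encoded_sample(key_bytes: bytes) -> bytes:
    """Constructed JPEG-like blob with the marker XOR-encoded by a repeating key."""
    payload = b"CONSTRUCTED_MARKER"
    encoded = bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(payload))
    return b"\xff\xd8" + b"\x00" * 16 + encoded + b"\x00" * 16 + b"\xff\xd9"


if __name__ == "__main__":
    print(scan_with_decoders(build_encoded_sample(b"\x41"), RULES))      # found via xor1, key 0x41
    print(scan_with_decoders(build_encoded_sample(b"\x41\x42"), RULES))  # nothing: two-byte key
```

Where the yara Python module is available, the `rules` dict can be replaced by a compiled rule set and `decoded.find` by `rules.match(data=decoded)`; the brute-force loop over decoders and keys stays the same. The empty result for the second sample is exactly the situation the diary describes: the rules do not trigger, which only tells you that nothing was found with these particular transformations.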

In part 3, we'll take a deeper look...

Didier Stevens
Microsoft MVP


597 Posts
ISC Handler
Sep 4th 2017
