When you hunt for malware, it is a common situation to end up with a lot of tcpdump files in which the whole infection process is saved step by step.
No matter what tool you use to capture this traffic, you can always view it later with Wireshark.
Today I was testing BHEK for its malicious payload when the malware-distributing host "suddenly" died, and part of the samples were still not archived for future reversing!
But wait a minute! The sniffer dump file! I just need to extract the data. But how?
If you got the transfer via FTP, you can see the post by Benjamin S. Williams about "Extracting Files from Packet Captures".
Since malware rarely uses FTP for payload delivery, I couldn't use that approach.
So I invented my own. Open Wireshark, right-click one of the packets from the stream that contains the exe file and choose "Follow TCP Stream".
In the drop-down menu at the bottom, instead of "Entire conversation", choose only the server response that contains the exe file:
Then choose "Save as" to save the stream to disk. Call it dump (without an extension).
OK, now we have a file with the server's HTTP response, which contains the HTTP header followed by the executable.
We'll need a hex editor. I use GHex; you can choose whatever tool you like.
Open the dumped file and remove the whole HTTP header from it:
If you don't have reversing experience yet: executables on Microsoft systems usually start with MZ, or 4D 5A in hex, the initials of Mark Zbikowski 🙂
Now we need to save the extracted file with the proper extension and start reversing, debugging or executing it in a VM.
Save as dump.exe.
Done and done!
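The same carving can be scripted instead of done by hand in a hex editor, which also catches the cases where a plain "delete up to the blank line" goes wrong: a chunked transfer (chunk-size lines interleaved with the binary), a Content-Length shorter than the saved stream, or a gzip-compressed body. The script below is an added example, not a tool from the original post; it reads a server-only "Follow TCP Stream" dump, strips the HTTP header at the CRLFCRLF boundary, undoes chunking or gzip, checks for the MZ magic and writes the body out with its SHA-256. The two sample responses embedded in it are constructed for the demo and carry a fake MZ-prefixed blob, not a real executable.

```python
"""Carve an executable from a saved server-side HTTP response (Wireshark
"Follow TCP Stream" -> server direction only -> Save as).
Added example code; the sample responses are constructed for the demo."""
import gzip
import hashlib
import sys

# Constructed sample payload: starts with the MZ magic (4D 5A) but is NOT a real PE.
SAMPLE_PAYLOAD = b"MZ\x90\x00\x03\x00" + b"fake-pe-bytes-for-demo"

# Constructed response using Content-Length (the common case).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: %d\r\n"
    b"\r\n" % len(SAMPLE_PAYLOAD)
) + SAMPLE_PAYLOAD

# Constructed response using chunked transfer encoding: the binary is split
# across chunks, so deleting only the header would leave chunk-size lines inside.
_rest = SAMPLE_PAYLOAD[2:]
SAMPLE_CHUNKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"2\r\nMZ\r\n"
    + b"%x\r\n" % len(_rest) + _rest + b"\r\n"
    + b"0\r\n\r\n"
)


def parse_response(raw: bytes):
    """Split a raw response into (status line, lower-cased header dict, body).
    The header ends at the first blank line (CRLF CRLF); the body is everything after it."""
    sep = raw.find(b"\r\n\r\n")
    if sep == -1:
        raise ValueError("no blank line terminating the HTTP header; not a complete response")
    head, body = raw[:sep], raw[sep + 4:]
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked body: <hex size>CRLF<data>CRLF ... 0CRLFCRLF."""
    out = bytearray()
    pos = 0
    while True:
        line_end = body.find(b"\r\n", pos)
        if line_end == -1:
            raise ValueError("truncated chunked body")
        size = int(body[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        data_start = line_end + 2
        out += body[data_start:data_start + size]
        pos = data_start + size + 2  # skip the CRLF that follows the chunk data
    return bytes(out)


def carve_body(raw: bytes) -> bytes:
    """Return the decoded message body of a raw HTTP response."""
    _status, headers, body = parse_response(raw)
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = dechunk(body)
    elif b"content-length" in headers:
        body = body[:int(headers[b"content-length"])]  # drop any trailing bytes
    encoding = headers.get(b"content-encoding", b"").lower()
    if encoding == b"gzip":
        body = gzip.decompress(body)
    elif encoding:
        raise ValueError("unsupported Content-Encoding %r" % encoding)
    return body


def is_pe(data: bytes) -> bool:
    """Windows executables start with the MZ magic, 4D 5A in hex."""
    return data[:2] == b"MZ"


def carve_file(src: str, dst: str) -> str:
    """Carve src (saved server response) into dst; return the SHA-256 of the body."""
    with open(src, "rb") as f:
        body = carve_body(f.read())
    if not is_pe(body):
        raise ValueError("body does not start with MZ; check that only the server side was saved")
    with open(dst, "wb") as f:
        f.write(body)
    return hashlib.sha256(body).hexdigest()


if __name__ == "__main__":
    # usage: python carve.py dump dump.exe
    print(carve_file(sys.argv[1], sys.argv[2]))
```

Run it as `python carve.py dump dump.exe` on the file saved from Wireshark; the printed hash is what you record before the sample goes into the VM, so a later re-extraction can be checked against it.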