In this sample, we have a C# “program” that looks to be doing standard process injection using some Windows APIs.

The interesting part, though, is the rsrc byte array that holds the actual shellcode. To find out whether the shellcode is benign or malicious we will use the trusty REMnux VM and a simple Python carver script to “carve out” the shellcode from these bytes.
#!/usr/bin/env python3
# Read the C# byte[] initializer copied into code.txt and strip the C# syntax
# so only the hex digits remain (commas become spaces so bytes stay separated).
with open("code.txt", "r") as f:
    hex_string = (
        f.read()
        .replace("0x", "")
        .replace("byte[] rsrc = new byte[464] {", "")
        .replace("};", "")
        .replace(",", " ")
    )
# print(hex_string)
# Convert the hex text to raw bytes; bytes.fromhex() skips whitespace and newlines.
shellcode = bytes.fromhex(hex_string)
with open("out.bin", "wb") as out:
    out.write(shellcode)  # raw shellcode, ready for scdbg /f out.bin
The basic script will look something like this. Now it is time to get the out.bin file over to our FlareVM to continue the analysis. To do that, start a Python HTTP server on REMnux and wget the file from FlareVM like so.
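A slightly more robust carver, added here as an example and not the post's own script: it locates the C# byte[] initializer with a regex instead of hard-coded string replacements, checks that the declared array length matches the number of elements parsed (a truncated paste is a common reason scdbg output makes no sense), and hashes the carved blob. The embedded SAMPLE_CS is constructed filler, not the sample's real rsrc array.

```python
#!/usr/bin/env python3
"""Carve a raw shellcode blob out of a C# byte[] initializer (added example)."""
import hashlib
import re

# Constructed stand-in for a snippet of the C# source; harmless filler bytes,
# not the actual shellcode from the analysed sample.
SAMPLE_CS = """
byte[] rsrc = new byte[8] {
    0x90, 0x90, 0x48, 0x31,
    0xc0, 0xc3, 0x00, 0xff
};
"""

# Matches: byte[] <name> = new byte[<len>] { <elements> }
ARRAY_RE = re.compile(
    r"byte\[\]\s*(?P<name>\w+)\s*=\s*new\s+byte\[(?P<len>\d+)\]\s*\{(?P<body>.*?)\}",
    re.DOTALL,
)


def carve_csharp_byte_array(source: str) -> bytes:
    """Return the bytes of the first byte[] initializer found in `source`.

    Raises ValueError if no array is present or the declared length does not
    match the number of elements (a sign the snippet was truncated).
    """
    m = ARRAY_RE.search(source)
    if m is None:
        raise ValueError("no C# byte[] initializer found")
    declared = int(m.group("len"))
    # Elements may be 0x.. hex literals or plain decimals; newlines are fine.
    elems = [e.strip() for e in m.group("body").split(",") if e.strip()]
    data = bytes(int(e, 0) for e in elems)
    if len(data) != declared:
        raise ValueError(f"declared {declared} bytes but parsed {len(data)}")
    return data


def carve_to_file(src_path: str, out_path: str) -> str:
    """Carve the array from src_path into out_path; return its SHA-256."""
    with open(src_path, "r", encoding="utf-8") as f:
        data = carve_csharp_byte_array(f.read())
    with open(out_path, "wb") as out:
        out.write(data)
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    blob = carve_csharp_byte_array(SAMPLE_CS)
    print(len(blob), "bytes, sha256", hashlib.sha256(blob).hexdigest())
```

Run it as `carve_to_file("Program.cs", "out.bin")` on the real source and record the returned hash alongside the scdbg output for the case notes.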


Moving on, we use scdbg, a shellcode debugger. It will not actually run the shellcode; it emulates it and reports everything the shellcode is trying to do.

With the /f argument we give scdbg the “file” to analyze, and with the -s flag we tell the tool to take an unlimited number of steps, so it goes through the whole thing instead of stopping at some point.
Looking through the actual shellcode: it loads a DLL to get access to all the Windows APIs it needs, connects to the given server over HTTPS, downloads a file from that same URL, saves it under the name javaupdate.exe and executes it with the WinExec API. So by the looks of it, the sample C# code was some kind of dropper.