
When I opened my email this morning I found a rather odd message in my mailbox. It didn't seem like your everyday spam email as it looked like a base64 encoded string and nothing else. Here is a screenshot of the email:


I tried running it through decoders, and after decoding it to hexadecimal I ran it through a malware analyzer on this website, and it looks like possible assembly code.

There is also a strange header in the email: X-phsgyov: twxmjuo says, which makes it seem like the email was crafted.

My question is, does anyone have any knowledge of what this is? There is a pastebin link of what I've found so far here.

Paradoxis
    Looks like Base64 encoding to me. Try http://string-functions.com/base64decode.aspx – Steve Dodier-Lazaro Apr 23 '15 at 08:50
  • @SteveDL I already tried that, which I stated in my question. If you click the pastebin link you can see it's hexadecimal, which looks like possible assembly code. – Paradoxis Apr 23 '15 at 08:54
  • I think this screenshot comes from a GMail account. In the bottom-right corner you should find a link allowing you to access the details of this account activity; did you find anything unusual here (like mail retrieval from an unknown source, for instance)? – WhiteWinterWolf Apr 23 '15 at 09:52
  • The assembly makes me raise an eyebrow. Also there seem to be certain ASCII characters with a high frequency in that hex dump. If I were to hazard a guess, it may be xor'ed data. – wireghoul Apr 23 '15 at 11:03

1 Answer

In your interpretation of the message, you're performing a step that a computer wouldn't: you're assuming the output of the base64 decoding process is ASCII-encoded hexadecimal and converting it to binary before performing the disassembly process. The first few bytes of the message are (note: there's a newline before the 5)

571266161278423

with hex values

0a 35 37 31 32 36 36 31 36 31 32 37 38 34 32 33

which disassemble to

0000: or    dh,(di)
0002: aaa
0003: xor   (bp:si),si
0005: seg   ss
0006: seg   ss
0007: xor   $3231,si
000b: aaa
000c: cmp   (si),dh
000e: xor   dh,(bp:di)

which is utter nonsense. There may be a hidden meaning in the message, but it isn't shellcode.

Mark
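An added example, not code from the question or the answer, showing the interpretive step the answer points out: base64-decode, then look at what the bytes actually are (printable text? hex digits? high-entropy binary?) before deciding there is a further layer to decode. The sample input is constructed from the byte prefix quoted in the answer plus one padding digit so the hex layer has even length; it is not the original email body.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Constructed sample: base64 of "\n571266161278423" (the prefix quoted in
# the answer) followed by a constructed "0". Not the real message.
SAMPLE_B64 = base64.b64encode(b"\n5712661612784230").decode()

# Only hex digits and whitespace: the one case where a hex-text layer is plausible.
HEX_TEXT = re.compile(rb"^[0-9a-fA-F\s]+$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: low for repetitive text, near 8 for random/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    return sum(32 <= b < 127 or b in b"\r\n\t" for b in data) / len(data)


def peel(b64: str) -> dict:
    """Decode one base64 layer and describe the result rather than assuming
    what it is. 'next_layer' is only filled in when the bytes really are
    hex text of even length; otherwise the raw bytes are the final layer."""
    raw = base64.b64decode(b64, validate=True)
    info = {
        "hex": raw.hex(" "),
        "printable_ratio": printable_ratio(raw),
        "entropy": shannon_entropy(raw),
        "looks_like_hex_text": bool(HEX_TEXT.match(raw)),
        "next_layer": None,
    }
    if info["looks_like_hex_text"]:
        digits = b"".join(raw.split())
        if len(digits) % 2 == 0:
            info["next_layer"] = binascii.unhexlify(digits)
    return info


if __name__ == "__main__":
    for key, value in peel(SAMPLE_B64).items():
        print(f"{key:>20}: {value}")
```

Feeding the raw bytes (0a 35 37 ...) to a disassembler is what produced the nonsense listing in the answer; the hex-text check above is the explicit decision the asker made implicitly.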