Understanding this format


7 replies to this topic

#1 TsVk!


Posted 04 March 2014 - 06:41 PM

Hi guys,

I'm a script noob, so forgive me for asking basics... But what is this format? How can I learn to translate it? (what is it called even, I don't know what to search for). I've seen it used several times before. Below is a sample from a packet analysis...

 length = 467

000 : 47 45 54 20 68 74 74 70 3A 2F 2F 77 77 77 2E 72   GET http://www.r
010 : 75 6E 73 63 61 6E 6E 65 72 2E 6E 65 74 2F 6C 69   unscanner.net/li
020 : 62 2F 74 61 61 6E 67 6F 6C 6F 61 64 2E 65 78 65   b/taangoload.exe
030 : 2E 68 74 6D 6C 20 48 54 54 50 2F 31 2E 31 0D 0A   .html HTTP/1.1..
040 : 48 6F 73 74 3A 20 77 77 77 2E 72 75 6E 73 63 61   Host: www.runsca
050 : 6E 6E 65 72 2E 6E 65 74 0D 0A 55 73 65 72 2D 41   nner.net..User-A
060 : 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E   gent: Mozilla/5.
070 : 30 20 28 58 31 31 3B 20 4C 69 6E 75 78 20 78 38   0 (X11; Linux x8
080 : 36 5F 36 34 3B 20 72 76 3A 32 34 2E 30 29 20 47   6_64; rv:24.0) G
090 : 65 63 6B 6F 2F 32 30 31 33 31 31 30 31 20 46 69   ecko/20131101 Fi
0a0 : 72 65 66 6F 78 2F 32 34 2E 30 20 49 63 65 77 65   refox/24.0 Icewe
0b0 : 61 73 65 6C 2F 32 34 2E 31 2E 30 0D 0A 41 63 63   asel/24.1.0..Acc
0c0 : 65 70 74 3A 20 74 65 78 74 2F 68 74 6D 6C 2C 61   ept: text/html,a
0d0 : 70 70 6C 69 63 61 74 69 6F 6E 2F 78 68 74 6D 6C   pplication/xhtml
0e0 : 2B 78 6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E   +xml,application
0f0 : 2F 78 6D 6C 3B 71 3D 30 2E 39 2C 2A 2F 2A 3B 71   /xml;q=0.9,*/*;q
100 : 3D 30 2E 38 0D 0A 41 63 63 65 70 74 2D 4C 61 6E   =0.8..Accept-Lan
110 : 67 75 61 67 65 3A 20 65 6E 2D 55 53 2C 65 6E 3B   guage: en-US,en;
120 : 71 3D 30 2E 35 0D 0A 41 63 63 65 70 74 2D 45 6E   q=0.5..Accept-En
130 : 63 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 20 64 65   coding: gzip, de
140 : 66 6C 61 74 65 0D 0A 52 65 66 65 72 65 72 3A 20   flate..Referer: 
150 : 68 74 74 70 3A 2F 2F 77 77 77 2E 72 75 6E 73 63   http://www.runsc
160 : 61 6E 6E 65 72 2E 6E 65 74 2F 66 69 6C 65 6C 69   anner.net/fileli
170 : 73 74 2E 61 73 70 78 3F 6C 3D 54 0D 0A 43 6F 6F   st.aspx?l=T..Coo
180 : 6B 69 65 3A 20 41 53 50 2E 4E 45 54 5F 53 65 73   kie: ASP.NET_Ses
190 : 73 69 6F 6E 49 64 3D 6A 78 64 7A 33 74 34 35 67   sionId=jxdz3t45g
1a0 : 31 63 7A 6E 74 34 35 79 76 61 6F 35 74 34 35 0D   1cznt45yvao5t45.
1b0 : 0A 44 4E 54 3A 20 31 0D 0A 43 6F 6E 6E 65 63 74   .DNT: 1..Connect
1c0 : 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D   ion: keep-alive.
1d0 : 0A 0D 0A                 

Thanks for your help..

#2 Billy O'Neal


Posted 04 March 2014 - 07:03 PM

Looks like an HTTP header to me.

Billy3

#3 JohnC_21


Posted 04 March 2014 - 07:11 PM

It's the raw binary data of a file shown in Hexadecimal Format (base 16). You can edit a binary file with a Hex Editor. But beyond that I don't have much experience with Hex Editors or their use.

http://www.flexhex.com/docs/howtos/hex-editing.phtml

http://endlessparadigm.com/forum/showthread.php?tid=3201

Edit: I probably misunderstood the question, sorry.


Edited by JohnC_21, 04 March 2014 - 07:12 PM.
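The format in the first post is a hex dump: each line carries a byte offset in hex, then 16 bytes written as two-digit hex values, then the same 16 bytes as printable ASCII with "." standing in for anything non-printable (that is why every CR LF pair shows up as ".."). The bytes in this particular dump spell out an HTTP request, which is what Billy spotted. Below is an added example, written for this page and not taken from any poster, from BleepingComputer or from any tool, that decodes the post's dump back into raw bytes (checking that each line's offset agrees with the bytes decoded so far, so a dropped or duplicated line is reported rather than silently merged), re-encodes bytes in the same layout, and splits the result into an HTTP request line and headers. The dump text is the one from the first post; the function names and the parsing rules are my own assumptions.

```python
"""Decode the thread's hex dump back into bytes and read it as an HTTP request.
Added example: the decoder, re-encoder and HTTP splitter are mine, not the
thread's. Only the dump text below comes from the original post."""
import re

# Input: the hex dump from the first post (offset : 16 hex bytes   ASCII column).
HEX_DUMP = """\
000 : 47 45 54 20 68 74 74 70 3A 2F 2F 77 77 77 2E 72   GET http://www.r
010 : 75 6E 73 63 61 6E 6E 65 72 2E 6E 65 74 2F 6C 69   unscanner.net/li
020 : 62 2F 74 61 61 6E 67 6F 6C 6F 61 64 2E 65 78 65   b/taangoload.exe
030 : 2E 68 74 6D 6C 20 48 54 54 50 2F 31 2E 31 0D 0A   .html HTTP/1.1..
040 : 48 6F 73 74 3A 20 77 77 77 2E 72 75 6E 73 63 61   Host: www.runsca
050 : 6E 6E 65 72 2E 6E 65 74 0D 0A 55 73 65 72 2D 41   nner.net..User-A
060 : 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E   gent: Mozilla/5.
070 : 30 20 28 58 31 31 3B 20 4C 69 6E 75 78 20 78 38   0 (X11; Linux x8
080 : 36 5F 36 34 3B 20 72 76 3A 32 34 2E 30 29 20 47   6_64; rv:24.0) G
090 : 65 63 6B 6F 2F 32 30 31 33 31 31 30 31 20 46 69   ecko/20131101 Fi
0a0 : 72 65 66 6F 78 2F 32 34 2E 30 20 49 63 65 77 65   refox/24.0 Icewe
0b0 : 61 73 65 6C 2F 32 34 2E 31 2E 30 0D 0A 41 63 63   asel/24.1.0..Acc
0c0 : 65 70 74 3A 20 74 65 78 74 2F 68 74 6D 6C 2C 61   ept: text/html,a
0d0 : 70 70 6C 69 63 61 74 69 6F 6E 2F 78 68 74 6D 6C   pplication/xhtml
0e0 : 2B 78 6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E   +xml,application
0f0 : 2F 78 6D 6C 3B 71 3D 30 2E 39 2C 2A 2F 2A 3B 71   /xml;q=0.9,*/*;q
100 : 3D 30 2E 38 0D 0A 41 63 63 65 70 74 2D 4C 61 6E   =0.8..Accept-Lan
110 : 67 75 61 67 65 3A 20 65 6E 2D 55 53 2C 65 6E 3B   guage: en-US,en;
120 : 71 3D 30 2E 35 0D 0A 41 63 63 65 70 74 2D 45 6E   q=0.5..Accept-En
130 : 63 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 20 64 65   coding: gzip, de
140 : 66 6C 61 74 65 0D 0A 52 65 66 65 72 65 72 3A 20   flate..Referer:
150 : 68 74 74 70 3A 2F 2F 77 77 77 2E 72 75 6E 73 63   http://www.runsc
160 : 61 6E 6E 65 72 2E 6E 65 74 2F 66 69 6C 65 6C 69   anner.net/fileli
170 : 73 74 2E 61 73 70 78 3F 6C 3D 54 0D 0A 43 6F 6F   st.aspx?l=T..Coo
180 : 6B 69 65 3A 20 41 53 50 2E 4E 45 54 5F 53 65 73   kie: ASP.NET_Ses
190 : 73 69 6F 6E 49 64 3D 6A 78 64 7A 33 74 34 35 67   sionId=jxdz3t45g
1a0 : 31 63 7A 6E 74 34 35 79 76 61 6F 35 74 34 35 0D   1cznt45yvao5t45.
1b0 : 0A 44 4E 54 3A 20 31 0D 0A 43 6F 6E 6E 65 63 74   .DNT: 1..Connect
1c0 : 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D   ion: keep-alive.
1d0 : 0A 0D 0A
"""

# One dump line: 3-digit hex offset, " : ", hex pairs separated by single spaces.
# The ASCII column after the three spaces is deliberately not captured: it is
# derived from the bytes and can itself contain hex-looking text.
LINE_RE = re.compile(r"^([0-9A-Fa-f]{3}) : ((?:[0-9A-Fa-f]{2} )*[0-9A-Fa-f]{2})")


def parse_hex_dump(text: str) -> bytes:
    """Reassemble the byte stream; each line's offset must equal the number of
    bytes already decoded, so a missing or repeated line raises instead of
    silently corrupting the result."""
    out = bytearray()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"not a dump line: {line!r}")
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#x} but {len(out)} bytes decoded so far")
        out += bytes.fromhex(m.group(2))  # fromhex() ignores the spaces between pairs
    return bytes(out)


def hex_dump(data: bytes, width: int = 16) -> str:
    """The reverse direction: render bytes in the same layout, with bytes outside
    printable ASCII (0x20..0x7E) shown as '.' exactly as in the post."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:03x} : {hex_part}   {ascii_part}")
    return "\n".join(lines)


def parse_http_request(data: bytes) -> dict:
    """Split an HTTP/1.x request into request line, header dict and body. The
    header block ends at the empty line, i.e. the 0D 0A 0D 0A run in the dump."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated by an empty line (truncated capture?)")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for field in lines[1:]:
        name, _, value = field.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def decode_request(dump_text: str) -> dict:
    """Hex dump text straight to a parsed HTTP request."""
    return parse_http_request(parse_hex_dump(dump_text))


if __name__ == "__main__":
    raw = parse_hex_dump(HEX_DUMP)
    req = decode_request(HEX_DUMP)
    print(f"{len(raw)} bytes: {req['method']} {req['target']} {req['version']}")
    for name, value in req["headers"].items():
        print(f"  {name}: {value}")
    assert parse_hex_dump(hex_dump(raw)) == raw  # the re-encoder round-trips
```

Running the script prints the 467-byte request line and its nine headers. The offset check in parse_hex_dump is the part worth keeping when you paste dumps out of a report by hand: a line lost in copying shows up immediately as an offset mismatch rather than as a request that decodes to gibberish from that point on.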


#4 TsVk!


Posted 04 March 2014 - 07:12 PM

thanks guys.... I have the reading I need now. :thumbup2:


Edited by TsVk!, 04 March 2014 - 07:12 PM.


#5 Nostromov


Posted 04 March 2014 - 08:08 PM

> Looks like an HTTP header to me.

Ugh, yea; it's this page:
http://www.runscanner.net/lib/taangoload.exe.html


#6 TsVk!


Posted 04 March 2014 - 08:44 PM

runscanner is generating many WEB-MISC Lotus Notes .exe script source download attempts, which is why I want to analyse the bin file created with this report...

may just be false positives.



#7 Nostromov


Posted 04 March 2014 - 09:03 PM

Oh, duh! Yeah, gotcha; tnx 4 the update..:)



#8 TsVk!


Posted 04 March 2014 - 09:11 PM

> It's the raw binary data of a file shown in Hexadecimal Format (base 16). You can edit a binary file with a Hex Editor. But beyond that I don't have much experience with Hex Editors or their use.
>
> http://www.flexhex.com/docs/howtos/hex-editing.phtml
>
> http://endlessparadigm.com/forum/showthread.php?tid=3201
>
> Edit: I probably misunderstood the question, sorry.

You actually provided the answer I needed. Thanks.