DeXRAY 2.05 update

January 26, 2018 in Batch Analysis, Compromise Detection, DeXRAY, File Formats ZOO, Forensic Analysis, Incident Response, Software Releases

If there is one proof that online collaboration works, it is DeXRAY. Since the tool was first released it has received quite a bit of attention from the DFIR community. Every once in a while I get not only positive feedback from users, but also very valuable ideas and contributed code offered by security researchers and professionals.

This release is no different.

A few days ago I was pinged by Luis Rocha (@countuponsec), who generously offered his insight and the results of his and Antonio Monaca’s research into Kaspersky’s System Watcher feature (available in KES10), which quarantines files in the following location:

  • C:\ProgramData\Kaspersky Lab\KES10\SysWHist\file_cache\<md5>.bin

Luis discovered that the files are encrypted with a static XOR key 397b4d58c9397b4d58c9.

Based on his research, I quickly implemented a routine in DeXRAY to decrypt these files.
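For readers who want to check a System Watcher file_cache entry by hand, the following is an added example (my own, not DeXRAY’s Perl routine) that applies the static key from Luis’s research as a repeating XOR stream. It assumes the key stream starts at file offset 0, and the sample input is a constructed fake PE stub, not a real quarantine file.

```python
from itertools import cycle

# Static XOR key reported for KES10 System Watcher file_cache\<md5>.bin files
# (value taken from the post). That the key stream is aligned to file offset 0
# is an assumption of this example; DeXRAY's own routine is not reproduced.
SYSWATCHER_KEY = bytes.fromhex("397b4d58c9397b4d58c9")


def xor_with_key(data: bytes, key: bytes = SYSWATCHER_KEY, offset: int = 0) -> bytes:
    """XOR `data` against a repeating `key`. XOR is symmetric, so the same call
    both encrypts and decrypts. `offset` is the file position of data[0], which
    keeps chunked reads aligned with the key stream."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[(offset + i) % len(key)] for i, b in enumerate(data))


def decrypt_file_cache_entry(path: str, chunk_size: int = 1 << 20) -> bytes:
    """Decrypt one <md5>.bin file, reading it in chunks so that a large
    quarantined sample does not have to be loaded in one piece."""
    out = bytearray()
    pos = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            out += xor_with_key(chunk, offset=pos)
            pos += len(chunk)
    return bytes(out)


def plausible_plaintext(data: bytes) -> bool:
    """Cheap sanity check after decryption: quarantined Windows samples are
    usually PE files, so a missing 'MZ' header hints at a wrong key or offset."""
    return data[:2] == b"MZ"


# Constructed sample (not a real quarantine file): a fake PE stub, XORed with
# the key so the round trip can be shown offline.
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 7
SAMPLE_ENCRYPTED = xor_with_key(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    recovered = xor_with_key(SAMPLE_ENCRYPTED)
    print("looks like PE:", plausible_plaintext(recovered), recovered[:4])
```

On a real host, point decrypt_file_cache_entry at a file under the SysWHist\file_cache path above and write the result to a separate analysis directory rather than back into the quarantine store.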

Thanks Luis and Antonio!

You can download the latest version here.

The full list of supported or recognized file formats:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • BullGuard (Q)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; quarantined files are not encrypted 🙂)
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ, System Watcher’s <md5>.bin)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA) – 2 versions
  • MalwareBytes Quarantine files (QUAR) – 2 versions
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • Symantec Quarantine files on MAC (quarantine.qtn)
  • TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Zemana <hash> files+quarantine.db
  • Any binary file (using X-RAY scanning)
