You are browsing the archive for DeXRAY.

DeXRAY 2.0 released

March 9, 2017 in Batch Analysis, Compromise Detection, DeXRAY, File Formats ZOO, Forensic Analysis, Incident Response, Malware Analysis, Software Releases

Recently I was contacted by two fellow DFIRers (thx @JamesHabben and @bmmaloney97) who suggested some improvements to the tool.

James mentioned to me a type of Quarantine files that I never heard of (Lumension LEMSS) and was kind enough to provide the recipe on how to handle them which I implemented in the tool (hope it works!).

Brian wrote some piece of code to integrate it with DeXRAY. Thanks to his efforts McAfee BUP files are now finally properly handled (the older version of DeXRAY required the user to carve out the decrypted malware, because DeXRAY didn’t handle OLE files). Thx!

In the effort to better parse some troublesome files I have added an additional routine to carve the files out (and I use it for Symantec ccSubSdk files).

Lo and behold the DeXRAY is now 2.0.

You can download it here.

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; Quarantined files are not encrypted 🙂
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA)
  • MalwareBytes Quarantine files (QUAR)
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Any binary file (using X-RAY scanning)

DeXRAY 1.7 – ccSubSdk files – part 2

September 18, 2016 in Batch Analysis, Compromise Detection, DeXRAY, File Formats ZOO, Forensic Analysis, Incident Response, Malware Analysis, Software Releases

I have added a buggy routine that attempts to interpret the content of the decrypted ccSubSdk files; this is based purely on looking at the file properties – at first I noticed that there are many GUID-like values that appear in the files many times and across many files. Then looking at the layout I tried to split the data by using these GUIDs as dividers – this was helpful and led to a better understanding of how these chunks are structured. Some patterns started emerging and in the end the serialization character of the file layout became more apparent. Walking through trial-and-error I put together a raw parser that attempts to make a better sense of the data records.

The tool stores the hexadecimal dumps of the interpreted data in .met files that are now accompanying all decrypted out files for both submission.idx and actual submission files. You will find errors in some of the output files, but atm it’s the best it can do. Work in progress 🙂

The output is tagged using  ‘###’ f.ex.:

### GUID
      21 A3 05 3F B7 43 78 45 93 C8 CD C5 F6 4A 14 9A  !..?.CxE.....J..
09
      22 00 00 00                                      "...

06
      01 00 00 00                                      ....

06
      01 00 00 00                                      ....

07
      13 00 00 00                                      ....

      4D 72 43 6C 65 61 6E 20 53 75 62 6D 69 73 73 69  MrClean Submissi
      6F 6E 00                                         on.

### STRING-A
      MrClean Submission

The following identifiers are now being used:

  • STRING-A – String ANSI
  • STRING-W – String Wide (Unicode-16LE)
  • BLOB – binary blob
  • GUID – 16 bytes long GUID-like data

The latest version of DeXRAY can be found here.