It is a well-known fact that the most common encryption algorithm used by malware authors relies on an eXclusive OR (a.k.a. XOR) operation using a static, one byte long key. It is used so often that many researchers already have their own scripts and tools that attempt to cryptanalyse encrypted files and discover hidden data. And in case you don’t – you will now have one as well :-).
DeXRAY is a simple perl script that tries to discover encrypted executables and DLLs (or, more generically – Portable Executables a.k.a. PE) within a given data file e.g. it could be an encrypted PE that is embedded inside a malicious dropper (including non-PE files e.g. PDFs) or network traffic.
How it works
DeXRAY relies on a simple technique known as X-RAY. The technique is probably as old as an antivirus industry itself and relies on a simple fact that xoring two values from analyzed data will produce the same result as the result obtained from xoring these values if they have been previously encrypted with a static key.
A xor B = (A xor key) xor (B xor key) = same value
Since all Portable Executables start with letters ‘M’ and ‘Z’, xoring ‘M’ and ‘Z’ will produce the same value as xoring (‘M’ xor key) with (‘Z’ xor key)
‘M’ xor ‘Z’ = (‘M’ xor key) xor (‘Z’ xor key) = 0×17
In other words, it is a known plain-text attack.
DeXRAY attempts to decrypt
- Any binary file (using X-RAY)
- Symantec Quarantine files (VBN/QBD)
- McAfee Quarantine files (BUP)
Quarantine files are supported specifically for a very simple reason: they often rely on a XOR-based encryption algorithm and X-RAY is a very suitable technique to decrypt them. To make things easier, DeXRAY recognizes file extensions of known Quarantine files and uses (widely) known hard coded keys to decrypt these files while maintaining some flexibility in case some keys have changed.
perl DeXRAY.pl <filename or directory>
What is the output?
If it works, you will get files saved as <original filename.XXXXXXXX.YY.out>
- XXXXXXXX is the offset (hexadecimal) where the file starts in the original file
- YY is the encryption key (hexadecimal)
There may be more files than one. In some cases the log from the script may show two output files with the same name (one obtained from de-xoring with a hard coded value and second one from X-RAY; in such case, only one file is produced).
Examples and Notes
- Symantec Quarantine files (.VBN) – xor 0x5A
DeXRAY won’t work with some Symantec Quarantine files. As far as I can tell, it is because not all VBN files are actualy encrypted, so it’s worth looking at a hex dump of such files first. It may also not work if the Quarantined file is not Portable Executable – X-RAY only supports Portable Executable. Adding support for other files (e.g. Flash, PDF) is trivial. Finally, note that there are often two VBN files associated with one Quarantine entry – one contains some metadata, second is the actual encrypted file and is located in a Quarantine subdirectory named similarly to the first VBN file.
The content of the decryptable VBN file is metadata at the top of the file (clear text and strings visible, but header format is unknown) that is followed by the encrypted content we want to grab. One more note here – the location of the encrypted data within the VBN file is not static as some blogs suggest. DeXRAY script is trying to ‘guess’ the offset to the encrypted by reading first 32-bit value from the file (while it is not documented, it appears to be actually pointing to the encrypted content).
- Symantec/Norton Quarantine files (.QBD) – xor 0xB3 / xor 0x4C
DeXRAY decrypts the whole file using static key 0xB3. This allows to decrypt the metadata at the top of the file. It then uses X-RAY and finds the encrypted malware (it’s encrypted with the key 0x4C)
- McAfee Quarantine (.BUP) – xor 0x6A
DeXRAY decrypts the whole file using static key 0x6A. This allows to decrypt the metadata at the top of the file. It then relies on X-RAY to find and extract the encrypted malware
- only PE files are supported by X-RAY, but adding support for known malicious files is trivial and you could add it yourself, or drop me a line and I will add it.
I am not sure if all static keys are always correct as I didn’t have enough samples to test, but it seemed to work in all tests. If you come across files that you know for sure they should be containing malware and DeXRAY fails to decrypt them, feel free to send them over and I will have a look.