DeXRAY 2.05 update

Posted on by

If there is one proof that online collaboration works it is DeXRAY. Since the tool was first released it received quite a bit of attention from the DFIR community. Every once in a while I get not only a positive feedback from the users, but also very important contributing ideas and code offered by security researchers and professionals.

This release is not different.

A few days ago I was pinged by Luis Rocha (@countuponsec) who generously offered his insight and results of his and Antonio Monaca’s research on Kaspersky’s System Watcher feature (available in KES10) that quarantines files in the following location:

  • C:\ProgramData\Kaspersky Lab\KES10\SysWHist\file_cache\<md5>.bin

Luis discovered that the files are encrypted with a static XOR key 397b4d58c9397b4d58c9.

Based on his research I have quickly implemented a routine in Dexray to decrypt these files.

Thanks Luis and Antonio!

You can download the latest version here.

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • BullGuard (Q)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; Quarantined files are not encrypted 🙂
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ, System Watcher’s <md5>.bin)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA) – 2 versions
  • MalwareBytes Quarantine files (QUAR) – 2 versions
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • Symantec Quarantine files on MAC (quarantine.qtn)
  • TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Zemana <hash> files+quarantine.db
  • Any binary file (using X-RAY scanning)