Batch Analysis | Hexacorn

Yesterday Brian Baskin pinged me on Twitter asking about ccSubSdk files that Symantec solutions store on the system in the following location:

C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\<product>\CmnClnt\ccSubSDK

f.ex.

C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.5.0.19\CmnClnt\ccSubSDK

The SEP may store similar files in different location:

C:\ProgramData\Symantec\Symantec Endpoint Protection\<SEP version>\Data\CmnClnt\ccSubSDK
C:\ProgramData\Symantec\Common Client\ccSubSDK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<SEP version>\Data\CmnClnt\ccSubSDK

DeXRAY didn’t support them and it triggered my interest. I pretty quickly identified the algorithm as Blowfish, but for some reason it didn’t work. Eventually, after struggling with it for a while I ended up understanding the issue: it was a problem of little vs. big endianess – unfortunately, the same algorithms can be implemented to work with different data -ness.

Once I figured it out, I added a basic support for both {GUID} files and the submissions.idx. Now, when I say ‘support’ I mean the decryption of the outer layer only and a basic interpretation of what I can deduct from the file structure inside submissions.idx. Once you look at the decrypted files you will realize that the files contain some sort of container to store a lot of information about the suspected files / network data and possibly other data sets sent to the AV Reputation engines + actual files. On top of that, in some instances the content of the files is not encrypted (with a second layer), and in some it is.

It’s quite a headache.

Still, it’s worth pursuing further as it seems to be a great forensic artifact that may help to identify a lot of file-system and network activities that may not be recorded anywhere else, or long forgotten. We can retrieve metadata and the content of long lost files. And since the reputation engine intercepts pretty much all unknown suspicious files, as well as some network artifacts a lucky forensic investigator may actually find a smoking gun there…

Here are a few examples:

A suspicious file (PE file can be retrieved)

Silent/heuristic AV detections

A download of a PE file (HTTP PE Download):

There are also file metadata submissions with forensically interesting bits in a form of XML-like report:

<Report 
 Type="File Vote Report" 
 Count="#NUM OF FILES#">
 <File 
  Index="#INDEX#" 
  Active_timestamp="#EPOCH#" 
  File_MD5="#MD5#" 
  File_SHA256="#SHA256#" 
  FileName="#FILENAME#" 
  Path="#PATH#" 
  Signature="#SIG#" 
  Issuer="#ISSUER#" 
  Version="#VERSION#" 
  File_Type="#FILETYPE#" 
  AVE_Blob="#AVEBLOB#"/>

The Epoch, file path, file name, and hashes can support investigation in many ways. I believe there is a lot to explore here + in similar files from other vendors (if such files exist).

If you have ccSubSdk files available and want to share them with me for research, I’d appreciate it.

Coming back to DeXRAY – the full list of supported or recognized file formats is listed below:

AhnLab (V3B)
ASquared (EQF)
Avast (Magic@0=’-chest- ‘)
Avira (QUA)
Baidu (QV)
BitDefender (BDQ)
CMC Antivirus (CMC)
Comodo <GUID> (not really; Quarantined files are not encrypted 🙂 )
ESafe (VIR)
ESET (NQF)
F-Prot (TMP) (Magic@0=’KSS’)
Kaspersky (KLQ)
Lavasoft AdAware (BDQ) /BitDefender files really/
MalwareBytes Data files (DATA)
MalwareBytes Quarantine files (QUAR)
McAfee Quarantine files (BUP)
Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
Panda <GUID> Zip files
Spybot – Search & Destroy 2 ‘recovery’
SUPERAntiSpyware (SDB)
Symantec ccSubSdk files: {GUID} files and submissions.idx
Symantec Quarantine Data files (QBD)
Symantec Quarantine files (VBN)
Symantec Quarantine Index files (QBI)
TrendMicro (Magic@0=A9 AC BD A7 which is ‘VSBX’ string ^ 0xFF)
QuickHeal <hash> files
Vipre (<GUID>_ENC2)
Any binary file (using X-RAY scanning)

Thanks to Brian for raising the interesting challenge and patiently listening to my questions and comments 🙂

The latest version of DeXRAY can be found here.

Updated 2021-02-26

Added Avast libs

Updated 2020-06-22

Added ivm-inject.dll and log_api32. Andrew sent these long time ago, but I sat on it even longer. I finally managed to update the post & apologies to Andrew for this taking so long!!!

Updated 2019-10-17

And a few more additions from Andrew! RapportGP, RapportGP_x64, and aswhook. Thanks !

Updated 2019-09-20

Added a few more pointed out by Andrew! fshook32, aswhookx, aswhooka. Thanks!

Updated 2019-08-20

Added a few libraries pointed out by Andrew! ollydbg.dll vboxhook.dll, vghookx.dll and avghooka.dll. Thanks!

Updated 2018-07-14

Added apihex86.dll and apihex64.dll + apilogen.dll & amxread.dll

Updated 2017-12-17

Added makin library ahlo.dll

Updated 2017-11-18

Fixed incorrectly attributed iDefense Labs libs, added some 64- bit libs and updated descriptions

Old post

Detecting sandboxes is a cool domain for research. It’s been a fav topic for many companies to cover for many years in their blogs and there is… no end to it.

In this short summary, I’ll try to list all the phantom/real DLLs that anti-sandbox tricks rely on to detect suspicious, or at least unfriendly AV environment.

Some of them are very well known, some of them… less.

If you know any others, please do let me know.

Thank you!

Here they are:

a2hooks32 Emsisoft 32-bit
a2hooks64 Emsisoft 64-bit
adialhk Kaspersky Anti-Virus
amxread.dll Used by logman API Trace – API Tracing Manifest Read Library
AMSI.dll Used by Antimalware Scan Interface (AMSI)
aswAMSI.dll Used by Avast
anvirhook56 AnVir Software
apihex86.dll Used by logman API Trace (32-bit) – API Tracing X86 Hook Engine
apihex64.dll Used by logman API Trace (64-bit) – API Tracing x64 Hook Engine – also see this link
api_log iDefense Labs
apihookdll (Generic API Hooking DLL name)
apilogen.dll Used by logman API Trace – API Tracing Log Engine
apshook Cognizant Application Protection Hook
asho Library injected by makin
aswhook Avast Security Suite
avgrsstx AVG Internet Security
avcuf32 BitDefender 32-bit
avcuf64 BitDefender 64-bit
avghooka AVG (Link, Thx Andrew!)
avghookx AVG (Link, Thx Andrew!)
aswhooka.dll Avast (Link, Thx Andrew!)
aswhookx.dll Avast (Link, Thx Andrew!)
BgAgent BullGuard
cmdvrt32 Comodo 32-bit
cmdvrt64 Comodo 64-bit
cssdll32 Comodo (SafeSurf)
dbghelp Debug Help (Potentially used to detect sandboxing env)
desktopmessaging Sophos Anti-Virus
dir_watch iDefense Labs
eeconsumer Sophos Anti-Virus
fshook32 F-Secure (Link, Thx Andrew!)
guard32 Comodo 32-bit
guard64 Comodo 64-bit
hinthk HintSoft
iatloader API Override
icadapter Sophos Anti-Virus
icmanagement Sophos Anti-Virus
ieprot Rising Information Technology (IE Protector)
ivm-inject.dll Buster Sandbox Analyzer (Link, Link, Thx Andrew!)
kakatool Rising Information Technology
kloehk Kaspersky Anti-Virus (Outlook Express Hook)
kmon Rising Information Technology
log_api32 Buster Sandbox Analyzer (Link, Link, Thx Andrew!)
log_api64 Buster Sandbox Analyzer (Link, Thx Andrew!)
legacyconsumers Sophos Anti-Virus
mzvkbd Kaspersky Anti-Virus
ollydbg AVG (Link, Thx Andrew!)
pavshook Panda
PCTGMhk PC Tools
persistance Sophos Anti-Virus
pinvm PIN (Instrumentation Framework)
printfhelp Unknown Sandbox
psapi Possibly loaded to look for processes/modules
pstorec Possible SunBelt Sandbox (but also other sandboxes that preload DLLs)
QOEHook Qurb
R3HOOK Kaspersky Anti-Virus (Ring 3 Hooker)
rapport Trusteer
rapportGP Trusteer
rapportGP_x64 Trusteer
rooksbas Trusteer
sar1 Sophos Anti-Rootkit
sar2 Sophos Anti-Rootkit
sar3 Sophos Anti-Rootkit
sar4 Sophos Anti-Rootkit
savneutralres Sophos Anti-Virus
savreseng Sophos Anti-Virus
savshellext Sophos Anti-Virus 32-bit
savshellextx64 Sophos Anti-Virus 64-bit
sbie SandBoxie
sbie!ll SandBoxie
sbiedll SandBoxie
sbiedllx SandBoxie
scaneditfacade Sophos Anti-Virus
scanmanagement Sophos Anti-Virus
security Sophos Anti-Virus
sf2 Avast
sipsmanagement Sophos Anti-Virus
snxhk Avast
sophos_detoured Sophos Anti-Virus
sophos_detoured_x64 Sophos Anti-Virus
sophosbho Sophos Anti-Virus
sophosbhox64 Sophos Anti-Virus
sophtaineradapter Sophos Anti-Virus
ssleay32 Trusteer (could be a legitimate use of OpenSSL library though)
swi_filter Sophos Anti-Virus
swi_ifslsp Sophos Anti-Virus
swimanagement Sophos Anti-Virus
sxin Qihoo 360
systeminformation Sophos Anti-Virus
tamperprotectionmanagement Sophos Anti-Virus
threatdetection Sophos Anti-Virus
translators Sophos Anti-Virus
UMEngx86 Norton Sonar
VBOXHOOK VirtualBox (Sample; Thx Andrew!)
virusdetection Sophos Anti-Virus
vmcheck Virtual PC
vmhgfs VMWare
wbsys Stardock.Net (WindowBlinds)
wl_hdlr Agnitum (Outpost)
wl_hook Agnitum (Outpost)
wpcap Attempts ot WinPCAP library (possible sandbox detection)
wpespy Winsock Packet Editor (WPE)

A separate category is the OS DLLs. The technique that some malware relies on requires loading f.ex. ntdll.dll as a data file, parsing it manually as a PE file, then discovering its exports, finding the code of the API functions that are typically hooked, and eventually comparing that ‘static’ code with the code of the actually loaded library (in memory). This is a trick used by some older packers (AFAIR Themida), but also some custom (and typically advanced, since written in asm most of the time) malware.

Note: if you use this list in a commercial sandbox, please ensure you give a credit 🙂

Hexacorn

Hexacorn

Category Archives: Batch Analysis

DeXRAY 1.6 – ccSubSdk files

Enter Sandbox – part 12: The Library of naughty libraries