DeXRAY 2.0 released

Recently I was contacted by two fellow DFIRers (thx @JamesHabben and @bmmaloney97) who suggested some improvements to the tool.

James told me about a type of Quarantine file I had never heard of (Lumension LEMSS) and was kind enough to provide the recipe for handling them, which I implemented in the tool (hope it works!).

Brian wrote a piece of code and integrated it with DeXRAY. Thanks to his efforts, McAfee BUP files are now finally handled properly (the older version of DeXRAY required the user to carve out the decrypted malware themselves, because DeXRAY didn’t handle OLE files). Thx!

In the effort to better parse some troublesome files I have added an additional routine to carve the files out (and I use it for Symantec ccSubSdk files).

Lo and behold, DeXRAY is now 2.0.

You can download it here.

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; Quarantined files are not encrypted 🙂 )
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA)
  • MalwareBytes Quarantine files (QUAR)
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Any binary file (using X-RAY scanning)

Old Flame Never Dies (a.k.a. decompiling LUA)

When the news about Flame exploded all over the media, I remember grabbing available samples and like many other researchers started poking around. Pretty quickly, I extracted a large number of very unique strings from various Flame samples and posted them online.

Recently, I accidentally came across that old post and started wondering if anyone ever posted the decompiled Lua scripts for the malware. I googled around for some of the strings I posted on my blog back then and to my surprise – my blog was the only one showing up!

I guess there must be some conspiracy theory that will explain that…

Back in 2012, I didn’t have all the samples, but I did run them through a quick analysis process which I will describe below. The procedure for obtaining the strings was extremely crude, but like many quick&dirty solutions – it worked pretty well (and it was fast!).

  • For each DLL, load it via rundll32
    • For each exported function, execute it
      • For every single execution, delay for some time
      • Grab memory dumps for rundll32
      • Kill rundll32

Interestingly, I still have the memory dumps I used to extract the strings from, so… since I suddenly thought of these Lua scripts, I re-used the memdumps to extract over 60 bytecoded Lua scripts (from both static files and memory dumps, to be precise).

And here comes the real purpose of this post: to document how to obtain decompiled Lua scripts from Flame:

  • I wrote a quick carving tool in Perl to extract Lua bytecode from both static files and memory dumps
    • This was pretty easy, since the compiled Lua always starts with a header “\x1BLua”
    • For each extracted file, I wrote another quick&dirty script to rename it to the name embedded inside the bytecoded Lua script
    • That’s how we get the ‘original’ name of the files, e.g. ‘MUNCH_ATTACKED_ACTION.lua’ is embedded inside the bytecoded Lua script

(screenshot: munch_attacked_action-lua)

  • With all the files preprocessed, I ran them through a Lua decompiler
    • For many files, it worked like a charm; for some, it failed
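As an added example (not the author's Perl tooling), here is the carve-and-rename step in Python: it scans a buffer for the "\x1BLua" signature, validates the header that follows (assumption: Flame's chunks use the stock Lua 5.1 header layout), pulls out the embedded source name, and sanitises that name before it is used on disk, because it comes straight from the sample. The "memory dump" is constructed inline.

```python
import os
import re
import struct

LUA_SIG = b"\x1bLua"

def parse_source_name(buf, off):
    """Parse a Lua 5.1 chunk header at buf[off:] and return the embedded source name,
    or None when the bytes after the signature do not form a valid header (assumed 5.1 layout)."""
    if buf[off:off + 4] != LUA_SIG or len(buf) < off + 12:
        return None
    version, fmt, endian, int_sz, sizet_sz, instr_sz, num_sz, integral = buf[off + 4:off + 12]
    if ((version, fmt, endian, int_sz, instr_sz, num_sz, integral) != (0x51, 0, 1, 4, 4, 8, 0)
            or sizet_sz not in (4, 8)):
        return None
    pos = off + 12
    if len(buf) < pos + sizet_sz:
        return None
    (length,) = struct.unpack_from("<I" if sizet_sz == 4 else "<Q", buf, pos)
    pos += sizet_sz
    raw = buf[pos:pos + length]
    if length == 0 or len(raw) != length or raw[-1] != 0:  # source string is NUL-terminated
        return None
    return raw[:-1].decode("latin-1").lstrip("@=")  # luac stores file names as '@name'

def carve_lua(buf):
    """Return [(offset, embedded_name)] for every signature hit that parses as a chunk."""
    return [(m.start(), n) for m in re.finditer(re.escape(LUA_SIG), buf)
            if (n := parse_source_name(buf, m.start())) is not None]

def safe_filename(name, fallback):
    """The embedded name comes from the sample, so treat it as hostile: drop any
    directory part and keep a conservative character set before touching disk."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")
    return base if base else fallback

def build_chunk(name, sizet_sz=4):
    """Constructed test data: a minimal Lua 5.1 header plus source name (not a real Flame chunk)."""
    src = name + b"\x00"
    return (LUA_SIG + bytes([0x51, 0, 1, 4, sizet_sz, 4, 8, 0])
            + struct.pack("<I" if sizet_sz == 4 else "<Q", len(src)) + src + b"\x00" * 8)

# Constructed "memory dump": two chunks around a decoy signature with no valid header behind it.
DUMP = (b"\x90" * 32 + build_chunk(b"@MUNCH_ATTACKED_ACTION.lua") + b"MZ" * 16
        + LUA_SIG + b"\xff\xff\xff\xff" + build_chunk(b"@..\\..\\flame_props.lua", 8) + b"\x00" * 16)

if __name__ == "__main__":
    for i, (off, name) in enumerate(carve_lua(DUMP)):
        print(f"0x{off:x} {name!r} -> {safe_filename(name, f'chunk_{i}.luac')}")
```

The decoy hit shows why the header check matters when scanning raw memory: the four signature bytes alone turn up in plenty of places that are not Lua chunks.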

If you remember Kaspersky’s Flame code from 2012:

(screenshot: kaspersky0)

you can find the code inside the flame_props.lua.dec file (you need to remove the decompiler’s comments):

(screenshot: kaspersky1)

The collection of all decompiled scripts can be found here.

The password is: old_flame_never_dies

List of all scripts:

  • ___kaspersky.dec
  • attackop_base_prods.lua.dec
  • attackop_base_sendfile.lua.dec
  • ATTACKOP_FLAME.lua.dec
  • ATTACKOP_FLAME_PRODS.lua.dec
  • ATTACKOP_FLAME_STARTLEAK.lua.dec
  • ATTACKOP_FLASK.lua.dec
  • ATTACKOP_FLASK_PRODS.lua.dec
  • ATTACKOP_JIMMY.lua.dec
  • ATTACKOP_JIMMY_PRODS.lua.dec
  • ATTACKOP_MOVEFILE.lua.dec
  • ATTACKOP_RUNDLL.lua.dec
  • basic_info_app.lua.dec
  • casafety.lua.dec
  • clan_entities.lua.dec
  • clan_seclog.lua.dec
  • CRUISE_CRED.lua.dec
  • euphoria_app.lua.dec
  • event_writer.lua.dec
  • fio.lua.dec
  • flame_props.lua.dec
  • get_cmd_app.lua.dec
  • IMMED_ATTACK_ACTION.lua.dec
  • json.lua.dec
  • leak_app.lua.dec
  • libclanattack.lua.dec
  • libclandb.lua.dec
  • libcommon.lua.dec
  • libdb.lua.dec
  • libflamebackdoor.lua.dec
  • liblog.lua.dec
  • libmmio.lua.dec
  • libmmstr.lua.dec
  • libnetutils.lua.dec
  • libplugins.lua.dec
  • libwmi.lua.dec
  • main_app.lua.dec
  • MUNCH_ATTACKED_ACTION.lua.dec
  • MUNCH_SHOULD_ATTACK.lua.dec
  • NETVIEW_HANDLER.lua.dec
  • NETVIEW_SPOTTER.lua.dec
  • payload_logger.lua.dec
  • post_cmd_app.lua.dec
  • REG_SAFETY.lua.dec
  • RESCH_EXEC.lua.dec
  • rts_common.lua.dec
  • SECLOG_HANDLER.lua.dec
  • SECLOG_SPOTTER.lua.dec
  • SNACK_BROWSER_HANDLER.lua.dec
  • SNACK_ENTITY_ACTION.lua.dec
  • SNACK_NBNS_HANDLER.lua.dec
  • STD.lua.dec
  • storage_manager.lua.dec
  • SUCCESS_FLAME.lua.dec
  • SUCCESS_FLAME_STARTLEAK.lua.dec
  • SUCCESS_GET_PRODS.lua.dec
  • table_ext.lua.dec
  • transport_nu_base.lua.dec
  • TRANSPORT_NU_DUSER.lua.dec
  • TRANSPORT_NUSYSTEM.lua.dec
  • USERPASS_CRED.lua.dec
  • WMI_EXEC.lua.dec
  • WMI_SAFETY.lua.dec