DeXRAY 2.03 update

Added ‘handling’ of quarantine.qtn from Symantec products on MAC.

Saying ‘handling’ because at the moment there is no good Perl library for encrypted .zip files, BUT… we really don’t need such a library, since the decryption is trivial. If a quarantine.qtn is found, you will get a list of the files inside the container plus information on how to extract each file (hint: the password is… a file name 🙂)

You can download it here.

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • BullGuard (Q)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; quarantined files are not encrypted 🙂)
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA)
  • MalwareBytes Quarantine files (QUAR)
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • Symantec Quarantine files on MAC (quarantine.qtn)
  • TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Zemana <hash> files+quarantine.db
  • Any binary file (using X-RAY scanning)

Sysmon doing lines

This is just an experiment I ran today to see if I could fool sysmon (or more specifically: any program that parses sysmon logs, or users viewing the sysmon logs in the Event Viewer) into doing an extra line, or two…

What if…

…the command line of the spawned process (calculator in this case) looked like a part of the Event Log entry itself? Something along these lines:

calc

 CurrentDirectory: C:\non-existing\
 User: test-pc\user
 LogonGuid: {15a1393e-e37e-58de-0000-0020e0940300}
 LogonId: 0x394E0
 TerminalSessionId: 1
 IntegrityLevel: High
 Hashes: SHA1=2E391131F9B77A8EC0E0172113692F9E2CCCEAF0
 ParentProcessGuid: {15a1393e-97f2-59d2-0000-0010a4d8a500}
 ParentProcessId: 666
 ParentImage: C:\windows\system32\calc.exe

Obviously, you can’t type this at a command prompt; you need a program that launches it for you via the CreateProcess API (the command line is just a string argument there, so it can carry embedded line breaks).

The result would be like this:

So… when the data is previewed, the user can (at least for a moment) believe that calc.exe was indeed spawned by process ID 666, that its parent process is calc.exe (which on its own is kind of difficult), and that the current directory is C:\non-existing.

Programs exporting logs into CSV/TXT could potentially be fooled too, since the injected data lines up with the expected log layout; a state machine parsing them could be thrown off, and one could inject a number of such fake lines to disturb the parsing process and produce a funny, non-existent process-tree scenario.
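As an added example (not from the original post), the following Python shows both sides of this: a line-oriented “Key: Value” parser of the rendered message text being fooled exactly as described, a field-aware parser of the EventData XML that is not, and a simple detection rule for command lines that carry line breaks or imitate Sysmon field names. The event is constructed to look like a Sysmon Event ID 1 message and is not a captured log; the injected command line reuses the values from the post (ParentProcessId 666, calc.exe as parent, C:\non-existing), while the legitimate field values are made up. Spawning the process with such a command line needs CreateProcess on Windows and is not part of this example.

```python
"""Sysmon command-line injection: a line-oriented parser versus a field-aware one.

Added example, not from the original post.  The event text is constructed to
look like a Sysmon Event ID 1 message and is not a captured log; the injected
command line reuses the post's values (ParentProcessId 666, calc.exe as parent,
C:\\non-existing), the legitimate values are made up.
"""
import re
import xml.etree.ElementTree as ET

# Constructed attacker command line: "calc" followed by lines shaped like the
# tail of a Sysmon process-creation message.  A real injection would likely use
# CRLF; LF is used here because XML parsers normalise CRLF to LF anyway.
INJECTED_COMMANDLINE = "\n".join([
    "calc",
    "CurrentDirectory: C:\\non-existing\\",
    "User: test-pc\\user",
    "IntegrityLevel: High",
    "ParentProcessId: 666",
    "ParentImage: C:\\windows\\system32\\calc.exe",
])

# Legitimate field values of the constructed event (made up).
REAL_FIELDS = [
    ("UtcTime", "2017-10-03 10:00:00.000"),
    ("ProcessId", "4242"),
    ("Image", "C:\\Windows\\System32\\calc.exe"),
    ("CommandLine", None),  # filled in per call
    ("CurrentDirectory", "C:\\Users\\user\\"),
    ("User", "test-pc\\user"),
    ("IntegrityLevel", "Medium"),
    ("ParentProcessId", "1337"),
    ("ParentImage", "C:\\Windows\\explorer.exe"),
]


def render_message(cmdline: str) -> str:
    """The 'Key: Value' text the Event Viewer shows (and many log exporters copy)."""
    lines = ["Process Create:"]
    for key, value in REAL_FIELDS:
        lines.append(f"{key}: {cmdline if key == 'CommandLine' else value}")
    return "\n".join(lines) + "\n"


def render_xml(cmdline: str) -> str:
    """The same event as EventData XML: each field is its own <Data Name=...> element."""
    root = ET.Element("EventData")
    for key, value in REAL_FIELDS:
        ET.SubElement(root, "Data", Name=key).text = cmdline if key == "CommandLine" else value
    return ET.tostring(root, encoding="unicode")


def naive_parse(message: str) -> dict:
    """Line-oriented 'Key: Value' parser, first occurrence wins.  This is what gets
    fooled: the injected lines are indistinguishable from the real ones, so
    ParentProcessId becomes 666.  A last-wins variant keeps the real values but
    silently truncates CommandLine to "calc", which is wrong in a different way."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(": ")
        if sep and key.strip() not in fields:
            fields[key.strip()] = value
    return fields


def xml_parse(xml_text: str) -> dict:
    """Field-aware parser: the line breaks stay inside the CommandLine element."""
    return {d.get("Name"): (d.text or "") for d in ET.fromstring(xml_text).iter("Data")}


SYSMON_FIELDS = [
    "UtcTime", "ProcessGuid", "ProcessId", "Image", "CommandLine", "CurrentDirectory",
    "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes",
    "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine",
]
FIELD_LINE = re.compile(r"(?m)^\s*(" + "|".join(SYSMON_FIELDS) + r"):\s")


def suspicious_commandline(cmdline: str) -> list:
    """Detection: command lines with line breaks or lines imitating Sysmon field names."""
    reasons = []
    if "\n" in cmdline or "\r" in cmdline:
        reasons.append("embedded line break")
    fakes = FIELD_LINE.findall(cmdline)
    if fakes:
        reasons.append("embedded field names: " + ", ".join(fakes))
    return reasons


if __name__ == "__main__":
    print(naive_parse(render_message(INJECTED_COMMANDLINE))["ParentProcessId"])  # fooled: 666
    print(xml_parse(render_xml(INJECTED_COMMANDLINE))["ParentProcessId"])        # correct: 1337
    print(suspicious_commandline(INJECTED_COMMANDLINE))
```

The practical takeaway is the same as the post’s: consume Sysmon through the structured EventData fields (XML, EVTX parsers, or a SIEM that keeps fields separate) rather than by re-parsing the rendered message text, and treat a CommandLine that contains a line break as a signal in its own right, since a legitimate one almost never does.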