DeXRAY 2.24 update

Added yet another file type to the list – K7 <md5>.qtn.

The latest version of DeXRAY can be downloaded here.

DeXRAY supports:

  • AhnLab (V3B)
  • Amiti (IFC)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • BullGuard (Q)
  • Cisco AMP
  • CMC Antivirus (CMC)
  • Comodo (not really; quarantined files are not encrypted 🙂)
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • G-Data (Q) (Magic@0=0xCAFEBABE)
  • K7 Antivirus (<md5>.QNT)
  • Kaspersky (KLQ, System Watcher’s .bin)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA) – 2 versions
  • MalwareBytes Quarantine files (QUAR) – 2 versions
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Antimalware / Microsoft Security Essentials
  • Microsoft Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 metadata + 0B AD malicious content
  • Panda Zip files
  • Sentinel One (MAL)
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN), including from SEP on Linux
  • Symantec Quarantine Index files (QBI)
  • Symantec Quarantine files on MAC (quarantine.qtn)
  • TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
  • QuickHeal files
  • Vipre (_ENC2)
  • Zemana files+quarantine.db
  • Any binary file (using X-RAY scanning)
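Several entries in the list above identify a container only by the bytes at offset 0, and the TrendMicro entry shows why that matters: its magic is the plain string 'VSBX' with every byte XORed against 0xFF. The following Python is an added example, not DeXRAY's own code: it checks a blob against the magic values the list quotes (the byte order used for the G-Data 0xCAFEBABE value and the trailing space in the Avast '-chest- ' marker are my assumptions), and it sketches the idea behind "X-RAY scanning" as a brute-force over all 256 single-byte XOR keys looking for a known plaintext marker; DeXRAY's actual heuristics may differ.

```python
"""Magic-based quarantine file identification plus a single-byte-XOR 'X-RAY'
style scan. Added example, not part of DeXRAY; sample data is constructed."""
from typing import List, Optional, Tuple

# Magic values quoted in the supported-format list above. The G-Data value is
# assumed to be stored big-endian (CA FE BA BE); the Avast marker is matched as
# a prefix so the trailing space in the original quote does not matter.
MAGICS = {
    b"-chest-": "Avast chest file",
    b"KSS": "F-Prot (TMP)",
    bytes.fromhex("CAFEBABE"): "G-Data (Q)",
    bytes.fromhex("D345C599"): "Microsoft Defender metadata",
    bytes.fromhex("0BAD"): "Microsoft Defender content",
    bytes.fromhex("A9ACBDA7"): "TrendMicro (VSBX ^ 0xFF)",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (involution: applying it twice restores data)."""
    return bytes(b ^ key for b in data)


def identify(blob: bytes) -> Optional[str]:
    """Return the container name whose magic sits at offset 0, or None."""
    for magic, name in MAGICS.items():
        if blob.startswith(magic):
            return name
    return None


def xray_scan(blob: bytes,
              marker: bytes = b"This program cannot be run in DOS mode") -> List[Tuple[int, int]]:
    """Brute-force all 256 single-byte XOR keys and report (key, offset) pairs
    where the decoded blob contains the plaintext marker. This is the spirit of
    'X-RAY' scanning over an arbitrary binary; the real tool may do more."""
    hits = []
    for key in range(256):
        offset = xor_bytes(blob, key).find(marker)
        if offset != -1:
            hits.append((key, offset))
    return hits


# Constructed sample: a fake DOS stub (not a real executable), XORed with 0x5A.
SAMPLE_PLAIN = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode"
SAMPLE_XORED = xor_bytes(SAMPLE_PLAIN, 0x5A)

if __name__ == "__main__":
    print(identify(bytes.fromhex("A9ACBDA7") + b"\x00" * 16))
    for key, offset in xray_scan(SAMPLE_XORED):
        print(f"key=0x{key:02X} marker at offset {offset}")
```

The XOR trick works in both directions, so the same `xor_bytes` call that computes the TrendMicro magic from 'VSBX' also recovers the plaintext once the key is known; for any hit the scan reports, `xor_bytes(blob, key)` is the candidate decoded content.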

When good URLs are bad for business

Analyzing memory dumps comes with a price – ‘good’ information overload. One thing that annoys me a lot is running URL/domain extraction tools over the memory dump and finding tons of legitimate URLs that make it harder to find the juicy stuff I am after. I mean, things like:

  • http://www.w3.org/2001/XMLSchema-instance
  • http://www.w3.org/2000/svg
  • http://www.w3.org/1999/xlink
  • http://www.w3.org/XML/1998/namespace
  • http://www.w3.org/1999/xhtml
  • http://www.w3.org/2000/xmlns/
  • http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd
  • http://update.microsoft.com
  • http://schemas.microsoft.com/rtc/2009/05/simplejoinconfdoc

There are a lot of ‘good’ URLs embedded in manifests, various resources (e.g. HTML/XML/JSON/CSS files), certificates, and many are introduced as a side-effect of linking with static libraries that often include copyright information and a URL to the author’s page. And of course, there is vendor information either directly in the resources or in the binary or its config files.

Memory dump analysis is not the only thing that suffers from this. The same goes for network log analysis – lots of requests that ‘hide’ the juicy stuff are related to authentication checks, downloads from certificate stores, etc.

In an effort to help with analysis I started building a small repository of these ‘good’ URLs (at the moment primarily related to certificates). I extracted these from my ‘good’ sample repository so I believe all of them are legitimate. If you find any error, please let me know.
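The workflow the post describes, extracting URLs from a dump and then dropping the known-good ones, is simple enough to show end to end. The Python below is an added example and is not the author's tooling: it embeds a constructed allowlist seeded with the URLs quoted above (the one-URL-per-line, '#'-comment layout is my assumption, not necessarily the format of the downloadable repo), runs a URL regex over a constructed byte blob standing in for a memory dump, and returns only the URLs that are not on the list.

```python
"""Extract URLs from a memory-dump-like byte blob and suppress known-good ones.
Added example; the allowlist layout and the sample dump are constructed."""
import re
from typing import Iterable, List, Set

# Permissive URL matcher over raw bytes: scheme followed by the characters
# RFC 3986 allows, stopping at NULs, quotes, spaces and other delimiters.
URL_RE = re.compile(rb"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")

# Constructed allowlist, seeded with the 'good' URLs quoted in the post.
KNOWN_GOOD_TEXT = """
# W3C namespace URIs found in almost every XML-aware binary
http://www.w3.org/2001/XMLSchema-instance
http://www.w3.org/2000/svg
http://www.w3.org/1999/xlink
http://www.w3.org/XML/1998/namespace
http://www.w3.org/1999/xhtml
http://www.w3.org/2000/xmlns/
http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd
# Microsoft update / schema endpoints
http://update.microsoft.com
http://schemas.microsoft.com/rtc/2009/05/simplejoinconfdoc
"""


def normalise(url: str) -> str:
    """Canonical form used on both sides of the comparison: trailing slash dropped."""
    return url.rstrip("/")


def parse_known_good(text: str) -> Set[str]:
    """Parse the allowlist: one URL per line, blank lines and '#' comments ignored."""
    good = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            good.add(normalise(line))
    return good


def extract_urls(blob: bytes) -> List[str]:
    """Unique URLs found in the blob, sorted for stable output."""
    found = {m.decode("ascii", "replace") for m in URL_RE.findall(blob)}
    return sorted(found)


def filter_known_good(urls: Iterable[str], known: Set[str]) -> List[str]:
    """Keep only URLs whose normalised form is not on the allowlist."""
    return [u for u in urls if normalise(u) not in known]


# Constructed sample blob (not a real dump): a few strings with NUL padding,
# including one URL that is not on the allowlist and should survive filtering.
SAMPLE_DUMP = (
    b"\x00\x00xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\x00"
    b"GET http://update.microsoft.com HTTP/1.1\x00\x00"
    b"http://schemas.microsoft.com/rtc/2009/05/simplejoinconfdoc\x00"
    b"POST http://example.net/upload\x00"
    b"<html xmlns=\"http://www.w3.org/1999/xhtml\">\x00"
)

if __name__ == "__main__":
    known = parse_known_good(KNOWN_GOOD_TEXT)
    for url in filter_known_good(extract_urls(SAMPLE_DUMP), known):
        print(url)
```

Normalising the trailing slash on both sides avoids the classic miss where the list holds `http://www.w3.org/2000/xmlns/` and the dump contains it without the slash; any further normalisation (case of the host, default ports) would go in `normalise` so that both the list and the extracted URLs stay comparable.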

You can download the repo here.