Now, it is a buggy program. I know of it so please bear with me. If you find something not working, or stupid, please tell me \ud83d\ude42<\/p>\n
Also, if you have any Quarantine files that you can share, from any AV, please send them over. I will appreciate it as it will help me to add new engines and test the support for already implemented ones. Thanks!<\/p>\n
Note: I used the code from Optiv to implement decryption of Kaspersky and Trend. This is a good stuff. Thanks to that – apart from decryption of the malware – DeXRAY now dumps additional metadata extracted from these two Quarantine file types. The metadata is stored in dedicated files with the .met extension, and is also printed to STDERR.<\/p>\n
Here is an example for Kaspersky:<\/p>\n
And for Trend:<\/p>\n The output files are saved into the following files:<\/p>\n In some cases you may find more than one .out file created for a given input files. This is the case with Trend Micro Quarantine files.<\/p>\n Another case like that is if the binary blob contains more than one encrypted PE file which is decrypted using X-Rays algorithm (basically, a number of PE files encrypted using a single byte XOR key inside one blob\/file).<\/p>\n The script can be downloaded here<\/a>.<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" DeXRAY is a private tool that turned public a few years ago. Back in a day it helped me to decrypt some Quarantine files from forensic cases I worked on. Over time I expanded it to cover more engines and … Continue reading ![\"kav\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/kav.png\")
<\/a><\/p>\n<\/a><\/p>\n\n
\n
\n
\nand contains a decrypted input file which includes both metadata and the file content<\/li>\n<\/ul>\n<\/li>\n\n
\nthat contains the actual file you want to analyze.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n