lookisurvey.blogg.se

Wondershare pdf converter mac kickass

During an incident response engagement, it is common to find the original malware that wreaked havoc in the network was deleted as part of the anti-forensics built into the code or by an over-eager first responder. To make matters worse, the deleted malware is often overwritten by the time the IR team gets on site, which can make it difficult to collect and reverse engineer the code to identify Indicators of Compromise (IOCs). However, sometimes we can get lucky and one or more workstations will have an updated anti-virus application that quarantined the malicious files for us. When McAfee or other anti-virus programs quarantine a malicious file they use an XOR process with a one-byte key to obfuscate the data. This process can be reversed from within the application, but the user never sees what is going on behind the scenes.

There are many reasons locating the original malware executable is critical to an investigation, such as reverse engineering the code, hash analysis, text string analysis, etc. None of these is the subject of this paper. This paper will show you how to extract and de-obfuscate the quarantined files from McAfee AV and Avira anti-virus applications. We will be using the WinHex hex editing tool from X-Ways Forensics to complete this process; however, there are a few other free tools that can be used to achieve the same goal. The purpose here is not to promote a tool but to demonstrate how the process works, so you have the knowledge and understanding of what is happening to the data at the disk level and can repeat it on whatever AV vendor has quarantined your files.

McAfee stores its quarantined files in a “Quarantine” directory located off the root of the C: drive. Inside the quarantine folder the malware files are stored with a “.bup” extension, and while this initially looks complicated the files are simply compound files that can be opened with 7zip or any of the forensic tools of your choice. In the screenshot below is a quarantined file in the “.bup” format provided by a colleague. Note that the eight highlighted bytes, D0 CF 11 E0 A1 B1 1A E1, are the file signature for a compound file.

There are a couple of ways to view the contents of these files. Because it is a compound file, you could use 7zip to open the archive. You are limited on the information that you can gain from the file content. For our purposes, we will continue to use WinHex to view the contents and gather additional information. After redefining the snapshot and checking the box to uncover embedded data we can see the contents of the compound file. Once complete, we can see this compound file contains three files: a small “Details” file and, in this case, two files, “File_0” and “File_1”, both showing the same size. Additionally, you may wish to hash the files contained in the archive as I did in the screenshot below.

In order for us to reverse this process manually we must know the one-byte XOR key, which is difficult to decipher from the data in the “Details” file.
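The following Python script is an added example, not code from the paper or from any AV vendor. It shows the two checks an analyst performs on a quarantine container: confirming the compound-file signature (D0 CF 11 E0 A1 B1 1A E1) and reversing the one-byte XOR obfuscation. Rather than hard-coding a vendor's key, it recovers the key from known plaintext: a quarantined Windows executable must start with the DOS header bytes "MZ", and the decoded "Details" stream must be readable text. It assumes the "File_0" and "Details" streams have already been pulled out of the .bup compound file (with 7zip or WinHex, as described above); the sample bytes and the key 0x5C are constructed for the demonstration. The recovered executable is hashed with SHA-256, matching the hashing step mentioned in the text.

```python
import hashlib
import string

# 8-byte signature of an OLE2 / compound file, as highlighted in the hex dump.
COMPOUND_FILE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Known plaintext: a quarantined Windows executable begins with the DOS header magic.
PE_MAGIC = b"MZ"

# Byte values considered printable when sanity-checking a decoded Details stream.
PRINTABLE = frozenset(string.printable.encode())


def is_compound_file(data: bytes) -> bool:
    """True when the buffer starts with the compound-file signature."""
    return data[: len(COMPOUND_FILE_MAGIC)] == COMPOUND_FILE_MAGIC


def xor_one_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def recover_xor_key(obfuscated_exe: bytes, obfuscated_details: bytes) -> int:
    """Recover the one-byte key from the obfuscated File_0 and Details streams.

    Every key that turns the first two bytes of File_0 into "MZ" is a candidate
    (for a two-byte known plaintext there is at most one); it is accepted only if
    the Details stream decodes to mostly printable text. A ValueError is raised
    when nothing fits, so a caller never silently works with junk.
    """
    candidates = [
        k for k in range(256) if xor_one_byte(obfuscated_exe[:2], k) == PE_MAGIC
    ]
    for key in candidates:
        if printable_ratio(xor_one_byte(obfuscated_details, key)) > 0.9:
            return key
    raise ValueError("no single-byte XOR key yields an MZ header and readable Details")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, used to record the hash of the recovered file."""
    return hashlib.sha256(data).hexdigest()


def deobfuscate_quarantine(obfuscated_exe: bytes, obfuscated_details: bytes) -> dict:
    """Recover the key, decode both streams and hash the recovered executable."""
    key = recover_xor_key(obfuscated_exe, obfuscated_details)
    exe = xor_one_byte(obfuscated_exe, key)
    details = xor_one_byte(obfuscated_details, key).decode("ascii", errors="replace")
    return {"key": key, "file_0": exe, "details": details, "sha256": sha256_hex(exe)}


# --- Constructed sample data (not a real quarantined file) ---------------------
SAMPLE_KEY = 0x5C  # constructed key; the routine above does not assume it
SAMPLE_EXE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n"
    + bytes(range(64))
)
SAMPLE_DETAILS = (
    b"[Details]\r\n"
    b"DetectionName=Constructed.Sample\r\n"
    b"OriginalName=C:\\TEMP\\SAMPLE.EXE\r\n"
)
SAMPLE_BUP_HEADER = COMPOUND_FILE_MAGIC + b"\x00" * 16  # minimal stand-in header
OBFUSCATED_EXE = xor_one_byte(SAMPLE_EXE, SAMPLE_KEY)
OBFUSCATED_DETAILS = xor_one_byte(SAMPLE_DETAILS, SAMPLE_KEY)


if __name__ == "__main__":
    print("compound file signature present:", is_compound_file(SAMPLE_BUP_HEADER))
    result = deobfuscate_quarantine(OBFUSCATED_EXE, OBFUSCATED_DETAILS)
    print("recovered XOR key: 0x%02X" % result["key"])
    print("File_0 starts with:", result["file_0"][:2])
    print("SHA-256 of recovered File_0:", result["sha256"])
    print(result["details"])
```

Because XOR with a single byte is its own inverse, the same routine both obfuscates the constructed sample and decodes it; on a real .bup the analyst feeds in the raw bytes of the extracted streams and records the returned hash alongside the original filename from the Details stream.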