Showing posts from September, 2016

QuickSand.io In Depth - Part 2 The Reports

QuickSand.io Reports

Today we're going to dig deeper into the QuickSand.io document malware analysis reporting, and how the analyst can drill into the results and extracted executables.



Header

The report header contains the information you'd expect: analysis time (for the submitted times you'll have to look at the submissions json page) and file hashes. is_malware is 0 for clean, 1 for suspicious active content, 2 for exploits and embedded executables. Score: each yara rule for exploits or active content adds to the score. Runtime: it's fast. The yara hits are grouped as exploits (CVE #), executables (windows/mac/VB and whether a PE header is found), and general (the trojan signatures from Malware Tracker).



Streams

The streams section of the report is where you can dig deeper into the content and cryptanalysis results. Clicking the headers expands the sections and the indentation shows the object relationships. Grey titles are less interesting, red have exploits, and brown have…

QuickSand.io in depth

In addition to our Cryptam tool, we created QuickSand.io, a fast C document forensics tool which can conduct cryptanalysis attacks on some XOR ciphers. QuickSand is a CLI, a C Library, and can be wrapped in a web interface.

QuickSand has a lot more user-customizable attack options for special cases while keeping the default analysis as fast as possible.

Exploits

Known exploits are scanned using embedded Yara, and document streams are decoded - hex, base 64, zip, gzip. We don't handle PDF streams - you'll still need PDFExaminer.com for that.

Finding Embedded exe's

XOR+Rol from 20-10 bytes are found instantly with the default cryptanalysis attack.

Optional attacks

XOR Lookahead - where the current byte is xored with the following byte.
Math ciphers - +1 to +255 (equivalent to -1 to -255).
Bitwise not
Brute force 1 byte xor - for when null space is not replaced.
Odd XOR lengths
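
A sketch of how an analyst could apply the lookahead, math and 1 byte brute-force attacks listed above to a suspect stream, searching the decoded view for the PE DOS-stub string. This is an added example, not QuickSand's code or part of the original post: all names, the marker choice and the lookahead decode rule (plain = byte XOR next encoded byte) are assumptions, and bitwise not is covered as XOR key 0xFF.

```c
#include <string.h>

enum xform { X_LOOKAHEAD = 1, X_XOR, X_ADD };      /* hypothetical names */
struct hit { enum xform t; unsigned key; long off; };
static const char MARK[] = "This program cannot be run in DOS mode"; /* PE DOS-stub text */

/* Decoded value of byte i under transform t with one-byte parameter k. */
static unsigned char dec(const unsigned char *b, size_t n, size_t i, enum xform t, unsigned k) {
    if (t == X_XOR) return (unsigned char)(b[i] ^ k);
    if (t == X_ADD) return (unsigned char)(b[i] + k);               /* math cipher, mod 256 */
    return (unsigned char)(i + 1 < n ? b[i] ^ b[i + 1] : b[i]);     /* assumed lookahead rule */
}

/* Offset of MARK in the decoded view of b, or -1. The buffer is never copied. */
static long find_mark(const unsigned char *b, size_t n, enum xform t, unsigned k) {
    size_t m = sizeof MARK - 1;
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && dec(b, n, i + j, t, k) == (unsigned char)MARK[j]) j++;
        if (j == m) return (long)i;
    }
    return -1;
}

/* Try the keyless lookahead first, then all 255 one-byte keys for XOR and ADD. */
int scan(const unsigned char *b, size_t n, struct hit *h) {
    for (int t = X_LOOKAHEAD; t <= X_ADD; t++)
        for (unsigned k = 1; k <= (t == X_LOOKAHEAD ? 1u : 255u); k++)
            if ((h->off = find_mark(b, n, (enum xform)t, k)) >= 0) {
                h->t = (enum xform)t; h->key = t == X_LOOKAHEAD ? 0 : k;
                return 1;
            }
    return 0;
}

/* Constructed sample (62 bytes): 16 filler bytes, MARK, 8 filler bytes, encoded with t/k. */
size_t make_sample(unsigned char *out, enum xform t, unsigned k) {
    size_t n = 16 + sizeof MARK - 1 + 8;
    memset(out, 'A', n);
    memcpy(out + 16, MARK, sizeof MARK - 1);
    for (size_t i = n; i-- > 0; ) {
        if (t == X_XOR) out[i] ^= (unsigned char)k;
        else if (t == X_ADD) out[i] = (unsigned char)(out[i] - k);
        else if (i + 1 < n) out[i] ^= out[i + 1];   /* lookahead, built back to front */
    }
    return n;
}
```

The reported key for a math cipher is the value added to decode, so a stream encoded by subtracting 0x11 is reported as ADD with key 0x11.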


Example odd xor length: This sample contains an exe obfuscated with a 21 byte XOR key:
./quicksand.out ma…