Searching through VirusTotal Intelligence, I found a couple of .iso files (CD & DVD images) containing a malicious EXE, spammed via email like this one. Here is the attached .iso file (from May 25th 2017) on VirusTotal, with name “REQUEST FOR QUOTATION,DOC.iso”.
Recent versions of Windows (Windows 8 and later) mount an .iso file when you double-click it: the image shows up as a virtual DVD drive, and the files inside it can be opened or executed directly. That is what makes the format attractive as a container for a malicious executable.
To look inside an image without mounting it, I use the Python library isoparser.
Here is how I use it interactively to look into the ISO file. I create an iso object from an .iso file, and then I list the children of the root object:
The root folder contains one file: DIALOG42.EXE.
Looking into the content of file DIALOG42.EXE, I see the first two bytes are MZ, the DOS header signature every PE file starts with (so this is very likely a PE file):
And I can also retrieve all the content to calculate the MD5 hash:
This is a quick & dirty Python script to dump the first file in an ISO image to stdout:

```python
import isoparser
import sys
import os

# Parse the image given as first argument and take the first entry of the root directory.
oIsoparser = isoparser.parse(sys.argv[1])
if sys.platform == 'win32':
    # Put stdout in binary mode so Windows does not turn \n into \r\n in the dumped bytes.
    import msvcrt
    msvcrt.setmode(sys.stdout.fileno(), os.O_BINARY)
# Write the raw bytes; on Python 3 the binary stream is sys.stdout.buffer.
getattr(sys.stdout, 'buffer', sys.stdout).write(oIsoparser.root.children[0].content)
```
This allows me to pipe the content into other programs, like pecheck.py:
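The steps above (find the root directory, list its entries, check the first bytes of each file, hash the content) are exactly what a minimal ISO 9660 reader has to do, so here is one written out as an added example. It is not isoparser and not code from this post; it reads only the primary volume descriptor at sector 16 and walks the directory tree from there (no Joliet, Rock Ridge or El Torito support, which is enough for images like this one, since the primary tree always lists the files under 8.3-style names). To keep it self-contained it also assembles a constructed sample image holding a fake DIALOG42.EXE that merely starts with MZ; the names SAMPLE_PAYLOAD, build_sample_iso, iter_iso_files and summarize are this example's own.

```python
"""Minimal ISO 9660 walker: list every file in an image, hash it and flag MZ
headers.  Added example; not isoparser and not code from the original post."""
import hashlib
import struct

SECTOR = 2048  # ISO 9660 logical block size used by practically every image


def _both32(n):  # both-byte-order 32-bit field: little-endian, then big-endian
    return struct.pack("<I", n) + struct.pack(">I", n)


def _both16(n):
    return struct.pack("<H", n) + struct.pack(">H", n)


def _dir_record(name, lba, size, is_dir):
    """Build one ECMA-119 directory record (used only to construct the sample)."""
    body = (b"\x00" + _both32(lba) + _both32(size) + bytes(7)
            + bytes([2 if is_dir else 0, 0, 0]) + _both16(1)
            + bytes([len(name)]) + name)
    if len(name) % 2 == 0:
        body += b"\x00"  # pad so the record length is even
    return bytes([len(body) + 1]) + body


def _read_record(buf, off):
    """Parse a directory record at buf[off]; None means padding (length byte 0)."""
    length = buf[off]
    if length == 0:
        return None
    lba = struct.unpack_from("<I", buf, off + 2)[0]      # extent location
    size = struct.unpack_from("<I", buf, off + 10)[0]    # data length
    is_dir = bool(buf[off + 25] & 2)                     # file flags, bit 1
    name_len = buf[off + 32]
    return length, lba, size, is_dir, buf[off + 33:off + 33 + name_len]


def iter_iso_files(image):
    """Yield (path, content) for every file reachable from the primary volume
    descriptor's root directory.  Primary ISO 9660 tree only."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[:1] != b"\x01" or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    _, root_lba, root_size, _, _ = _read_record(pvd, 156)
    queue = [("", root_lba, root_size)]
    while queue:
        path, lba, size = queue.pop(0)
        data = image[lba * SECTOR:lba * SECTOR + size]
        off = 0
        while off < len(data):
            rec = _read_record(data, off)
            if rec is None:  # zero length byte: rest of this sector is padding
                off = (off // SECTOR + 1) * SECTOR
                continue
            length, elba, esize, is_dir, name = rec
            off += length
            if name in (b"\x00", b"\x01"):  # the "." and ".." entries
                continue
            full = path + "/" + name.decode("ascii", "replace").split(";")[0]
            if is_dir:
                queue.append((full, elba, esize))
            else:
                yield full, image[elba * SECTOR:elba * SECTOR + esize]


def file_digests(data):
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def summarize(image):
    """One dict per file: path, size, hashes and whether it starts with MZ."""
    return [dict(path=p, size=len(c), is_mz=c[:2] == b"MZ", **file_digests(c))
            for p, c in iter_iso_files(image)]


# Constructed sample payload: 102 bytes that only *look* like a PE header.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 100


def build_sample_iso(payload=SAMPLE_PAYLOAD):
    """Assemble a tiny but valid ISO 9660 image holding DIALOG42.EXE (constructed)."""
    assert len(payload) <= SECTOR  # sample layout gives the file a single sector
    root_lba, file_lba = 18, 19
    root = (_dir_record(b"\x00", root_lba, SECTOR, True)
            + _dir_record(b"\x01", root_lba, SECTOR, True)
            + _dir_record(b"DIALOG42.EXE;1", file_lba, len(payload), False))
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1   # type 1 = primary descriptor
    pvd[40:72] = b"CONSTRUCTED".ljust(32)       # volume identifier
    pvd[80:88] = _both32(20)                    # volume space size in blocks
    pvd[120:128] = _both16(1) * 2               # volume set size, sequence number
    pvd[128:132] = _both16(SECTOR)              # logical block size
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, True)
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1  # descriptor set terminator
    return (bytes(16 * SECTOR) + bytes(pvd) + bytes(term)
            + root.ljust(SECTOR, b"\x00") + payload.ljust(SECTOR, b"\x00"))


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_iso()
    for entry in summarize(image):
        print(entry)
```

Run it with a path to an .iso to get one line per file with its size, MD5, SHA256 and an is_mz flag; run it without arguments and it walks the constructed sample. Note that the is_mz flag is only a hint: it tells you the first two bytes are the DOS header signature, not that the file is a valid PE, so the content should still go to a proper PE parser such as pecheck.py.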
Did you know that 7z can extract contents from .iso files?
Comment by Mordac — Monday 17 July 2017 @ 22:26
Yes. 7z can open many files.
Comment by Didier Stevens — Monday 17 July 2017 @ 22:31
I’ve also seen .JS files inside .iso phishes,
Comment by Cadrom — Monday 17 July 2017 @ 22:44
I’ll have to search for these too, thanks.
Comment by Didier Stevens — Monday 17 July 2017 @ 22:45
Whoops, my mistake those JS were actually inside .cab files.
Comment by Cadrom — Monday 17 July 2017 @ 23:02
This one was burned with ImgBurn v2.5.8.0, and has DESKTOP222 string in it: https://www.virustotal.com/en/file/d54ee3db4185c638bac422a898ceb4acef54c5479f1f99f4cb165bb56a034ad3/analysis/
Comment by Waffle — Monday 17 July 2017 @ 23:10
[…] He shows how he analyses ISO files that contain malicious executables. Quickpost: Analyzing .ISO Files Containing Malware […]
Pingback by Week 29 – 2017 – This Week In 4n6 — Sunday 23 July 2017 @ 11:07
[…] was asked if malware authors can abuse autorun.inf files in .ISO files: no, nothing will execute automatically when you open an .ISO file with autorun.inf file in Windows […]
Pingback by .ISO Files & autorun.inf | Didier Stevens — Saturday 29 July 2017 @ 21:27
[…] posts: Quickpost: Analyzing .ISO Files Containing Malware, .ISO Files With […]
Pingback by .ISO Files With Zone.Identifier – Didier Stevens Videos — Sunday 30 July 2017 @ 10:26
[…] posts: Quickpost: Analyzing .ISO Files Containing Malware, .ISO Files With […]
Pingback by .ISO Files & autorun.inf – Didier Stevens Videos — Sunday 30 July 2017 @ 10:28
[…] Stevens posted a few times about analysing malicious ISO files and a reminder that ZoneIdentifier’s don’t follow […]
Pingback by This Month In 4n6 – July – 2017 – This Week In 4n6 — Monday 31 July 2017 @ 13:55
[…] Quickpost: Analyzing .ISO Files Containing Malware […]
Pingback by Overview of Content Published In July | Didier Stevens — Tuesday 1 August 2017 @ 21:52
[…] posts: Quickpost: Analyzing .ISO Files Containing Malware, .ISO Files With […]
Pingback by .ZIP Files With Zone.Identifier – Didier Stevens Videos — Thursday 10 August 2017 @ 20:03