Didier Stevens

Monday 17 July 2017

Quickpost: Analyzing .ISO Files Containing Malware

Filed under: Malware,Quickpost — Didier Stevens @ 22:15

Searching through VirusTotal Intelligence, I found a couple of .iso files (CD & DVD images) containing a malicious EXE spammed via email like this one. Here is the attached .iso file (from May 25th 2017) on VirusTotal, with name “REQUEST FOR QUOTATION,DOC.iso”.

Recent versions of Windows will open ISO files like a folder, and give you access to the contained files.

I found the Python library isoparser to help me analyze .iso files.

Here is how I use it interactively to look into the ISO file. I create an iso object from an .iso file, and then I list the children of the root object:

The root folder contains one file: DIALOG42.EXE.

Looking into the content of file DIALOG42.EXE, I see the header is MZ (very likely a PE file):

And I can also retrieve all the content to calculate the MD5 hash:
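The same triage (list the root folder, check for the MZ header, hash the content) can be done with the standard library alone; this is an added example, not code from the original post, using a minimal ISO 9660 reader written for illustration. The helper names, the in-memory sample image and its SAMPLE.EXE stub are constructed, and the reader assumes a plain ISO 9660 root directory (no Joliet, UDF or subfolders).

```python
import hashlib
import struct
SECTOR = 2048  # ISO 9660 logical sector size

def parse_record(buf, off):
    """Decode one ISO 9660 directory record at byte offset off."""
    lba, size = struct.unpack_from("<I4xI", buf, off + 2)  # little-endian halves
    name = buf[off + 33: off + 33 + buf[off + 32]]
    return buf[off], lba, size, buf[off + 25], name

def list_root(image):
    """Name, size, MZ check and MD5 for each entry in the root directory."""
    pvd = 16 * SECTOR  # the primary volume descriptor is in sector 16
    if image[pvd:pvd + 6] != b"\x01CD001":
        raise ValueError("no ISO 9660 primary volume descriptor")
    _, lba, size, _, _ = parse_record(image, pvd + 156)  # root directory record
    off, end, found = lba * SECTOR, lba * SECTOR + size, []
    while off < end:
        length, f_lba, f_size, flags, name = parse_record(image, off)
        if length == 0:  # records never span sectors: skip the padding
            off = (off // SECTOR + 1) * SECTOR
            continue
        if name not in (b"\x00", b"\x01"):  # skip the "." and ".." entries
            data = image[f_lba * SECTOR: f_lba * SECTOR + f_size]
            found.append({"name": name.split(b";")[0].decode("ascii", "replace"),
                          "size": f_size, "is_dir": bool(flags & 2),
                          "mz": data[:2] == b"MZ", "md5": hashlib.md5(data).hexdigest()})
        off += length
    return found

def make_record(lba, size, flags, name):  # builder for the constructed sample only
    body = (b"\x00" + struct.pack("<I", lba) + struct.pack(">I", lba)
            + struct.pack("<I", size) + struct.pack(">I", size) + bytes(7)
            + bytes([flags, 0, 0]) + b"\x01\x00\x00\x01" + bytes([len(name)]) + name)
    body += b"\x00" * (1 - len(body) % 2)  # pad so the record length is even
    return bytes([len(body) + 1]) + body

def build_sample_iso(name, payload):  # constructed image: PVD, root folder, one file
    img = bytearray(20 * SECTOR)
    root = make_record(18, SECTOR, 2, b"\x00")
    listing = root + make_record(18, SECTOR, 2, b"\x01") + make_record(19, len(payload), 0, name)
    img[16 * SECTOR:16 * SECTOR + 7] = b"\x01CD001\x01"
    img[16 * SECTOR + 156:16 * SECTOR + 156 + len(root)] = root
    img[18 * SECTOR:18 * SECTOR + len(listing)] = listing
    img[19 * SECTOR:19 * SECTOR + len(payload)] = payload
    return bytes(img)

SAMPLE = build_sample_iso(b"SAMPLE.EXE;1", b"MZ" + bytes(62))  # constructed stub, not a real PE
print(list_root(SAMPLE))
```

To run it on a real image, pass the file's bytes to list_root() instead of SAMPLE.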

This is a quick & dirty Python script to dump the first file in an ISO image to stdout:

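import isoparser
import sys
import os

# Parse the ISO image given as the first command-line argument
oIsoparser = isoparser.parse(sys.argv[1])

# On Windows, switch stdout to binary mode so the bytes are not altered
if sys.platform == 'win32':
    import msvcrt
    msvcrt.setmode(sys.stdout.fileno(), os.O_BINARY)

# Write the raw content of the first file in the root folder to stdout
# (sys.stdout.buffer on Python 3, sys.stdout itself on Python 2)
getattr(sys.stdout, 'buffer', sys.stdout).write(oIsoparser.root.children[0].content)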

This allows me to pipe the content into other programs, like pecheck.py:


Quickpost info


  1. Did you know that 7z can extract contents from .iso files?

    Comment by Mordac — Monday 17 July 2017 @ 22:26

  2. Yes. 7z can open many files.

    Comment by Didier Stevens — Monday 17 July 2017 @ 22:31

  3. I’ve also seen .JS files inside .iso phishes.

    Comment by Cadrom — Monday 17 July 2017 @ 22:44

  4. I’ll have to search for these too, thanks.

    Comment by Didier Stevens — Monday 17 July 2017 @ 22:45

  5. Whoops, my mistake, those JS were actually inside .cab files.

    Comment by Cadrom — Monday 17 July 2017 @ 23:02

  6. This one was burned with ImgBurn v2.5.8.0, and has DESKTOP222 string in it: https://www.virustotal.com/en/file/d54ee3db4185c638bac422a898ceb4acef54c5479f1f99f4cb165bb56a034ad3/analysis/

    Comment by Waffle — Monday 17 July 2017 @ 23:10

  7. […] He shows how he analyses ISO files that contain malicious executables. Quickpost: Analyzing .ISO Files Containing Malware […]

    Pingback by Week 29 – 2017 – This Week In 4n6 — Sunday 23 July 2017 @ 11:07
