Sometimes I just need to search for a string in the files of a ZIP container, and for that I need to create a small YARA rule.
With this new version, I can let zipdump generate the rule; I just need to provide the string. The value provided to option -y needs to start with #s# (s stands for string). Here is an example where I search for the string HUBBLE:
zipdump_v0_0_11.zip (https)
MD5: E97E0191757230D2C7F9109B91636BF7
SHA256: 6640F971F61F7915D89388D3072854C00C81C47476A96CAC7BE6740DA348467B
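To show what the #s# shorthand boils down to, here is an added example (not zipdump's own code) that turns a "#s#STRING" value into YARA rule source and then checks every member of a ZIP container for that string. The rule name and layout are this example's assumptions, not necessarily what zipdump emits, and plain substring matching stands in for the YARA engine so the script runs with the standard library only. The sample ZIP is constructed in memory.

```python
import io
import zipfile

# Constructed sample ZIP: an OOXML-like container with one member that
# contains the target string and one that does not.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("word/document.xml", "<w:t>Hello HUBBLE telescope</w:t>")
    _zf.writestr("word/styles.xml", "<w:styles/>")
SAMPLE_ZIP_BYTES = _buf.getvalue()


def rule_from_shorthand(value):
    """Turn a '#s#<string>' shorthand into YARA rule source.

    The '#s#' prefix is the form the post describes for option -y; the rule
    name 'string_search' and the layout are assumptions of this example.
    """
    if not value.startswith("#s#"):
        raise ValueError("shorthand must start with #s#")
    needle = value[3:]
    if not needle:
        raise ValueError("no string given after #s#")
    # Escape backslashes and double quotes so the rule stays valid YARA.
    escaped = needle.replace("\\", "\\\\").replace('"', '\\"')
    return (
        "rule string_search {\n"
        "    strings:\n"
        f'        $a = "{escaped}"\n'
        "    condition:\n"
        "        $a\n"
        "}\n"
    )


def scan_zip_with_string(zip_bytes, value, pwd=None):
    """Return (rule_source, matching_member_names) for an in-memory ZIP.

    Every non-directory member is read (decrypted with pwd if given) and
    checked for the shorthand string, mirroring a scan inside the container
    rather than of the container itself.
    """
    rule = rule_from_shorthand(value)
    needle = value[3:].encode()
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if needle in zf.read(info, pwd):
                hits.append(info.filename)
    return rule, hits


if __name__ == "__main__":
    rule, hits = scan_zip_with_string(SAMPLE_ZIP_BYTES, "#s#HUBBLE")
    print(rule)
    for name in hits:
        print("match:", name)
```

Only members containing the string are reported, so a hit names the XML part (for example word/document.xml) that carries the text, which is the same granularity a per-member YARA scan of the container gives.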
[…] I did with zipdump, this oledump version now also supports YARA rules provided via the command-line (# and […]
Pingback by Update: oledump.py Version 0.0.28 | Didier Stevens — Thursday 20 July 2017 @ 18:45
[…] He updated zipdump to version 0.0.11, adding the ability to auto-generate a YARA rule based off a string, and then search a zip file. Update: zipdump.py Version 0.0.11 […]
Pingback by Week 29 – 2017 – This Week In 4n6 — Sunday 23 July 2017 @ 11:09
[…] Update: zipdump.py Version 0.0.11 […]
Pingback by Overview of Content Published In July | Didier Stevens — Tuesday 1 August 2017 @ 21:52
[…] oledump.py, zipdump.py, base64dump.py, […]
Pingback by Emotet Maldoc & ViperMonkey – Didier Stevens Videos — Thursday 10 August 2017 @ 20:03
[…] oledump.py, zipdump.py, base64dump.py, pecheck.py, […]
Pingback by Metasploit’s msf.docm Analysis – Didier Stevens Videos — Monday 21 August 2017 @ 20:39
[…] rules can be used in combination with a tool like zipdump.py to scan XML files inside the ZIP container with the YARA […]
Pingback by Detecting DDE in MS Office documents | NVISO LABS – blog — Wednesday 11 October 2017 @ 11:45
[…] first sample uses PowerShell to download an executable and run it. With zipdump.py and our YARA rules we can extract the command, and with sed command […]
Pingback by YARA DDE rules: DDE Command Execution observed in-the-wild | NVISO LABS – blog — Thursday 12 October 2017 @ 11:13
[…] of file vbaProject.bin. This rule must be used with a tool that can scan inside ZIP files, like zipdump.py or […]
Pingback by Analyzing Metasploit’s Office Maldoc | Didier Stevens — Thursday 2 November 2017 @ 0:00
[…] I want to see the content of (malicious) .docx files without using MS Office. I will use my zipdump.py tool to extract the XML file with the content, and then use sed or translate.py to strip out XML […]
Pingback by New Tool: xmldump.py | Didier Stevens — Monday 18 December 2017 @ 0:00
[…] I often store malware in password protected ZIP files, these files can be analyzed too provided you use zipdump.py: […]
Pingback by SpiderMonkey and STDIN | Didier Stevens — Tuesday 24 April 2018 @ 0:00
[…] started the analysis of the file using Didier Stevens' tool for any PK file called zipdump. The output seemed that of a normal OOXML […]
Pingback by Furoner.CAT — Friday 18 May 2018 @ 13:04
[…] started the analysis of the file using Didier Stevens' tool for any PK file called zipdump. The output seemed that of a normal OOXML […]
Pingback by Apparent bening DOCX decoy that delivers malware – Furoner.CAT — Friday 18 May 2018 @ 13:07