Didier Stevens

Friday 21 July 2017

Update: emldump.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 22:15

This new version outputs the filename for attachments:

emldump_V0_0_10.zip (https)
MD5: 34DBB3BCB1A2B04C45286C0583F11C07
SHA256: C5877E252DDB61B40BFFCC5403DB500E672DACFE96FAA7D1E0668246C5202DE5

Thursday 20 July 2017

Update: oledump.py Version 0.0.28

Filed under: My Software,Update — Didier Stevens @ 18:45

Like I did with zipdump, this oledump version now also supports YARA rules provided via the command-line (# and #s#).

oledump_V0_0_28.zip (https)
MD5: D89C1E0DA9A95A166EF8F36165F6A873
SHA256: 58F44B68BC997C2A7F329978E13DC50E406CCCCD2017C0375AA144712F029BFB

Wednesday 19 July 2017

Update:zipdump.py Version 0.0.11

Filed under: My Software,Update — Didier Stevens @ 22:20

Sometimes I just need to search for a string in the files of a ZIP container, and for that I need to create a small YARA rule.

With this new version, I can let zipdump generate the rule, I just need to provide the string. The value provided to option -y needs to start with #s# (s stands for string). Here is an example where I search for string HUBBLE:

zipdump_v0_0_11.zip (https)
MD5: E97E0191757230D2C7F9109B91636BF7
SHA256: 6640F971F61F7915D89388D3072854C00C81C47476A96CAC7BE6740DA348467B

Tuesday 18 July 2017

.ISO Files With Zone.Identifier

Filed under: maldoc,Malware — Didier Stevens @ 22:20

An .iso file downloaded from the Internet (thus with a Zone.Identifier ADS) opened in Windows 10 will not propagate this “mark-of-the-web” to the contained files.

Here is an example with file demo.iso, marked as downloaded from the Internet:

When this file is opened (double-clicked), it is mounted as a drive (E: in this example), and we see the content (a Word document: demo.docx):

This file is not marked as downloaded from the Internet:

Word does not open it in Protected View:

Monday 17 July 2017

Quickpost: Analyzing .ISO Files Containing Malware

Filed under: Malware,Quickpost — Didier Stevens @ 22:15

Searching through VirusTotal Intelligence, I found a couple of .iso files (CD & DVD images) containing a malicious EXE spammed via email like this one. Here is the attached .iso file (from May 25th 2017) on VirusTotal, with name “REQUEST FOR QUOTATION,DOC.iso”.

Recent versions of Windows will open ISO files like a folder, and give you access to the contained files.

I found Python library isoparser to help me analyze .iso files.

Here is how I use it interactively to look into the ISO file. I create an iso object from an .iso file, and then I list the children of the root object:

The root folder contains one file: DIALOG42.EXE.

Looking into the content of file DIALOG42.EXE, I see the header is MZ (very likely a PE file):

And I can also retrieve all the content to calculate the MD5 hash:

This is a quick & dirty Python script to dump the first file in an ISO image to stdout:

import isoparser
import sys
import os

oIsoparser = isoparser.parse(sys.argv[1])

if sys.platform == 'win32':
    import msvcrt
    msvcrt.setmode(sys.stdout.fileno(), os.O_BINARY)

This allows me to pipe the content into other programs, like pecheck.py:


Quickpost info

Sunday 16 July 2017

Beta: format-bytes.py

Filed under: Beta,My Software — Didier Stevens @ 23:57

I needed a tool that can interpret bytes as various integers, so I came up with format-bytes.py:

I’m not happy yet with the layout of the output, that’s why it’s beta.


Saturday 15 July 2017

Mimikatz Videos

Filed under: Hacking — Didier Stevens @ 21:01

I created more mimikatz videos.

And if you didn’t see it, @gentilkiwi created a BSOD command for minesweeper ;-).

mimikatz and protected processes:

mimkatz RPC mode:

And mimikatz skeleton command:

Friday 14 July 2017

ClamAV sigtool –decode-sigs

Filed under: Malware — Didier Stevens @ 0:00

Here is a great tip from @PintAndClick: you can pipe the output of sigtool –find-sigs into sigtool –decode-sigs to get a nice breakdown of the signatures:


Thursday 13 July 2017

Analyzing ClamAV Signatures – Correction

Filed under: Malware — Didier Stevens @ 23:26

My previous blog post “Analyzing ClamAV Signatures” is incorrect. Here is a better explanation.

I wrongly assumed that the signature printed in the debug statement would be the actual signature in the ClamAV database. That is not always the case.

So here is a better method.

First I update the signatures (yup, that’s ClamAV on Windows):

This is a standard scan:

The signature is Win.Trojan.Mimikatz-6331391-0.

Then I do a search with sigtool in the database, providing a regular expression (Mimikatz-6331391) to match signature names (this matching process is case sensitive):

And this signature is more interesting. This is an extended signature. It is composed of several fields (: is the separator). Here I have each field on a separate line:

Field 1 is the name of the signature.

Field 2 is the type of file to scan: 1 is for PE files

Field 3 is the part of the file to scan: SE1 is the second section of the PE file.

Field 4 is the hex signature: the sequence of bytes to search for in the section, expressed as hexadecimal data. {-10} is a wildcard for 0 to 10 arbitrary bytes.

Field 5 is the minimum version of the ClamAV engine that supports this type of signature.

The bytes represent strings (UNICODE and ASCII):

This signature does not trigger on the genuine mimikatz binaries:

Wednesday 12 July 2017

Analyzing ClamAV Signatures

Filed under: Malware — Didier Stevens @ 0:00

While updating my Petya/Notpetya notes, I saw that ClamAV now detects resources 1 and 2 (zlib compressed PE files) as Mimikatz. Curious about how they detect Mimikatz, I wanted to take a look at the signature. I’ve done this before, but I forgot exactly how. So here is a blog post to remind me next time.

First I update the signatures (yup, that’s ClamAV on Windows):

This is a standard scan:

The signature is Win.Trojan.Mimikatz-6331391-0.

Then I do a scan with option –debug, this will print out the signature:

The signature is: 2813d34f6197eb4df42c886ec7f234a1:47616:Win.Trojan.Mimikatz-6331391-0

I hoped for something more interesting: this is an MD5 hash-based signature. 2813d34f6197eb4df42c886ec7f234a1 is the MD5 hash of the file, 47616 is its file size, and Win.Trojan.Mimikatz-6331391-0 is the signature name.



« Previous PageNext Page »

Blog at WordPress.com.