
Setup Factory Extraction Support #266

Closed
xorhex opened this issue Aug 29, 2024 · 6 comments
Comments

@xorhex

xorhex commented Aug 29, 2024

Possible to add extraction support for Setup Factory installers? Thanks!

Test Sample: 21321fbdc67896cc8e41cbf2c4c8430ecf5992040491fc477864c5363e3ae3d8

https://medium.com/@FatzQatz/unveiling-the-mustang-panda-operation-attack-on-thai-parliament-member-ac197a1ad8fa

@gdesmar gdesmar self-assigned this Aug 29, 2024
@gdesmar
Collaborator

gdesmar commented Aug 29, 2024

Hi!
I went through the blog post you linked and it does look very valuable to extract that AmindPDFCore.dll statically. Would you know of any tool that can open Setup Factory installers, or documentation on how to read those files to extract internal resources?

For the moment, it looks like a sandbox like CAPE and our Assemblyline CAPE module would be able to extract it, but it does take a more complex setup and more time/resources.

@xorhex
Author

xorhex commented Aug 29, 2024

Hey!

All I've been able to find so far is https://github.com/Bioruebe/UniExtract2/releases (have not tried it), but at the same time I'm guessing it only has support for older versions of Setup Factory (Bioruebe/UniExtract2#52 (comment)).

@xorhex
Author

xorhex commented Aug 29, 2024

Have not tried this either, but looks promising: https://github.com/Puyodead1/SFUnpacker

@gdesmar
Collaborator

gdesmar commented Aug 29, 2024

I'll add suf001 to the list in case it could become handy.

Sadly, UniExtract and suf001 do not look to be running well on Wine, and for the moment, we are running all of our tools on Linux.

I looked at SFUnpacker, and it doesn't seem to have an official release. I tried to download the original Observer, from which most of the code comes, and it's not pre-compiled either. They refer to vcpkg and Visual Studio, which are both Windows tools, but vcpkg looks to support Linux? Maybe there is a way to compile it to run on Linux, but I wouldn't hold my breath there. Maybe there's a way to compile it on Windows and run it in Wine, but that would also need a few tests.

I took a quick look at the code, and it's not too large. The overlay of your initial test sample is indeed starting with the SetupFactory8 signature, so I'd really love to add support if we find a way to run the code, or someone wants to rewrite it in python...! I may look into that later, but I have no timeline and no guarantee. I see an #include <Windows.h> and depending on how it's used, may break easy portability.
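The comment above hinges on one triage fact: the sample's PE overlay (the bytes appended after the last section) begins with the Setup Factory 8 marker. The following Python is an added example, not code from this issue, from sfextract or from SFUnpacker. It walks the PE section table to locate the overlay and checks whether the overlay starts with a caller-supplied marker. The actual Setup Factory marker bytes are not given on this page, so the example takes them as a parameter and uses a clearly labelled placeholder value in its self-test; the minimal PE it builds is constructed inline so the check runs offline.

```python
import struct

# Placeholder only: the real Setup Factory 8 overlay marker is not on this page.
# Pass the genuine byte pattern as `marker` when using this against real files.
PLACEHOLDER_MARKER = b"<SetupFactory8-marker-placeholder>"


def overlay_offset(data: bytes) -> int:
    """Return the file offset where the overlay starts (end of the last raw section).

    Raises ValueError for anything that is not a PE image. If the computed end
    lies beyond the file (truncated sample), the file length is returned, so the
    overlay is simply empty.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    section_table = e_lfanew + 24 + opt_size
    end = 0
    for i in range(num_sections):
        hdr = section_table + i * 40
        # Section header: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def get_overlay(data: bytes) -> bytes:
    """Bytes appended after the last section; empty when there is no overlay."""
    return data[overlay_offset(data):]


def overlay_starts_with(data: bytes, marker: bytes) -> bool:
    """True when the overlay begins with `marker` (the Setup Factory 8 check)."""
    return get_overlay(data).startswith(marker)


def triage(data: bytes, marker: bytes) -> dict:
    """Summary a triage pipeline could log before deciding to hand off to an extractor."""
    off = overlay_offset(data)
    return {
        "overlay_offset": off,
        "overlay_size": len(data) - off,
        "matches": data[off:].startswith(marker),
    }


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 image with one section at 0x200..0x400 and `overlay` appended."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)  # PE32 magic, rest zeroed
    section = (
        b".text\0\0\0"
        + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200)  # VirtualSize, VA, SizeOfRawData, PointerToRawData
        + b"\0" * 16  # relocations/linenumbers fields and Characteristics
    )
    headers = dos + b"PE\0\0" + coff + optional + section
    headers += b"\0" * (0x200 - len(headers))
    body = b"\xCC" * 0x200  # section data (int3 filler)
    return headers + body + overlay


if __name__ == "__main__":
    sample = build_sample_pe(PLACEHOLDER_MARKER + b"...installer data...")
    print(triage(sample, PLACEHOLDER_MARKER))
```

For a real sample, read the file into `data` and call `triage(data, marker)` with the genuine marker bytes; the same overlay slice is what an extractor such as sfextract would then parse.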

@gdesmar
Collaborator

gdesmar commented Sep 17, 2024

Hello!
I have some good news! I went over SFUnpacker and ported all of the important code to a new library called sfextract (pypi, github). I have now added that library as a dependency in Extract, and starting with version 4.5.0.stable42, it will extract all files that it can.

The new internal library sfextract supports almost everything that SFUnpacker did, but there are still a few things missing (LZMA2 compressed data). It covers everything needed for your test sample to extract the Word document, executable and dll, plus some SetupFactory resource files.

If you want to install sfextract by itself, using pip install sfextract, you will also be able to just execute the sfextract command from the commandline on your executable, and it will extract the files in a folder next to your file.

If you have more samples that do not get opened correctly with sfextract, you can open a ticket on the sfextract repository. If you have issues with the Extract service, or any other Assemblyline tool, you can also open an issue on our centralized issue tracker to get more eyes on it, in case we miss the service repository issues.

@xorhex
Author

xorhex commented Sep 18, 2024

This is amazing - thank you!

@gdesmar gdesmar closed this as completed Sep 19, 2024