
Force a package type i.e. rar #34

Open

enzok opened this issue Jun 8, 2018 · 7 comments

Comments

@enzok

enzok commented Jun 8, 2018

I have a sample that returns as a PNG file using magic. However, it is in fact a rar file. I can unpack it with the rar command or with 7zip manually.

What would be the best way to pass the package type, rar in this case, to the unpacker?

I'm importing unpack from sflock currently.

@doomedraven
Contributor

Maybe if there is a way to improve detection of rar? That would be a better case than just forcing it.

@enzok
Author

enzok commented Jun 8, 2018

Then the bigger issue here would be scanning files to determine their true nature. In this case it could just as easily have contained a zip or PE. If I know the package type it would still be useful to specify it.

@jbremer
Member

jbremer commented Jun 8, 2018

There's some logic that looks at the first 4096 bytes or so which can be used here. Do you have a sample to showcase this behavior?

@enzok
Author

enzok commented Jun 8, 2018

https://drive.google.com/open?id=1P8JNOG0FuPsXZGOn_9z28YbWcVQfiDA1

pwd=infected

It contains a malware sample, handle accordingly.

@idiom

idiom commented Jun 17, 2018

@enzok It looks like the archive file is appended to the end of the image after IEND. Was there an additional script/step that would download this image and extract the compressed file?

@enzok
Author

enzok commented Jun 18, 2018

@idiom No, the file is an email attachment that has a .zipx extension. 7zip and WinRar will open the file as a RAR. It contains a Word Doc with VBA/Macros.

@idiom

idiom commented Jun 19, 2018

@enzok Yeah, I extracted the document. It's interesting... I wonder if what we're seeing is a feature of the tools that they will ignore the first part of the file until the RAR header and extract the contents. So this may be a method to bypass inline scanning as it would appear to be an image file.
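The two technical points in this thread (jbremer's note that sflock already has logic looking at roughly the first 4096 bytes, and idiom's observation that the RAR data sits after the PNG's IEND chunk) can be checked with a small detector. The following is an added example written for this issue; it is not sflock's code and does not use sflock's API. It walks the PNG chunk structure to find where the image really ends, then searches the trailing bytes for archive markers. The PNG and RAR5/RAR4/zip marker bytes are the documented ones; the sample file is constructed in the script (a 1x1 PNG padded past 4 KiB with a tEXt chunk, followed by a RAR5 marker and filler, not a working archive) so the script runs offline. The function and variable names are mine.

```python
"""Detect an archive appended after a PNG's IEND chunk (PNG/RAR polyglot).

Added example for the sflock issue above; not sflock's own code.
"""
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Documented marker bytes for the container formats checked here.
ARCHIVE_SIGNATURES = {
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"PK\x03\x04": "zip",
}


def png_end_offset(data: bytes):
    """Walk PNG chunks and return the offset just past the IEND chunk.

    Each chunk is: 4-byte big-endian length, 4-byte type, payload, 4-byte CRC.
    Returns None if the buffer has no PNG magic, a truncated chunk, or no IEND.
    """
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(data):
            return None  # truncated chunk
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def find_embedded_archives(data: bytes, start: int = 0):
    """Return sorted [(offset, kind), ...] for archive markers at or after start."""
    hits = []
    for sig, kind in ARCHIVE_SIGNATURES.items():
        idx = data.find(sig, start)
        while idx != -1:
            hits.append((idx, kind))
            idx = data.find(sig, idx + 1)
    return sorted(hits)


def classify(data: bytes):
    """Compare what offset-0 magic says with what lies after the image."""
    end = png_end_offset(data)
    # For a well-formed PNG only look past IEND; otherwise scan the whole buffer.
    start = end if end is not None else 0
    embedded = find_embedded_archives(data, start)
    return {
        "magic": "png" if data.startswith(PNG_MAGIC) else "unknown",
        "png_end": end,
        "trailing_bytes": (len(data) - end) if end is not None else 0,
        "embedded": embedded,
        # An archive marker that is not at offset 0 is hidden behind other data.
        "hidden_archive": any(off > 0 for off, _ in embedded),
    }


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(padding: int = 8000) -> bytes:
    """Constructed 1x1 greyscale PNG; a tEXt chunk pads it past the 4 KiB window."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    text = b"Comment\x00" + b"A" * padding
    return (PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", text)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


SAMPLE_PNG = build_sample_png()
# Constructed trailer: a RAR5 marker plus filler, not a working archive.
SAMPLE_POLYGLOT = SAMPLE_PNG + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32


if __name__ == "__main__":
    print("clean PNG   :", classify(SAMPLE_PNG))
    print("PNG + RAR   :", classify(SAMPLE_POLYGLOT))
    print("first 4 KiB :", find_embedded_archives(SAMPLE_POLYGLOT[:4096]))
```

Because the padded image is larger than 4096 bytes, a scan limited to the first 4 KiB window never sees the RAR marker, while parsing to IEND and scanning the remainder does. That is the practical argument for walking the container structure rather than relying on a fixed-size prefix when deciding which unpacker to hand a file to.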
