
quicksand_lite – Command-line tool for scanning streams within office documents, plus an XOR db attack.
Latest change (12/5/2017):
+ Added detection for EPS obfuscation using XOR.
+ Removed tempnam calls (tempnam yields predictable temporary file names; mkstemp is the safe replacement).
quicksand_lite is a compact C framework for analyzing suspected malware documents. It 1) identifies exploits in streams of different encodings and 2) locates and extracts embedded executables. Because it can locate embedded executables even when they are obfuscated, QuickSand can flag documents that carry zero-day or otherwise unknown obfuscated exploits.
File formats for exploit and active content detection:
– doc, docx, docm, rtf, etc
– ppt, pptx, pps, ppsx, etc
– xls, xlsx, etc
– MIME MSO (ActiveMime)
– EML email
Features:
+ Fast document deconstruction
+ YARA API integration: Executable | Exploits | Trojans
+ Runs YARA signatures against decoded streams and un-XORed executables
+ Cryptanalysis of obfuscated executables and extraction: xor | rol/ror
+ Non-brute-force instant cracking of long 256-byte XOR keys (20-10 bytes)
+ Optional brute-force 1-byte XOR attack
+ Optional brute-force math cipher attack
+ Optional xor-lookahead algorithm (xorla)
+ Pre-sandbox processing of phishing samples to extract executables/implant installers
+ Integratable cross-platform ANSI C
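The two XOR attacks listed above, the non-brute-force known-plaintext recovery of a repeating key and the optional 1-byte brute force, as an added example in C. This is not quicksand_lite's own code and does not describe its internals: the MAX_KEY limit, the use of the DOS-stub string as the crib, the minimal PE layout, and every sample byte are assumptions constructed for the demo. The point it shows is that the known plaintext present in nearly every PE lets you derive the key directly, and that the decode should be validated structurally (MZ -> e_lfanew -> "PE\0\0") rather than by matching "MZ" alone.

```c
/* Added example, not quicksand_lite's code. Recover a repeating XOR key
 * from an obfuscated PE using the DOS-stub string as known plaintext,
 * then validate the decode by walking MZ -> e_lfanew -> "PE\0\0".
 * All sample bytes are constructed, not taken from a real sample. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEY 32 /* assumption: longest key this demo tries to recover */

/* Present in almost every PE's DOS stub: our crib. */
static const char CRIB[] = "This program cannot be run in DOS mode.";

/* Constructed minimal PE shape: "MZ", e_lfanew = 0x80, crib at 0x4E,
 * "PE\0\0" at 0x80. Returns bytes written (0x100), or 0 if cap is too small. */
size_t build_fake_pe(uint8_t *out, size_t cap) {
    if (cap < 0x100) return 0;
    memset(out, 0, 0x100);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x80;                          /* e_lfanew, little-endian */
    memcpy(out + 0x4E, CRIB, strlen(CRIB));
    memcpy(out + 0x80, "PE\0\0", 4);
    return 0x100;
}

/* Repeating-key XOR with the key phase anchored at buffer offset 0. */
void xor_repeating(uint8_t *buf, size_t len, const uint8_t *key, size_t klen) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key[i % klen];
}

/* Structural check: "MZ" at off and e_lfanew pointing inside the buffer
 * at "PE\0\0". Cheap, and far stronger than matching "MZ" alone. */
int pe_header_at(const uint8_t *buf, size_t len, size_t off) {
    if (len < 0x40 || off > len - 0x40) return 0;
    if (buf[off] != 'M' || buf[off + 1] != 'Z') return 0;
    uint32_t e_lfanew = (uint32_t)buf[off + 0x3C] | (uint32_t)buf[off + 0x3D] << 8 |
                        (uint32_t)buf[off + 0x3E] << 16 | (uint32_t)buf[off + 0x3F] << 24;
    if (e_lfanew > len - off - 4) return 0;
    return memcmp(buf + off + e_lfanew, "PE\0\0", 4) == 0;
}

/* Known-plaintext attack, no brute force: slide the crib across the
 * ciphertext; at each offset derive L key bytes and require that they
 * repeat consistently over the rest of the crib. L <= clen/2 so at least
 * one full period is confirmed. key_out is phase-aligned to offset 0
 * (key_out[i % L] applies to buf[i]). Returns L, or 0 if nothing fits. */
size_t crack_xor_crib(const uint8_t *buf, size_t len, const uint8_t *crib,
                      size_t clen, uint8_t *key_out) {
    uint8_t key[MAX_KEY];
    if (clen > len) return 0;
    for (size_t off = 0; off + clen <= len; off++) {
        for (size_t L = 1; L <= MAX_KEY && L <= clen / 2; L++) {
            size_t j;
            for (j = 0; j < L; j++) key[j] = buf[off + j] ^ crib[j];
            for (j = L; j < clen; j++)
                if ((buf[off + j] ^ crib[j]) != key[j % L]) break;
            if (j != clen) continue;
            for (j = 0; j < L; j++) key_out[(off + j) % L] = key[j];
            return L;
        }
    }
    return 0;
}

/* Single-byte brute force: 256 trial decodes, accept the first that
 * yields a structurally valid PE. Returns the key, or -1. */
int brute_xor1(const uint8_t *buf, size_t len, size_t *pe_off) {
    uint8_t *tmp = malloc(len);
    if (!tmp) return -1;
    for (int k = 0; k < 256; k++) {
        for (size_t i = 0; i < len; i++) tmp[i] = buf[i] ^ (uint8_t)k;
        for (size_t off = 0; off + 0x40 <= len; off++)
            if (pe_header_at(tmp, len, off)) { *pe_off = off; free(tmp); return k; }
    }
    free(tmp);
    return -1;
}

/* End to end: 0x40 bytes of constructed container padding, the fake PE,
 * a 7-byte key. Returns the key length if the recovered key matches and
 * the decoded PE validates at offset 0x40, otherwise 0. */
size_t demo_multibyte(void) {
    static const uint8_t KEY[7] = {0x5A, 0x13, 0xC7, 0x88, 0x2E, 0x91, 0x04};
    uint8_t blob[0x140], key[MAX_KEY];
    memset(blob, 0xD0, 0x40);
    size_t len = 0x40 + build_fake_pe(blob + 0x40, sizeof blob - 0x40);
    xor_repeating(blob, len, KEY, sizeof KEY);
    size_t L = crack_xor_crib(blob, len, (const uint8_t *)CRIB, strlen(CRIB), key);
    if (L != sizeof KEY || memcmp(key, KEY, L) != 0) return 0;
    xor_repeating(blob, len, key, L);           /* decode in place */
    return pe_header_at(blob, len, 0x40) ? L : 0;
}

/* Same blob under a 1-byte key; returns the brute-forced key, or -1. */
int demo_onebyte(void) {
    static const uint8_t KEY[1] = {0xA7};
    uint8_t blob[0x140];
    size_t pe_off = 0;
    memset(blob, 0xD0, 0x40);
    size_t len = 0x40 + build_fake_pe(blob + 0x40, sizeof blob - 0x40);
    xor_repeating(blob, len, KEY, 1);
    int k = brute_xor1(blob, len, &pe_off);
    return (k == 0xA7 && pe_off == 0x40) ? k : -1;
}

int main(void) {
    printf("multi-byte key length recovered: %zu\n", demo_multibyte());
    printf("one-byte key brute-forced: 0x%02x\n", demo_onebyte());
    return 0;
}
```

The crib approach fails on samples whose DOS stub has been stripped or rewritten; a real scanner falls back to other known plaintext in the header (runs of zero bytes, "PE\0\0" at e_lfanew) or to the brute-force paths listed above.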
Installation:
#mac: brew install automake libtool wget
#ec2 aws ami: yum install automake libtool wget

wget https://github.com/VirusTotal/yara/archive/v3.5.0.tar.gz
gunzip v3.5.0.tar.gz
tar -xvf v3.5.0.tar
cd yara-3.5.0
chmod +x ./build.sh
LD_LIBRARY_PATH=/usr/local/lib
export LD_LIBRARY_PATH
LDFLAGS=-L/usr/local/opt/openssl/lib
export LDFLAGS
CPPFLAGS=-I/usr/local/opt/openssl/include
export CPPFLAGS
./build.sh
sudo make install
cd ..

wget http://zlib.net/zlib-1.2.11.tar.gz
gunzip zlib-1.2.11.tar.gz
tar -xvf zlib-1.2.11.tar
cd zlib-1.2.11
./configure
make
sudo make install
cd ..

wget https://nih.at/libzip/libzip-1.1.3.tar.gz
gunzip libzip-1.1.3.tar.gz
tar -xvf libzip-1.1.3.tar
cd libzip-1.1.3
./configure
make
sudo make install
sudo ln -vs /usr/local/lib/libzip/include/zipconf.h /usr/local/include
cd ..

git clone https://github.com/tylabs/quicksand_lite && cd quicksand_lite
./build.sh
./quicksand.out -h
./quicksand.out malware.doc
Source: https://github.com/tylabs