Thursday, September 8, 2016

QuickSand.io in depth

In addition to our Cryptam tool, we created QuickSand.io, a fast document forensics tool written in C that can run cryptanalysis attacks against some XOR ciphers. QuickSand is a CLI and a C library, and can be wrapped in a web interface.

QuickSand offers many more user-customizable attack options for special cases, while keeping the default analysis as fast as possible.

Exploits

Known exploits are scanned for using embedded Yara rules, and document streams are decoded (hex, base64, zip, gzip). We don't handle PDF streams; you'll still need PDFExaminer.com for that.

Finding embedded EXEs

Executables obfuscated with XOR+ROL keys of up to 20 bytes are found instantly by the default cryptanalysis attack.

Optional attacks

XOR lookahead - where each byte is XORed with the byte that follows it.
Math ciphers - add 1 to 255 to each byte (modulo 256, so this also covers subtracting 1 to 255).
Bitwise NOT.
Brute-force 1-byte XOR - for when the obfuscator skips null bytes, so the null runs no longer leak the key to the default attack.
Odd XOR lengths.
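To make the attacks above concrete, here is an added Python sketch. It is not QuickSand's code (which is C) and not a description of its internals; it covers both the default XOR+ROL key recovery from "Finding embedded EXEs" and two of the optional attacks, the brute-force single-byte XOR for null-skipping obfuscators and the XOR-lookahead decode. The PE-like input is constructed inside the block. The ROL-after-XOR order, the null-skipping rule and the lookahead convention (each byte XORed with its successor, last byte passed through) are assumptions made for illustration, not QuickSand's definitions. Because every key length is tried, the 21-byte key of the sample further down falls out of the same loop, which is the situation the "odd XOR lengths" option addresses.

```python
# Added example (not QuickSand code): toy versions of the XOR/ROL key-recovery
# attacks described above, run against a constructed PE-like blob.
# Assumed obfuscation: rol(plain ^ key[i % len(key)], rot). The skip_nulls rule
# and the lookahead convention below are also assumptions, not QuickSand's.
from collections import Counter


def rol8(b, r):
    """Rotate a byte left by r bits (r in 0..7)."""
    return ((b << r) | (b >> (8 - r))) & 0xFF if r else b


def ror8(b, r):
    return rol8(b, (8 - r) % 8)


def build_sample_pe(size=4096):
    """Constructed stand-in for an embedded EXE: MZ/PE headers, DOS stub text,
    a block of non-null filler, and the null padding the attack relies on."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")      # e_lfanew -> PE header
    stub = b"This program cannot be run in DOS mode.\r\n$"
    buf[0x4E:0x4E + len(stub)] = stub
    buf[0x80:0x84] = b"PE\x00\x00"
    for i in range(0x200, 0x600):                      # fake code bytes
        buf[i] = (i * 0x9D + 0x37) & 0xFF
    return bytes(buf)


def looks_like_pe(data):
    """Cheap plausibility check that accepts or rejects a candidate key."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_rol(data, key, rot=0, skip_nulls=False):
    """Obfuscate with a repeating XOR key, then rotate left. With skip_nulls
    the 0x00 bytes are left untouched, as some droppers do."""
    out = bytearray(data)
    for i, b in enumerate(out):
        if not (skip_nulls and b == 0):
            out[i] = rol8(b ^ key[i % len(key)], rot)
    return bytes(out)


def recover_xor_rol(blob, max_keylen=32):
    """Default-style attack. A PE is mostly 0x00, so once the rotation is
    undone the most frequent byte in each key position *is* the key byte.
    All lengths 1..max_keylen and all 8 rotations are tried; an odd length
    such as 21 needs no special casing. Returns (rot, key, plain) or None."""
    unrotated = [bytes(ror8(b, r) for b in blob) for r in range(8)]
    for keylen in range(1, max_keylen + 1):            # shortest key first
        for rot, unrot in enumerate(unrotated):
            key = bytes(Counter(unrot[j::keylen]).most_common(1)[0][0]
                        for j in range(keylen))
            plain = bytes(b ^ key[i % keylen] for i, b in enumerate(unrot))
            if looks_like_pe(plain):
                return rot, key, plain
    return None


def brute_force_single_xor(blob):
    """Fallback for null-skipping obfuscation: the null runs stay 0x00 and no
    longer leak the key, so every 1-byte key is simply tried in turn."""
    for k in range(256):
        plain = bytes(b ^ k if b else 0 for b in blob)
        if looks_like_pe(plain):
            return k, plain
    return None


def undo_lookahead(blob):
    """Invert out[i] = in[i] ^ in[i+1] (last byte passed through) by walking
    backwards from the untouched final byte."""
    plain = bytearray(blob)
    for i in range(len(plain) - 2, -1, -1):
        plain[i] ^= plain[i + 1]
    return bytes(plain)


KEY21 = bytes(range(0x11, 0x11 + 21))  # 21 distinct bytes, an odd key length

if __name__ == "__main__":
    pe = build_sample_pe()
    rot, key, plain = recover_xor_rol(xor_rol(pe, KEY21, rot=3))
    print("recovered rol", rot, "keylen", len(key), key == KEY21, plain == pe)
    skipped = xor_rol(pe, b"\xC3", skip_nulls=True)
    print("null-skipped sample defeats the frequency attack:",
          recover_xor_rol(skipped) is None)
    k, plain = brute_force_single_xor(skipped)
    print("brute force found key %#x, header intact:" % k,
          plain[:0x84] == pe[:0x84])
```

Two design points worth noting. Key lengths are searched shortest first because a key of length n also validates as any multiple of n, so stopping at the first PE-shaped result gives the minimal key. And when nulls are skipped, the frequency attack still "succeeds" in the sense that the most common byte per position is 0x00, but that yields an all-zero key and a non-PE result, which is exactly why the 1-byte brute force exists as a separate option.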


Example of an odd XOR length:

This sample contains an exe obfuscated with a 21-byte XOR key (note the -s 21 option matching the key length):
./quicksand.out malware/112c64f7c07a959a1cbff6621850a4ad-2.virus -s 21 -e 50000
 -0> root {3}
  md5:112c64f7c07a959a1cbff6621850a4ad
  sha1:e7f7f6caaede6cc29c2e7e4888019f2d1be37cef
  sha256:9e5fbd79d8febe7a162cd5200041772db60dc83244605b1ff37ef8d14334f512
  sha512:45e7807bc0ed6b8ab6ecf458c34edebb8781ed928e0b0649d73cf0d981513113160afc3c1dee5cd290a0053357d155fe1b129d342fc2d1072bcb039e972cc61b
  size:367631
  yara:exploits:exploit_cve_2015_2424
  score:30
  is_malware:2

  -1> xor {3}
   md5:31e676fd243e031170be515987784883
   sha1:69b22e4bd485f4486cf0f16aa4f894acb530b6f8
   sha256:a78eb148cd918b0e3e31a42dcfa3eaade731d9c2a935120d2b05428df06f78a0
   sha512:dd8e5bb444269ab4a3bca4c9754d931c7d70c462b5523e98d4dd5124d8196ada9f3e2675bf077998332de04e625c4e3f61b8b63341d58e614aa8d2e52213e17f
   parentsha256:9e5fbd79d8febe7a162cd5200041772db60dc83244605b1ff37ef8d14334f512
   size:367631
   yara:executable:executable_win_pe
   xorlen:21
   corky:5cf193921cad62018eb1cf638f3f7eacecb041d240

More to follow.
