Tuesday, September 20, 2016

QuickSand.io In Depth - Part 2 The Reports

QuickSand.io Reports

Today we're going to dig deeper into QuickSand.io's document malware analysis reports, and into how an analyst can drill down from the verdict to the cryptanalysis results and the extracted executables.



Header

The report header contains the information you'd expect: the analysis time (for the submission times you'll have to look at the submissions JSON page), the file hashes, and the verdict fields. is_malware is 0 for clean, 1 for suspicious active content, and 2 for exploits and embedded executables. Score: each Yara rule hit for an exploit or active content adds to the score. Runtime: it's fast. Then the Yara hits, in three groups: exploits (by CVE number), executables (Windows/Mac/VB, and whether a PE header was found), and general (the trojan signatures from Malware Tracker).


QuickSand.io Report Header

Streams

The streams section of the report is where you can dig deeper into the content and the cryptanalysis results. Clicking a header expands that section, and the indentation shows the object relationships. Grey titles are less interesting, red ones have exploits, and brown ones have executables.

The distribution item in the root object can be very useful. It maps the file block by block: X marks the blocks where an embedded executable was found, 0 is a null block, F is a block of 0xFF bytes, 1 is a high-entropy block, and A is an ASCII block, such as most of an RTF file.

We are also working on a structural hash (structhash) of the file, which can help find samples from the same attacker or exploit kit.


QuickSand.io Streams section

DOCX Files

For docx files you'll see the hierarchy of files within the zip, and any embedded OLE files or high-entropy data are analyzed for embedded executables as well.





Macros and no embedded EXEs

A lot of the newer macro malware won't have an embedded EXE. Using the distribution results below, we can see the file is mostly null blocks ("0") and does not contain enough high-entropy data to be carrying a built-in EXE.
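As an added illustration of the distribution map, the DOCX zip walk and the macro-only case described above (example code written for this post, not QuickSand's own), the Python below unzips a constructed DOCX, classifies each entry in 512-byte blocks as 0/F/A/1, and overlays X on the block holding a validated MZ/PE header. The block size, the entropy threshold of 7.0 bits per byte, the "." marker for mixed blocks, and marking only the header block with X are assumptions; QuickSand's actual values and how far its X run extends are not given on the page. The vbaProject.bin entry comes out as mostly "0" with no "1" or "X", which is the macro-without-EXE pattern, while the OLE object shows the embedded executable.

```python
import io
import math
import random
import struct
import zipfile
from collections import Counter

# Assumed block size and entropy threshold; QuickSand's real values are not
# given on the page, so these are illustrative choices.
BLOCK_SIZE = 512
HIGH_ENTROPY = 7.0
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def block_class(block: bytes) -> str:
    """Map one block to a distribution letter: 0 = all nulls, F = all 0xFF,
    A = printable ASCII, 1 = high entropy, '.' = anything else (our addition)."""
    n = len(block)
    if block.count(0) == n:
        return "0"
    if block.count(0xFF) == n:
        return "F"
    printable = sum(1 for b in block if 0x20 <= b < 0x7F or b in (9, 10, 13))
    if printable / n > 0.95:
        return "A"
    counts = Counter(block)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return "1" if entropy >= HIGH_ENTROPY else "."


def find_pe_offsets(data: bytes) -> list:
    """Offsets of MZ headers whose e_lfanew points at a real PE signature,
    so a stray 'MZ' inside random data is not reported as an executable."""
    found, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def distribution(data: bytes) -> str:
    """Distribution string for a buffer, with X over blocks holding a PE header."""
    classes = [block_class(data[i:i + BLOCK_SIZE]) for i in range(0, len(data), BLOCK_SIZE)]
    for off in find_pe_offsets(data):
        classes[off // BLOCK_SIZE] = "X"
    return "".join(classes)


def walk_docx(blob: bytes) -> dict:
    """Walk every zip entry of a DOCX and summarise it like the streams section."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            data = z.read(info)
            dist = distribution(data)
            report[info.filename] = {
                "size": len(data),
                "is_ole": data.startswith(OLE_MAGIC),
                "dist": dist,
                "embedded_pe": "X" in dist,
                "suspicious": "1" in dist or "X" in dist,
            }
    return report


def build_sample_docx() -> bytes:
    """Constructed test document (not a real sample): ASCII parts, a null-heavy
    vbaProject.bin, and an OLE object carrying a minimal fake PE header
    followed by pseudo-random bytes, nulls and 0xFF padding."""
    rng = random.Random(7)
    pe_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
    ole = (OLE_MAGIC + b"\x00" * 504                          # block 0: OLE header, mixed
           + pe_header.ljust(512, b"\x00")                     # block 1: MZ/PE header -> X
           + bytes(rng.randrange(256) for _ in range(1024))   # blocks 2-3: high entropy
           + b"\x00" * 512 + b"\xff" * 512)                    # blocks 4-5: nulls, 0xFF
    vba = b"\x00" * 1536 + b'Attribute VB_Name = "ThisDocument"\r\n'
    xml = b"<w:p><w:r><w:t>Quarterly report, please enable content</w:t></w:r></w:p>" * 20
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        z.writestr("word/document.xml", xml)
        z.writestr("word/vbaProject.bin", vba)
        z.writestr("word/embeddings/oleObject1.bin", ole)
    return buf.getvalue()


if __name__ == "__main__":
    for name, entry in walk_docx(build_sample_docx()).items():
        print(f"{name:40} {entry['size']:6d} {entry['dist']}  pe={entry['embedded_pe']}")
```

Run it and the OLE object reports ".X110F" with embedded_pe set, while vbaProject.bin reports "000A": nulls, then the macro text, nothing to carve.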


XOR

The XOR section shows xorkey for a key found by cryptanalysis, or xortkey for a key found by the key dictionary.


XOR block

ROL

The Rol section shows the bitwise rotation (rol) that was applied. You can click the sha256 link for a hex dump of the section, and click (str) for the extracted strings.

Rol/Ror block


Dropped Files

The dropped files section is similar: click the number (1) to see the hex dump and (str) to see the strings. The strings can help you get a quick ID of the trojan, or find some unique strings for a quick Yara rule.

Tip: hex dumps can be converted back to files: # xxd -r webhexdump.txt > malware.virus (xxd -r expects the offset plus hex column layout that xxd itself produces; for a plain hex string with no offsets use xxd -r -p, and always compare the sha256 of the rebuilt file with the hash in the report).
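As an added example (not from the page or from the QuickSand tool), here is a Python rebuild of a file from a pasted hex dump that copes with the cases where a bare xxd -r goes wrong: a hexdump -C style dump with its |ascii| column and "*" squeezed-repeat lines, offset-less plain hex, and a dump that lost a line while being copied from a web page (offsets are checked for continuity, so you get an error instead of a silently corrupted file). The dumps below are constructed for the example; in practice you would hash the result and compare it with the report's sha256.

```python
import hashlib
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed dumps (not from a real report): the same 32 bytes in xxd layout
# and in hexdump -C layout, plus a hexdump -C dump with a squeezed null run.
XXD_DUMP = """\
00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
"""
HEXDUMP_C = """\
00000000  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
00000010  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000020
"""
SQUEEZED = """\
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000030  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
00000040
"""


def parse_hexdump(text: str, cols: int = 16) -> bytes:
    """Rebuild bytes from an xxd, hexdump -C, or plain-hex (xxd -p) dump.

    Handles xxd's '00000010: 4d5a ...  MZ..' layout, hexdump -C's trailing
    '|ascii|' column and its '*' lines (a squeezed run of identical lines),
    and lines with no offset column.  Offsets must be contiguous: a dump that
    lost a line raises instead of yielding a file that is quietly wrong.
    `cols` is the dump's bytes-per-line width (16 for xxd and hexdump -C by
    default); it caps how many hex tokens are read per line so a hex-looking
    ASCII column is never swallowed as data.
    """
    out = bytearray()
    last_line = b""
    squeezed = False
    for raw in text.splitlines():
        line = raw.split("|", 1)[0].strip()      # drop hexdump -C ASCII column
        if not line:
            continue
        if line == "*":                           # hexdump -C: previous line repeats
            squeezed = True
            continue
        tokens = line.split()
        first = tokens[0].rstrip(":")
        has_offset = tokens[0].endswith(":") or (
            len(tokens) > 1 and len(first) == 8 and bool(HEX_RE.match(first)))
        if (not has_offset and len(tokens) == 1 and len(first) == 8
                and HEX_RE.match(first) and int(first, 16) == len(out)):
            continue                              # trailing end-of-file offset line
        if has_offset:
            offset = int(first, 16)
            if squeezed:
                while last_line and len(out) < offset:   # expand the squeezed run
                    out += last_line
                squeezed = False
            if offset != len(out):
                raise ValueError(f"offset gap: expected {len(out):#x}, got {offset:#x}")
            tokens = tokens[1:]
        line_bytes = bytearray()
        for tok in tokens:
            if len(tok) % 2 or not HEX_RE.match(tok):
                break                             # reached the xxd ASCII column
            line_bytes += bytes.fromhex(tok)
            if has_offset and len(line_bytes) >= cols:
                break
        out += line_bytes
        last_line = bytes(line_bytes)
    return bytes(out)


def sha256_hex(data: bytes) -> str:
    """Hash of the rebuilt file, to compare against the sha256 in the report."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    rebuilt = parse_hexdump(XXD_DUMP)
    print(len(rebuilt), "bytes", sha256_hex(rebuilt))
    print(parse_hexdump(HEXDUMP_C) == rebuilt)
```

The "*" handling matters because hexdump -C collapses runs of identical lines, and a file rebuilt without re-expanding them ends up shorter than the report's size field says, with a different hash.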

dropped file hex dump


dropped file extracted strings

JSON

The bottom of the page has links to a JSON version of the report and to a JSON list of the submissions (date, original filenames).


Thursday, September 8, 2016

QuickSand.io in depth

In addition to our Cryptam tool, we created QuickSand.io, a fast document forensics tool written in C which can conduct cryptanalysis attacks on some XOR ciphers. QuickSand is a CLI and a C library, and can be wrapped in a web interface.

QuickSand has a lot more user-customizable attack options for special cases while keeping the default analysis as fast as possible.

Exploits

Known exploits are scanned for using embedded Yara, after the document streams have been decoded - hex, base64, zip, gzip. We don't handle PDF streams - you'll still need PDFExaminer.com for that.

Finding Embedded EXEs

Executables obfuscated with XOR+Rol and keys of 20-10 bytes are found instantly with the default cryptanalysis attack.

Optional attacks

XOR Lookahead - where the current byte is xored with the following byte.
Math ciphers - +1 to +255 (equivalent to -1 to -255).
Bitwise not
Brute force 1 byte xor - for when the null bytes are left in place by the encoder (a null-preserving XOR), which defeats the frequency-based attack.
Odd XOR lengths


Example of an odd XOR key length:

This sample contains an EXE obfuscated with a 21-byte XOR key:
./quicksand.out malware/112c64f7c07a959a1cbff6621850a4ad-2.virus -s 21 -e 50000
 -0> root {3}
  md5:112c64f7c07a959a1cbff6621850a4ad
  sha1:e7f7f6caaede6cc29c2e7e4888019f2d1be37cef
  sha256:9e5fbd79d8febe7a162cd5200041772db60dc83244605b1ff37ef8d14334f512
  sha512:45e7807bc0ed6b8ab6ecf458c34edebb8781ed928e0b0649d73cf0d981513113160afc3c1dee5cd290a0053357d155fe1b129d342fc2d1072bcb039e972cc61b
  size:367631
  yara:exploits:exploit_cve_2015_2424
  score:30
  is_malware:2

  -1> xor {3}
   md5:31e676fd243e031170be515987784883
   sha1:69b22e4bd485f4486cf0f16aa4f894acb530b6f8
   sha256:a78eb148cd918b0e3e31a42dcfa3eaade731d9c2a935120d2b05428df06f78a0
   sha512:dd8e5bb444269ab4a3bca4c9754d931c7d70c462b5523e98d4dd5124d8196ada9f3e2675bf077998332de04e625c4e3f61b8b63341d58e614aa8d2e52213e17f
   parentsha256:9e5fbd79d8febe7a162cd5200041772db60dc83244605b1ff37ef8d14334f512
   size:367631
   yara:executable:executable_win_pe
   xorlen:21
   corky:5cf193921cad62018eb1cf638f3f7eacecb041d240
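To show what the cryptanalysis attack in the XOR section and the odd-key-length run above are doing, here is an added Python example (not QuickSand's code) of a null-space attack on XOR+ROL obfuscation. The obfuscation model (rotate each byte left, then XOR with a repeating key), the 21-byte key "QuickSandDemoKey21Byt", the rotation of 3 and the fake PE are all constructed for this example. Because most of a PE is 0x00 and rol(0, r) is 0 for any r, the most frequent ciphertext byte at each key position is the key byte itself, so the key falls out for any length, odd ones included, as long as the search is allowed to try that length; the rotation is then found by trial and confirmed by validating the MZ and PE headers rather than just the MZ magic. With the search capped at 20 bytes the 21-byte key is missed, which is the situation the -s 21 run above addresses.

```python
import random
import struct
from collections import Counter


def rol8(b: int, r: int) -> int:
    r &= 7
    return ((b << r) | (b >> (8 - r))) & 0xFF


def ror8(b: int, r: int) -> int:
    return rol8(b, (8 - (r & 7)) & 7)


def encode(plain: bytes, key: bytes, rol: int) -> bytes:
    """Assumed obfuscation model for this example: rotate each byte left by
    `rol`, then XOR it with a repeating key."""
    return bytes(rol8(p, rol) ^ key[i % len(key)] for i, p in enumerate(plain))


def decode(cipher: bytes, key: bytes, rol: int) -> bytes:
    return bytes(ror8(c ^ key[i % len(key)], rol) for i, c in enumerate(cipher))


def looks_like_pe(data: bytes) -> bool:
    """Validate the DOS header and the PE signature, not just the MZ magic."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key_nullspace(cipher: bytes, keylen: int) -> bytes:
    """Null-space attack: most of a PE is 0x00 and rol(0, r) == 0 for every r,
    so the most frequent ciphertext byte at each key position is the key byte."""
    return bytes(Counter(cipher[j::keylen]).most_common(1)[0][0] for j in range(keylen))


def crack(cipher: bytes, max_keylen: int = 32):
    """Try every key length up to max_keylen (odd lengths included) and every
    rotation; return (keylen, key, rol, plaintext) for the first valid PE,
    or None when no length in range decodes to a valid header."""
    for keylen in range(1, max_keylen + 1):
        key = recover_key_nullspace(cipher, keylen)
        for rol in range(8):
            plain = decode(cipher, key, rol)
            if looks_like_pe(plain):
                return keylen, key, rol, plain
    return None


def build_fake_pe(size: int = 4096) -> bytes:
    """Constructed stand-in for an embedded executable: DOS header, DOS stub
    string, PE signature, a third of the file pseudo-random 'code', rest nulls."""
    rng = random.Random(2016)
    header = bytearray(0x100)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)          # e_lfanew -> PE signature
    stub = b"This program cannot be run in DOS mode.\r\n$"
    header[0x40:0x40 + len(stub)] = stub
    header[0x80:0x84] = b"PE\x00\x00"
    code = bytes(rng.randrange(256) for _ in range(size // 3))
    return bytes(header) + code + b"\x00" * (size - len(header) - len(code))


if __name__ == "__main__":
    key = b"QuickSandDemoKey21Byt"      # constructed 21-byte (odd length) key
    blob = encode(build_fake_pe(), key, 3)
    print("search capped at 20 bytes:", crack(blob, max_keylen=20))
    keylen, found, rol, _ = crack(blob, max_keylen=32)
    print(f"xorlen:{keylen} rol:{rol} key:{found.hex()}")
```

When the encoder skips null bytes instead of XORing them, the mode at each position is 0x00 and this attack returns an all-zero key with no valid decode; that is the case the brute-force 1 byte XOR option above exists for.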

More to follow.