Force a package type i.e. rar #34
Comments
|
maybe if there a way to improve detection of rar? would be better case than just force |
|
Then the bigger issue here would be scanning files to determine their true nature. In this case it could have just as easily have contained a zip or PE. If I know the package type it would still be useful to specify it. |
|
There's some logic that looks at the first 4096 bytes or so which can be used here. Do you have a sample to showcase this behavior? |
|
https://drive.google.com/open?id=1P8JNOG0FuPsXZGOn_9z28YbWcVQfiDA1 pwd=infected It contains a malware sample, handle accordingly. |
|
@enzok It looks like the archive file is appended to the end of the image after IEND. Was there an additional script/step that would download this image and extract the compressed file? |
|
@idiom No, the file is an email attachment that has a .zipx extension. 7zip and WinRar will open the file as a RAR. It contains a Word Doc with VBA/Marcros. |
|
@enzok Yeah I extracted the document. It's interesting..I wonder if what we're seeing is a feature of the tools that they will ignore the first part of the file until the RAR header and extract the contents. So this may be a method to bypass inline scanning as it would appear to be an image file. |
I have a sample that returns as a PNG file using magic. However, it is in fact a rar file. I can unpack it with the rar command or with 7zip manually.
What would be the best way to pass the package type, rar in this case, to the unpacker.
I'm importing unpack from sflock currently.
The text was updated successfully, but these errors were encountered: