During an incident response engagement, it is common to find that the original malware that wreaked havoc in the network was deleted, either as part of the anti-forensics built into the code or by an overeager first responder. To make matters worse, the deleted malware is often overwritten by the time the IR team gets on site, which can make it difficult to collect and reverse engineer the code to identify Indicators of Compromise (IOCs). However, sometimes we get lucky and one or more workstations will have an updated anti-virus application that quarantined the malicious files for us. When McAfee or other anti-virus programs quarantine a malicious file, they use an XOR process with a one-byte key to obfuscate the data. This process can be reversed from within the application, but the user never sees what is going on behind the scenes. In order to reverse this process manually we must know the one-byte XOR key, which is difficult to decipher from the data in the “Details” file. There are many reasons locating the original malware executable is critical to an investigation, such as reverse engineering the code, hash analysis, text string analysis, etc., none of which are the subject of this paper. This paper will show you how to extract and de-obfuscate the quarantined files from McAfee AV and Avira anti-virus applications.
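The key-recovery step the abstract describes as difficult can be automated whenever the quarantined payload is a Windows executable: a single-byte XOR leaks its key at every position where the plaintext is known (the "MZ" DOS signature) or heavily skewed (the 0x00 padding that dominates a PE). The script below is an added example written for this page, not code from the paper or from McAfee or Avira. It assumes only that the obfuscated blob is a PE file, and the sample quarantine it decodes is constructed in the script with an arbitrary key of 0x6A; it makes no claim about which key any real product uses.

```python
"""Recover a one-byte XOR key from a quarantined file and decode it.

Added example for this page; it is not the paper's or any vendor's code.
Assumption: the quarantined payload is a Windows PE, so the plaintext
begins with the b"MZ" DOS signature and is dominated by 0x00 bytes.
"""
from collections import Counter
from typing import Optional


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the same op encodes and decodes)."""
    return bytes(b ^ key for b in data)


def key_from_known_plaintext(ciphertext: bytes, known: bytes, offset: int = 0) -> Optional[int]:
    """Derive the key from a known plaintext fragment at a fixed offset.

    Each byte of the fragment independently yields a candidate key; all of
    them must agree, otherwise the plaintext guess is wrong and None is returned.
    """
    window = ciphertext[offset:offset + len(known)]
    if len(window) != len(known):
        return None
    candidates = {c ^ p for c, p in zip(window, known)}
    return candidates.pop() if len(candidates) == 1 else None


def key_from_frequency(ciphertext: bytes, expected_most_common: int = 0x00) -> int:
    """Derive the key from byte statistics.

    Executables are mostly zero/padding bytes; under a single-byte XOR the
    most frequent ciphertext byte is therefore expected_most_common ^ key.
    """
    most_common_byte, _count = Counter(ciphertext).most_common(1)[0]
    return most_common_byte ^ expected_most_common


def recover_key(ciphertext: bytes) -> int:
    """Try the strong (known-plaintext) method first, fall back to statistics."""
    key = key_from_known_plaintext(ciphertext, b"MZ", offset=0)
    if key is None:
        key = key_from_frequency(ciphertext)
    return key


def looks_like_pe(data: bytes) -> bool:
    """Sanity-check decoded output: DOS header plus PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_quarantine(key: int = 0x6A) -> bytes:
    """Constructed sample: a minimal PE-shaped blob, XOR-obfuscated with `key`.

    Fabricated test data, not a real quarantine file; the key is an arbitrary
    value chosen for the demonstration, not a claim about any product.
    """
    e_lfanew = 0x80
    header = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    header += e_lfanew.to_bytes(4, "little")          # e_lfanew: offset of PE signature
    header += b"\x00" * (e_lfanew - len(header))      # DOS stub padding
    header += b"PE\x00\x00" + b"\x4c\x01"             # signature + machine (i386)
    body = header + b"\x00" * 512 + b"This program cannot be run in DOS mode."
    return xor_bytes(bytes(body), key)


def decode_quarantine(ciphertext: bytes) -> tuple:
    """Recover the key and return (key, plaintext, plaintext_is_pe)."""
    key = recover_key(ciphertext)
    plaintext = xor_bytes(ciphertext, key)
    return key, plaintext, looks_like_pe(plaintext)


if __name__ == "__main__":
    sample = build_sample_quarantine()
    key, plaintext, is_pe = decode_quarantine(sample)
    print(f"recovered key: 0x{key:02x}  pe header valid: {is_pe}")
```

The known-plaintext check is the decisive one: two bytes of "MZ" are enough because a one-byte key has only 256 possibilities and a wrong guess shows up immediately as disagreeing candidates. The frequency fallback covers a blob whose first bytes are not predictable, and the PE header check at the end tells you whether the recovered key actually produced an executable rather than more noise.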
December 2022