Malware Weight Loss the Fast Way with Foremost
After writing the last post on bringing malware down to a manageable size for analysis, I got some good feedback on different ways to achieve the same results outside of using pecheck. In this post I'll go over an alternative method that moves much faster than pecheck, which was recommended (and loved) by @AndreGironda.
Foremost for the win
For this post I’m using the same 300 MB+ sample from VT: 218efc289854e3ef9086e9c3db36cf627d2171ceaece2c26085250c6203b31cd. In the last post we took extra steps to triage, so we’ll skip straight to extraction in this instance.
If you've never used foremost before, it's an awesome forensic utility that allows you to carve different files from blobs of data. Two of the file types it supports are Windows Executables and DLLs. The best thing about this tool is that it moves extremely fast, which you can see in the output below.
remnux@remnux:~/cases/heavyweight$ time pecheck -g s -D GoogleDrive.exe > lighter_GoogleDrive.exe
real 0m40.663s
user 0m39.736s
sys 0m0.878s
remnux@remnux:~/cases/heavyweight$ time foremost -t exe -o o1 -i GoogleDrive.exe
Processing: GoogleDrive.exe
|****|
real 0m0.804s
user 0m0.616s
sys 0m0.171s
With the appropriate parameters, foremost cut a 300MB+ binary down in less than a second, where pecheck took about 40 seconds. After verifying the file hashes, we even see that foremost produced exactly the same output as pecheck.
remnux@remnux:~/cases/heavyweight$ md5sum lighter_GoogleDrive.exe
5af35bc75c8c4697b34b5645bdbbd559 lighter_GoogleDrive.exe
remnux@remnux:~/cases/heavyweight$ md5sum o1/exe/00000000.exe
5af35bc75c8c4697b34b5645bdbbd559 o1/exe/00000000.exe
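To show what a header-aware PE carver like foremost is doing under the hood, here is an added Python example (written for this post, not foremost's or pecheck's own code): it scans a blob for "MZ", checks for the "PE\0\0" signature behind e_lfanew, takes each image's end from the section table rather than a fixed size, and can be hash-checked like the md5sum step above. The PE skeletons and the blob are constructed inside the script and are not real binaries.

```python
import hashlib
import struct

def pe_length(buf, off):
    """Length of the PE image at buf[off:], or None if no valid PE starts there.
    The end is the furthest PointerToRawData + SizeOfRawData in the section
    table, so appended overlay/padding after the last section is not carved."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    pe = off + struct.unpack_from("<I", buf, off + 0x3C)[0]  # e_lfanew
    if pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None  # stray "MZ" bytes with no PE signature behind them
    nsec = struct.unpack_from("<H", buf, pe + 6)[0]
    sec_table = pe + 24 + struct.unpack_from("<H", buf, pe + 20)[0]
    end = sec_table + nsec * 40 - off  # at least the headers themselves
    for s in range(sec_table, sec_table + nsec * 40, 40):
        if s + 40 > len(buf):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", buf, s + 16)
        end = max(end, raw_ptr + raw_size)
    return end if off + end <= len(buf) else None

def carve_pe(buf):
    """Return (offset, image_bytes) for each PE found, skipping over carved images."""
    found, i = [], buf.find(b"MZ")
    while i != -1:
        n = pe_length(buf, i)
        if n:
            found.append((i, buf[i:i + n]))
        i = buf.find(b"MZ", i + (n or 1))
    return found

def build_fake_pe(payload):
    """Constructed, non-executable PE skeleton: DOS header (e_lfanew=0x40), COFF
    header with no optional header, one .text section with raw data at 0x80."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(payload), 0x1000,
                                        len(payload), 0x80, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sec + payload

# Constructed blob: junk, a decoy "MZ", two PE skeletons and a large trailing overlay.
PE_A, PE_B = build_fake_pe(b"A" * 100), build_fake_pe(b"B" * 300)
BLOB = b"\x90" * 500 + b"MZ\0\0\0\0" + b"\x90" * 20 + PE_A + b"\0" * 1000 + PE_B + b"\xff" * 4096

if __name__ == "__main__":
    for off, image in carve_pe(BLOB):
        print(f"offset {off:#x} size {len(image)} md5 {hashlib.md5(image).hexdigest()}")
```

Unlike foremost, this does not separate DLLs from EXEs (that would mean reading the Characteristics field) and ignores any overlay, which is exactly the padding the bloated sample in this post carries.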
Files with multiple EXEs
To top things off, foremost even works quickly on files containing multiple executables, such as this Ducktail sample I previously wrote about.
remnux@remnux:~/cases/ducktail$ ls -lh ducktail.exe
-rw-rw-r-- 1 remnux remnux 54M Aug 7 21:14 ducktail.exe
remnux@remnux:~/cases/ducktail$ time foremost -t exe -o o1 -i ducktail.exe
Processing: ducktail.exe
|*|
real 0m0.146s
user 0m0.082s
sys 0m0.061s
remnux@remnux:~/cases/ducktail$ tree o1/
o1/
├── audit.txt
├── dll
│ ├── 00001107.dll
│ ├── 00002547.dll
...
│ ├── 00107210.dll
│ ├── 00108104.dll
│ └── 00108293.dll
└── exe
└── 00000000.exe
2 directories, 90 files
All in all, foremost is faster and probably my favorite method to carve EXEs/DLLs from data so far. Thanks for reading!