After writing the last post on bringing malware down to a manageable size for analysis, I got some good feedback on different ways to achieve the same results outside of using pecheck. In this post I’ll go over an alternative method that moves much faster than pecheck, which was recommended (and loved) by @AndreGironda.
For this post I’m using the same 300 MB+ sample from VT: 218efc289854e3ef9086e9c3db36cf627d2171ceaece2c26085250c6203b31cd. In the last post we took extra steps to triage, so we’ll skip straight to extraction in this instance.
If you’ve never used foremost before, it’s an awesome forensic utility that allows you to carve different files from blobs of data. Two of the file types it supports are Windows Executables and DLLs. The best thing about this tool is that it moves extremely fast, which you can see in the output below.
```
remnux@remnux:~/cases/heavyweight$ time pecheck -g s -D GoogleDrive.exe > lighter_GoogleDrive.exe

real	0m40.663s
user	0m39.736s
sys	0m0.878s
remnux@remnux:~/cases/heavyweight$ time foremost -t exe -o o1 -i GoogleDrive.exe
Processing: GoogleDrive.exe
|****|

real	0m0.804s
user	0m0.616s
sys	0m0.171s
```
With the appropriate parameters, foremost cut the 300 MB+ binary in less than a second, whereas pecheck took about 40 seconds. After verifying the file hashes, we even see that foremost achieved the same result as pecheck:
```
remnux@remnux:~/cases/heavyweight$ md5sum lighter_GoogleDrive.exe
5af35bc75c8c4697b34b5645bdbbd559  lighter_GoogleDrive.exe
remnux@remnux:~/cases/heavyweight$ md5sum o1/exe/00000000.exe
5af35bc75c8c4697b34b5645bdbbd559  o1/exe/00000000.exe
```
To top things off, foremost even works quickly on files containing multiple executables, such as this Ducktail sample I previously wrote about.
```
remnux@remnux:~/cases/ducktail$ ls -lh ducktail.exe
-rw-rw-r-- 1 remnux remnux 54M Aug  7 21:14 ducktail.exe
remnux@remnux:~/cases/ducktail$ time foremost -t exe -o o1 -i ducktail.exe
Processing: ducktail.exe
|*|

real	0m0.146s
user	0m0.082s
sys	0m0.061s
remnux@remnux:~/cases/ducktail$ tree o1/
o1/
├── audit.txt
├── dll
│   ├── 00001107.dll
│   ├── 00002547.dll
...
│   ├── 00107210.dll
│   ├── 00108104.dll
│   └── 00108293.dll
└── exe
    └── 00000000.exe

2 directories, 90 files
```
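As an added example (my own code, not from the post and not how foremost or pecheck are implemented), here is a minimal Python PE carver built on the idea that lets two different tools above arrive at a byte-identical file: a PE's on-disk image ends where its last section's raw data ends, so everything past that point is overlay padding that can be cut, and a blob holding several executables (as in the Ducktail case) yields one image per MZ/PE header. The sample blob comes from `build_minimal_pe`, a constructed PE-shaped byte string rather than a real binary.

```python
import hashlib
import struct


def pe_size_on_disk(blob: bytes, base: int):
    """Size of the PE at blob[base] (furthest byte any section's raw data reaches),
    or None if the headers do not parse. Stopping there drops the junk overlay."""
    if base + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, base + 0x3C)[0]
    pe = base + e_lfanew
    if pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    first_section = pe + 24 + opt_size
    end = e_lfanew + 24 + opt_size + num_sections * 40  # at least the headers
    for i in range(num_sections):
        hdr = first_section + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        if hdr + 40 > len(blob):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(blob) - base)  # clamp if the blob is truncated


def carve_pe_files(blob: bytes):
    """Return every PE image in blob as (md5 hex, bytes), scanning for MZ stubs."""
    carved = []
    pos = blob.find(b"MZ")
    while pos != -1:
        size = pe_size_on_disk(blob, pos)
        if size:
            image = blob[pos:pos + size]
            carved.append((hashlib.md5(image).hexdigest(), image))
            pos = blob.find(b"MZ", pos + size)
        else:
            pos = blob.find(b"MZ", pos + 1)
    return carved


def build_minimal_pe(section_bytes: bytes = b"\x90" * 0x200) -> bytes:
    """Constructed PE-shaped sample input (not a real binary): one section at offset 0x200."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    opt = b"\0" * 16  # optional header contents do not matter to the carver
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = b".text\0\0\0" + struct.pack("<IIII", len(section_bytes), 0x1000,
                                             len(section_bytes), 0x200) + b"\0" * 16
    return (dos + coff + opt + section).ljust(0x200, b"\0") + section_bytes
```

Feeding `build_minimal_pe()` wrapped in junk bytes to `carve_pe_files` returns exactly the 1024-byte image, which is the same trimming that made the two md5sums above match; keep in mind that any sample with a legitimate overlay (an appended installer payload or signature block) loses it under this approach, so compare hashes before and after as the post does.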
All in all, foremost is faster and probably my favorite method to carve EXEs/DLLs from data so far. Thanks for reading!