Friday, April 24, 2015

Viewing files McAfee has quarantined

If you've ever had to work with the McAfee Antivirus product, you know that when it detects something it quarantines that file: the original is moved into an encoded .bup container, so it can no longer be opened or executed in place by the malware or the attacker. If you need to get that file back (as a researcher) for further analysis, here's a simple way.

Download the punbup.py tool from herrcore.

The basics are...
1.) SHOW FILE INFO
punbup.py -d c:\Quarantined\abc.bup

[Details]
DetectionName=W97M/Downloader.q
DetectionType=1
EngineMajor=5700
EngineMinor=7163
DATMajor=7778
DATMinor=0
DATType=2
ProductID=12106
CreationYear=2015
CreationMonth=4
CreationDay=22
CreationHour=19
CreationMinute=14
CreationSecond=42
TimeZoneName=Central Daylight Time
TimeZoneOffset=300
NumberOfFiles=1
NumberOfValues=0

[File_0]
ObjectType=5
OriginalName=\\?\C:\Users\XXX\Downloads\2471f4a0febbfede40f5d700553eb28d97519ac49454bcc79f0fb7383559198b.bin
WasAdded=0


2.) SHOW MD5 HASH OF FILE
punbup.py -c md5 c:\Quarantined\abc.bup
md5 hash for File_0: beb25dc0d73e289432fc624610b103c9


3.) GET THE FILE BACK (be careful!!!)
punbup.py -f c:\Quarantined\abc.bup | clip

or

punbup.py -f c:\Quarantined\abc.bup > badfile.doc

The -f option writes the decoded original to stdout. The clipboard route is only useful for a text payload such as a script; for anything binary (documents, executables) redirect to a file instead, since clip.exe treats its input as text. What comes out is the live detected sample, so extract it only on an isolated analysis system, and consider a neutral extension such as badfile.bin so a stray double-click does not launch Word.
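
If you want to do the same three steps without the tool, or script them across a whole quarantine folder, the following Python is an added example (not code from the original post or from herrcore's punbup). It goes a little beyond the post: it also rebuilds the quarantine timestamp as UTC and computes sha1/sha256 alongside md5. It assumes, since the post does not say so, that a .bup is an OLE2 compound document whose streams ("Details", "File_0", "File_1", ...) are each obfuscated with a single-byte XOR of 0x6A, and it reads the container with the third-party olefile module (pip install olefile), imported lazily so the parsing helpers run without it. The sample Details text at the bottom is constructed from the values shown above, not read from a real file.

```python
"""Read a McAfee .bup quarantine file: decode streams, parse Details,
hash and recover the quarantined object.

Added example, not code from the original post or from herrcore's punbup.
Assumptions (not stated on the page): a .bup is an OLE2 compound
document whose streams ("Details", "File_0", "File_1", ...) are each
obfuscated with a single-byte XOR of 0x6A; reading the container uses
the third-party `olefile` module (pip install olefile), imported lazily
so the parsing helpers below run without it.
"""
import hashlib
import re
from datetime import datetime, timedelta, timezone

BUP_XOR_KEY = 0x6A


def decode_stream(data: bytes) -> bytes:
    """Undo the single-byte XOR applied to every stream (self-inverse)."""
    return bytes(b ^ BUP_XOR_KEY for b in data)


def parse_details(text: str) -> dict:
    """Parse the INI-style Details stream into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def creation_time_utc(details: dict) -> datetime:
    """Rebuild the quarantine timestamp as UTC.

    Details stores local wall-clock fields plus TimeZoneOffset in minutes
    west of UTC (300 -> UTC-5), so local + offset = UTC.
    """
    d = details["Details"]
    local = datetime(*(int(d["Creation" + f]) for f in
                       ("Year", "Month", "Day", "Hour", "Minute", "Second")))
    utc = local + timedelta(minutes=int(d["TimeZoneOffset"]))
    return utc.replace(tzinfo=timezone.utc)


def file_digests(payload: bytes) -> dict:
    """md5/sha1/sha256 of a decoded File_N payload for threat-intel lookups."""
    return {alg: hashlib.new(alg, payload).hexdigest()
            for alg in ("md5", "sha1", "sha256")}


def read_bup(path: str) -> dict:
    """Open a real .bup and return parsed Details plus each File_N's bytes."""
    import olefile  # assumed third-party dependency, see module docstring
    ole = olefile.OleFileIO(path)
    try:
        raw = ole.openstream("Details").read()
        details = parse_details(decode_stream(raw).decode("latin-1"))
        files = {}
        for parts in ole.listdir():  # each entry is a list of path parts
            name = "/".join(parts)
            if name.startswith("File_"):
                files[name] = decode_stream(ole.openstream(name).read())
        return {"details": details, "files": files}
    finally:
        ole.close()


# Constructed sample: the Details text from the post, XOR-encoded the way it
# would sit inside the container, so the decoder can be exercised offline.
SAMPLE_DETAILS_XORED = decode_stream(
    "[Details]\r\nDetectionName=W97M/Downloader.q\r\nDetectionType=1\r\n"
    "CreationYear=2015\r\nCreationMonth=4\r\nCreationDay=22\r\n"
    "CreationHour=19\r\nCreationMinute=14\r\nCreationSecond=42\r\n"
    "TimeZoneName=Central Daylight Time\r\nTimeZoneOffset=300\r\n"
    "NumberOfFiles=1\r\n\r\n[File_0]\r\nObjectType=5\r\n"
    "OriginalName=\\\\?\\C:\\Users\\XXX\\Downloads\\sample.bin\r\nWasAdded=0\r\n"
    .encode("latin-1"))

if __name__ == "__main__":
    import sys
    bup = read_bup(sys.argv[1])
    print("detection:", bup["details"]["Details"].get("DetectionName"))
    print("quarantined (UTC):", creation_time_utc(bup["details"]).isoformat())
    for name, payload in bup["files"].items():
        print(name, bup["details"][name].get("OriginalName"),
              file_digests(payload)["sha256"])
        # neutral extension so a stray double-click does not launch the
        # application the sample targets
        with open(name + ".bin", "wb") as out:
            out.write(payload)
```

Run it as python readbup.py c:\Quarantined\abc.bup on an isolated analysis box; it prints the detection name, the quarantine time in UTC and a sha256 per quarantined object, and drops each object next to the script as File_0.bin and so on. The decoded bytes never go through a text-mode channel, which is the usual way binary samples get corrupted on Windows.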


Now it's time to dig in and research.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
