If you've ever had to work with the McAfee antivirus product, you know that when it detects something it quarantines that file, rendering it useless to the malware/attacker. If you need to extract that file (as a researcher) for further analysis, here's a simple way.
Download the punbup.py tool from herrcore.
Simple basics are...
1.) SHOW FILE INFO
punbup.py -d c:\Quarantined\abc.bup
[Details]
DetectionName=W97M/Downloader.q
DetectionType=1
EngineMajor=5700
EngineMinor=7163
DATMajor=7778
DATMinor=0
DATType=2
ProductID=12106
CreationYear=2015
CreationMonth=4
CreationDay=22
CreationHour=19
CreationMinute=14
CreationSecond=42
TimeZoneName=Central Daylight Time
TimeZoneOffset=300
NumberOfFiles=1
NumberOfValues=0
[File_0]
ObjectType=5
OriginalName=\\?\C:\Users\XXX\Downloads\2471f4a0febbfede40f5d700553eb28d97519ac49454bcc79f0fb7383559198b.bin
WasAdded=0
2.) SHOW MD5 HASH OF FILE
punbup.py -c md5 c:\Quarantined\abc.bup
md5 hash for File_0: beb25dc0d73e289432fc624610b103c9
3.) GET THE FILE BACK (be careful!!!)
punbup.py -f c:\Quarantined\abc.bup | clip
or
punbup.py -f c:\Quarantined\abc.bup > badfile.doc
Now it's time to dig in and research.
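For readers who want to see what the tool is doing under the hood, here is an added example (my own code, not herrcore's punbup.py) that walks the three steps above on a .bup container: a .bup is an OLE2 compound document with a "Details" stream (the INI text shown in step 1) and a "File_0" stream (the quarantined object), each obfuscated by XORing every byte with 0x6A. Reading a real container assumes the third-party olefile package; the parsing, hashing and timestamp helpers work on raw stream bytes and are exercised with constructed sample data taken from the output above. The interpretation of TimeZoneOffset as a Windows-style bias (minutes to add to local time to reach UTC) is an assumption.

```python
"""Added example: decode a McAfee .bup quarantine container.

Not herrcore's punbup.py. Assumes the documented .bup layout (OLE2 file,
streams "Details" and "File_0", every byte XORed with 0x6A) and the
optional 'olefile' package for reading a real container.
"""
import configparser
import hashlib
from datetime import datetime, timedelta, timezone

BUP_XOR_KEY = 0x6A


def xor_stream(data: bytes, key: int = BUP_XOR_KEY) -> bytes:
    """XOR every byte with the key; decoding and encoding are the same op."""
    return bytes(b ^ key for b in data)


def parse_details(details_text: str) -> dict:
    """Parse the [Details]/[File_N] INI text into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: DetectionName, not detectionname
    cp.read_string(details_text)
    return {section: dict(cp[section]) for section in cp.sections()}


def detection_time_utc(details: dict) -> datetime:
    """Combine the Creation* fields into a UTC timestamp.

    Assumption: TimeZoneOffset follows the Windows bias convention, i.e.
    minutes to ADD to local time to get UTC, so 300 means UTC-5 (CDT).
    """
    d = details["Details"]
    local = datetime(int(d["CreationYear"]), int(d["CreationMonth"]),
                     int(d["CreationDay"]), int(d["CreationHour"]),
                     int(d["CreationMinute"]), int(d["CreationSecond"]))
    utc = local + timedelta(minutes=int(d["TimeZoneOffset"]))
    return utc.replace(tzinfo=timezone.utc)


def file_md5(data: bytes) -> str:
    """Hash of the recovered object, as step 2 prints it."""
    return hashlib.md5(data).hexdigest()


def safe_output_name(data: bytes) -> str:
    """Name the recovered sample by hash with a neutral extension so a
    stray double-click does not hand it to Word or another handler."""
    return f"{file_md5(data)}.bin"


def extract_bup(path: str) -> tuple:
    """Read a real .bup (olefile assumed installed) -> (details, [bytes, ...])."""
    import olefile  # third-party; only needed for real containers
    ole = olefile.OleFileIO(path)
    try:
        raw = ole.openstream("Details").read()
        details = parse_details(xor_stream(raw).decode("utf-8", "replace"))
        count = int(details["Details"]["NumberOfFiles"])
        files = [xor_stream(ole.openstream(f"File_{i}").read())
                 for i in range(count)]
    finally:
        ole.close()
    return details, files


# Constructed sample streams, built from the Details block shown in the post
# and a made-up file body, then obfuscated exactly as a .bup would be.
SAMPLE_DETAILS = "\n".join([
    "[Details]", "DetectionName=W97M/Downloader.q", "DetectionType=1",
    "CreationYear=2015", "CreationMonth=4", "CreationDay=22",
    "CreationHour=19", "CreationMinute=14", "CreationSecond=42",
    "TimeZoneName=Central Daylight Time", "TimeZoneOffset=300",
    "NumberOfFiles=1", "NumberOfValues=0",
    "[File_0]", "ObjectType=5",
    r"OriginalName=\\?\C:\Users\XXX\Downloads\sample.bin", "WasAdded=0",
])
SAMPLE_FILE0 = b"The quick brown fox jumps over the lazy dog"  # constructed
ENCODED_DETAILS = xor_stream(SAMPLE_DETAILS.encode())
ENCODED_FILE0 = xor_stream(SAMPLE_FILE0)


def demo() -> dict:
    """Run steps 1-3 on the constructed streams and return what each shows."""
    details = parse_details(xor_stream(ENCODED_DETAILS).decode())
    payload = xor_stream(ENCODED_FILE0)
    return {
        "DetectionName": details["Details"]["DetectionName"],
        "OriginalName": details["File_0"]["OriginalName"],
        "detected_utc": detection_time_utc(details).isoformat(),
        "md5": file_md5(payload),
        "output_name": safe_output_name(payload),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real container call extract_bup(path) and write each returned file under safe_output_name() instead of a `.doc` name; the hash in the file name also gives you the same value step 2 prints, which is what you will want to search in threat intel sources before opening anything.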
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.