QuickSand.io

Office document malware analysis
+cryptanalysis attack on 256 byte XOR obfuscation (2^0-10 bytes)
+static extraction of embedded executables

[Hash Search] | [Recent Reports] | [Advanced Search]

QuickSand is a compact C framework to analyze suspected malware documents to 1) identify exploits in streams of different encodings, 2) locate and extract embedded executables. By having the ability to locate embedded obfuscated executables, QuickSand could detect documents that contain zero-day or unknown obfuscated exploits.

QuickSand can be run as a command line tool, be wrapped in a web/db interface, or integrated into other products. It can be used as an exploit detection engine, a sandbox pre-processor, or a forensic tool to extract document malware streams. Fingerprint exploit kit usage by exploit location and offset. Run Yara malware trojan signatures on exploit documents against dynamically decoded streams and unXORed executables.

Web API:

On GitHub now.

Free standalone command line version:

On GitHub - quicksand_lite project.

Detailed blog post.

Samples:

Zip stream within an OLE document [html] [json]:

$  ./quicksand.out malware/2fcd11f53f84f596248de10ae42ed1fe69c2fa68ad81d19b8ceb9cb2b67c9ca9.docx 
 -0> root {2}
  md5:2d3312c5f0abfbac74d2db681df1bf52
  sha256:2fcd11f53f84f596248de10ae42ed1fe69c2fa68ad81d19b8ceb9cb2b67c9ca9
  sha512:d60cb92fde6473f2261c54f4223996cf1b229e9b44939d3c922786cd21fcd2c2fad0640bbd0377f44453078ece4a3de6b44063298349b7cf68da57d523eeafe7
  size:50696
  root:score:20
  root:is_malware:2

-1> root:zip@49160/word/activeX/activeX1.xml {1}
   md5:697982b692868d0fd05910954e0e971a
   sha256:5923857ab213b3b29348babfea4bf9590c4a3b193395eb0897d3934d4d29b158
   sha512:009534446a2003f9ff62f7159117ccc8137e17a43d0ce4458fae1f6b01435c97a63fe9732107c63b5092d4205ae0ae9c284f7d274edafae5705e6702a6941af8
   parentsha256:2fcd11f53f84f596248de10ae42ed1fe69c2fa68ad81d19b8ceb9cb2b67c9ca9
   size:349
   root:zip@49160/word/activeX/activeX1.xml:yara:exploits:exploit_cve_2012_1856

-1> root:zip@49160/word/activeX/activeX39.xml {1}
   md5:aa410ab76f7122c2a17c5f8645d47d40
   sha256:6514a03cde437a6f747d0b698cb8f23fba70914d992e8d0bd1990dfb84d3dbc0
   sha512:7a17843d94157c20c11e99f420db51cf0659e5c4199a1f3eadb01efceab50263b4679ecfad6c83401d94ce9df6b0d0c26b5ed41c9320dbc6e40506b600d68ea4
   parentsha256:2fcd11f53f84f596248de10ae42ed1fe69c2fa68ad81d19b8ceb9cb2b67c9ca9
   size:349
   root:zip@49160/word/activeX/activeX39.xml:yara:exploits:exploit_cve_2015_1770

32 byte XOR encoded executable [html] [json]:

$ ./quicksand.out malware/32byte.virus
 -0> root {5}
  md5:7048add2873b08a9693a60135f978686
  sha256:6ea86b944c8b5a9b02adc7aac80e0f33217b28103b70153710c1f6da76e36081
  sha512:5a307987530dafaea66cc9e1d609b76f41b42befb7bb314b5cbb08f6da50d7e42d9e8e07c609ff50189ba43bf9464126fc41502d6c76c690bd2850df67e16800
  size:429440
  root:yara:exploits:exploit_MS12_060_tomato_garden
  root:yara:exploits:warning_vb_macro
  root:distribution:0000000000000001100000100000XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  root:score:21
  root:is_malware:2

-1> root:xor {3}
   md5:2d86cacbbfe9eb85e0bb60f262ef8fd0
   sha256:c48f3a8c56b8ccc6994f00b60ca33a5be61d34c2db7e5a63771addb2019b077e
   sha512:28676d85c402c3c9d28531c5a41217a03db1486cac41859719322125ffbb2bc08cbadc999791f23c18370b910c5f51f30d97127252994b3c028dc0e318e5de59
   parentsha256:6ea86b944c8b5a9b02adc7aac80e0f33217b28103b70153710c1f6da76e36081
   size:429440
   root:xor:yara:executable:executable_win
   root:xorlen:32
   root:xorkey:fafbfeffd7dff7ffbffebefffff5f7fdffafbfefff7ffd7dfbffebefdfff5f7f

root:xor dump 6ea86b944c8b5a9b02adc7aac80e0f33217b28103b70153710c1f6da76e36081_c48f3a8c56b8ccc6994f00b60ca33a5be61d34c2db7e5a63771addb2019b077e-1.qsdump of 400768 bytes

OpenXML docx file with a PostScript exploit and multiple embedded EXEs in hex streams [html] [json]:

$ ./quicksand.out malware/238ca1ab29f191b767837748fb655c8e_eps_2545.docx 
 -0> root {2}
  md5:238ca1ab29f191b767837748fb655c8e
  sha256:743ccc54a4ef9d9b836ea3643443d142428d8743edab076074c786e2e759e205
  sha512:0645407bc2d1d3ed81a7a11a423a599e392ed718fb8bdca1cc27f6bf3fef8c9fefb7780a5ca854d1aa971d8f8ab04d914490c1ddd4d01c2b1f90a7256341be8c
  size:130803
  root:score:40
  root:is_malware:2

-1> root/word/media/image1.eps {2}
   md5:dc13f4675017de8ae4e28761f012d11e
   sha256:ba28280e0c3e1bce2ccb326c33865160142c9c309e08eef08b5c8b075a35aca5
   sha512:071b830e83d58147f379816f34875b8522d3de8f27df4e6c4a4b3684c770132c3a48a0c4d94232ba2036dcd01b9df6c937e2b1762fbc8b3b20421cd62749806f
   parentsha256:743ccc54a4ef9d9b836ea3643443d142428d8743edab076074c786e2e759e205
   size:430395
   root/word/media/image1.eps:yara:exploits:exploit_cve_2015_2545
   root/word/media/image1.eps:yara:executable:executable_win

-2> root/word/media/image1.eps:hex@15713 {1}
    md5:81f2a2b49384127a3e3170924b265479
    sha256:cb031431393e6c18b61f0309a54abba0f4b7c08287f24cc1ef9da49854e9f664
    sha512:817c3764706061e0c0ece3ce5ab78f9fbefc9780a037784c4e79186635ddb619a8f7768fb00560e8c087a1ad5e1af8920d4222327b7086b4ffda3229f87a8b60
    parentsha256:ba28280e0c3e1bce2ccb326c33865160142c9c309e08eef08b5c8b075a35aca5
    size:104464
    root/word/media/image1.eps:hex@15713:yara:executable:executable_win

-2> root/word/media/image1.eps:hex@235198 {1}
    md5:edf9ec059b9d205fc2b2a595d7e0ca7c
    sha256:5cedf547db82b5e377f3729f27953c49b672877cbc561dc595c0842572055e8d
    sha512:e6a6a8ab10054b97dd48733b372713afd8f4221d873dd973f18072fceba32a147651eeedade83b7c53ba06056bf1ced5ccb5c0c6683f7dbda6666dab3604c633
    parentsha256:ba28280e0c3e1bce2ccb326c33865160142c9c309e08eef08b5c8b075a35aca5
    size:96272
    root/word/media/image1.eps:hex@235198:yara:executable:executable_win

root/word/media/image1.eps:hex@15713 dump 743ccc54a4ef9d9b836ea3643443d142428d8743edab076074c786e2e759e205_cb031431393e6c18b61f0309a54abba0f4b7c08287f24cc1ef9da49854e9f664-1.qsdump of 50176 bytes
root/word/media/image1.eps:hex@15713 dump 743ccc54a4ef9d9b836ea3643443d142428d8743edab076074c786e2e759e205_cb031431393e6c18b61f0309a54abba0f4b7c08287f24cc1ef9da49854e9f664-2.qsdump of 54280 bytes
root/word/media/image1.eps:hex@235198 dump 743ccc54a4ef9d9b836ea3643443d142428d8743edab076074c786e2e759e205_5cedf547db82b5e377f3729f27953c49b672877cbc561dc595c0842572055e8d-1.qsdump of 43520 bytes
root/word/media/image1.eps:hex@235198 dump 743ccc54a4ef9d9b836ea3643443d142428d8743edab076074c786e2e759e205_5cedf547db82b5e377f3729f27953c49b672877cbc561dc595c0842572055e8d-2.qsdump of 52744 bytes

Simple scoring:

is_malware=0: no known exploit, no obfuscated content, no embedded exe detected.
is_malware=1: no known exploit, dynamic content of undetermined threat, no embedded exe detected.
is_malware=2: exploit or embedded executable detected.
score=NN: detailed score based on Yara rule weighted scores.

Features:

Fast document deconstruction
Yara API integration: Executable | Exploits | Trojans
Run yara signatures against decoded streams and unxored executables
Cryptanalysis of obfuscated executables and extraction: xor | rol/ror
Non bruteforce instant cracking of long 256 byte XOR keys (2^0-10 bytes).
Optional brute force 1 byte xor attack.
Optional brute force math cipher attack.
Optional xor-lookahead algorithm (xorla).
Pre-sandbox processing of phishing samples to extract executables/implant installers
Integratabtle cross platform Ansi C

Sandbox pre-processing benefits:

Static extraction of embedded executables.
Less need for different versions of Office or PDF readers and patch levels in the sandbox environment.

Exploit detection and embedded executable detection:

OLE MS Office documents: doc, xls, ppt...
RTF
MIME MSO/html MS Office format
OpenXML Docx, pptx, ppsx, xlsx...

Embedded executable detection:

PDF
any other format such as Hangul Korean office documents

Stream decoding:

Zip
Hex
Mime MSO/Base 64
ExOleObjStgCompressedAtom GZInflate
ActiveMime GZUncompress

Static Library Dependencies:

Build from source:

./build.sh

Command line options:

Options:

-h or --help: this message
-j or --json: output json data
-b or --brute: brute force zero-not-replaced 1 byte xor
-l or --lookahead: try xor-lookahead algo
-m or --math: try math ciphers
-n or --not: try bitwise not
-e or --meanexec: [bytes] try chunking high entropy data
-s or --size: [len] try only xor keys of this size
-r or --raw: output proprietary text
-d or --drop: drop extracted executables
-o or --objects: drop all objects
-p or --out: [dir] directory to write dropped files
-y or --yara: skip yara scan for general / malware identification

Industry standard Yara rules for known exploit detection:

Example rule, rank variable is used to score a sample.

C API:

#include "libqs.c"
quicksandInit(); //initialize system
struct qs_file *qs_root = NULL;

quicksand_do(string, fsize, quicksand_build_message("root", NULL, &qs_root, QS_FILE_CHILD), &qs_root);  //process string of size fsize
char *buffer = malloc(24000);
quicksandGraph(buffer, 24000, 0, qs_root); // create report
printf("%s", buffer); //print report
quicksandDropFiles(qs_root, &qs_root);
quicksandReset(&qs_root); //cleanup between samples
quicksandDestroy(); //final cleanup

Subscriptions & maintenance:

QuickSand updates - emerging threats, streams processing and embedded executable detection.
Yara signatures - new CVE exploits

Contact:

Operated by Malware Tracker Limited.

QuickSand.io software by TyLabs.