McAfee quarantine files - Automating BUP file analysis.

Quarantine (.BUP) files, otherwise known as BackUp files, are created by various applications such as McAfee antivirus. McAfee will remediate and remove a suspected virus and will then store an encoded copy (.BUP file) of the suspected virus in a quarantine folder. The process to decode this quarantine file and analyse it is quite tedious, therefore I have developed a Python script to automate the process and perform some basic static malware analysis.


The reason for developing this python script was to hopefully optimise and automate my work flow. I wanted to speed things up and get familiar with some automated Malware Analysis using Python, so this was the perfect beginner level project. I am early on in my Malware Analysis journey so as I learn new skills I may update this script. This script is intended for myself to quickly unpack malware from the BUP file and perform some quick basic static analysis before I perform more in-depth analysis in a sandbox environment.

My original work flow:

  1. Extract the quarantine file (BUP) using 7Zip.

  2. Upload the resulting Details and File_0 files to CyberChef and perform an XOR with a 0x6A key on both files to decrypt them.

  3. Download the Details file and identify the original name of the malware file.

  4. Run strings against the FIle_0 file and analyse the output.

  5. Generate a SHA256 hash of the suspected malware file.

  6. Run the hash through VirusTotal or upload the suspected malware.

  7. If I need to download the file for further analysis from CyberChef, download it and rename the file as the original file name identified in the Details file.

Prerequisites:

You will need to have the following tools installed:

  • 7zip

  • xortool

  • ssdeep

  • strings

  • exiftool

I will update the script soon to not depend on installed tools and to use libraries instead. You will also need to initialise some variables for this script to work:

xortool_path = "PATH TO XORTOOL"
Apikey = "YOUR VIRUSTOTAL API KEY HERE"

UnBup the BUP file.

The below code snippet will take the path to the BUP file as input and will extract the xor'd malware sample (File_0) and the Details file using 7zip. Both of the extracted files will be xor'd with a 6a key to obtain the original quarantined file. The sample is then renamed to the name of the original file that was quarantined.


bup_file_path = input("File path to Bup file: ")

os.system("7z e " + bup_file_path + " >/dev/null 2>&1")

os.system("python3 " + xortool_path + "tool_xor.py -f Details -s 'j' > xor_Details")
os.system("python3 " + xortool_path + "tool_xor.py -f File_0 -s 'j' > xor_File_0")

os.system("rm Details")
os.system("rm File_0")

OrigonalFilePath = subprocess.check_output("cat xor_Details | grep -i OriginalName", shell=True);

Decoded_File_Path = OrigonalFilePath.decode('utf-8')

Stripped_File_Path= Decoded_File_Path.rstrip()

CleanedFilePath= Stripped_File_Path.lstrip('OriginalName=')

FileName = ntpath.basename(CleanedFilePath)

os.rename('xor_File_0',FileName)


Hashing the sample

A Sha256 hash is then generated on the original malware sample as the industry standard hashing algorithm for file and data integrity.

with open(FileName, "rb") as f:
	f_byte= f.read()
	result = hashlib.sha256(f_byte)
	print ("\n[+] SHA256 hash of " + FileName + " is: " +result.hexdigest())

Fuzzy hashing with Ssdeep

A an Ssdeep fuzzy hash is also generated which can be used to compare new files against existing malware for similarities.

Ssdeep_output = subprocess.check_output("ssdeep " + FileName, shell=True);
Decoded_ssdeep = Ssdeep_output.decode('utf-8')
Stripped_ssdeep= Decoded_ssdeep.rstrip()
print ("\n[+] The Ssdeep fuzzy hash is: " +str(Stripped_ssdeep))

Strings

Strings is run against the malware as a basic static malware analysis technique in order to extract text from a binary and to find any interesting commands or file paths etc.

strings_filename.txt
Strings_output = subprocess.check_output("strings " + FileName + " > strings_"+strings_file+".txt", shell=True);
print ("\n[+] Strings ouput has been saved to strings_" +strings_file+".txt" )

Exiftool

Exiftool is then run against the malware in order to dump its metadata to better help us understand what we are working with and to also observe any hidden commands embedded in the metadata.

Exif_output = subprocess.check_output("exiftool " + FileName + " > exif_"+strings_file+".txt", shell=True);
print ("\n[+] Exif ouput has been saved to exif_" +strings_file+".txt" )

VirusTotal API

The next step in this script is to submit this malware to virus total, there are multiple ways to do so but I opted to submit the sha256 hash to virustotal via their API. I received the HTTP response and converted it from a string to a dictionary to then be able to accurately chose which dictionary items I wanted to output to console such as the positive detections and the permalink to view the results in the browser..

Sha256 = result.hexdigest()
data = {"apikey":Apikey, "resource": Sha256}
response = requests.post('https://www.virustotal.com/vtapi/v2/file/report',data=data)
response.text
json_data = json.loads(response.text)
positive_scans = str(json_data["positives"])
print("\n[+] There were " + positive_scans + " malicious detections of this hash from Virus total")
full_details = json_data["permalink"]
print ("\n[+] View full detection results from Virus total at: " + full_details)

This is the first python script I have written that has actually automated my work flow and made it more efficient. I will be pushing the source code to GitHub shortly and will be committing updates to it as I learn more. I hope this helps you with your malware anlysis.

6 views

Recent Posts

See All