Unbup-dissecting-mcafee-quarantined-files

From aldeid

Description

Unbup is a toolkit for dissecting a McAfee quarantined file (BUP). It is composed of the following three files:

UnBup.pl
McAfee UnBup tool written in Perl; it runs faster than the Bash script that is also included
UnBup.sh
McAfee UnBup tool written as a Bash script because it was quick to prototype (it runs slower than the Perl equivalent)
xor.pl
Simple bitwise XOR script written in Perl

Installation

Prerequisites

$ sudo apt-get install p7zip-full

Installation of unbup

$ cd /data/tools/
$ git clone https://github.com/OpenSecurityResearch/unbup.git
$ cd unbup/

Usage

Syntax

Usage: ./UnBup.sh [option] <file.bup>

Options

-d
details file only (no executable)
-h
help menu
-s
safe executable (extension is .ex)

Example

Let's extract a BUP file:

$ ./UnBup.sh 7dd9a0333b32c0.bup
Extracting encoded files from Bup
Creating the Details.txt file
Extracting the binary

The following files are created:

  • 800000CB.@: the quarantined malware
  • Details.txt: the details file created by unbup

Here is what my Details.txt file looks like:

$ cat Details.txt

[Details]
DetectionName=TDSS.d
DetectionType=1
EngineMajor=5600
EngineMinor=1067
DATMajor=7192
DATMinor=0
DATType=2
ProductID=12106
CreationYear=2013
CreationMonth=9
CreationDay=10
CreationHour=0
CreationMinute=51
CreationSecond=59
TimeZoneName=Romance Daylight Time
TimeZoneOffset=-120
NumberOfFiles=1
NumberOfValues=5

[Value_0]
KeyRoot=HKLM
KeyName=Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName=HIDEFILEEXT
KeyIs64Bit=0
WasAdded=0
ValueType=4
ValueData=0

[Value_1]
KeyRoot=HKLM
KeyName=Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName=SUPERHIDDEN
KeyIs64Bit=0
WasAdded=0
ValueType=4
ValueData=1

[Value_2]
KeyRoot=HKLM
KeyName=Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName=SHOWSUPERHIDDEN
KeyIs64Bit=0
WasAdded=0
ValueType=4
ValueData=1

[Value_3]
KeyRoot=HKLM
KeyName=Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName=HIDDEN
KeyIs64Bit=0
WasAdded=0
ValueType=4
ValueData=1

[Value_4]
KeyRoot=HKLM
KeyName=Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ValueName=NOFOLDEROPTIONS
KeyIs64Bit=0
WasAdded=0
ValueType=4
ValueData=0

[File_0]
ObjectType=5
OriginalName=C:\PROGRAM FILES\GOOGLE\DESKTOP\INSTALL\{6D07572D-6BCD-0CDF-F507-A0F64F465B69}\   \   \‮ﯹ๛\{6D07572D-6BCD-0CDF-F507-A0F64F465B69}\U\800000CB.@
WasAdded=0

[File_1]
ObjectType=5
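
As an added example (not part of unbup or of this page), the following Python script does the two things the toolkit does once 7z has pulled the streams out of the .bup container: it undoes the single-byte XOR that xor.pl reverses and parses the resulting Details.txt into a triage summary of the detection, the registry values it touched, and the original path of the quarantined file. The key value 0x6A is an assumption (the page does not state it), and the sample Details text is constructed from the output above.

```python
import configparser
import re

XOR_KEY = 0x6A  # single-byte key applied to every BUP stream (assumed here; the page does not state it)
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """What xor.pl does: undo the byte-wise XOR on a stream 7z pulled out of the .bup container."""
    return bytes(b ^ key for b in data)

def parse_details(text: str) -> dict:
    """Turn the INI-style Details.txt into a triage summary: detection, time, registry changes, files."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as McAfee writes it (DetectionName, not detectionname)
    cp.read_string(text)
    d = cp["Details"]
    when = "{}-{:0>2}-{:0>2} {:0>2}:{:0>2}:{:0>2} {}".format(
        d["CreationYear"], d["CreationMonth"], d["CreationDay"],
        d["CreationHour"], d["CreationMinute"], d["CreationSecond"], d["TimeZoneName"])
    summary = {"detection": d["DetectionName"], "quarantined_at": when, "registry": [], "files": []}
    for sec in cp.sections():
        if re.fullmatch(r"Value_\d+", sec):  # registry values the detection touched
            v = cp[sec]
            summary["registry"].append({
                "key": v["KeyRoot"] + "\\" + v["KeyName"], "name": v["ValueName"],
                "type": REG_TYPES.get(int(v["ValueType"]), v["ValueType"]), "data": v["ValueData"],
                "was_added": v["WasAdded"] == "1"})  # 0: an existing value was modified, not created
        elif re.fullmatch(r"File_\d+", sec):  # quarantined objects (File_0 is the 800000CB.@ binary)
            f = cp[sec]
            summary["files"].append({"original_name": f.get("OriginalName", "<not recorded>"),
                                     "object_type": int(f["ObjectType"])})
    return summary

def parse_details_stream(raw: bytes) -> dict:
    """XOR-decode a raw Details stream straight out of 7z, then parse it."""
    return parse_details(xor_decode(raw).decode("utf-8", errors="replace"))

# Constructed sample, trimmed from the Details.txt shown above (one of its five registry values).
SAMPLE_DETAILS = "\n".join([
    "[Details]", "DetectionName=TDSS.d", "CreationYear=2013", "CreationMonth=9", "CreationDay=10",
    "CreationHour=0", "CreationMinute=51", "CreationSecond=59", "TimeZoneName=Romance Daylight Time",
    "NumberOfFiles=1", "NumberOfValues=1", "",
    "[Value_0]", "KeyRoot=HKLM", r"KeyName=Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
    "ValueName=SUPERHIDDEN", "KeyIs64Bit=0", "WasAdded=0", "ValueType=4", "ValueData=1", "",
    "[File_0]", "ObjectType=5", r"OriginalName=C:\PROGRAM FILES\GOOGLE\DESKTOP\INSTALL\U\800000CB.@", "WasAdded=0",
])
```

Run `parse_details(SAMPLE_DETAILS)` to see the summary, or feed `parse_details_stream()` the raw Details stream from `7z x file.bup` before xor.pl has touched it.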
