Profiler 2.7

Profiler 2.7 is out with the following news:

+ added experimental support for Windows raw memory images
+ added support for EML files
+ added TOR-based URL download action
added JBIG2 decoder for PDFs
– improved PDF parsing against new malware samples
– improved search in hex view
– updated OpenSSL to 1.0.2
– updated Python to 3.6
– reduced dependencies on Linux
– fixed possible division by zero in PEObject::RvaToOffset
– fixed filter preview crash
– fixed Python multi-threading issue
– fixed PasteBin plugin
– fixed recognition of newer DEX files
– default to SHA-2/256 instead of SHA-1
– various bug fixes and improvements

With this version we also start to release the Advanced edition of Profiler. News entries marked by the ‘+’ sign are exclusive to the Advanced edition.

Experimental support for Windows raw memory images

Quite some time has passed since we published a post demonstrating some basic memory forensics capabilities in Profiler.

In this release of the Advanced edition we decided to publish that code, although barely functional. We didn’t want to additionally delay this long due release by working more on the memory forensic part. We will try to clean it up and make it more useful for the next release. 🙂

Enjoy!

URL Download Action (Tor)

In the upcoming version of Profiler Advanced we have introduced a new useful action, namely the URL Download action.

Many times in previous posts we have analyzed some malware which at the end of its shellcode ended up downloading a binary from the internet and executing it. We thought it would be nice to give our users the possibility to anonymously download content from the internet in order to continue the analysis.

One way to download anonymously from the internet using our new action is via Tor. On Windows it’s sufficient to install and run the Tor browser.

The action will automatically try to load a possible URL from the current context, be it hex view, text editor or clipboard.

The dialog of the action offers different configuration settings: headers, user agent, download method (direct, SOCKS4, SOCKS5) along with relative parameters, anonymity check and also what to do with the downloaded content (either download it to file or preview it in a hex view).

Since we’re using Tor, we can either use the SOCKS4 or 5 method. We specify our local address and the port onto which Tor is listening for connections, in this case 9150.

The anonymity check is performed against our own https secured server: it will fetch the real IP by connecting to our server and then try to connect again via the secure method.

When the anonymity verification option is selected, before downloading the payload, we are asked by a message box to confirm the success of the anonymization.

If we click on OK, Profiler will then fetch the actual payload.

If we chose to preview the content in a hex view and decide later that we want to save it on disk, we can do so by selecting all the bytes (Ctrl+A) and then copying them into a new file via the copy menu.

EML support

The upcoming 2.7 version of Profiler Advanced introduces support for the EML file format.

Support for EML files had until now only been present as experimental hook to extract attachments. We have now introduced full-fledged EML support and have removed the previous experimental code.

It’s possible to preview the email messages:

Inspect their file format:

And, as expected, inspect their attachments:

The image above shows JavaScript contained in a PDF inside a Zip archive attachment, while the image below shows ActionScript3 byte code of a SWF contained in a PDF inside a Zip archive attached to an email.

Enjoy!

Profiler Advanced

With the upcoming 2.7 version of Profiler, we will start releasing an Advanced edition alongside the Standard one. All our users who have bought a license until this point in time will automatically have their license work with the Advanced edition for free. This is our way to thank you for your trust!

Apart from support for Torrent files, all features which had been in the Standard edition until now will be kept there. The Advanced edition comes with new features and is especially designed for experts in the forensic and security field.

Each new version of Profiler will come with new features both in the Standard and Advanced edition. We will launch the Advanced edition with an early-adoption price.

JBIG2 Encoded Malware in PDFs

The upcoming version of Profiler 2.7 adds support for JBIG2 encoding inside PDFs. Although JBIG2 isn’t intended to encode data other than images, it can be used to do so. Quoting the PDF documentation:

The JBIG2Decode filter (PDF 1.4) decodes monochrome (1 bit per pixel) image data that has been encoded using JBIG2 encoding. JBIG stands for the Joint Bi-Level Image Experts Group, a group within the International Organization forStandardization (ISO) that developed the format. JBIG2 is the second version of a standard originally released as JBIG1.

JBIG2 encoding, which provides for both lossy and lossless compression, is useful only for monochrome images, not for color images, grayscale images, or general data. The algorithms used by the encoder, and the details of the format, are not described here. A working draft of the JBIG2 specification can be found through the Web site for the JBIG and JPEG (Joint Photographic Experts Group) committees at http://www.jpeg.org.

Here’s a PDF malware trying to conceal its XFA form by encoding it via JBIG2:

And the decoded content:

While this is in no way common in PDF malware, it’s an effective trick to prevent automatic and manual analysis, since JBIG2 is seldom supported by security tools.