Content & Malware Analysis


CAS 7z files

  • 1.  CAS 7z files

    Posted 09-14-2020 08:20 AM
    Hello everyone,

    Is it possible to detonate .7z files with a password (secret)?
    I'm using ghost_user_with_unpacker.py with Execution Arguments: 7z.exe e {sample} -psecret
    Do I need to modify the plug-in (create my own)?


    Thank you for your time


  • 2.  RE: CAS 7z files

    Broadcom Employee
    Posted 09-15-2020 03:50 PM
    Hello Jakub,

    The password protected file will fail scanning with the error "Password Protected File" and that is by design; our solution scans files, it does not decipher passwords!
    The sandboxing and AV scanning will do their best to look at the file signature and try to identify if the file is a threat based on the file MD5 and SHA, but as soon as it gets to the password, it will error out as expected.

    Here is how it works for archived files that are not password protected and what needs to be done: https://knowledge.broadcom.com/external/article/175150/onbox-sandboxing-of-archive-files-on-the.html

    For more info see the CAS Admin Guide.

    I hope this helps.

    Slava


  • 3.  RE: CAS 7z files

    Posted 09-15-2020 05:53 PM
    Hello Slava,

    My point is rather not to analyze the .7z archive with a password (we know the password) but to extract the file/files in the submitting process to the Windows profile.
    I know about Malware Scanning > Submit > Upload and Unpack for .zip files, but we have a case with .7z instead :(    (archive with a password which is the same for every package)
    I do not know if it is simply possible (by python script?) or whether we need to extract the file from the archive before submitting files to CAS.
    These are external source archives, so we don't want to unpack them in a corporate environment, but in a sandbox.

    Thanks for your time and best regards,
    Jakub



  • 4.  RE: CAS 7z files

    Broadcom Employee
    Posted 09-16-2020 11:07 AM
    Hi Jakub,

    The issue here appears to not be .7z, but password protection. As mentioned in the KB Slava provided, if you have a .7z file that is not password protected, it will work just fine with the 'ghost_user_with_unpacker.py' script. I have recently verified this in my lab.

    Hope this helps!





  • 5.  RE: CAS 7z files

    Posted 09-16-2020 11:30 AM
    Hi Jacob,

    Yes, I know it, I've used ghost_user_with_unpacker.py many times for various extensions (.rar, .zip, .7z); you miss the point.
    I'm using On-Box sandboxing with a customized Windows 10 profile.
    My point is not to analyze the archive file (.7z) with a password, but to upload .7z archives encrypted by a password, then open the archive and insert the password in an automatic way.
    This is an automated process: archive files are sent to CAS by API and all are .7z with a known password that is the same for all.
    In the view we see the open archive with a prompt for "insert password".

    Unfortunately there are .7z; I know the process for .zip "Malware Scanning > Submit > Upload and Unpack Zip".

    Thanks for your time and best regards,
    Jakub


  • 6.  RE: CAS 7z files

    Broadcom Employee
    Posted 09-17-2020 12:17 AM
    Hello Jakub, 

    If you are asking if the python script used by the sandboxing can be modified to the point that it would insert a given password when a given archive asks for it, then this is not an option at this time; no such options are shown in the admin guides nor when looking at the submission of files for sandboxing.

    The one option that comes to mind is to log in to the Windows 10 VM that you have for sandboxing and write a .bat, PowerShell or VBS script on that Windows that would execute itself when an archive is opened and a password is requested, and it would insert the given password in the password field automatically.

    I have seen it done, but unfortunately my scripting skills are not there so I can't help with that part, but I hope this gives you some ideas in the right direction.

    Slava


  • 7.  RE: CAS 7z files

    Broadcom Employee
    Posted 09-17-2020 02:39 PM
    Hi Jakub,

    Like Slava has mentioned, from the GUI, the functionality doesn't exist for password-protected .7z currently. Just .zip files.

    Aside from scripting, another avenue to pursue would be the API commands for the sandboxing. A good resource for this would be the Rest API for Malware Analysis Operations section (starts on page 9) of the API Guide for Content Analysis. I have been able to successfully detonate a password protected .7z file in this manner.

    The command(s) you use will depend on your environment. In my environment, I have the ghost_user_with_unpacker.py set as the default plugin. You will find in the guide that there are arguments to set this if it is not the default. I also already had a password protected sample uploaded to the sandbox from the GUI, which you can also upload via API if you want to make a script to automate it.

    With my environment, I used the following command to detonate the file in the password protected .7z:

    curl -X POST -d "sample_id=SampleIDNumber&env=ivm&tp_IVM.archive.password=password" https://casIP:port/rapi/tasks -H "X-API-TOKEN:your_api_token"

    Hope this helps!



  • 8.  RE: CAS 7z files

    Posted 09-17-2020 03:25 PM
    Hi Jacob and Slava,

    Thank you very much, this is what I'm looking for.
    I noticed this method password = tp.get('IVM.archive.password', None) in the plugin but I did not realize this would be helpful.

    Thanks again to you and Slava.
    Best Regards 
    Jakub
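The task-creation request Jacob shows in post 7 (POST to /rapi/tasks with sample_id, env=ivm and tp_IVM.archive.password, authenticated by the X-API-TOKEN header), which the plugin then reads as tp.get('IVM.archive.password', None) as Jakub notes in post 8, can be driven from a small Python script instead of a curl one-liner. The script below is an added example written for this thread, not Broadcom's code or any part of the CAS API guide. It assumes only the endpoint, form fields and header visible in the thread; the host, port, sample id, token and password are placeholders read from environment variables so they do not end up in shell history or a process listing. It also form-encodes the body, which plain `curl -d` does not do: a password containing `&`, `=` or `%` would otherwise be split into extra fields or mis-decoded (the curl equivalent is `--data-urlencode`).

```python
"""Create a CAS on-box sandboxing task for an already-uploaded sample, passing the
archive password as the task parameter the unpacker plugin reads.

Added example for the forum thread above; not Broadcom's code. Assumed (from the
thread): POST <base>/rapi/tasks, form fields sample_id, env and
tp_IVM.archive.password, header X-API-TOKEN. Everything else is a placeholder.
"""
import os
import urllib.parse
import urllib.request

PASSWORD_FIELD = "tp_IVM.archive.password"  # read by the plugin via tp.get('IVM.archive.password')


def build_task_request(base_url, api_token, sample_id, archive_password, env="ivm"):
    """Return (url, headers, body_bytes) for the task-creation POST.

    The body is built with urllib.parse.urlencode, so reserved characters in the
    password are percent-escaped rather than being interpreted as field separators.
    """
    if not api_token:
        raise ValueError("API token is required")
    if not archive_password:
        raise ValueError("archive password is empty; the plugin would get None and the unpack would fail")
    fields = {
        "sample_id": str(sample_id),
        "env": env,
        PASSWORD_FIELD: archive_password,
    }
    body = urllib.parse.urlencode(fields).encode("utf-8")
    headers = {
        "X-API-TOKEN": api_token,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    url = base_url.rstrip("/") + "/rapi/tasks"
    return url, headers, body


def redact(body_bytes):
    """Return the form body with the password value masked, safe to write to a log."""
    pairs = urllib.parse.parse_qsl(body_bytes.decode("utf-8"), keep_blank_values=True)
    masked = [(k, "REDACTED" if k == PASSWORD_FIELD else v) for k, v in pairs]
    return urllib.parse.urlencode(masked)


def submit_task(url, headers, body, opener=urllib.request.urlopen, timeout=30):
    """POST the task request and return the raw response body as bytes.

    `opener` is injectable so the call can be exercised without a live appliance.
    """
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Placeholders: set CAS_URL (e.g. https://casIP:port), CAS_API_TOKEN,
    # CAS_SAMPLE_ID and CAS_ARCHIVE_PASSWORD in the environment before running.
    url, headers, body = build_task_request(
        os.environ["CAS_URL"],
        os.environ["CAS_API_TOKEN"],
        os.environ["CAS_SAMPLE_ID"],
        os.environ["CAS_ARCHIVE_PASSWORD"],
    )
    print("POST", url, redact(body))  # log line never contains the password
    print(submit_task(url, headers, body).decode("utf-8", "replace"))
```

Uploading the sample itself is a separate API call whose endpoint is not shown in the thread, so the script expects the sample id of a file already uploaded (from the GUI or your own upload step). The `redact` helper exists because an automated pipeline that sends every package with the same password tends to log its requests; logging the masked body keeps the shared password out of the log store.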