Hi Jakub,
As Slava mentioned, the functionality doesn't currently exist in the GUI for password-protected .7z files, just .zip files.
Aside from scripting, another avenue to pursue would be the API commands for the sandboxing. A good resource for this would be the REST API for Malware Analysis Operations section (starts on page 9) of the API Guide for Content Analysis. I have been able to successfully detonate a password-protected .7z file in this manner.
The command(s) you use will depend on your environment. In my environment, I have ghost_user_with_unpacker.py set as the default plugin. You will find in the guide that there are arguments to set this if it is not the default. I also already had a password-protected sample uploaded to the sandbox from the GUI, which you can also upload via the API if you want to make a script to automate it.
With my environment, I used the following command to detonate the file in the password protected .7z:
curl -X POST -d "sample_id=SampleIDNumber&env=ivm&tp_IVM.archive.password=password" https://casIP:port/rapi/tasks -H "X-API-TOKEN: your_api_token"
Hope this helps!
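The reply above shows the task-creation call with curl; the following is an added example (not code from the original thread, and not Broadcom's or Symantec's own client) that automates the same workflow end to end: verify the file is really a 7z archive, upload it, create a sandbox task passing the archive password as tp_IVM.archive.password, and poll the task. Only POST /rapi/tasks, its sample_id/env/tp_IVM.archive.password fields and the X-API-TOKEN header come from the thread. The upload path /rapi/samples/basic and its multipart field name "file", the polling path /rapi/tasks/<task_id>, and the JSON keys "sample_id", "task_id" and "status" are assumptions that should be checked against the REST API for Malware Analysis Operations section of the API guide. Two practical points the bare curl line glosses over: the form body is URL-encoded, because `curl -d` sends the password verbatim and a password containing `&`, `=` or `+` silently corrupts the request, and the token and password are read from the environment so they do not end up in shell history or `ps` output.

```python
"""Added example client for submitting password-protected .7z samples to CAS.
Not from the original thread. Endpoints other than POST /rapi/tasks are ASSUMED.
"""
import hashlib
import json
import os
import sys
import time
import urllib.parse
import urllib.request
import uuid

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # first six bytes of every .7z archive


def is_7z(data: bytes) -> bool:
    """Sanity check so a mislabelled file is not submitted with a 7z archive password."""
    return data[:6] == SEVEN_ZIP_MAGIC


def build_task_request(base_url, api_token, sample_id, archive_password, env="ivm"):
    """Return (url, body, headers) for POST /rapi/tasks, the call shown in the thread.

    urlencode() is the point: curl -d sends the password verbatim, so a password
    containing '&', '=' or '+' would silently corrupt the form body.
    """
    form = {
        "sample_id": str(sample_id),
        "env": env,
        "tp_IVM.archive.password": archive_password,
    }
    body = urllib.parse.urlencode(form).encode("utf-8")
    headers = {
        "X-API-TOKEN": api_token,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return f"{base_url.rstrip('/')}/rapi/tasks", body, headers


def build_upload_request(base_url, api_token, filename, data):
    """Return (url, body, headers) for a multipart upload.
    ASSUMPTION: path /rapi/samples/basic and form field name "file".
    """
    boundary = "----cas" + uuid.uuid4().hex
    safe_name = os.path.basename(filename).replace('"', "")
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{safe_name}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode("utf-8") + data + f"\r\n--{boundary}--\r\n".encode("utf-8")
    headers = {
        "X-API-TOKEN": api_token,
        "Content-Type": f"multipart/form-data; boundary={boundary}",
    }
    return f"{base_url.rstrip('/')}/rapi/samples/basic", body, headers


def _request_json(url, headers, body=None, method="GET", ssl_context=None):
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=60, context=ssl_context) as resp:
        return json.load(resp)


def detonate_7z(base_url, api_token, path, archive_password, env="ivm",
                poll_seconds=30, max_polls=40, ssl_context=None):
    """Upload one .7z, create a task carrying its password, poll until done.
    Returns (sha256, final task JSON). Response keys are ASSUMED.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    if not is_7z(data):
        raise ValueError(f"{path}: not a 7z archive (magic mismatch)")
    sha256 = hashlib.sha256(data).hexdigest()

    url, body, headers = build_upload_request(base_url, api_token, path, data)
    sample_id = _request_json(url, headers, body, "POST", ssl_context)["sample_id"]

    url, body, headers = build_task_request(base_url, api_token, sample_id, archive_password, env)
    task_id = _request_json(url, headers, body, "POST", ssl_context)["task_id"]

    status_url = f"{base_url.rstrip('/')}/rapi/tasks/{task_id}"  # ASSUMED polling path
    for _ in range(max_polls):
        task = _request_json(status_url, {"X-API-TOKEN": api_token}, ssl_context=ssl_context)
        if str(task.get("status", "")).lower() in ("completed", "failed", "error"):
            return sha256, task
        time.sleep(poll_seconds)
    raise TimeoutError(f"task {task_id} did not finish after {max_polls} polls")


if __name__ == "__main__":
    # usage: CAS_API_TOKEN=... CAS_ARCHIVE_PASSWORD=... python cas_7z.py https://casIP:port sample.7z
    base, sample_path = sys.argv[1], sys.argv[2]
    token = os.environ["CAS_API_TOKEN"]                  # never passed on the command line
    password = os.environ.get("CAS_ARCHIVE_PASSWORD", "secret")
    digest, result = detonate_7z(base, token, sample_path, password)
    print(digest, json.dumps(result, indent=2))
```

urlopen verifies the appliance's TLS certificate by default; if CAS uses a self-signed certificate, pass an ssl.SSLContext that trusts it rather than disabling verification, since the request carries the API token. The magic-byte check is only there to catch a wrong file before it is submitted; it says nothing about whether the archive is actually encrypted.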
Original Message:
Sent: 09-17-2020 12:16 AM
From: Slava Vasilasco
Subject: CAS 7z files
Hello Jakub,
If you are asking whether the Python script used by the sandboxing can be modified to the point that it would insert a given password when a given archive asks for it, then this is not an option at this time; no such option is shown in the admin guides, nor when looking at the submission of files for sandboxing.
The one option that comes to mind is to log in to the Windows 10 VM that you have for sandboxing and write a .bat, PowerShell or VBS script on that Windows that would execute itself when an archive is opened and a password is requested, and would insert the given password in the password field automatically.
I have seen it done, but unfortunately my scripting skills are not there, so I can't help with that part, but I hope this gives you some ideas in the right direction.
Slava
Original Message:
Sent: 09-16-2020 11:29 AM
From: Jakub B
Subject: CAS 7z files
Hi Jacob
Yes, I know it; I've used ghost_user_with_unpacker.py many times for various extensions (.rar, .zip, .7z). You are missing the point.
I'm using on-box sandboxing with a customized Windows 10 profile.
My point is not to analyze a password-protected archive file (.7z), but to upload .7z archives encrypted with a password, then open the archive and insert the password automatically.
This is an automated process: the archive files are sent to CAS by API, and all are .7z with a known password that is the same for all of them.
In the view we see the opened archive with a prompt to "insert password".
Unfortunately these are .7z; I know the process for .zip: "Malware Scanning > Submit > Upload and Unpack Zip".
Thanks for your time and best regards
Jakub
Original Message:
Sent: 09-16-2020 11:07 AM
From: Jacob M
Subject: CAS 7z files
Hi Jakub,
The issue here appears to be not .7z, but password protection. As mentioned in the KB Slava provided, if you have a .7z file that is not password-protected, it will work just fine with the 'ghost_user_with_unpacker.py' script. I have recently verified this in my lab.
Hope this helps!
Original Message:
Sent: 09-15-2020 05:52 PM
From: Jakub B
Subject: CAS 7z files
Hello Slava
My point is rather not to analyze the .7z archive with a password (we know the password), but to extract the file(s) during the submission process to the Windows profile.
I know about Malware Scanning > Submit > Upload and Unpack for .zip files, but we have a case with .7z instead :( (an archive with a password which is the same for every package). I do not know if it is simply possible (by Python script?) or whether we need to extract the files from the archive before submitting them to CAS?
These are archives from external sources, so we don't want to unpack them in the corporate environment, but in a sandbox.
Thanks for your time and best regards
Jakub
Original Message:
Sent: 09-15-2020 03:49 PM
From: Slava Vasilasco
Subject: CAS 7z files
Hello Jakub,
The password-protected file will fail scanning with the error "Password Protected File", and that is by design; our solution scans files, it does not decipher passwords!
The sandboxing and AV scanning will do their best to look at the file signature and try to identify whether the file is a threat based on the file's MD5 and SHA, but as soon as it gets to the password, it will error out as expected.
Here is how it works for archived files that are not password protected and what needs to be done: https://knowledge.broadcom.com/external/article/175150/onbox-sandboxing-of-archive-files-on-the.html
For more info see the CAS Admin Guide.
I hope this helps.
Slava
Original Message:
Sent: 09-14-2020 08:20 AM
From: Jakub B
Subject: CAS 7z files
Hello everyone
Is it possible to detonate .7z files with a password (secret)?
I'm using ghost_user_with_unpacker.py with Execution Arguments: 7z.exe e {sample} -psecret
Do I need to modify the plug-in (create my own)?
Thank you for your time