QuickSand.io in depth

In addition to our Cryptam tool, we created QuickSand.io, a fast document forensics tool written in C that can conduct cryptanalysis attacks on some XOR ciphers. QuickSand is a CLI and a C library, and can be wrapped in a web interface.

QuickSand has a lot more user-customizable attack options for special cases while keeping the default analysis as fast as possible.

Exploits

Known exploits are scanned for using embedded Yara rules, and document streams are decoded – hex, base64, zip, gzip. We don’t handle PDF streams – you’ll still need PDFExaminer.com for that.

Finding embedded exes

XOR+Rol from 20-10 bytes are found instantly with the default cryptanalysis attack.

Optional attacks

XOR Lookahead – where the current byte is xored with the following byte.
Math ciphers – +1 to +255 (equivalent to -1 to -255).
Bitwise not
Brute force 1 byte xor – for when null space is not replaced.
Odd XOR lengths

Example of an odd XOR length:

This sample contains an exe obfuscated with a 21-byte XOR key:
./quicksand.out malware/112c64f7c07a959a1cbff6621850a4ad-2.virus -s 21 -e 50000
 -0> root {3}
  md5:112c64f7c07a959a1cbff6621850a4ad
  sha1:e7f7f6caaede6cc29c2e7e4888019f2d1be37cef
  sha256:9e5fbd79d8febe7a162cd5200041772db60dc83244605b1ff37ef8d14334f512
  sha512:45e7807bc0ed6b8ab6ecf458c34edebb8781ed928e0b0649d73cf0d981513113160afc3c1dee5cd290a0053357d155fe1b129d342fc2d1072bcb039e972cc61b
  size:367631
  yara:exploits:exploit_cve_2015_2424
  score:30
  is_malware:2

  -1> xor {3}
   md5:31e676fd243e031170be515987784883
   sha1:69b22e4bd485f4486cf0f16aa4f894acb530b6f8
   sha256:a78eb148cd918b0e3e31a42dcfa3eaade731d9c2a935120d2b05428df06f78a0
   sha512:dd8e5bb444269ab4a3bca4c9754d931c7d70c462b5523e98d4dd5124d8196ada9f3e2675bf077998332de04e625c4e3f61b8b63341d58e614aa8d2e52213e17f
   parentsha256:9e5fbd79d8febe7a162cd5200041772db60dc83244605b1ff37ef8d14334f512
   size:367631
   yara:executable:executable_win_pe
   xorlen:21
   corky:5cf193921cad62018eb1cf638f3f7eacecb041d240
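To illustrate both the optional attacks listed above and the 21-byte-key case in the run output, here is an added Python example. It is not QuickSand's own code (QuickSand is written in C) and does not describe its internals: the transforms (repeating-key XOR of any length, XOR lookahead, +1..+255 math ciphers, bitwise NOT), the MZ/PE-header known-plaintext check, and the null-byte frequency key recovery are my own formulation of the ideas in the text. Everything else is constructed for the example: the cover text PREAMBLE, the key KEY21, the fake executable from build_fake_pe(), and the function names. No real malware is involved.

```python
from collections import Counter
from itertools import cycle

MZ, PE_SIG = b"MZ", b"PE\x00\x00"   # known plaintext every Windows executable carries

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key of any length; odd lengths such as 21 work the same way."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def xor_lookahead_decode(data: bytes) -> bytes:
    """XOR lookahead: each byte is XORed with the byte that follows it; the last byte stays."""
    return bytes(data[i] ^ data[i + 1] for i in range(len(data) - 1)) + data[-1:]

def xor_lookahead_encode(plain: bytes) -> bytes:
    """Inverse of the decode above (running XOR from the end); used only to build samples."""
    out = bytearray(plain)
    for i in range(len(plain) - 2, -1, -1):
        out[i] = plain[i] ^ out[i + 1]
    return bytes(out)

def add_cipher(data: bytes, delta: int) -> bytes:
    """Math cipher: add delta mod 256; decoding with +k undoes -k, so +1..+255 covers -1..-255."""
    return bytes((b + delta) & 0xFF for b in data)

def bitwise_not(data: bytes) -> bytes:
    return bytes(b ^ 0xFF for b in data)

def looks_like_pe(data: bytes) -> bool:
    """'MZ' at offset 0 and 'PE\\0\\0' at the e_lfanew offset stored little-endian at 0x3C."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == PE_SIG

def find_pe(data: bytes) -> int:
    """Offset of the first valid-looking PE header in data, or -1."""
    off = data.find(MZ)
    while off != -1:
        if looks_like_pe(data[off:]):
            return off
        off = data.find(MZ, off + 1)
    return -1

def recover_key_by_nulls(blob: bytes, keylen: int) -> bytes:
    """Executables are dominated by 0x00, so per key position the most common ciphertext
    byte is 0x00 ^ key[i] = key[i]. This breaks once a packer replaces the null space."""
    return bytes(Counter(blob[i::keylen]).most_common(1)[0][0] for i in range(keylen))

def scan_xor_keylens(blob: bytes, max_keylen: int = 32):
    """Try key lengths 1..max_keylen; return (keylen, key, offset), key rotated to the exe's offset."""
    for keylen in range(1, max_keylen + 1):
        key = recover_key_by_nulls(blob, keylen)
        off = find_pe(xor_repeating(blob, key))
        if off != -1:
            r = off % keylen
            return keylen, key[r:] + key[:r], off
    return None

def scan_fixed_transforms(blob: bytes):
    """Header-validated brute force: bitwise NOT, XOR lookahead, all 256 one-byte XOR keys
    (checked against the PE header rather than byte frequencies), then +1..+255."""
    candidates = [("not", bitwise_not), ("xor-lookahead", xor_lookahead_decode)]
    candidates += [(f"xor1-{k:#04x}", lambda b, k=k: xor_repeating(b, bytes([k]))) for k in range(256)]
    candidates += [(f"add+{d}", lambda b, d=d: add_cipher(b, d)) for d in range(1, 256)]
    for name, fn in candidates:
        off = find_pe(fn(blob))
        if off != -1:
            return name, off
    return None

def build_fake_pe(size: int = 4096) -> bytes:
    """Constructed stand-in executable: MZ stub, DOS message, e_lfanew -> PE signature, rest zeros."""
    pe = bytearray(size)
    pe[0:2] = MZ
    pe[0x3C:0x40] = (0x80).to_bytes(4, "little")
    pe[0x4E:0x4E + 39] = b"This program cannot be run in DOS mode."
    pe[0x80:0x84] = PE_SIG
    return bytes(pe)

PREAMBLE = b"{\\rtf1 constructed cover text that precedes the embedded payload}"
KEY21 = bytes(range(0x11, 0x11 + 21))  # constructed 21-byte key, mirroring the run's xorlen:21

def sample_document(transform: str = "xor21") -> bytes:
    """Constructed document: cover text followed by the fake executable, obfuscated as chosen."""
    pe = build_fake_pe()
    payload = {"xor21": lambda: xor_repeating(pe, KEY21),
               "xor1": lambda: xor_repeating(pe, b"\x7a"),
               "add": lambda: add_cipher(pe, 256 - 5),  # encoded with -5, decoded with +5
               "not": lambda: bitwise_not(pe),
               "lookahead": lambda: xor_lookahead_encode(pe)}[transform]()
    return PREAMBLE + payload

if __name__ == "__main__":
    print(scan_xor_keylens(sample_document("xor21")))      # (21, KEY21, 65)
    print(scan_fixed_transforms(sample_document("xor1")))  # ('xor1-0x7a', 65)
```

The frequency attack recovers the key one position at a time, so its cost grows linearly with the key length and odd lengths cost nothing extra; the recovered key comes out rotated by the executable's offset within the document, which is why scan_xor_keylens() re-aligns it. The header check is what separates a real hit from the many single-byte keys that happen to turn some cover text into the letters "MZ".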

More to follow.
