QuickSand.io in depth

In addition to our Cryptam tool, we created QuickSand.io, a fast document forensics tool written in C that can conduct cryptanalysis attacks on some XOR ciphers. QuickSand is a CLI and a C library, and it can be wrapped in a web interface.

QuickSand has many more user-customizable attack options for special cases, while keeping the default analysis as fast as possible.


Known exploits are scanned for using embedded Yara, and document streams are decoded – hex, base64, zip, gzip. We don’t handle PDF streams – you’ll still need PDFExaminer.com for that.

Finding Embedded exe’s

XOR+Rol from 20-10 bytes are found instantly with the default cryptanalysis attack.

Optional attacks

XOR Lookahead – where the current byte is XORed with the following byte.
Math ciphers – +1 to +255 (equivalent to -1 to -255).
Bitwise not
Brute force 1 byte xor – for when null space is not replaced.
Odd XOR lengths

Example odd XOR length:

This sample contains an exe obfuscated with a 21 byte XOR key:
./quicksand.out malware/112c64f7c07a959a1cbff6621850a4ad-2.virus -s 21 -e 50000
 -0> root {3}

  -1> xor {3}
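The known-plaintext idea behind this kind of attack, as an added Python illustration that is not QuickSand's own code: slide the DOS-stub string every PE carries over the document bytes, derive a candidate repeating XOR key of each length up to 21 bytes (the key length of the sample above), reject it on the first inconsistent key slot, and confirm by decoding the MZ header and following its e_lfanew pointer to "PE\0\0". The sample document, the 21-byte key and all function names are constructed for this example.

```python
import random, struct

DOS_STUB = b"This program cannot be run in DOS mode"  # present in nearly every PE

def decode(blob, start, length, key, phase):
    # XOR-decode blob[start:start+length]; key[phase] is the byte applied to blob[start]
    return bytes(blob[start + j] ^ key[(phase + j) % len(key)] for j in range(length))

def derive_key(blob, pos, klen):
    """Assume DOS_STUB sits at blob[pos]; recover a klen-byte key from cipher ^ plaintext."""
    key = [None] * klen
    for i, p in enumerate(DOS_STUB):
        k, slot = blob[pos + i] ^ p, i % klen
        if key[slot] is None:
            key[slot] = k
        elif key[slot] != k:
            return None  # the same key slot seen with two values: not this key length
    return None if None in key else key

def locate_mz(blob, pos, key):
    """Walk back from the stub for a decoded 'MZ' whose e_lfanew points at 'PE\\0\\0'."""
    klen = len(key)
    for s in range(pos - 2, max(-1, pos - 0x200), -1):
        if s + 0x40 > len(blob) or decode(blob, s, 2, key, (s - pos) % klen) != b"MZ":
            continue
        pe = s + struct.unpack("<I", decode(blob, s + 0x3C, 4, key, (s + 0x3C - pos) % klen))[0]
        if pe + 4 <= len(blob) and decode(blob, pe, 4, key, (pe - pos) % klen) == b"PE\0\0":
            return s
    return None

def find_xor_pe(blob, max_key_len=21):
    """Slide DOS_STUB over blob; return [(exe_offset, key)] with key[0] aligned to exe_offset."""
    hits = []
    for pos in range(len(blob) - len(DOS_STUB) + 1):
        for klen in range(1, max_key_len + 1):
            key = derive_key(blob, pos, klen)
            s = locate_mz(blob, pos, key) if key else None
            if s is not None:  # shortest key explaining this stub wins; skips its multiples
                hits.append((s, bytes(key[(s + j - pos) % klen] for j in range(klen))))
                break
    return hits

def build_sample(key, exe_offset=1234):
    """Constructed input: a minimal PE-like header XORed with key, buried in random filler."""
    rng = random.Random(7)
    filler = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + DOS_STUB + b".\r\n$"
    hdr = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + stub).ljust(0x80, b"\0")
    hdr += b"PE\0\0" + filler(64)  # the header's long null runs leak the key verbatim
    return filler(exe_offset) + bytes(b ^ key[i % len(key)] for i, b in enumerate(hdr)) + filler(500)
```

The ROL, lookahead and additive variants listed above need only a different decode(); the stub search and the slot-consistency check carry over unchanged.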

More to follow.
