QuickSand.io - Tool For Scanning Streams Within Office Documents Plus Xor DB Attack

File Formats For Exploit and Active Content Detection
  • doc, docx, docm, rtf, etc
  • ppt, pptx, pps, ppsx, etc
  • xls, xlsx, etc
  • mime mso
  • eml email

File Formats For Executable Detection
  • All of the above, plus PDF.
  • Any document format such as HWP.

Lite Version - Mplv2 License
  • Key dictionary up to 256 byte XOR
  • Bitwise ROL, ROR, NOT
  • Addition or substraction math cipher
  • Executable extraction: Windows, Mac, Linux, VBA
  • Exploit search
  • RTF pre processing
  • Hex stream extract
  • Base 64 Stream extract
  • Embedded Zip extract
  • ExOleObjStgCompressedAtom extract
  • zLib Decode
  • Mime Mso xml Decoding
  • OpenXML decode (unzip)
  • Yara signatures included: Executables, active content, exploits CVE 2014 and earlier
Example results and more info blog post

Full Version - Commercial License
  • Key cryptanalysis 1-1024 bytes factors of 2; or a specified odd size 1-1024 bytes
  • 1 Byte zerospace not replaced brute force XOR search
  • XOR Look Ahead cipher
  • More Yara signatures included: All lite plus most recent exploits 2014-2016 for CVE identification
  • Try the full version online at QuickSand.io

Dependencies (not included)
  • Yara 3.4+
  • zlib 1.2.1+
  • libzip 1.1.1+

Distributed components under their own licensing
  • MD5 by RSA Data Security, Inc.
  • SHA1 by Paul E. Jones
  • SHA2 by Aaron D. Gifford
  • jWrite by TonyWilk for json output
  • tinydir by Cong Xu, Baudouin Feildel for directory processing

Quick Start
  • ./build.sh
  • ./quicksand.out -h
  • ./quicksand.out malware.doc


No comments

Note: Only a member of this blog may post a comment.

Powered by Blogger.