Search the Community
Showing results for tags 'msi'.
-
MSI Dump - a tool that analyzes malicious MSI installation packages, extracts files, streams, binary data and incorporates YARA scanner. On Macro-enabled Office documents we can quickly use oletools mraptor to determine whether document is malicious. If we want to dissect it further, we could bring in oletools olevba or oledump. To dissect malicious MSI files, so far we had only one, but reliable and trustworthy lessmsi. However, lessmsi doesn't implement features I was looking for: quick triage Binary data extraction YARA scanning Hence this is where msidump comes into play. Here we can see that input MSI is injected with suspicious VBScript and contains numerous executables in it. Now we want to take a closer look at this VBScript by extracting only that record. [Hidden Content]
- 1 reply
-
- 2
-
- incorporates
- and
- (and 15 more)
-
MSI Dump - a tool that analyzes malicious MSI installation packages, extracts files, streams, binary data and incorporates YARA scanner. Features This tool helps in quick triages as well as detailed examinations of malicious MSIs corpora. It lets us: Quickly determine whether file is suspicious or not. List all MSI tables as well as dump specific records Extract Binary data, all files from CABs, scripts from CustomActions scan all inner data and records with YARA rules Uses file/MIME type deduction to determine inner data type [hide][Hidden Content]]