XXXSWF

This tool can be downloaded from https://github.com/viper-framework/xxxswf. It is a Python script that accepts the following parameters:

Usage: xxxswf.py [options] <file.bad>

Options:
-h, --help            show this help message and exit
-x, --extract         Extracts the embedded SWF(s), names it MD5HASH.swf & saves it in the working dir. No addition args needed
-y, --yara            Scans the SWF(s) with yara. If the SWF(s) is compressed it will be deflated. No addition args needed
-s, --md5scan         Scans the SWF(s) for MD5 signatures. Please see func checkMD5 to define hashes. No addition args needed
-H, --header          Displays the SWFs file header. No addition args needed
-d, --decompress      Deflates compressed SWFS(s)
-r PATH, --recdir=PATH
                      Will scan a directory for files that contain SWFs. Must provide path in quotes
-c, --compress        Compress SWF using Zlib
-z, --zcompress       Compress SWF using LZMA

We tried this tool on demo01.swf. Running it with the -H parameter showed that the file is compressed (an SWF header starts with FWS when uncompressed, CWS when zlib-compressed and ZWS when LZMA-compressed). We then decompressed it with the -d option, which wrote the decompressed version to 243781cd4047e8774c8125072de4edb1.swf, named after its MD5 hash as the usage text describes. Finally, we used the -H parameter on the decompressed file to inspect its header.

Aside from the yara and MD5 scanning features, what is most useful here is the tool's ability to search for embedded Flash files (-x to extract them, -r to scan a whole directory for carriers). This comes in handy for detecting SWF malware that carries another SWF embedded inside it.
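To make the header, decompress and carve steps concrete, here is a small Python reimplementation of what the -H, -d and -x/-r options do. It is an added example written for this page, not code from xxxswf or from the book; the sanity checks in parse_header, the memlimit value and the sample SWF built by build_swf (a constructed 550x400 px, 1-frame file, not demo01.swf) are my own choices. It handles all three signatures, including the ZWS layout that needs a rebuilt .lzma header, and carves SWFs out of an arbitrary carrier buffer, naming them MD5HASH.swf like the tool does.

```python
# Added example: minimal clone of xxxswf's -H / -d / -x behaviour (not the tool's own code).
# SWF header: 3-byte signature (FWS = none, CWS = zlib, ZWS = LZMA), 1-byte version,
# uint32 LE length of the *uncompressed* file including this 8-byte header.
import hashlib
import lzma
import struct
import zlib

SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_header(data):
    """Return (compression, version, declared_len) if data starts with a plausible SWF header."""
    if len(data) < 8 or data[:3] not in SIGNATURES:
        return None
    version = data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    # Cheap sanity checks (my own thresholds) so a random "FWS" byte run is not reported.
    if version == 0 or version > 64 or declared_len < 8:
        return None
    return SIGNATURES[data[:3]], version, declared_len


def decompress_swf(data):
    """Return the SWF in FWS (uncompressed) form, inflating CWS/ZWS payloads as needed."""
    hdr = parse_header(data)
    if hdr is None:
        raise ValueError("no SWF header at offset 0")
    comp, version, declared_len = hdr
    if comp == "none":
        body = data[8:declared_len]
    elif comp == "zlib":
        # decompressobj() stops at the end of the zlib stream and ignores trailing bytes,
        # which matters when the SWF is embedded in a larger carrier file.
        body = zlib.decompressobj().decompress(data[8:])
    else:
        # ZWS layout: 8-byte header, uint32 LE compressed size, 5-byte LZMA props, LZMA stream.
        if len(data) < 17:
            raise ValueError("truncated ZWS header")
        comp_len = struct.unpack_from("<I", data, 8)[0]
        props, payload = data[12:17], data[17:17 + comp_len]
        # Rebuild a .lzma ("alone") header with unknown size (8 x 0xFF) so the decoder reads
        # to the end-of-stream marker; memlimit stops crafted props from requesting a huge dict.
        body = lzma.decompress(props + b"\xff" * 8 + payload,
                               format=lzma.FORMAT_ALONE, memlimit=256 * 1024 * 1024)
    if len(body) + 8 != declared_len:
        # Mismatch means truncation, corruption or a deliberately wrong length field.
        raise ValueError("declared length %d, got %d" % (declared_len, len(body) + 8))
    return b"FWS" + bytes([version]) + struct.pack("<I", declared_len) + body


def frame_info(uncompressed):
    """Parse the RECT, frame rate and frame count that follow the header (what -H displays)."""
    body = uncompressed[8:]
    nbits = body[0] >> 3                            # RECT starts with a 5-bit field width
    total_bits = 5 + 4 * nbits
    nbytes = (total_bits + 7) // 8
    bits = int.from_bytes(body[:nbytes], "big") >> (nbytes * 8 - total_bits)
    bits &= (1 << (4 * nbits)) - 1                  # drop the 5-bit nbits prefix
    fields = []
    for i in range(4):                              # xmin, xmax, ymin, ymax: signed twips
        v = (bits >> ((3 - i) * nbits)) & ((1 << nbits) - 1)
        if nbits and v & (1 << (nbits - 1)):
            v -= 1 << nbits
        fields.append(v)
    xmin, xmax, ymin, ymax = fields
    rate, count = struct.unpack_from("<HH", body, nbytes)   # rate is 8.8 fixed point
    return {"width_px": (xmax - xmin) // 20, "height_px": (ymax - ymin) // 20,
            "frame_rate": rate / 256, "frame_count": count}


def swf_name(uncompressed):
    """File name in the tool's MD5HASH.swf convention."""
    return hashlib.md5(uncompressed).hexdigest() + ".swf"


def find_embedded_swfs(blob):
    """Carve every decodable SWF out of an arbitrary buffer; returns [(offset, uncompressed)]."""
    found = []
    for sig in SIGNATURES:
        off = blob.find(sig)
        while off >= 0:
            try:
                found.append((off, decompress_swf(blob[off:])))
            except (ValueError, zlib.error, lzma.LZMAError):
                pass                                # signature bytes that are not a real SWF
            off = blob.find(sig, off + 1)
    return sorted(found)


# --- constructed sample data (not from the book) -------------------------------------
def _rect(xmax, ymax, nbits=15):
    """Bit-pack a RECT (0, xmax, 0, ymax) the way the SWF format stores it."""
    bits = nbits
    for v in (0, xmax, 0, ymax):
        bits = (bits << nbits) | v
    total = 5 + 4 * nbits
    pad = (8 - total % 8) % 8
    return (bits << pad).to_bytes((total + pad) // 8, "big")


def build_swf(compression, version=10):
    """Tiny 550x400 px, 24 fps, 1-frame SWF (ShowFrame + End tags) with the given signature."""
    body = _rect(550 * 20, 400 * 20) + struct.pack("<HH", 24 * 256, 1) + b"\x40\x00\x00\x00"
    head = bytes([version]) + struct.pack("<I", 8 + len(body))
    if compression == "none":
        return b"FWS" + head + body
    if compression == "zlib":
        return b"CWS" + head + zlib.compress(body)
    alone = lzma.compress(body, format=lzma.FORMAT_ALONE)   # 5-byte props + 8-byte size + stream
    props, payload = alone[:5], alone[13:]
    return b"ZWS" + head + struct.pack("<I", len(payload)) + props + payload


if __name__ == "__main__":
    carrier = b"carrier" + build_swf("zlib") + b"\x00" * 16 + build_swf("lzma") + b"tail"
    for off, swf in find_embedded_swfs(carrier):
        print("SWF at offset %d -> %s %s" % (off, swf_name(swf), frame_info(swf)))
```

Two points worth keeping in mind when carving real samples: the length field is attacker-controlled, so treat a mismatch against the inflated size as a signal rather than an error to silence, and always bound LZMA memory, since the 5-byte props in a ZWS (or in a crafted false positive) dictate the dictionary size the decoder will try to allocate.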
