Decrypt antivirus quarantine files with DeXRAY
Useful to access quarantined files of Symantec and McAfee
It can happen that you have to analyze suspicious files on a compromised machine, but if the antivirus has put them in quarantine (usually encrypted, in a dedicated directory), how do you recover them?
Simple, with DeXRAY by Hexacorn:
DeXRAY is a simple perl script that tries to discover encrypted executables and DLLs (or, more generically — Portable Executables a.k.a. PE) within a given data file e.g. it could be an encrypted PE that is embedded inside a malicious dropper (including non-PE files e.g. PDFs) or network traffic.
DeXRAY attempts to decrypt:
- Any binary file (using X-RAY)
- Symantec Quarantine files (VBN/QBD)
- McAfee Quarantine files (BUP)
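The "any binary file" mode is the X-RAY idea: for every possible single-byte XOR key, search the data for the encoded `MZ` magic, read `e_lfanew` through the same key, and confirm the encoded `PE\0\0` sits where it should. The script below is an added illustration of that carving approach, not DeXRAY's own code; it builds a constructed, PE-shaped blob, hides it XOR-encoded inside filler bytes (the key 0x6A is the single-byte key McAfee applies to BUP contents), and carves it back out. All names, the fake header layout and the filler text are constructed for the example.

```python
import struct

# Signatures X-RAY style carving looks for: the DOS stub magic and the NT header magic.
MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"

# Constructed filler around the hidden executable (stands in for a dropper or document).
PREFIX = b"%PDF-1.4 constructed dropper stub "
SUFFIX = b" trailing data of the constructed container"
# Key used to build the sample; 0x6A is the single-byte key McAfee uses for BUP contents.
SAMPLE_KEY = 0x6A


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (XOR is its own inverse, so this also decodes)."""
    return bytes(b ^ key for b in data)


def build_fake_pe() -> bytes:
    """Construct a minimal PE-shaped blob: DOS header, e_lfanew -> 'PE\\0\\0', dummy body."""
    dos = bytearray(0x40)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers right after the DOS header
    nt = PE_MAGIC + struct.pack("<H", 0x14C) + bytes(0x12)  # Machine = i386, rest zeroed
    return bytes(dos) + nt + b"constructed payload body"


def build_sample_blob() -> bytes:
    """Hide the fake PE, XOR-encoded with SAMPLE_KEY, between the two filler regions."""
    return PREFIX + xor_bytes(build_fake_pe(), SAMPLE_KEY) + SUFFIX


def carve_xor_pe(blob: bytes, keys=range(256), max_lfanew: int = 0x400) -> list:
    """
    Try every single-byte key: find the encoded 'MZ', decode e_lfanew with the same key,
    and accept the hit only if the encoded 'PE\\0\\0' is at offset + e_lfanew.
    Key 0 covers unencrypted executables. Returns a list of (key, offset) pairs.
    """
    hits = []
    for key in keys:
        mz_enc = xor_bytes(MZ_MAGIC, key)
        pe_enc = xor_bytes(PE_MAGIC, key)
        off = blob.find(mz_enc)
        while off != -1:
            if off + 0x40 <= len(blob):  # need a full DOS header to read e_lfanew
                e_lfanew = struct.unpack_from(
                    "<I", xor_bytes(blob[off + 0x3C:off + 0x40], key))[0]
                pe_off = off + e_lfanew
                if 0x40 <= e_lfanew <= max_lfanew and blob[pe_off:pe_off + 4] == pe_enc:
                    hits.append((key, off))
            off = blob.find(mz_enc, off + 1)
    return hits


def recover_region(blob: bytes, key: int, start: int, end=None) -> bytes:
    """Decode a carved region (to the end of the blob unless the length is known)."""
    return xor_bytes(blob[start:end], key)


if __name__ == "__main__":
    blob = build_sample_blob()
    for key, off in carve_xor_pe(blob):
        pe = recover_region(blob, key, off)
        print(f"key=0x{key:02x} offset={off} magic={pe[:2]!r} nt={pe[0x40:0x44]!r}")
```

The e_lfanew check is what keeps the brute force honest: a two-byte `MZ` match shows up by chance for some key in almost any input, but a matching `PE\0\0` at the offset the header itself points to is a strong signal. Note that this is only the generic carving path; the Symantec VBN and McAfee BUP handling in DeXRAY is format-aware (a BUP is an OLE compound file with its streams XORed, rather than a bare XORed executable), so a quarantine file should be given to the script itself rather than carved blindly.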
Usage:
perl DeXRAY.pl <filename or directory>
What is the output?
If it works, you will get files saved as <original filename.XXXXXXXX.YY.out>
More technical info and downloads: http://www.hexacorn.com/blog/2012/01/05/dexray-simple-xorcarver/