Next in the malware analysis tools which give you quick wins thread: Binary Refinery (https://github.com/binref/refinery), by the esteemed Mr. @rattle ! This is my #1 most used tool for doing initial triage of malware samples with!

Binary Refinery is a cross-platform collection of command-line tools for processing binary data. The tools can be chained together via pipes to form processing pipelines to extract, decode, transform, and display data. Here is a simple example, where we Base64-decode then Gzip-decompress some data:

You can think of it as like CyberChef for the command line; however, there are many features that make it extremely useful for malware triage specifically, and which put it (in my opinion) above CyberChef:

• There are many units which automagically carve out interesting embedded files in the input for you, similar to what binwalk can do. For example, the carve-pe unit extracts every block of bytes in the input that looks like a PE file; each individually carved PE file can then go through further processing in the pipeline, or be dumped to file.

• Similarly, there are units which can automatically carve out text which looks like indicators, or text which looks like encoded data. For example, you can extract all URLs from the input data with xtp url; you can extract everything that looks like it could be Base64-encoded from the input data with carve b64.

• It is possible to inspect the data in any part of the pipeline, by inserting the peek unit in a pipeline; by default, peek will give you a hexdump of the beginning of the data, and include some basic information about the size of the data, its entropy, and attempt to determine the filetype of the data.

• It provides very good utilities for working with PE files specifically. Ever encounter one of those 300MB PE files filled with null bytes in the PE overlay which artificially inflate the size? You can strip it with the pestrip unit, or take a look at it with the peoverlay unit. You can also view PE file metadata (including signatures) with pemeta, extract each individual section or segment with vsect, or extract PE resources with perc.

As an example, let's take the sample e9e3154e1f71df58e61ade53bb23726927b5c23e8027a452e98b1dbcfafb1ade (available on Malware Bazaar if you want to download and follow along). It's a ZIP file which contains a ~300MB ISO file. With the following 2 pipelines (shown in the attached screenshot), we can extract the contents of the ISO, strip the extra PE overlay bytes from the PE file, peek at both the original and stripped file, dump the stripped file to disk, and look at the PE metadata of the stripped file:

If you want to go further, it is possible to build powerful malware processing pipelines with Binary Refinery. For good examples, see the tutorials folder on the Binary Refinery repository, which includes a mind-blowing #FlareOn9 writeup: https://github.com/binref/refinery/tree/master/tutorials

#malware #malwareanalysis