pandora-analysis / pandora

Pandora is an analysis framework to discover if a file is suspicious and conveniently show the results
https://pandora.circl.lu/
GNU Affero General Public License v3.0

[Worker] Add a new worker for VHD file (used by Qbot) #145

Open FafnerKeyZee opened 1 year ago

FafnerKeyZee commented 1 year ago

Hey,

Qbot is now spreading via vhd instead of iso files :(

BR c861030b12c23dfaea29a8b27cb2ec3f88cd0a1a831dc083a4fe5dcd09f0bcba.vhd.zip

Rafiot commented 1 year ago

This library should (might?) be able to help: https://github.com/libyal/libvhdi/

But it is hardly documented, so using it will require quite a lot of poking around. Another issue at this stage is that the mimetype isn't recognized by magic at all, so we will need to have a special type of worker that is triggered by the extension.

But the good news is that, as it is not a recognizable mime type, it is considered malicious by default on Pandora.
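As an added example (not code from this thread, Pandora or libvhdi): a small Python check that recognises a VHD image by the `conectix` cookie of its 512-byte footer (and the copy of it at offset 0 in dynamic images), so a worker can be dispatched on the on-disk signature as well as on the `.vhd` extension when libmagic does not know the type. The function names and the sample footer are constructed for this example; the field offsets follow the published VHD footer layout.

```python
import struct
from pathlib import Path

VHD_COOKIE = b"conectix"   # footer cookie defined by the VHD format
FOOTER_SIZE = 512          # the footer is the last 512 bytes of a VHD file

def _footer_checksum(footer: bytes) -> int:
    """One's complement of the byte sum of the footer, with the 4-byte
    checksum field at offset 64 treated as zero (per the VHD spec)."""
    total = sum(footer[:64]) + sum(footer[68:])
    return (~total) & 0xFFFFFFFF

def build_sample_footer(disk_type: int = 2) -> bytes:
    """Constructed, spec-shaped footer for testing (not a real disk image)."""
    f = bytearray(FOOTER_SIZE)
    f[0:8] = VHD_COOKIE
    struct.pack_into(">I", f, 8, 0x00000002)            # features: reserved bit set
    struct.pack_into(">I", f, 12, 0x00010000)           # file format version 1.0
    struct.pack_into(">Q", f, 16, 0xFFFFFFFFFFFFFFFF)   # data offset: all-ones for fixed disks
    struct.pack_into(">I", f, 60, disk_type)            # 2 = fixed, 3 = dynamic, 4 = differencing
    struct.pack_into(">I", f, 64, _footer_checksum(bytes(f)))
    return bytes(f)

def looks_like_vhd(data: bytes) -> dict:
    """Describe why (or why not) the bytes look like a VHD: trailing footer
    cookie, leading footer copy, footer checksum and disk type."""
    result = {"footer_cookie": False, "header_cookie": False,
              "checksum_ok": False, "disk_type": None}
    if len(data) < FOOTER_SIZE:
        return result
    footer = data[-FOOTER_SIZE:]
    result["footer_cookie"] = footer[:8] == VHD_COOKIE
    result["header_cookie"] = data[:8] == VHD_COOKIE   # dynamic images keep a copy up front
    if result["footer_cookie"]:
        stored = struct.unpack_from(">I", footer, 64)[0]
        result["checksum_ok"] = stored == _footer_checksum(footer)
        result["disk_type"] = struct.unpack_from(">I", footer, 60)[0]
    return result

def should_dispatch_vhd_worker(path: str, data: bytes) -> bool:
    """Trigger on the extension OR the on-disk signature, so a renamed
    .vhd (or one magic cannot classify) still reaches the worker."""
    sig = looks_like_vhd(data)
    return (Path(path).suffix.lower() == ".vhd"
            or sig["footer_cookie"] or sig["header_cookie"])
```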

FafnerKeyZee commented 1 year ago

Using this code with some modifications, it looks like it's working like a charm :) https://github.com/dlcowen/dfirwizard/blob/master/dfvfsWizardv3.py

dfvfsWizardv3.py.zip