Quickpost: Analyzing .ISO Files Containing Malware

Searching through VirusTotal Intelligence, I found a couple of .iso files (CD & DVD images) containing a malicious EXE spammed via email like this one. Here is the attached .iso file (from May 25th 2017) on VirusTotal, with name “REQUEST FOR QUOTATION,DOC.iso”.

Recent versions of Windows will open ISO files like a folder, and give you access to the contained files.

I found Python library isoparser to help me analyze .iso files.

Here is how I use it interactively to look into the ISO file. I create an iso object from an .iso file, and then I list the children of the root object:

The root folder contains one file: DIALOG42.EXE.

Looking into the content of file DIALOG42.EXE, I see the header is MZ (very likely a PE file):

And I can also retrieve all the content to calculate the MD5 hash:

This is a quick & dirty Python script to dump the first file in an ISO image to stdout:

import isoparser
import sys
import os

oIsoparser = isoparser.parse(sys.argv[1])

if sys.platform == ‘win32’:
import msvcrt
msvcrt.setmode(sys.stdout.fileno(), os.O_BINARY)
sys.stdout.write(oIsoparser.root.children[0].content)

This allows me to pipe the content into other programs, like pecheck.py:

 

Quickpost info


Article Link: https://blog.didierstevens.com/2017/07/17/quickpost-analyzing-iso-files-containing-malware/