Hello, I'm Didier Stevens. In this video, we are going to look at malware that was delivered through a special zip file. SpiderLabs has written about this. It was the Nanocore malware that was inside the zip file. And those were actually two different zip files that were concatenated. The first one contained an image and the second one, the executable. And depending on the utility that was used to open the file, some utilities would show the image and others would show the executable. So I adapted my zipdump tool to be able to analyze such files, and that's what we are going to look at now.

So if you just run my zipdump tool on the sample here, so that zip file, the concatenated zip files here, you see that it contains an executable. And like usual, we can select it, dump it and pipe this through, for example, to file check. And indeed, it is a Windows executable. So that's nothing special. And as you can see, my zipdump utility, which is actually just using the zip module from Python, doesn't recognize that there are two different zip files here, and it only finds the second zip file with the executable.

Now I have a new option in my tool, and it is the find option. And with the find option, you can find the records that make up a zip file inside any file that you provide. And to have an overview of all of those records, you do dash f, for find, list, to have a list of all the records. And then you get output like this, and you can see here two different file names: there is the JPEG, the image, and here you have the executable. But before we go into detail here on how to analyze this, we are going to do some simpler examples to get to understand how this works.

So first of all, I have a small text file here. And I'm going to create a zip file that contains that text file. So zip test1.zip with this text file; this file was created. And if I analyze this with zipdump, then it tells me, okay, it contains one text file. So the normal behavior.
And if I do a find list to find all the records, you get output like this. And this is the normal output that you would get for a test file, a zip file that contains a single file. So first you have a file record that contains the compressed data of the file. Second, you have a directory entry record, with again the name of the file, and this actually points to this data. And last, at the end of the zip file, you have an end of directory record. And that's how they look.

Now, if I create another test file, sorry, with zip, and I have here test2 that I'm going to create. And I have a Windows executable here, dialogue 42.exe. Then again, I have my zip file. If I run zipdump on this, I have dialogue 42 that is found. And if I say find list, I have my three records: file, directory entry and end of directory. So everything normal.

And of course, what you can do with archives is store more than one file. That's what I'm going to show here: test3.zip. And so I'm going to put in the text file and the Windows executable. So now I have two files in my archive. Let me clear this. When I run zipdump on test3, I see the two files. And if I run zipdump again, but with the find option, list, on test3, I have more records: I have two records for the two different files, I have two directory records pointing to the file records, and then I have my end of directory record. So that's how a normal zip file looks.

And remember, if I take a look at the malicious sample, we have two end of directory records, while in a normal zip file we have only one end of directory record. So what the malware authors actually did here is the following. They concatenated the first zip file here that contains a text file and a second zip file here that contains an executable. They concatenated them together into a new zip file that I'm going to call double.zip, like this. And if I run my zipdump tool on double.zip, it just finds the executable. It doesn't see the text file.
And if I run with option list, then you can see the two different zip files. So you have the file, directory and end of directory records for the first one, and then file, directory and end of directory for the second one. And notice that for each end of directory record, I also put in an index, 1 and 2. This index can be used to select the particular zip file and have it analyzed. So the thing to do is then say zipdump -f, find, and you say that you want to find the first one, so the first end of directory record, so that you handle the first zip file inside this file double. And then you can see now that indeed it finds a zip file that contains a text file. And then you can just work as usual with zipdump. You, for example, select that first file and you dump it, and then you get the file here. And if I say 2, so the second one, then I get the executable, that I again can select, dump, for example, and pipe this to file check. So indeed it is a Windows executable.

So we can come back now to our malicious zip file here. So we only see the executable. And I say f list here. Again, we have the output that we saw in the beginning. So you have two different zip files. You can see that because of the two end of directory records here; the first one has an order.jpg file and the second one here has an executable. So we can now select that first one, the first zip file. So I see my order.jpg. I select it, I do a dump, a binary dump, I pipe this into PE file check, file magic sorry. And indeed it is an image. And notice they used extension jpg, but it's actually a PNG file. And the same for the second zip file, that is the executable. I select the first file of that second zip file, I do a binary dump, we pipe this to file magic, and indeed it is a Windows executable. So that is how that new feature of my zipdump tool works. You can use the f option, the find option, to find the different records.
And then you can determine if it is a normal zip file or a zip file that has been tampered with. I have two remaining examples here. So I have a zip file where some data is in front of the zip file, like this. If I do an f list, you can see that it contains two zip files, but also here that there is an entry P. So the P stands for prefix. So that means that there is data even before the first zip file. And if you want to analyze that data, you can say f p to select the prefix. And let's just do a head. By default, when you do a select like this on the prefix, you get a hexadecimal ASCII dump. And you can see that this here is a Windows executable that is prefixed to the zip file. And that is something that can be normal when you have self-extracting archives, so archives, zip files, that can extract themselves without you having a zip utility installed. And that's because they come with an application and there is a zip file concatenated at the end. So that would look like this, except that you would only have one zip file, not two like here.

And then another case that you can have in the list is something that is appended to a zip file, like here. We have our two zip files, with each one file. And then we have data past the end record, the S, suffix. And like with the prefix, you can say S to select the suffix. And then by default, you will have a hexadecimal ASCII dump. If you want something else than a hexadecimal ASCII dump, then you can specify this. For example, I want a binary dump. And then, for example, I can paste that into PE check to have the appended executable analyzed, like this.
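The behaviour shown in the video, as an added Python example that is not zipdump.py's code: Python's zipfile module locates only the last end of directory record, so on two concatenated archives it lists just the second one, while a front-to-back walk over the file record, directory record and end of directory record signatures finds every embedded archive plus any prefix or suffix data, and lets each embedded archive be carved out and read on its own (the equivalent of the index 1/2 selection in the video). The function names (find_records, split_zips, member_names, read_member, sniff), the member names picture.jpg and invoice.exe, and the prefix/suffix strings are all constructed for this example; the sample is built in memory with a PNG header stored under a .jpg name and an MZ stub standing in for the executable. The walk does not handle ZIP64 or data-descriptor archives, which a production scanner would need.

```python
import io
import struct
import zipfile

# Record signatures from the PKWARE APPNOTE: local file header, central
# directory file header and end of central directory (EOCD) record.
SIG_LOCAL = b"PK\x03\x04"
SIG_CENTRAL = b"PK\x01\x02"
SIG_EOCD = b"PK\x05\x06"
SIGNATURES = (SIG_LOCAL, SIG_CENTRAL, SIG_EOCD)

# Leading bytes used to identify content regardless of the member's name.
MAGIC = ((b"\x89PNG\r\n\x1a\n", "PNG"), (b"\xff\xd8\xff", "JPEG"), (b"MZ", "MZ/PE"))


def find_records(data):
    """Walk the bytes front to back and list every ZIP record in file order.

    Returns (offset, kind, detail) tuples: kind 'file'/'directory' (detail =
    member name), 'end' (detail None) or 'data' for bytes belonging to no
    record (detail = gap length): a prefix, a suffix or a gap between archives.
    Compressed payloads are skipped using the size in the local header, so
    'PK' patterns inside compressed data are not mistaken for records.
    """
    records, off, n = [], 0, len(data)
    while off < n:
        sig = data[off:off + 4]
        if sig == SIG_LOCAL and off + 30 <= n:
            comp_size = struct.unpack_from("<I", data, off + 18)[0]
            name_len, extra_len = struct.unpack_from("<HH", data, off + 26)
            name = data[off + 30:off + 30 + name_len].decode("utf-8", "replace")
            records.append((off, "file", name))
            off += 30 + name_len + extra_len + comp_size
        elif sig == SIG_CENTRAL and off + 46 <= n:
            name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, off + 28)
            name = data[off + 46:off + 46 + name_len].decode("utf-8", "replace")
            records.append((off, "directory", name))
            off += 46 + name_len + extra_len + comment_len
        elif sig == SIG_EOCD and off + 22 <= n:
            comment_len = struct.unpack_from("<H", data, off + 20)[0]
            records.append((off, "end", None))
            off += 22 + comment_len
        else:
            # Foreign bytes: report the gap and resume at the next signature.
            hits = [p for p in (data.find(s, off + 1) for s in SIGNATURES) if p != -1]
            nxt = min(hits) if hits else n
            records.append((off, "data", nxt - off))
            off = nxt
    return records


def split_zips(data):
    """Return (prefix, zips, suffix): bytes before the first record, one byte
    string per embedded ZIP (each ending at its own EOCD record), and the
    bytes after the last EOCD record."""
    records = find_records(data)
    starts = [off for off, kind, _ in records if kind != "data"]
    ends = [off for off, kind, _ in records if kind == "end"]
    if not starts or not ends:
        return data, [], b""
    start, zips = starts[0], []
    prefix = data[:start]
    for off in ends:
        stop = off + 22 + struct.unpack_from("<H", data, off + 20)[0]
        zips.append(data[start:stop])
        start = stop
    return prefix, zips, data[start:]


def member_names(zipbytes):
    """What Python's zipfile module reports: it locates the *last* EOCD record,
    so on a concatenated file it lists only the final embedded archive."""
    with zipfile.ZipFile(io.BytesIO(zipbytes)) as zf:
        return zf.namelist()


def read_member(zipbytes, name):
    with zipfile.ZipFile(io.BytesIO(zipbytes)) as zf:
        return zf.read(name)


def sniff(content):
    """Identify content by magic bytes, ignoring a possibly misleading extension."""
    for magic, label in MAGIC:
        if content.startswith(magic):
            return label
    return "unknown"


def make_zip(name, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample (not the real malware): a PNG header stored under a .jpg
# name in the first archive, an MZ stub standing in for the executable in the
# second, the two concatenated, then wrapped in prefix and suffix data.
FAKE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32
DOUBLE = make_zip("picture.jpg", FAKE_IMAGE) + make_zip("invoice.exe", FAKE_EXE)
WRAPPED = b"MZ-stub-prefix-data" + DOUBLE + b"appended-suffix-data"

if __name__ == "__main__":
    print("zipfile module sees:", member_names(DOUBLE))
    for off, kind, detail in find_records(WRAPPED):
        print(f"{off:6d} {kind:9s} {detail}")
    prefix, zips, suffix = split_zips(WRAPPED)
    print("prefix:", prefix, "suffix:", suffix)
    for index, embedded in enumerate(zips, 1):
        for name in member_names(embedded):
            print(index, name, "->", sniff(read_member(embedded, name)))
```

Carving each embedded archive at its own end of directory record works because the offsets inside that record were written relative to the start of the archive before it was concatenated; that is also why a zip library that only looks at the last record silently reads the second archive and never sees the first.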