SANS ISC: Internet Storm Center

isodump.py and Malicious ISO Files

Published: 2019-07-15
Last Updated: 2019-07-15 14:57:16 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Inspired by my diary entry "Malicious .iso Attachments", @Evild3ad79 created a tool, isodump.py, to help with the analysis of ISO files.

Without any arguments or options, the tool displays its usage:

When you just provide it an ISO file, it does nothing:

You have to provide a command, like displaying metadata (-M):

Or listing the content (-l):

This ISO file contains a file named PAYMENT.EXE; its first bytes are 4D5A (MZ), so it is very likely a PE file. With the provided hashes, we can search for it on VirusTotal.

The file can be selected (-s 0) and dumped to stdout (-d). I like this feature: it lets me pipe the malware into another analysis tool without writing it to disk:

If you just need to look at the first file, you can omit option -s:
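As an added example (not isodump.py's own code and not part of the diary), here is a minimal ISO 9660 walker that does in Python what the -l, -s and -d workflow above does: read the root directory named by the primary volume descriptor, extract a file in memory, check for the MZ magic and hash it for a VirusTotal lookup. It only parses the primary volume descriptor's root directory (no Joliet names, no subdirectories), and the image it reads is a constructed single-file test image built by build_sample_iso, not a real sample.

```python
import hashlib
import struct
SECTOR = 2048  # ISO 9660 logical block size

def both32(n):  # ISO 9660 stores most integers twice: little-endian, then big-endian
    return struct.pack("<I", n) + struct.pack(">I", n)

def dir_record(name, lba, size, flags):
    # Directory record (ECMA-119 9.1): extent LBA, data length, flags, identifier; total length padded to even.
    rec = bytearray(33)
    rec[2:10], rec[10:18], rec[25] = both32(lba), both32(size), flags   # flags: 0x02 directory, 0x00 file
    rec[28:32], rec[32] = b"\x01\x00\x00\x01", len(name)                # volume sequence number 1; name length
    rec += name + (b"\x00" if len(name) % 2 == 0 else b"")
    rec[0] = len(rec)
    return bytes(rec)

def build_sample_iso(filename, payload):
    # Constructed test image (not a real sample): PVD at LBA 16, terminator at 17, root directory at 18, file data at 19.
    root = dir_record(b"\x00", 18, SECTOR, 0x02) + dir_record(b"\x01", 18, SECTOR, 0x02)  # '.' and '..'
    root += dir_record(filename, 19, len(payload), 0x00)
    pvd = bytearray(SECTOR)
    pvd[0:7], pvd[128:132] = b"\x01CD001\x01", b"\x00\x08\x08\x00"   # type-1 descriptor; block size 2048 both-endian
    pvd[156:190] = dir_record(b"\x00", 18, SECTOR, 0x02)             # root directory record
    img = bytes(16 * SECTOR) + bytes(pvd) + b"\xffCD001\x01".ljust(SECTOR, b"\x00")
    return img + root.ljust(SECTOR, b"\x00") + payload.ljust(SECTOR, b"\x00")

def list_files(iso):
    # Equivalent of isodump.py -l: walk the root directory that the PVD at LBA 16 points to.
    pvd = iso[16 * SECTOR:17 * SECTOR]
    if pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image")
    root_lba, root_len = struct.unpack_from("<I", pvd, 158)[0], struct.unpack_from("<I", pvd, 166)[0]
    off, end, entries = root_lba * SECTOR, root_lba * SECTOR + root_len, []
    while off < end:
        rec_len = iso[off]
        if rec_len == 0:                          # zero-length record: the rest of this sector is padding
            off = (off // SECTOR + 1) * SECTOR
            continue
        name = iso[off + 33:off + 33 + iso[off + 32]]
        if name not in (b"\x00", b"\x01"):        # skip the '.' and '..' entries
            lba, size = struct.unpack_from("<I", iso, off + 2)[0], struct.unpack_from("<I", iso, off + 10)[0]
            entries.append((name.decode("ascii", "replace").split(";")[0], lba, size))  # drop the ';1' version
        off += rec_len
    return entries

def triage(iso, lba, size):
    # Equivalent of -s/-d piped into a checker: extract in memory only, test the MZ magic, hash for a VirusTotal lookup.
    data = iso[lba * SECTOR:lba * SECTOR + size]
    return {"is_pe": data[:2] == b"MZ", "size": len(data),
            "md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}
```

For a real image, call `list_files(open(path, "rb").read())` and feed each (lba, size) pair to `triage`; nothing is written to disk at any point.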


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: iso isodump