Mislabeled binary file extension

Hi.

I recently uploaded
http://www.offensivecomputing.net/?q=ocsearch&ocq=aac788374011f1102ed29002197d020f

as Malware.exe.bin because I keep them that way on my drive to reduce the "shoot yourself in the foot" factor.

I am not sure if your virus scanner is able to process it that way: "Magic File Type" is labeled as "Data" and not "MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit" as it should be.

Just an idea: make it possible to submit files as ".exe.bin" and let the upload script rename them to ".exe".

Prepended data?

Hi ichinin,

I looked at the file and it appears to be slightly corrupt. What's the MD5 of the file on your system? The first part of the file looks like this:

00000000: 0100 0000 4d5a 9000 0300 0000 0400 0000  ....MZ..........
00000010: ffff 0000 b800 0000 0000 0000 4000 0000  ............@...
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: b000 0000 0e1f ba0e 00b4 09cd 21b8 014c  ............!..L
00000050: cd21 5468 6973 2070 726f 6772 616d 2063  .!This program c
00000060: 616e 6e6f 7420 6265 2072 756e 2069 6e20  annot be run in
00000070: 444f 5320 6d6f 6465 2e0d 0d0a 2400 0000  DOS mode....$...
00000080: 0000 0000 5d65 fdc8 1904 939b 1904 939b  ....]e..........
00000090: 1904 939b 971b 809b 1104 939b e524 819b  .............$..

The 0100 0000 shouldn't be there. If the file is different on your system I'll check out our upload system and see if there's an error.
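As an added example (not code from this thread or from the offensivecomputing.net upload system), the following Python checker does what the reply above does by hand: it locates where the "MZ" DOS header actually begins, reads e_lfanew from that header, reports whether the file is a clean PE image, has bytes prepended before the header, or is plain data, and strips the prefix so a magic-based scanner sees the real executable. The first 0xa0 bytes of the hex dump above are re-typed as sample input; the minimal PE image and the machine/subsystem name tables are constructed for the example, and the file(1)-like description string is the example's own wording.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
# Small name tables for the description; values are the documented COFF/PE constants.
MACHINE_NAMES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEM_NAMES = {2: "GUI", 3: "console"}

# Re-typed from the hex dump in the reply: the upload starts with 01 00 00 00
# and only then the "MZ" header, so every header offset is shifted by four.
PAGE_DUMP = bytes.fromhex(
    "01000000 4d5a9000 03000000 04000000"
    "ffff0000 b8000000 00000000 40000000"
    "00000000 00000000 00000000 00000000"
    "00000000 00000000 00000000 00000000"
    "b0000000 0e1fba0e 00b409cd 21b8014c"
    "cd215468 69732070 726f6772 616d2063"
    "616e6e6f 74206265 2072756e 20696e20"
    "444f5320 6d6f6465 2e0d0d0a 24000000"
    "00000000 5d65fdc8 1904939b 1904939b"
    "1904939b 971b809b 1104939b e524819b"
)


def find_mz_offset(data, search_limit=4096):
    """Offset of the first 'MZ' within the leading search_limit bytes, or -1."""
    return data.find(IMAGE_DOS_SIGNATURE, 0, search_limit)


def e_lfanew(data, mz_offset=0):
    """PE header offset stored at DOS header +0x3c; relative to the MZ, not the file."""
    if len(data) < mz_offset + 0x40:
        return None
    return struct.unpack_from("<I", data, mz_offset + 0x3C)[0]


def classify(data):
    """'pe', 'prepended', 'mz-only' (header present, PE signature unreachable) or 'data'."""
    off = find_mz_offset(data)
    if off < 0:
        return "data"
    if off > 0:
        return "prepended"
    pe = e_lfanew(data)
    if pe is None or data[pe:pe + 4] != IMAGE_NT_SIGNATURE:
        return "mz-only"
    return "pe"


def strip_prefix(data):
    """Drop anything before the MZ header so e_lfanew and friends line up again."""
    off = find_mz_offset(data)
    return data[off:] if off > 0 else data


def describe(data):
    """file(1)-style one-liner for a complete PE image; None if it is not one."""
    if classify(data) != "pe":
        return None
    pe = e_lfanew(data)
    opt = pe + 24                      # PE signature (4) + COFF header (20)
    if len(data) < opt + 70:
        return None                    # optional header truncated
    machine = struct.unpack_from("<H", data, pe + 4)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    bits = {0x10B: "32-bit", 0x20B: "64-bit"}.get(magic, "unknown")
    return "PE for MS Windows (%s) %s %s" % (
        SUBSYSTEM_NAMES.get(subsystem, "subsystem %d" % subsystem),
        MACHINE_NAMES.get(machine, "machine 0x%x" % machine),
        bits,
    )


def minimal_pe(machine=0x14C, subsystem=2):
    """Constructed headers-only PE image used as sample input; not a real binary."""
    dos = bytearray(0x40)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    coff = IMAGE_NT_SIGNATURE + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    print("upload:", classify(PAGE_DUMP), "MZ at", find_mz_offset(PAGE_DUMP),
          "e_lfanew 0x%x" % e_lfanew(PAGE_DUMP, find_mz_offset(PAGE_DUMP)))
    sample = b"\x01\x00\x00\x00" + minimal_pe()
    print("constructed:", classify(sample), "->", describe(strip_prefix(sample)))
```

On the dump from the thread the checker reports "prepended" with the MZ at offset 4 and e_lfanew 0xb0; after stripping it can only say "mz-only", because the PE signature lies past the 0xa0 bytes shown, which is exactly why a magic-based scanner labels the upload "Data" instead of a PE.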

I cut out the erroneous part

I cut out the erroneous part and ended up with a binary (MD5: AB7ED7E23C6C40108B57A459CF31E129) which I uploaded earlier (and that was a fully working sample caught in the wild).

Seems like I uploaded a Wireshark capture of the file being sent this time, hence the different signature :o\ Will test "captured" binaries in VMWare before upload in the future.