Analyze McAfee quarantine files with punbup.py

Have you ever needed to extract a McAfee quarantine file? Today’s tutorial will show you how to extract a BUP file with punbup in the lab. There are many reasons to extract the files out of a McAfee quarantine file, the most common is to perform deeper analysis or to restore a file that was incorrectly identified. We will use the SANS SIFT workstation today to perform this task using the punbup.py script.

Script Options

The script has a some really useful options to help you with any BUP file analysis. The -h or –help option will print the options available for use.

$ ./punbup.py -h
usage: punbup.py [-h] [-d] [-o] [-c {md5,sha1,sha256}] [-f] [-x] [-X] [-a]
                 [-A]
                 infile

This script can be used to extract quarantined files from a McAfee .bup file.
If run with no additional options the script will extract all files from the
.bup and place them in a folder with the same name as the supplied .bup file.

positional arguments:
  infile                The file that you wish to un-bup.

optional arguments:
  -h, --help            show this help message and exit
  -d, --details         Only print the contents of the Details file. Don't
                        extract any files.
  -o, --original        Rename all quarantine files to their original names as
                        noted in the Details file. Some assumptions have been
                        made for this to feature to work. Use at your own
                        risk.
  -c {md5,sha1,sha256}, --hash {md5,sha1,sha256}
                        Calculates the hash for all of the files in the bup.
  -f, --firstfile       Output the first quarantined file.
  -x, --hexdumpfirst    Perform a hexdump of the first quarantined file.
  -X, --hexdumpall      Perform a hexdump of all quarantined files.
  -a, --hexasciidumpfirst
                        Perform a hex & ASCII dump of the first quarantined
                        file.
  -A, --hexasciidumpall
                        Perform a hex & ASCII dump of all quarantined files.

The two options you will probably use the most often are -d and -c; these will allow you to view the details of the quarantined file and calculate a hash in either md5, sha1 or sha256. McAfee quarantine files, more commonly know as “bup” files, are basically a container with two or more files in it. The first file is the Details file, it is nothing more than a text file with all the pertinent info for the infected files. The other file or files will be labeled “File_0” and increment by one for each file infected; i.e. if there were two files quarantined there would be three files in the bup file; Details, File_0 and File_1.

Extracting the files

The quarantined files can be easily extracted with the script allowing you to analyze them to determine if they are in fact malicious. Normally an analyst would obtain a copy of the quarantine file and put it in his analysis machine. A good work flow to follow would be to: first display the details of the file with the -d

$ ./punbup.py -d 7e4710162f24650.bup

[Details]
DetectionName=RDN/Generic.hbg
DetectionType=1
EngineMajor=6100
EngineMinor=8979
DATMajor=9684
DATMinor=0
DATType=2
ProductID=12106
CreationYear=2020
CreationMonth=7
CreationDay=16
CreationHour=22
CreationMinute=47
CreationSecond=36
TimeZoneName=Eastern Daylight Time
TimeZoneOffset=240
NumberOfFiles=1
NumberOfValues=0

[File_0]
ObjectType=5
OriginalName=\\?\D:\OD\Programs\EVMXScribeSV.exe
WasAdded=0

The output will include the name of the malware/virus, the signature set and date and time of the antivirus alert, most importantly it will contain the path and filename of the infected file. Next lets get a hash of the file and submit it to VirusTotal to see what kind results we get:

$ ./punbup.py -c md5 7e4710162f24650.bup
md5 hash for File_0: 76943539f7cda6ee54b70552dccb9abf

Now we can take the md5 hash of File_0 and submit it to VirusTotal. The particular file we are examining here will show 17 detection’s out of 71 and this is due to a poorly written application that uses a few questionable utilities. This was verified by static and dynamic analysis in a malware lab. For arguments sake lets just say it is not infected and is a false positive and now we need to restore it to the system it was found on. Running the script with no options will create a folder and in it will be the Details and File_0; however a much better bet would be to add the -o option so it will rename the files to their original names. All that is left is to mark the files as an exclusion and put them back where the go.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.