zipdump & Evasive ZIP Concatenation, (Sat, Nov 9th)

[zipdump & Evasive ZIP Concatenation](/forums/diary/zipdump+Evasive+ZIP+Concatenation/31426/)
=============================================

**Published**: 2024-11-09. **Last Updated**: 2024-11-09 06:21:25 UTC **by** [Didier Stevens](/handler_list.html#didier-stevens) (Version: 1)

On [Friday's Stormcast](https://isc.sans.edu/podcastdetail/9214), Johannes talks about Evasive ZIP Concatenation, a technique where 2 (or more) ZIP files are concatenated together to evade detection.

This gives me a good opportunity to remind you that my zip analysis tool [zipdump.py](https://github.com/DidierStevens/DidierStevensSuite/blob/master/zipdump.py) can handle this type of file.

zipdump uses Python's zipfile module (or [pyzipper](https://pypi.org/project/pyzipper/) if you install it). The zipfile module locates an archive through the end-of-central-directory record at the end of the file, so if you just run zipdump on this type of file without any options, you get the listing of the last ZIP file only:

![](https://isc.sans.edu/diaryimages/images/20241109-070559.png)

But when you use option -f, zipdump does not use Python's zipfile module; it analyzes the PKZIP records directly.

When you use option -f l (l stands for listing), you get a listing of all PKZIP records found inside the provided file:

![](https://isc.sans.edu/diaryimages/images/20241109-070622.png)

There are 6 PKZIP records here, making up 2 ZIP files.

To analyze the content of the first ZIP file with Python's zipfile module, use option -f 1:

![](https://isc.sans.edu/diaryimages/images/20241109-070653.png)

And use option -f 2 for the second ZIP file:

![](https://isc.sans.edu/diaryimages/images/20241109-070721.png)

You can then use zipdump's other options to analyze the file, for example:

![](https://isc.sans.edu/diaryimages/images/20241109-071557.png)

zipdump can also analyze individual PKZIP records; you select one by providing its position inside the file, as it appears in the listing (-f l):

![](https://isc.sans.edu/diaryimages/images/20241109-071652.png)

Didier Stevens
Senior handler
[blog.DidierStevens.com](http://blog.DidierStevens.com)
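The record walk behind zipdump's -f l listing and the per-archive view behind -f 1 / -f 2, as an added example in Python. This is illustrative code written for this page, not zipdump's own implementation, and the function names (list_pkzip_records, split_archives, member_names) are this example's. The concatenated file is constructed inline from two one-member ZIPs, so the listing comes out at the same six records (local file header, central directory entry, end of central directory, twice) as the diary's sample; entries that use data descriptors or ZIP64 are handled only by resyncing on the next signature.

```python
import io
import struct
import zipfile

# PKZIP record signatures as they appear on disk (little-endian)
SIG_LOCAL = b"PK\x03\x04"    # local file header, 0x04034b50
SIG_CENTRAL = b"PK\x01\x02"  # central directory entry, 0x02014b50
SIG_EOCD = b"PK\x05\x06"     # end of central directory, 0x06054b50
KNOWN_SIGS = (SIG_LOCAL, SIG_CENTRAL, SIG_EOCD)


def make_zip(member_name, payload):
    """Build a one-member ZIP in memory. Constructed sample data for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def concatenated_sample():
    """Two complete ZIPs glued together: a decoy first, the interesting one last."""
    decoy = make_zip("readme.txt", b"nothing to see here")
    payload = make_zip("invoice.exe", b"MZ constructed stand-in, not a real executable")
    return decoy + payload


def _next_signature(data, start):
    """Offset of the next known PKZIP signature at or after start, or len(data)."""
    hits = [i for i in (data.find(s, start) for s in KNOWN_SIGS) if i != -1]
    return min(hits) if hits else len(data)


def list_pkzip_records(data):
    """Walk the file record by record (the idea behind zipdump -f l).

    Returns [(offset, kind, length, member_name_or_None), ...] in file order.
    Each header's declared lengths are used to step over its variable-length
    fields and compressed data, so a 'PK' inside compressed bytes is not
    mistaken for a record.
    """
    records = []
    pos = 0
    while pos + 4 <= len(data):
        sig = data[pos:pos + 4]
        if sig == SIG_LOCAL:
            # version, flags, method, time, date, crc32, comp size, uncomp size, name len, extra len
            (_v, flags, _m, _t, _d, _crc, comp_size, _u,
             name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
            name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
            length = 30 + name_len + extra_len + comp_size
            records.append((pos, "local file header", length, name))
            if flags & 0x0008:
                # Sizes live in a trailing data descriptor; resync on the next signature.
                pos = _next_signature(data, pos + 30 + name_len + extra_len)
            else:
                pos += length
        elif sig == SIG_CENTRAL:
            # version made by, version needed, flags, method, time, date, crc32,
            # comp size, uncomp size, name len, extra len, comment len,
            # disk start, internal attrs, external attrs, local header offset
            (_vm, _vn, _f, _m, _t, _d, _crc, _c, _u, name_len, extra_len,
             comment_len, _disk, _ia, _ea, _lho) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
            name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
            length = 46 + name_len + extra_len + comment_len
            records.append((pos, "central directory entry", length, name))
            pos += length
        elif sig == SIG_EOCD:
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            length = 22 + comment_len
            records.append((pos, "end of central directory", length, None))
            pos += length
        else:
            # Unknown bytes (e.g. junk between archives): resync on the next signature.
            pos = _next_signature(data, pos + 1)
    return records


def split_archives(data):
    """Cut the file at every end-of-central-directory record: one chunk per ZIP (-f 1, -f 2, ...)."""
    chunks, start = [], 0
    for offset, kind, length, _name in list_pkzip_records(data):
        if kind == "end of central directory":
            chunks.append(data[start:offset + length])
            start = offset + length
    return chunks


def member_names(blob):
    """What Python's zipfile reports: it starts from the last EOCD, so only the last archive."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    sample = concatenated_sample()
    print("zipfile sees:", member_names(sample))
    for offset, kind, length, name in list_pkzip_records(sample):
        print(f"0x{offset:08x} {kind:<26} {length:5d} {name or ''}")
    for i, chunk in enumerate(split_archives(sample), 1):
        print(f"archive {i}: {member_names(chunk)}")
```

Run as a script it prints the zipfile view (only invoice.exe), then the six records with their offsets, then the members of each archive separately. The practical takeaway is the same as the diary's: any scanner built on zipfile alone never sees the first archive's members, while a walk over the PKZIP records finds every archive in the file.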

Blog: SANS Internet Storm Center