Forensic Data Solutions® 

Service you can count on


Recovering Malware from a Quarantine Folder

Posted by M. Gene Shantz on September 8, 2016 at 7:00 PM

During an incident response engagement, it is common to find the original malware that wreaked havoc in the network was deleted as part of the anti-forensics built into the code or by an over eager first responder. To make matters worse, the deleted malware is often overwritten by the time the IR team gets on site, which can make it difficult to collect and reverse engineer the code to identify Indicators of Compromise (IOCs). However, sometimes we can get lucky and one or more workstations will have an updated anti-virus application that quarantined the malicious files for us.

When McAfee or other anti-virus programs quarantines a malicious file they uses an XOR process with a one-byte key to obfuscate the data. This process can be reversed from within the application but the user never sees what is going on behind the scenes. In order for us to reverse this process manually we must know the one byte XOR key, which is difficult to decipher from the data in the “Details” file.

There are many reasons locating the original malware executable is critical to an investigation, such as reverse engineering the code, hash analysis, text string analysis, etc.. None of which are the subject of this paper. This paper will show you how to extract and de-obfuscate the quarantined files from McAfee AV and Avira anti-virus applications.

We will be using the WinHex hex editing tool from X-Ways forensics to complete this process, however, there are a few other free tools that can be used to achieve the same goal. The purpose here is not to promote a tool but to demonstrate how the process works so you have the knowledge and understanding of what is happening to the data at the disk level and repeat it one whatever AV vendor has quarantined your files.


McAfee stores its quarantined files in a “Quarantine” directory located off the root of the C: drive. Inside the quarantine folder the malware files are stored with a “.bup” extension and while this initially looks complicated the files are simply compound files that can be opened with 7zip or any of the forensic tools of your choice.

In the screenshot below is a quarantined file in the “.bup” format provided by a colleague. Note the eight highlighted bytes of, D0 CF 11 E0 A1 B1 1A E1, are the file signature for a compound file.


There are a couple ways to view the contents of these files. Because it is a compound file, you could use 7zip to open the archive. You are limited on the information that you can gain from the file content. For our purposes, we will continue to use WinHex to view the contents and gather additional information.

 After redefining the snapshot and checking the box to uncover embedded data we can see the contents of the compound file. Additionally, you may wish to hash the files contained in the archive as I did in the screenshot below.

Once complete, we can see this compound file contains three files, a small “Details” file and in this case there are two files, “File_0” and “File_1” both showing the same size. As we will see shortly, the “Details” file will contain all the details about the file(s) that were quarantined and the “File_0” will contain the executable. The second “File_1” shows the same size as the other suggesting a second executable. It has a different hash value. While we can speculate as to what it is, we will have to investigate further.

When looking at the “Details” file in hex the data appears to be encrypted or otherwise unreadable.


Now let’s take a look at the data from the “File_0” file and see if anything stands out.


The first thing that is apparent is the hex value of “6A” that repeats in the file. Because we believe this to be an executable file which has a hex file signature of “0x4D 0x5A” or “MZ” ASCII, we can open any other .exe file and compare the data to identify the key.

In the screenshot below is the hex view of a “7z.exe” executable and we can quickly compare the data in the header and see that 0x6A has replaced all the 0x00 which is a clue that 0x6A is the key.

Now we will use WinHex to open the contents of the “File_0” in a separate window and enable editing. After highlighting the entire contents of the file, right click to edit the data and select Modify Block Data and check the XOR box and enter the 0x6A key as shown in the screenshot below.

Once you hit OK, you should see the hex values change back to their original value confirming the 0x6A was the correct key. In the screenshot below you can see we have been successful, however, the blue color values indicate that the changes have not yet been saved.

This is the point where I provide a word of caution that saving this file will place your system at risk and at the very least cause your own anti-virus to alert. Prior to saving the file, you must turn off your AV application briefly so proceed at your own risk.

To save the now deciphered file, simply “Save As” and WinHex will drop it in your case directory. Now you have the intact executable.

For demonstration purposes, I duplicated this process on the other two files, “Details” and “File_1” and placed them in a compressed zip file so I could continue my analysis.

Once deciphered, the “Details” file indicated both these files were from the Conficker worm and both were in separate locations. See below:




















OriginalName=c:\documents and settings\<User>\local settings\temporary internet files\content.ie5\g9az81mv\vcezd[1].gif




As a side note to the different hash values for “File_0” and “File_1”, it was discovered that this “.bup” file had been recovered from unallocated space and the second file “File_1” was partially overwritten by a small system file.

XOR Process

Simply put, XOR is a process that can take two segments of data and generate a third segment of data. The third segment will be completely different than the first two but can be used against either of the first two segments to reverse the process. This is the same method that is used in Raid 5 striping with parody. In Raid 5 the parody segment that is placed on the third drive is the XOR’ed segment that can be used to recover that segment from either drive 1 or drive 2. More on that topic later.

For our example we will use the data we have in the McAfee block. Let us look at the hex value at offset 00 of “File_0” of the “.bup” file and convert it to binary.

Offset 00 > 0x27 = 00100111 Binary

Now let’s convert the previously identified key to binary

XOR Key > 0x6A = 01101010 Binary

To complete the process, we will do the XOR manually for this byte by comparing each corresponding bit from the two bytes. If the bits are equal then the new value will be a 0 bit, if the two bits are not equal then the new value will be 1.


Offset 00  0x27  0 0 1 0 0 1 1 1

XOR Key 0x6A  0 1 1 0 1 0 1 0

Value =    0x4D  0 1 0 0 1 1 0 1


As you can see from the above process, the results match what WinHex did programmatically.


Avira is another anti-virus program that stores the quarantined files in an “INFECTED” folder at the following location:


Avira uses a “.qua” extension for the malware files, however, these files are not a compound file as they were in McAfee.

In our sample file, a description of the file quarantined precedes the executable. In comparing numerous files, the start of the executable is based on the length of the path for the quarantined file. The bytes highlighted in red describe the type of malware Avira determined this sample to be while the green highlighted bytes are the location path in Unicode. The blue highlighted bytes starting at offset 0x12E appear to be the first eight bytes of the executable.


Unlike the McAfee files, we will not be able to simply select the entire file and perform the XOR operation on it. We will have to copy out the bytes that are identified as being the actual executable.

Starting at offset 0x12E we will sweep to the end of the file and copy that data into another file.

Similar to the McAfee we see a common value of 0xAA that appears to replace the 0x00 value of the executable suggesting this is the XOR key.

Following the same process as previously described we will reverse the XOR operation using the 0xAA key.

To ensure you were successful you may wish to hash your final results and submit it to VirusTotal.

Happy hunting.




Categories: Windows Artifacts

Post a Comment


Oops, you forgot something.


The words you entered did not match the given text. Please try again.

Already a member? Sign In


Reply MagMit
7:15 AM on August 12, 2018 
Reply MagMit
9:33 AM on August 12, 2018 
Reply gerard ian comonfort
12:41 PM on December 30, 2018 
can you get police and medical records for me from 1997 to 2005
Reply alexTIZ
4:18 PM on March 31, 2019 
Reply MichaelHaw
8:25 PM on March 31, 2019 
Reply KennethMor
8:06 PM on April 18, 2019 
There are countless ways to meet local singles these days.
From bars and cafes, to the crossfit gym or music festivals,
to an almost limitless sea of online dating sites.

If you're single, you may be wondering where to start.

Whether you're feeling frisky on a Friday night, want to meet
someone to be your friend with benefits, or are open to all
possibilities, we have the answer:
Reply sharClide
1:59 PM on April 23, 2019 
Want to safely Transfer movies from any gadget to any pc? Check out SHAREit Transfer&Share APP! It works on Windows PCs and Android phones, very easy in use and lighweight. Download SHAREit for PC from here: and share files between your friends, family or strangers!
Reply Zlo88Ml
4:40 PM on May 9, 2019 
Odzyskiwanie informacji Warszawa wiadczy usugi przywracania dostpu do danych po jakichkolwiek wariantach uszkodze noników, jak: zniszczenia logiczne typu formatowanie dysku. Wejd tutaj aby zapozna si z informacjami dotyczcymi odzyskiwania danych
Reply Zlo88Ml
7:02 PM on May 12, 2019 
Odzyskiwanie danych Warszawa wiadczy usugi przywracania dostpu do danych po jakichkolwiek rodzajach uszkodze noników, jak: uszkodzenia logiczne typu formatowanie dysku. Wejd tutaj aby zapozna si z informacjami dotyczcymi odzyskiwania danych
Reply asxMl
7:00 AM on May 29, 2019 
Ekstrakcja informacji Warszawa oferuje usugi przywracania dostpu do skasowanych danych po wszelakich typach uszkodze noników, jak: uszkodzenia logiczne typu wykasowanie danych. Wejd tutaj aby zapozna si z informacjami dotyczcymi odzyskiwania danych z macierzy raid
Reply Aksanov65
5:09 AM on July 5, 2019 
, , , , , , , . . . . , . . . , . , . . . . ,
Reply uraduh
7:57 AM on July 11, 2019 
Reply jejanReox
3:23 PM on August 14, 2019 
buy viagra online
Reply harry motor
12:13 AM on August 21, 2019 
I delight in, cause I found just what I used to be having a look for. You've ended my four day lengthy hunt! God Bless you man. Have a nice day. Bye harry motor harry motor
Reply PeterClext
6:26 AM on August 25, 2019 
canada pharmacy 24h highest rated canadian pharmacies canadian medications
Reply AnthonPag
5:51 AM on October 10, 2019 Ñ?Ñ?езвÑ?й водиÑ?елÑ?
Reply KRfruill
11:29 PM on October 11, 2019 
Our employees create unique design , and of course for all this we pay close attention to requirements your safety and functional of opportunities. Cooperate with client on all absolutely stages execute detailed analysis location rooms ,produce preliminary counts . when the of you have appeared can ask our experts and get answer to them with detailed explanations.
80s kitchen redo probably the same labor-intensive event in cottage
In our firm General Partnership RRITN Van Cortlandt Village involved specialists, they much know about Modular kitchen renovation.
The Holding carries first class 30k kitchen remodel by affordable tariffs . Experienced Masters with great practical experience work no doubt help fully update in a matter of days . The price depends on cost of finishing materials .

Each room apartments, houses, cottages or other housing University Heights unique and has own high-functional load. All this especially touches modern kitchens.

10000 dollar kitchen renovation Financial District : kitchen renovation manhattan
Reply NormanSip
6:38 AM on October 21, 2019 
Specialist cleaning today is greater than merely cleaning: modern tools, devices and also methods of job switch it into an actual state-of-the-art method that substantially changes the conventional understanding of what it indicates to definitely "tidy".

In residence cleaning company - excellent
Maid service midtown west
- it is actually effortless, handy as well as cost effective with our provider.
Trust fund the tidiness forerunners to home cleaning Brooklyn! Our company use specialist soaps and technical equipment of global suppliers in our work as well as carry out an excellent task with cleansing of any kind of intricacy.

8]Find housekeeping jobs ny

Participation with the firm is the guarantor of a remarkable, lucrative and also reliable cleansing of specialist home cleaning and encompassing places. Presently, residence cleaning company from our provider are actually utilized in New Shirt. Enjoy as well as you the real perks and sensible advantages of our business plan.

By authorizing an irreversible service agreement with us, you will certainly manage to leave the demand to maintain a huge team of technological workers, which, consequently, will optimize expenses. The expense of the complicated, daily, overall property cleaning of Staten Island, executed by our employees, are going to regularly be actually less than the price of earnings for cleansers, the acquisition of cleansing products and also equipment.

6]My home cleaning services nyc

Leave a demand on the internet site, indicate your title or even business title, get in touch with contact number and also time of intended cleansing, leave your wants as well as needs in a message to the supervisor if essential, after that our specialist will contact you in the least time as well as indicate the day, opportunity and also work place!
Reply ArnGox
6:53 PM on October 27, 2019 
If youâ??re like most folksâ?¦ you diet, you count calories, you tear up the treadmill, andâ?¦


Thatâ??s how one overweight mother with prediabetes was feelingâ?¦

She did â??everything rightâ?? and never lost an inch. Untilâ?¦

She stumbled on this strange â??carb trickâ?? and burned away an unheard of 22lbs pounds in just 13 daysâ?¦

And because of this one simple shift in her eating, she did it without starving herselfâ?¦!

â?¦ and without a lick of exercise!

Now get this... with the same carb trick she dropped a total of 37lbs in the FIRST month!

â?¦ and shocked her doctor by completely reversing ANY pre diabetic symptoms!

You wonâ??t even believe her final result so I wonâ??t bother telling you. However you can see it for yourself on this page..

This might work for men, however itâ??s only been proven for women...

The odd carb trick burns up to 1LB per DAY
Reply HowardUpliz
10:55 AM on October 31, 2019 Sedesleelp