
{"id":231,"date":"2017-11-07T16:36:22","date_gmt":"2017-11-07T14:36:22","guid":{"rendered":"http:\/\/futex.re\/blog\/?p=231"},"modified":"2017-11-09T17:58:50","modified_gmt":"2017-11-09T15:58:50","slug":"extract-malware-defender-quarantine-files","status":"publish","type":"post","link":"https:\/\/futex.re\/blog\/?p=231","title":{"rendered":"Extract malware defender quarantine files"},"content":{"rendered":"<p>I haven&#8217;t posted here for a lonnnng time&#8230; And I am back to explain a quick trick.<\/p>\n<p>A few days ago, I searched for a way to extract malware from Malware Defender quarantine files. A friend told me it&#8217;s encrypted with RC4 and gave me the key. I have made a script to automate that: <a href=\"https:\/\/github.com\/futex\/Reverse\/blob\/master\/Python\/QuarantineExtrators\/MalwareDefenderDecrypter.py\" title=\"MalwareDefenderDecrypter\" target=\"blank\">MalwareDefenderDecrypter<\/a><\/p>\n<p>The output is quite dirty: there are some bytes (probably headers) to remove before the MZ.<\/p>\n<p>I have also added a <a href=\"https:\/\/github.com\/futex\/Reverse\/blob\/master\/Python\/QuarantineExtrators\/Kaspersky_uncrypt.py\" title=\"kaspersky\">Kaspersky<\/a> decoder script.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I haven&#8217;t posted here for a lonnnng time&#8230; And I am back to explain a quick trick. A few days ago, I searched for a way to extract malware from Malware Defender quarantine files. 
A friend told me it&#8217;s encrypted with &hellip; <a href=\"https:\/\/futex.re\/blog\/?p=231\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/futex.re\/blog\/index.php?rest_route=\/wp\/v2\/posts\/231"}],"collection":[{"href":"https:\/\/futex.re\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/futex.re\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/futex.re\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/futex.re\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=231"}],"version-history":[{"count":5,"href":"https:\/\/futex.re\/blog\/index.php?rest_route=\/wp\/v2\/posts\/231\/revisions"}],"predecessor-version":[{"id":236,"href":"https:\/\/futex.re\/blog\/index.php?rest_route=\/wp\/v2\/posts\/231\/revisions\/236"}],"wp:attachment":[{"href":"https:\/\/futex.re\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=231"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/futex.re\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=231"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/futex.re\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=231"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}