
VBN File Analysis - Decrypting for the Masses

In 2012, Hexacorn Ltd posted a couple of blogs on their website about decrypting VBN files: the original post and a second post. In their original research, the team at Hexacorn Ltd identified that "...Symantec’s VBN files can be encrypted not only with 0x5A, but also 0xA5...". In the later post they disclosed that the encrypted data is separated by a "...5 byte ‘chunk divider’ in a form of 0xF6 0x?? 0x?? 0xFF 0xFF. So, to reconstruct the encrypted Quarantine files, one needs to decrypt them with 0xA5 first and then remove the chunk dividers...". Both are valuable insights that I can confirm should be observed when decrypting VBN files.

For 2018, here are a few more insights into the data structures and analysis considerations for decrypting VBN files:

- The first 388 bytes are reserved for the original directory and filename of the quarantined file
- The next 2052 bytes contain metadata regarding the detection...
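As an added worked example (this is not Hexacorn's DeXRAY nor code from this post), the following Python parser applies the layout and decryption steps described above to a constructed VBN-like blob: it locates the 388-byte path field and the 2052-byte metadata block, picks the XOR key (0x5A or 0xA5) by checking which one yields a printable path, decrypts the body, and strips the 0xF6 0x?? 0x?? 0xFF 0xFF chunk dividers. The sample data, the simplification that one key covers the whole file, and the reading of the Hexacorn note as "dividers occur only in the 0xA5 variant" are assumptions of this example, not facts stated on the page.

```python
"""Toy VBN-style parser. Added example, not DeXRAY or Hexacorn's code.

Layout taken from the post: 388-byte original path, 2052 bytes of
detection metadata, then the quarantined file body, XOR'd with 0x5A
or 0xA5. Assumed here (not stated on the page): one key covers the
whole file, and the 5-byte dividers F6 ?? ?? FF FF appear only in the
0xA5 variant and are removed after decryption.
"""
PATH_LEN = 388
META_LEN = 2052
KEYS = (0x5A, 0xA5)

# Constructed sample data, not a real quarantine file.
SAMPLE_PATH = b"C:\\Users\\victim\\Downloads\\dropper.exe"
SAMPLE_BODY = b"MZ\x90\x00" + bytes(range(0x20, 0x60))


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key for b in data)


def strip_chunk_dividers(data: bytes) -> bytes:
    """Drop every 5-byte run F6 ?? ?? FF FF from already-decrypted data.

    Caveat: a byte scan cannot tell a divider from payload bytes that
    happen to match the pattern, so this is a heuristic, not a spec.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        if (i + 5 <= len(data) and data[i] == 0xF6
                and data[i + 3] == 0xFF and data[i + 4] == 0xFF):
            i += 5
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def guess_key(raw: bytes) -> int:
    """Return the key whose decrypted path field is printable ASCII."""
    for key in KEYS:
        path = xor_bytes(raw[:PATH_LEN], key).split(b"\x00", 1)[0]
        if path and all(0x20 <= b < 0x7F for b in path):
            return key
    raise ValueError("neither 0x5A nor 0xA5 yields a printable path")


def parse_vbn(raw: bytes) -> dict:
    """Split a VBN-like blob into path, metadata and decrypted body."""
    if len(raw) < PATH_LEN + META_LEN:
        raise ValueError("file shorter than the %d-byte header" % (PATH_LEN + META_LEN))
    key = guess_key(raw)
    path = xor_bytes(raw[:PATH_LEN], key).split(b"\x00", 1)[0].decode("ascii")
    meta = xor_bytes(raw[PATH_LEN:PATH_LEN + META_LEN], key)
    body = xor_bytes(raw[PATH_LEN + META_LEN:], key)
    if key == 0xA5:  # assumption: dividers only in the 0xA5 variant
        body = strip_chunk_dividers(body)
    return {"key": key, "path": path, "metadata": meta, "body": body}


def build_sample(key: int, path: bytes, body: bytes, chunk: int = 16) -> bytes:
    """Construct a synthetic blob (test input only): header, then body
    split into chunks, each prefixed by a divider when the key is 0xA5."""
    hdr = path.ljust(PATH_LEN, b"\x00") + b"\x00" * META_LEN
    if key == 0xA5:
        pieces = [body[i:i + chunk] for i in range(0, len(body), chunk)]
        body = b"".join(b"\xF6\x00\x10\xFF\xFF" + p for p in pieces)
    return xor_bytes(hdr + body, key)


def demo() -> dict:
    """Round-trip both key variants on the constructed sample."""
    return {k: parse_vbn(build_sample(k, SAMPLE_PATH, SAMPLE_BODY)) for k in KEYS}


if __name__ == "__main__":
    for k, rec in demo().items():
        print("key=0x%02X path=%s body[:4]=%r" % (k, rec["path"], rec["body"][:4]))
```

The key-guessing step is deliberately conservative: it only accepts a key when the path field decodes to non-empty printable ASCII, so a blob encrypted with an unexpected key raises rather than silently producing garbage. On real samples, treat the divider scan as a first pass and confirm the reconstructed body by checking its file signature and size against the metadata block.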