Bad guys are always trying to use “exotic” file extensions to deliver their malicious payloads. While the common dangerous extensions are often blocked by mail security gateways, there are plenty of less common ones. These days, with the COVID-19 pandemic, we are facing a peak of phishing and scams trying to lure victims. I spotted one that uses such an exotic extension: “DAA”.
“DAA” stands for “Direct-Access-Archive”, a file format developed by Power Software for its toolbox PowerISO. This is not a brand new way to distribute malware: my friend Didier Stevens already wrote an Internet Storm Center diary about this file format. A DAA file can normally only be processed by PowerISO, which greatly restricts the number of potential victims because, today, Microsoft Windows is able to handle ISO files natively while DAA files still require PowerISO to be installed. So, how do you handle a suspicious DAA file?
Fortunately, PowerISO has a free command-line tool available (and statically compiled!) that extracts the content of DAA files. Let’s do it in a Docker container so as not to mess with your base OS…
xavier : /Volumes/MalwareZoo/20200401 $ ls
Covid-19.001.daa
xavier : /Volumes/MalwareZoo/20200401 $ docker run -it --rm -v $(pwd):/data ubuntu bash
root@0c027d353187:/# cd /data
root@0c027d353187:/data# wget -q -O - http://poweriso.com/poweriso-1.3.tar.gz|tar xzvf -
poweriso
root@0c027d353187:/data# chmod a+x poweriso
root@0c027d353187:/data# ./poweriso extract Covid-19.001.daa / -od .
PowerISO Copyright(C) 2004-2008 PowerISO Computing, Inc
Type poweriso -? for help

Extracting to ./Covid-19.001.exe ... 100%
root@0c027d353187:/data# file Covid-19.001.exe
Covid-19.001.exe: PE32 executable (GUI) Intel 80386, for MS Windows
Now you have the PE file and can go further with the analysis…
As you can see from the copyright message, the tool is old (2008) but it works pretty well and deserves a place in your personal reverse-engineering arsenal!
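Since the whole trick relies on gateways filtering by extension, the defensive counterpart is to classify attachments by content. The following is an added example (not code from the post or from PowerISO) that sniffs magic bytes and flags DAA containers and extension/content mismatches; the DAA signatures (“DAA” padded with NULs for the first file, “DAA VOL” for follow-up split volumes) are assumed from the file(1) magic database and the daa2iso reverse engineering, and the sample attachments are constructed inline.

```python
import os

# Assumed signatures (from file(1) magic and daa2iso), not taken from the post.
DAA_MAGIC = b"DAA\x00\x00\x00\x00\x00"      # first volume, e.g. name.001.daa
DAA_VOL_MAGIC = b"DAA VOL\x00"              # subsequent split volumes
PE_MAGIC = b"MZ"                            # DOS/PE executable header
ISO_MAGIC = b"CD001"                        # ISO 9660 primary volume descriptor
ISO_MAGIC_OFFSET = 0x8001                   # descriptor sits at sector 16 + 1 byte


def sniff(data: bytes) -> str:
    """Classify a blob by content only; the file name plays no role here."""
    if data.startswith(DAA_MAGIC):
        return "daa"
    if data.startswith(DAA_VOL_MAGIC):
        return "daa-volume"
    if data.startswith(PE_MAGIC):
        return "pe"
    end = ISO_MAGIC_OFFSET + len(ISO_MAGIC)
    if len(data) >= end and data[ISO_MAGIC_OFFSET:end] == ISO_MAGIC:
        return "iso"
    return "unknown"


BLOCKED_EXT = {".exe", ".iso", ".img"}          # what an extension filter catches
CONTAINER_KINDS = {"daa", "daa-volume", "iso"}  # what it misses without content checks


def assess(name: str, data: bytes) -> dict:
    """Decide whether an attachment should be quarantined, and say why."""
    ext = os.path.splitext(name)[1].lower()
    kind = sniff(data)
    reasons = []
    if kind in CONTAINER_KINDS:
        reasons.append(f"{kind} container detected by magic bytes")
    if kind == "pe" and ext != ".exe":
        reasons.append(f"PE payload hiding behind extension {ext or '(none)'}")
    if ext in BLOCKED_EXT:
        reasons.append("extension on block list")
    return {"name": name, "kind": kind, "quarantine": bool(reasons), "reasons": reasons}


# Constructed sample attachments (headers only, not the real malware sample).
SAMPLES = {
    "Covid-19.001.daa": DAA_MAGIC + b"\x00" * 56,   # exotic extension, DAA content
    "invoice.pdf": PE_MAGIC + b"\x90" * 62,          # executable renamed to .pdf
    "notes.txt": b"plain text attachment",           # benign
}


def scan_all() -> dict:
    """Run the content-based assessment over every constructed sample."""
    return {name: assess(name, data) for name, data in SAMPLES.items()}
```

Run `scan_all()` to see which samples an extension-only filter would have let through: the DAA container and the renamed PE are both quarantined on content alone.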