[Screenshot: Windows "How do you want to open this file?" dialog]

Handling Malware Delivered Into .daa Files

Bad guys are always trying to use “exotic” file extensions to deliver their malicious payloads. While common dangerous extensions are often blocked by mail security gateways, there are plenty of less common ones. These days, with the COVID-19 pandemic, we are facing a peak of phishing and scams trying to lure victims. I spotted one that uses such an exotic extension: “DAA”.

“DAA” stands for “Direct-Access-Archive” and is a file format developed by Power Software for its toolbox PowerISO. This is not a brand new way to distribute malware: my friend Didier Stevens already wrote an Internet Storm Center diary about this file format. A DAA file can normally only be processed by PowerISO. This greatly restricts the number of potential victims because, today, Microsoft Windows is able to handle ISO files natively, but not DAA files. So, how do you handle a suspicious DAA file?

Fortunately, PowerISO provides a free command-line tool (statically compiled, too!) that extracts the content of DAA files. Let’s do it in a Docker container so we don’t mess up the base OS…

xavier : /Volumes/MalwareZoo/20200401 $ ls Covid-19.001.daa
xavier : /Volumes/MalwareZoo/20200401 $ docker run -it --rm -v $(pwd):/data ubuntu bash
root@0c027d353187:/# cd /data
root@0c027d353187:/data# wget -q -O -|tar xzvf -
root@0c027d353187:/data# chmod a+x poweriso
root@0c027d353187:/data# ./poweriso extract Covid-19.001.daa / -od . 

PowerISO   Copyright(C) 2004-2008 PowerISO Computing, Inc
            Type poweriso -? for help
Extracting to 

./Covid-19.001.exe ...   100%

root@0c027d353187:/data# file Covid-19.001.exe
Covid-19.001.exe: PE32 executable (GUI) Intel 80386, for MS Windows

Now you have the PE file and can go further with the analysis…
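As an added example (not code from the post or from PowerISO), here is a small Python triage script for the step right after extraction: it checks an attachment for the DAA signature, then describes each extracted PE file the way `file` did above by reading the COFF and optional headers directly, hashes it, and flags a misleading double extension such as Covid-19.001.exe. The DAA signature (assumed to be the bytes "DAA" followed by NUL padding, which the post does not state), the `EXEC_SUFFIXES` set and the double-extension heuristic are my assumptions; the PE header layout comes from the PE/COFF specification, and the sample PE image is constructed in the script itself.

```python
#!/usr/bin/env python3
"""Triage of files pulled out of a DAA container.

Added example for this post, not code from the original article or from
PowerISO. It recognises a DAA container by its (assumed) signature, and
describes any extracted PE file the way `file` did above, plus a hash and
a misleading-extension flag.
"""
import hashlib
import struct
import sys
from pathlib import Path
from typing import Optional

# Assumption: a DAA container begins with the ASCII bytes "DAA" followed by
# NUL padding. The post does not state the signature; adjust if yours differs.
DAA_MAGIC = b"DAA\x00"

# COFF machine types and optional-header subsystem values from the PE/COFF spec
PE_MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "Aarch64"}
PE_SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000
# Assumed list of extensions worth flagging when they hide behind another one
EXEC_SUFFIXES = {".exe", ".scr", ".dll", ".com", ".pif"}


def is_daa(data: bytes) -> bool:
    """Cheap first check on an attachment: does it carry the (assumed) DAA signature?"""
    return data.startswith(DAA_MAGIC)


def describe_pe(data: bytes) -> Optional[str]:
    """Return a `file`-style description of a PE image, or None if the blob is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    bits, subsystem = "PE32", "unknown"
    if opt_size >= 70 and opt + 70 <= len(data):
        magic = struct.unpack_from("<H", data, opt)[0]  # 0x10B = PE32, 0x20B = PE32+
        bits = "PE32+" if magic == 0x20B else "PE32"
        # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+
        subsystem = PE_SUBSYSTEMS.get(struct.unpack_from("<H", data, opt + 68)[0], "unknown")
    kind = "DLL" if chars & IMAGE_FILE_DLL else "executable"
    return f"{bits} {kind} ({subsystem}) {PE_MACHINES.get(machine, hex(machine))}, for MS Windows"


def triage(name: str, data: bytes) -> dict:
    """Summarise one extracted file: hash, PE description and a naming heuristic.

    The extension check is a hypothetical heuristic: an executable whose stem
    still ends in another "extension" (Covid-19.001.exe) deserves a second look.
    """
    suffixes = [s.lower() for s in Path(name).suffixes]
    return {
        "name": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "pe": describe_pe(data),
        "misleading_extension": len(suffixes) > 1 and suffixes[-1] in EXEC_SUFFIXES,
    }


def build_minimal_pe(machine: int = 0x014C, subsystem: int = 2, characteristics: int = 0x0102) -> bytes:
    """Constructed sample: a header-only PE32 image, enough for describe_pe(), not runnable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224  # size of a PE32 optional header
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)  # IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: triage_daa.py <directory the container was extracted into> [<the .daa itself>]
    if len(sys.argv) > 2:
        print("container signature ok:", is_daa(Path(sys.argv[2]).read_bytes()))
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for p in (sorted(target.iterdir()) if target else []):
        if p.is_file():
            print(triage(p.name, p.read_bytes()))
    if not target:  # no arguments: run on the constructed sample
        print(triage("Covid-19.001.exe", build_minimal_pe()))
```

Run it against the directory you extracted into (the `.` used with `-od` above) and, optionally, the original .daa; with no arguments it describes the constructed sample, which comes out as "PE32 executable (GUI) Intel 80386, for MS Windows", the same wording `file` printed for the real payload.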

As you can see from the copyright message, the tool is old (2008) but it works pretty well and deserves a place in your personal reverse-engineering arsenal!
