Using REST API for getting suspicious files from endpoints

I need a solution

This is referring to https://www.symantec.com/connect/forums/using-rest…

As per https://apidocs.symantec.com/home/saep#_send_a_sus… I was able to issue a “/api/v1/command-queue/files” command successfully which then returned the commandID.

Based on this ID I found the [BINARY_RESULTS_ID] in the [COMMAND] table with the given [COMMAND_ID] to run the “/api/v1/command-queue/file/{file_id}/content” successfully, too.

After saving the output to a file I was able to open the “archive” and saw two files:

– binary file
– metadata.xml

<?xml version="1.0" encoding="UTF-8"?>
<MetaFile>
<File Key="128" OriginalFileName="\\?\C:\Windows\System32\notepad.exe" OriginalFilePath="\\?\C:\Windows\System32" FileName="fa2258b2cc57610861ed1279079e2854cce6768178fe7b3e952a56a990403e66" FileSource="filesystem" FileXORed="true"/>
</MetaFile>

The only issue I’m facing now is that I’m unsure how to “convert” the binary file back to its original format (.exe).
I guess you would have to remove the XOR encryption.
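The following Python script is an added example, not code from the original post or from Symantec. It shows how an analyst could process the downloaded archive end to end: parse metadata.xml, apply a single-byte XOR to the binary member when FileXORed is "true", and verify the result. It rests on assumptions the post does not confirm: that the archive is a ZIP file, that the Key attribute (128 here) is the single XOR byte, and that the FileName attribute holds the SHA-256 of the original file, which gives a built-in check that the decoding was right. The sample archive the script builds for itself is constructed test data, not a real submission.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to data. XOR is its own inverse, so the same
    call both obfuscates and restores. ASSUMPTION: the Key attribute in
    metadata.xml is this one byte; the page does not state the scheme."""
    k = key & 0xFF
    return bytes(b ^ k for b in data)


def parse_metadata(xml_text: str) -> dict:
    """Read the <File> element of metadata.xml into a plain dict."""
    root = ET.fromstring(xml_text)
    f = root.find("File")
    if f is None:
        raise ValueError("metadata.xml has no <File> element")
    return {
        "key": int(f.get("Key", "0")),
        "original_name": f.get("OriginalFileName", ""),
        # ASSUMPTION: FileName is the SHA-256 of the original content.
        "sha256": f.get("FileName", "").lower(),
        "xored": f.get("FileXORed", "false").lower() == "true",
    }


def recover_from_archive(archive_bytes: bytes) -> tuple[bytes, dict, bool]:
    """Return (recovered content, metadata, hash_matches).
    ASSUMPTION: the archive is a ZIP with metadata.xml plus one binary member."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        meta = parse_metadata(zf.read("metadata.xml").decode("utf-8"))
        members = [n for n in zf.namelist() if n != "metadata.xml"]
        if len(members) != 1:
            raise ValueError(f"expected exactly one binary member, found {members}")
        blob = zf.read(members[0])
    content = xor_bytes(blob, meta["key"]) if meta["xored"] else blob
    # Verification step: recompute SHA-256 and compare with the metadata value,
    # so a wrong key or a non-XOR scheme is caught instead of silently accepted.
    matches = hashlib.sha256(content).hexdigest() == meta["sha256"]
    return content, meta, matches


SAMPLE_PATH = r"\\?\C:\sample\hello.exe"  # constructed, not a real endpoint path


def build_sample_archive(original: bytes, key: int) -> bytes:
    """Construct a ZIP in the layout seen in the post (constructed test data)."""
    digest = hashlib.sha256(original).hexdigest()
    meta = (
        '<?xml version="1.0" encoding="UTF-8"?>\n<MetaFile>\n'
        f'<File Key="{key}" OriginalFileName="{SAMPLE_PATH}" '
        f'OriginalFilePath="{SAMPLE_PATH.rsplit(chr(92), 1)[0]}" '
        f'FileName="{digest}" FileSource="filesystem" FileXORed="true"/>\n'
        "</MetaFile>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.xml", meta)
        zf.writestr(digest, xor_bytes(original, key))
    return buf.getvalue()


def demo() -> bool:
    """Round-trip a constructed sample through the archive and back."""
    original = b"MZ\x90\x00" + bytes(range(256))  # constructed stand-in for a PE
    archive = build_sample_archive(original, 128)
    content, meta, ok = recover_from_archive(archive)
    return ok and content == original and meta["key"] == 128


if __name__ == "__main__":
    print("round-trip OK" if demo() else "round-trip FAILED")
```

On a real download, pass the bytes returned by the content endpoint to recover_from_archive and only trust the output when hash_matches is True; a False result means the Key or scheme assumption does not hold for that submission and the binary should not be treated as the original file.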
