isodump.py and Malicious ISO Files
Last Updated: 2019-07-15 14:57:16 UTC
by Didier Stevens (Version: 1)
Inspired by my diary entry "Malicious .iso Attachments", @Evild3ad79 created a tool, isodump.py, to help with the analysis of ISO files.
Without any arguments or options, the tool displays its usage:
When you just provide it an ISO file, it does nothing:
You have to provide a command, like displaying metadata (-M):
Or listing the content (-l):
This ISO file contains a file named PAYMENT.EXE. It's very likely a PE file (it starts with 4D5A, or MZ). With the provided hashes, we can search for it on VirusTotal.
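What a listing like this involves, as an added example that is not code from isodump.py or from this diary: a minimal in-memory reader that parses the ISO 9660 primary volume descriptor and root directory and reports each file's first two bytes (4D5A for a PE file) and its SHA-256. It assumes a plain ISO 9660 image with files in the root directory (no Joliet, UDF or subdirectories); the function names and the constructed sample image are illustrative assumptions.

```python
import hashlib

SECTOR = 2048  # ISO 9660 logical sector size

def _u32(buf, off):  # little-endian half of a both-endian field
    return int.from_bytes(buf[off:off + 4], "little")

def _both(n, width):  # both-endian integer: little-endian, then big-endian
    return n.to_bytes(width, "little") + n.to_bytes(width, "big")

def list_iso_files(image):
    """Return name, size, magic and SHA-256 for each root-directory file."""
    pvd = image[16 * SECTOR:17 * SECTOR]            # primary volume descriptor
    if pvd[:6] != b"\x01CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    root = pvd[156:190]                             # root directory record
    start = _u32(root, 2) * SECTOR
    directory = image[start:start + _u32(root, 10)]
    files, pos = [], 0
    while pos < len(directory):
        rec_len = directory[pos]
        if rec_len == 0:                            # padding: skip to next sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec, pos = directory[pos:pos + rec_len], pos + rec_len
        if len(rec) < 34 or rec[25] & 0x02:         # truncated record or directory
            continue
        off, size = _u32(rec, 2) * SECTOR, _u32(rec, 10)
        data = image[off:off + size]                # held in memory, never on disk
        name = rec[33:33 + rec[32]].decode("ascii", "replace").split(";")[0]
        files.append({"name": name, "size": size, "magic": data[:2].hex().upper(),
                      "sha256": hashlib.sha256(data).hexdigest()})
    return files

def _record(name, lba, size, flags):
    """Build one directory record (used only for the constructed sample)."""
    body = (b"\0" + _both(lba, 4) + _both(size, 4) + bytes(7)
            + bytes([flags, 0, 0]) + _both(1, 2) + bytes([len(name)]) + name)
    body += b"\0" * ((len(body) + 1) % 2)           # records have even length
    return bytes([len(body) + 1]) + body

def build_sample_iso(payload=b"MZ" + b"constructed sample, not malware"):
    """Constructed one-file image: PVD in sector 16, root dir 18, file 19."""
    pvd = bytearray(b"\x01CD001\x01".ljust(SECTOR, b"\0"))
    pvd[156:190] = _record(b"\0", 18, SECTOR, 2)
    root = (_record(b"\0", 18, SECTOR, 2) + _record(b"\1", 18, SECTOR, 2)
            + _record(b"PAYMENT.EXE;1", 19, len(payload), 0))
    return (bytes(16 * SECTOR) + bytes(pvd) + bytes(SECTOR)
            + root.ljust(SECTOR, b"\0") + payload.ljust(SECTOR, b"\0"))
```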
The file can be selected (-s 0) and dumped to stdout (-d). I like this feature because it allows me to pipe the malware into another analysis tool without writing it to disk:
If you just need to look at the first file, you can omit option -s: