There have been reports of threat actors using a .wav file as a vector for malware<\/a>.<\/p>\n It’s a proper .wav file, but they didn’t use staganography. The .wav file will play, but you’ll just hear noise:<\/p>\n That’s because the TAs have just replaced the bytes that encode the sound with the BASE64 representation of their payload:<\/p>\n Thus I don’t need a .wav parser to extract the encoded payload, I can just use my base64dump.py<\/a> tool:<\/p>\n The BASE64-decoded payload is an XOR-encoded PE file. So I don’t need to make a custom decoder, I can just perform a known-plaintext attack looking for the DOS header with my xor-kpa.py<\/a> tool:<\/p>\n The XOR key was found. Thus we can easily dump the decoded PE file and see the MZ header at position 0x08 and a bit further down the DOS header we used in the known-plaintext-attack:<\/p>\n And my tool pecheck.py<\/a> can extract an analyse the sample<\/a>:<\/p>\n Didier Stevens (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260419-100007.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260419-100220.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260419-100408.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260419-100857.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260419-102311.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260419-101916.png?ssl=1\")
<\/p>\n
\nSenior handler
\nblog.DidierStevens.com<\/a><\/p>\n
\n
<\/BR><\/p>\n