Scenario: You only have the AppxBlockMap.xml from a potentially malicious Appx. You'd like to identify the original PE contained in the Appx.
AppxBlockMap.xml lists every file in an Appx package together with its hashes. Each file is described by a <File Name="..." Size="..." ...> element that contains one <Block Hash="..."/> child per 64 KiB chunk of the uncompressed file, followed (in packages built against the 2018 block-map schema) by a <b4:FileHash Value="..."/> element carrying the hash of the whole file. The hash algorithm is named in the HashMethod attribute of the root <BlockMap> element (in practice SHA-256), and every hash value is base64 encoded. You can search for the string <File Name= to enumerate the files, or search directly for the relevant .exe. To look the binary up on VirusTotal or elsewhere, take the <b4:FileHash> value (the last element in the <File> block), base64-decode it and render the bytes as hex. The <Block> hashes cover individual chunks, not the whole file, so they will never match a whole-file hash; if the package predates the 2018 schema there is no <b4:FileHash> and the block map alone cannot give you the whole-file hash.
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
- https://www.virustotal.com/gui/file/8643553e1d1ba7f26f387a5a1ad6e9bafc04c943795ed2cf6405f557f16c28f7/details
- https://www.virustotal.com/gui/file/3333e2846173468a7bf9dc859e2a0418a4bf1a2840802b397463fce5398fb6d3/details
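To make the extraction mechanical, here is an added Python example (not from the original post, and not tooling from any of the sources linked above) that parses an AppxBlockMap.xml, decodes the base64 hashes to hex and reports which PEs have a whole-file hash you can paste into VirusTotal. The sample block maps are constructed inline, including a pre-2018-schema one with no <b4:FileHash>; the namespaces, attribute names and the 64 KiB block size are the real ones, while the file names and contents are made up.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by AppxBlockMap.xml: <File> and <Block> live in the 2010 default
# namespace, the whole-file hash (<b4:FileHash>) in the 2018 "b4" namespace.
NS = {
    "bm": "http://schemas.microsoft.com/appx/2010/blockmap",
    "b4": "http://schemas.microsoft.com/appx/2018/blockmap",
}
BLOCK_SIZE = 64 * 1024  # each <Block Hash> covers one 64 KiB chunk of the uncompressed file


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def b64_to_hex(value: str) -> str:
    """Block map hashes are base64; VirusTotal and most tooling want lowercase hex."""
    return base64.b64decode(value, validate=True).hex()


def parse_blockmap(xml_text: str) -> dict:
    """Parse a block map into {"hash_method": str, "files": [...]}.

    Each file entry has name, size, file_hash (hex, or None when the package
    predates the 2018 schema and carries no <b4:FileHash>) and block_hashes.
    Without a FileHash the block map alone cannot give the whole-file SHA-256.
    """
    root = ET.fromstring(xml_text)
    parsed = {"hash_method": root.get("HashMethod", ""), "files": []}
    for f in root.findall("bm:File", NS):
        fh = f.find("b4:FileHash", NS)
        parsed["files"].append({
            "name": f.get("Name"),
            "size": int(f.get("Size", "0")),
            "file_hash": b64_to_hex(fh.get("Value")) if fh is not None else None,
            "block_hashes": [b64_to_hex(b.get("Hash")) for b in f.findall("bm:Block", NS)],
        })
    return parsed


def pe_lookup_hashes(parsed: dict) -> dict:
    """Map each PE (.exe/.dll) that has a whole-file hash to the hex SHA-256 to search for."""
    return {
        f["name"]: f["file_hash"]
        for f in parsed["files"]
        if f["name"].lower().endswith((".exe", ".dll")) and f["file_hash"]
    }


def build_sample_blockmap(files: dict) -> str:
    """Constructed fixture generator (not a real packager): write a block map for
    name -> bytes, hashing 64 KiB blocks and the whole file the way a block map does."""
    lines = [
        f'<BlockMap xmlns="{NS["bm"]}" xmlns:b4="{NS["b4"]}" '
        'HashMethod="http://www.w3.org/2001/04/xmlenc#sha256">'
    ]
    for name, data in files.items():
        lines.append(f'  <File Name="{name}" Size="{len(data)}" LfhSize="{30 + len(name)}">')
        for off in range(0, max(len(data), 1), BLOCK_SIZE):
            block = base64.b64encode(hashlib.sha256(data[off:off + BLOCK_SIZE]).digest()).decode()
            lines.append(f'    <Block Hash="{block}"/>')
        whole = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines.append(f'    <b4:FileHash Value="{whole}"/>')
        lines.append("  </File>")
    lines.append("</BlockMap>")
    return "\n".join(lines)


# Constructed sample: a manifest plus a fake 100 KiB "PE" that spans two blocks.
SAMPLE_FILES = {
    "AppxManifest.xml": b"<Package/>",
    "app\\Example.exe": b"MZ" + bytes(range(256)) * 400,  # placeholder bytes, not a real PE
}
SAMPLE_BLOCKMAP = build_sample_blockmap(SAMPLE_FILES)

# Constructed pre-2018-schema sample: no <b4:FileHash>, only block hashes.
LEGACY_BLOCKMAP = (
    '<BlockMap xmlns="http://schemas.microsoft.com/appx/2010/blockmap" '
    'HashMethod="http://www.w3.org/2001/04/xmlenc#sha256">'
    '<File Name="old.exe" Size="3" LfhSize="37">'
    '<Block Hash="ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="/>'  # sha256(b"abc")
    '</File></BlockMap>'
)

if __name__ == "__main__":
    for name, sha in pe_lookup_hashes(parse_blockmap(SAMPLE_BLOCKMAP)).items():
        print(f"{name}: https://www.virustotal.com/gui/file/{sha}")
```

Point the script at a real AppxBlockMap.xml by replacing SAMPLE_BLOCKMAP with the file's contents; an empty result from pe_lookup_hashes means either no PE is listed or the package has no <b4:FileHash>, in which case the per-block hashes are all you have and cannot be used for a whole-file lookup.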
While attempting to grab a sample of a recent malicious Windows store app that impersonates Ledger Live, I was able to find a task on any.run for the malicious version by searching "ledger-live-web3" and "any.run". Microsoft had already pulled down the files and Windows store entries, but I was able to download the package's AppxBlockMap.xml from anyrun.
This was prompted by a live stream from OALabs on another sample that impersonates Ledger Live, and I was interested in seeing if they were the same (they weren't).