ARJ

Description

ARJ is a legacy archive format that has largely been replaced by more modern formats such as RAR. It is, however, still supported by popular archiving software and is sometimes used by threat actors to deliver payloads.

Info: Available in Contextal Platform 1.0 and later.

Features

All common compression methods are supported.

Symbols

Object

  • LIMITS_REACHED → limits triggered while processing the archive

Children

  • CORRUPTED → this child object was not extracted due to data corruption
  • TOOBIG → this child object was not extracted as it exceeds the limits

Example Metadata

{
  "org": "ctx",
  "object_id": "7932a6a70fee2285af2288ed3f52f237810e8f9e81eec2ca2d64b7c43a290a49",
  "object_type": "ARJ",
  "object_subtype": null,
  "recursion_level": 1,
  "size": 694485,
  "hashes": {
    "sha1": "b0f1e54f0787f7c6eaa3f1ed0154920b39ce5ac6",
    "sha512": "33847196201d12dee66eb1e2d9c6cc0ea8638f9176109c8ccc62b336b61fe119d971390c129066e3b3051e06662c964946136e24678b582a3353e38b099a8e04",
    "sha256": "7932a6a70fee2285af2288ed3f52f237810e8f9e81eec2ca2d64b7c43a290a49",
    "md5": "09f858c124857a8cc478de28a9e79936"
  },
  "ctime": 1726483679.541782,
  "ok": {
    "object_metadata": {
      "_backend_version": "1.0.0",
      "host_os": "UNIX",
      "name": "inv.arj"
    },
    "children": [
      {
        "org": "ctx",
        "object_id": "b54ee7375e7ea979d16b76f183aaaccfa49681e2bd748ffca202fde9cf823346",
        "object_type": "PE",
        "object_subtype": null,
        "recursion_level": 2,
        "size": 1017856,
        "hashes": {
          "sha1": "4344e695b5f65917dc68f241ecde4b99cf25d930",
          "sha256": "b54ee7375e7ea979d16b76f183aaaccfa49681e2bd748ffca202fde9cf823346",
          "sha512": "44963c4b52eebb7c07d8cd9b2766faccc045dea166c76a479cdccbba06a9dc1a5b4be1003daed93b72f64f848497c3ae57be99501aa11d4569b30b7e7e26706c",
          "md5": "d30bb9df615a8d1661f843d426ff40eb"
        },
        "ctime": 1726483679.541782,
        "relation_metadata": {
          "archiver_version_number": 11,
          "arj_flags": 16,
          "compressed_size": 694358,
          "compression_method": "CompressedMost",
          "min_version_to_extract": 1,
          "name": "Inv_0674.exe",
          "original_crc32": 1065715822,
          "original_size": 1017856
        },
[...]

Example Queries

object_type == "ARJ"
&& @count_children() == 1
&& @has_child(object_type == "PE")
  • This matches an ARJ object that contains exactly one child object, and that child is of type PE.
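
The same condition applied offline to exported metadata records, for triage outside the platform. This is an added example, not Contextal's own code: the helper names are hypothetical, the sample records are constructed, and it assumes that @count_children() and @has_child() operate on the direct entries of "ok" → "children" as shown in Example Metadata.

```python
# Added example: mirrors the page's example query over exported metadata.
# Assumption: children live under record["ok"]["children"], as in Example Metadata.

def children(obj):
    """Direct children of a record; empty when the record has no "ok" result."""
    return (obj.get("ok") or {}).get("children") or []

def count_children(obj):
    return len(children(obj))

def has_child(obj, predicate):
    return any(predicate(c) for c in children(obj))

def arj_with_single_pe(obj):
    """object_type == "ARJ" && @count_children() == 1 && @has_child(object_type == "PE")"""
    return (obj.get("object_type") == "ARJ"
            and count_children(obj) == 1
            and has_child(obj, lambda c: c.get("object_type") == "PE"))

def triage(records):
    """Return (archive name, child name, child size) for every matching record."""
    hits = []
    for rec in records:
        if not arj_with_single_pe(rec):
            continue
        child = children(rec)[0]
        meta = rec["ok"].get("object_metadata") or {}
        rel = child.get("relation_metadata") or {}
        hits.append((meta.get("name"), rel.get("name"), child.get("size")))
    return hits

def _child(otype, name, size):
    return {"object_type": otype, "size": size, "relation_metadata": {"name": name}}

def _archive(otype, name, kids):
    return {"object_type": otype,
            "ok": {"object_metadata": {"name": name}, "children": kids}}

# Constructed sample records. The first is a trimmed copy of the page's example;
# the rest (including the "Text" and "ZIP" type names) are made up for contrast.
SAMPLE = [
    _archive("ARJ", "inv.arj", [_child("PE", "Inv_0674.exe", 1017856)]),
    _archive("ARJ", "docs.arj", [_child("PE", "a.exe", 10), _child("Text", "b.txt", 5)]),
    _archive("ARJ", "notes.arj", [_child("Text", "readme.txt", 5)]),
    _archive("ZIP", "tool.zip", [_child("PE", "tool.exe", 10)]),
    {"object_type": "ARJ"},  # record without an "ok" result
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```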

Configuration Options

  • max_processed_size → maximum size of the input object that will be processed (default: 262144000)
  • max_children → maximum number of child objects to create (default: 100)
  • max_child_input_size → maximum size of a single input child object (default: 41943040)
  • max_child_output_size → maximum size of a single output child object (default: 41943040)