Static configuration extractor for the Karton framework
Project description
Config-extractor karton service
Extracts static configuration from samples and memory dumps using the malduck engine.
Author: CERT.pl
Maintainers: nazywam, psrok1, msm
Consumes:
{
    "type": "sample",
    "stage": "recognized",
    "kind": "runnable",
    "platform": "win32"
},
{
    "type": "sample",
    "stage": "recognized",
    "kind": "runnable",
    "platform": "win64"
},
{
    "type": "sample",
    "stage": "recognized",
    "kind": "runnable",
    "platform": "linux"
},
{
    "type": "analysis"
}
While the sample type is self-explanatory, the analysis type might be confusing. An analysis task is the output of
one of the sandboxes: drakvuf-sandbox, cuckoo, or joesandbox. An analysis is a sample with additional memory dumps
attached.
A task of the analysis type is expected to have the following format:
task = Task(
    headers={"type": "analysis"},
    payload={
        "sample": <sample>,
        "dumps.zip": Resource.from_directory("dumps.zip", dumps_path.as_posix()),
        "dumps_metadata": [
            {"filename": <dump1_filename>, "base_address": <dump1_base_address>},
            {"filename": <dump2_filename>, "base_address": <dump2_base_address>},
            {"filename": <dump3_filename>, "base_address": <dump3_base_address>},
            [...]
        ],
    }
)
where dumps_metadata contains the filename and base address of every memory dump in dumps.zip. Each entry has the
following attributes:
- filename: path relative to the contents of dumps.zip;
- base_address: hex-encoded base address of the dump (a leading 0x is supported).
You can specify multiple entries for the same file if the same memory dump was found at different base addresses.
The extractor tries to retrieve config from each memory dump and will pick only the best candidate from each malware family.
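The following is an added example, not code from karton-config-extractor itself: it validates a dumps_metadata list of the shape described above (relative filename, hex base address with optional 0x) and reduces per-dump extraction results to one config per family. The per-family score (number of config keys), the helper names and all sample values are assumptions made for this example.

```python
"""Added example (not part of karton-config-extractor): validate dumps_metadata
entries of an "analysis" task and keep one config per malware family.
Scoring a config by its number of keys is an assumption, not the service's rule."""
from pathlib import PurePosixPath


def parse_base_address(value: str) -> int:
    """Parse a hex-encoded base address; a leading 0x is accepted."""
    text = value.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    if not text or any(c not in "0123456789abcdef" for c in text):
        raise ValueError(f"base_address is not hex: {value!r}")
    return int(text, 16)


def validate_dumps_metadata(entries):
    """Return [(filename, base_address_int)] or raise on a malformed entry.
    filename must stay inside dumps.zip: relative, and without '..' components."""
    out = []
    for entry in entries:
        name = entry["filename"]
        path = PurePosixPath(name)
        if name == "" or path.is_absolute() or ".." in path.parts:
            raise ValueError(f"filename must be relative to dumps.zip: {name!r}")
        out.append((name, parse_base_address(entry["base_address"])))
    return out


def pick_best_per_family(results):
    """results: iterable of (dump_filename, family, config_dict).
    Keep the config with the most keys per family (assumed scoring)."""
    best = {}
    for dump, family, config in results:
        score = len(config)
        if family not in best or score > best[family][1]:
            best[family] = (dump, score, config)
    return {fam: {"sample": dump, "config": cfg} for fam, (dump, _, cfg) in best.items()}


# Constructed sample inputs: one dump listed twice at different base addresses,
# and two dumps that yielded a config for the same (fictional) family.
SAMPLE_METADATA = [
    {"filename": "dumps/0x400000.dmp", "base_address": "0x400000"},
    {"filename": "dumps/0x400000.dmp", "base_address": "7ff600000000"},
]
SAMPLE_RESULTS = [
    ("dumps/0x400000.dmp", "example_family", {"urls": ["http://c2.example"]}),
    ("dumps/0x10000.dmp", "example_family", {"urls": ["http://c2.example"], "key": "abcd"}),
]
```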
Produces:
# Dropped dumps related to the static configuration
{
    "type": "sample",
    "stage": "analyzed",
    "kind": "dump",
    "platform": "win32",
    "extension": "exe",
    "payload": {
        "sample": <Resource>,  # Dump where config was found
        "parent": <Resource>   # Original executable
    }
}
# Static configuration
{
    "type": "config",
    "family": <str>,  # Family name
    "payload": {
        "config": <dict>,     # Static configuration
        "sample": <Resource>, # Dump where config was found
        "parent": <Resource>  # Original executable
    }
}
Usage
First of all, make sure you have set up the core system: https://github.com/CERT-Polska/karton
Then install karton-config-extractor from PyPI and run it, pointing it at a directory of malduck extractor modules:
$ pip install karton-config-extractor
$ karton-config-extractor --modules malduck-extractor-modules/
File details
Details for the file karton_config_extractor-2.2.0-py3-none-any.whl.
File metadata
- Download URL: karton_config_extractor-2.2.0-py3-none-any.whl
- Size: 9.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.8.18
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 3ab13a8eeedc72112884cc0f950d07a0e7b7251855f76448ada93363a964ce41 |
| MD5 | f69fe6db5f2b588935e7d3608eef833e |
| BLAKE2b-256 | 6c710cd8133b2148cda7f5e5e88ef4e971c6f84636cb30cbe3e3b92bf364d645 |