
Static configuration extractor for the Karton framework

Project description

Config-extractor karton service

Extracts static configuration from samples and memory dumps using the malduck engine.

Author: CERT.pl

Maintainers: nazywam, psrok1, msm

Consumes:

{
    "type": "sample",
    "stage": "recognized",
    "kind": "runnable",
    "platform": "win32"
},
{
    "type": "sample",
    "stage": "recognized",
    "kind": "runnable",
    "platform": "win64"
},
{
    "type": "sample",
    "stage": "recognized",
    "kind": "runnable",
    "platform": "linux"
},
{
    "type": "analysis",
},

While the sample type is self-explanatory, the analysis type may be confusing. An analysis task is the output of one of the sandboxes: drakvuf-sandbox, cuckoo, or joesandbox. An analysis is a sample with additional memory dumps attached.

An analysis task is expected to be in the following format:

task = Task(
    headers={"type": "analysis"},
    payload={
        "sample": <sample>,
        "dumps.zip": Resource.from_directory("dumps.zip", dumps_path.as_posix()),
        "dumps_metadata": [
            {"filename": <dump1_filename>, "base_address": <dump1_base_address>},
            {"filename": <dump2_filename>, "base_address": <dump2_base_address>},
            {"filename": <dump3_filename>, "base_address": <dump3_base_address>},
            [...]
        ],
    }
)

where dumps_metadata contains the filename and base address of every memory dump in dumps.zip. The attributes are:

  • filename, the path of the dump relative to the dumps.zip contents;
  • base_address, the hex-encoded base address of the dump (a leading 0x is supported). You can specify multiple entries for the same file if the same memory dump was found at different base addresses.

The extractor tries to retrieve a config from each memory dump and keeps only the best candidate for each malware family.
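The following is an added example, not code from karton-config-extractor or CERT.pl, showing how a consumer of an analysis task can validate the dumps_metadata list described above before opening the dumps, and then reduce several config candidates to one per family. The page does not say how the service ranks candidates, so the "most non-empty fields wins" heuristic, the helper names, and the sample dump names, families and config values are all assumptions constructed for the example.

```python
"""Validate an analysis task's dumps_metadata and keep one config per family.

Added example (not part of karton-config-extractor). The in-memory dumps.zip,
the dumps_metadata entries and the config candidates below are constructed.
"""
import io
import posixpath
import zipfile
from typing import Any, Dict, List, Tuple


def parse_base_address(value: str) -> int:
    """Parse a hex-encoded base address; a leading 0x/0X is optional."""
    text = value.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    if not text or any(c not in "0123456789abcdef" for c in text):
        raise ValueError(f"base_address is not hex-encoded: {value!r}")
    return int(text, 16)


def safe_member_name(filename: str) -> bool:
    """A dumps.zip member must be a plain relative POSIX path, with no
    absolute prefix, backslashes, '.' / '..' components or doubled slashes,
    so it can never name a file outside the extracted archive."""
    if not filename or "\\" in filename or filename.startswith("/"):
        return False
    if posixpath.normpath(filename) != filename:
        return False
    return ".." not in filename.split("/")


def validate_dumps_metadata(
    entries: List[Dict[str, Any]], zip_members: set
) -> Tuple[List[Tuple[str, int]], List[Tuple[Dict[str, Any], str]]]:
    """Return (accepted, rejected): accepted is a list of (filename, base) pairs,
    rejected pairs each bad entry with the reason it was dropped."""
    accepted, rejected, seen = [], [], set()
    for entry in entries:
        filename = entry.get("filename")
        if not isinstance(filename, str) or not safe_member_name(filename):
            rejected.append((entry, "unsafe or missing filename"))
            continue
        if filename not in zip_members:
            rejected.append((entry, "not present in dumps.zip"))
            continue
        try:
            base = parse_base_address(str(entry.get("base_address", "")))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
            continue
        key = (filename, base)           # the same dump may legitimately
        if key in seen:                  # appear at several base addresses
            rejected.append((entry, "duplicate filename/base_address pair"))
            continue
        seen.add(key)
        accepted.append(key)
    return accepted, rejected


def select_best_per_family(candidates: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Keep one candidate per family. Assumed heuristic (not the service's own):
    the config with the most non-empty fields wins; ties keep the first seen."""
    best: Dict[str, Tuple[int, Dict[str, Any]]] = {}
    for cand in candidates:
        score = sum(1 for v in cand["config"].values() if v not in (None, "", [], {}))
        family = cand["family"]
        if family not in best or score > best[family][0]:
            best[family] = (score, cand)
    return {family: cand for family, (_, cand) in best.items()}


def build_sample_zip() -> zipfile.ZipFile:
    """Constructed dumps.zip with two placeholder dumps (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dumps/dump_00400000.bin", b"MZ" + b"\x00" * 62)
        zf.writestr("dumps/dump_10000000.bin", b"MZ" + b"\x00" * 62)
    buf.seek(0)
    return zipfile.ZipFile(buf)


# Constructed dumps_metadata, shaped like the analysis task payload above.
SAMPLE_DUMPS_METADATA = [
    {"filename": "dumps/dump_00400000.bin", "base_address": "0x400000"},
    {"filename": "dumps/dump_00400000.bin", "base_address": "10000000"},  # same dump, second base
    {"filename": "dumps/dump_10000000.bin", "base_address": "0X10000000"},
    {"filename": "../escape.bin", "base_address": "0x1000"},              # rejected: traversal
    {"filename": "dumps/missing.bin", "base_address": "0x2000"},          # rejected: not in zip
    {"filename": "dumps/dump_10000000.bin", "base_address": "zz"},        # rejected: not hex
]

# Constructed config candidates, as if one had been extracted per dump.
SAMPLE_CANDIDATES = [
    {"family": "family_a", "dump": "dumps/dump_00400000.bin",
     "config": {"urls": ["http://c2.example.invalid/"], "key": ""}},
    {"family": "family_a", "dump": "dumps/dump_10000000.bin",
     "config": {"urls": ["http://c2.example.invalid/"], "key": "abc"}},
    {"family": "family_b", "dump": "dumps/dump_10000000.bin",
     "config": {"port": 443}},
]


def run_example() -> Dict[str, Any]:
    members = set(build_sample_zip().namelist())
    accepted, rejected = validate_dumps_metadata(SAMPLE_DUMPS_METADATA, members)
    return {"accepted": accepted, "rejected": rejected,
            "best": select_best_per_family(SAMPLE_CANDIDATES)}


if __name__ == "__main__":
    result = run_example()
    for filename, base in result["accepted"]:
        print(f"accepted {filename} @ {base:#x}")
    for entry, reason in result["rejected"]:
        print(f"rejected {entry}: {reason}")
    for family, cand in result["best"].items():
        print(f"{family}: best config from {cand['dump']}")
```

Validating filename before touching the archive matters because the dumps.zip comes from an external sandbox; a member name containing ".." or an absolute path would otherwise decide where the consumer writes when it unpacks the dumps.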

Produces:

# Dropped dumps related to the static configuration
{
    "type": "sample",
    "stage": "analyzed",
    "kind": "dump",
    "platform": "win32",
    "extension": "exe",
    "payload": {
        "sample": <Resource>, # Dump where config was found
        "parent": <Resource>  # Original executable
    }
}

# Static configuration
{
    "type": "config",
    "family": <str>, # Family name
    "payload": {
        "config": <dict>,     # Static configuration
        "sample": <Resource>, # Dump where config was found
        "parent": <Resource>, # Original executable
    }
}

Usage

First of all, make sure you have set up the core system: https://github.com/CERT-Polska/karton

Then install karton-config-extractor from PyPI:

$ pip install karton-config-extractor

$ karton-config-extractor --modules malduck-extractor-modules/

Co-financed by the Connecting Europe Facility of the European Union

Download files


Source Distributions

No source distribution files are available for this release.

Built Distribution

karton_config_extractor-2.2.0-py3-none-any.whl (9.0 kB)

Uploaded: Python 3

File details

Details for the file karton_config_extractor-2.2.0-py3-none-any.whl.

File metadata

File hashes

Hashes for karton_config_extractor-2.2.0-py3-none-any.whl

Algorithm   | Hash digest
SHA256      | 3ab13a8eeedc72112884cc0f950d07a0e7b7251855f76448ada93363a964ce41
MD5         | f69fe6db5f2b588935e7d3608eef833e
BLAKE2b-256 | 6c710cd8133b2148cda7f5e5e88ef4e971c6f84636cb30cbe3e3b92bf364d645
